Amazon AWS Certified SysOps Administrator Associate – Security and Compliance for SysOps Part 5

  1. [SAA/DVA] KMS Hands On w/ CLI

Okay, so let’s play with Key Management Service, or KMS. KMS is a service that, as we said, I’ve been using all along. But let’s first look, on the left hand side, at the AWS managed keys. Some of the keys we see here are AWS managed keys, and we know they are AWS managed because their aliases start with aws/.

So we have one key for S3, one for ACM, one for CodeCommit, DynamoDB, Lambda and Elastic File System. You may have different keys, depending on which services you have enabled encryption for. The idea is that if, for example, we have an EBS volume or an Elastic File System, and we encrypted that file system with KMS using the default AWS managed key, then it would automatically have used the alias aws/elasticfilesystem. And this kind of key is free.

So here we have six, but you may have a different number. These are free, but we have no control over them: we cannot use them outside of their service, we cannot delete them, we cannot rotate them; we can only get some default information about them and view the key policy, for example. And this key policy allows EFS to access the key. If we look at it, the Principal is AWS: *, and if we scroll down it says that the kms:ViaService condition has to be Elastic File System. So the service using that key has to be EFS, which makes sense because this is the AWS EFS key. Okay? So this is the first kind of key we have, the AWS managed keys. The second kind is the customer managed keys, which is where we create our own keys. And it is really important to know that if you do create a key here, you’re going to pay $1 per month. So if you don’t want to pay, then don’t follow this hands-on, just watch me do it.

And finally, custom key stores, just briefly: these are based on AWS CloudHSM clusters, which is out of scope for the exam, so I don’t include it in this lecture. Okay, so for customer managed keys, we are going to create a key, and first we have to configure the key type. It could be a symmetric key or an asymmetric key. With a symmetric key, the same key is used for encryption and decryption. Asymmetric is when you have a public and private key pair, if you want to do encrypt/decrypt or sign/verify operations. We’re going to use symmetric. In terms of the origin of the symmetric key material, we’re going to use KMS: KMS will generate the key for us. We could provide the key material ourselves if we wanted to, or use CloudHSM to generate it, but for now we’ll just use KMS, which is the simplest. Okay, next we can enter an alias and a description, so I’ll just enter tutorial as the alias, and for the description I’m not going to enter anything.

Then we scroll down. Do we want to tag that key? No, it is fine. Then comes the key policy. Here we can define key administrators. If I don’t do this, then we go with a default key policy, so I’m going to keep it like this. But if you want a more tailored key policy, then here you would choose which users and roles can administer this key through the KMS API. I’m not going to do this right now, I’m just going to click Next. And then: who can use this key? Again, if I don’t set anyone, we use the default key policy, which is what I want; but if I wanted just one specific user to access this key, I would tick that box and then click Next. For now, no, we just want everyone to be able to use it. So we scroll down and click Next.

As we can see here, we can also specify other accounts that can access our key, and this would be very helpful if, for example, you wanted to copy a snapshot across accounts. Okay, so next we have to review and edit the key policy. This is what I call the default key policy, which allows the root user of my account to use this KMS key. And by allowing the root user of my account, it allows any user and role within my account to access this KMS key, which is the most permissive option. So this is great, I want to use this, and I click Finish.

So now my customer master key has been created. This is $1 per month, and it is enabled. I can start using it, but I’m going to click on it and see a bit more detail before I do. Here we can see the alias, the fact that my key is enabled and its ARN, and we can see some key actions such as disabling the key or scheduling the key deletion. We don’t want to do that right now. The cryptographic configuration shows me it’s a symmetric type of key, that the key material origin is the KMS service, that the key spec is symmetric default, and that with it we can encrypt and decrypt. There’s the key policy, and right now nothing specific is set; if we go to the key policy view, we can see that it’s allowing everyone in, because it’s the default key policy.

So this is fine. Then we don’t have any key administrators, we haven’t scheduled the key for deletion, and we haven’t added any key users or other accounts. Finally, key rotation would allow us to rotate this key every year for extra security. So if I tick this box, then we automatically rotate the CMK every year, and then you click Save. Okay, so we have our key and this is great, but we want to be able to encrypt and decrypt some data. So let’s go ahead and play with it using the CLI. Under KMS, I have a KMS demo CLI script, which is going to show us how to use the encrypt and decrypt calls of KMS with an example. So first we are going to create a file.

I’m going to call it ExampleSecretFile.txt, and in it I’m going to write "super secret password". Put whatever you want in this text file; for me, I just entered a password called super secret password. We’re going to encrypt it and then decrypt it using KMS. The first thing you have to do for KMS encryption is use the encrypt command. We have to specify a key ID, so --key-id alias/tutorial. This corresponds to the key I created in the console. You could use the alias, you could use the key ID itself, or you could use the full ARN; it doesn’t really matter, use whatever you want. Then you pass the plaintext as the path of your file, so --plaintext fileb://ExampleSecretFile.txt. Then the query and the output: you query for the CiphertextBlob, which represents the encrypted contents, and you want the output as text, as is.

And finally the region your key is in, with --region. This is going to give us a base64 file containing the encrypted contents. So let’s copy this command, paste it and run it. Now I have a file called ExampleSecretFile.encrypted.base64, and this represents my encrypted file in base64, so just with letters and numbers that we can recognise. Now we’re going to base64-decode it to get the binary encrypted value. If you’re on Windows, the command is different: for Linux I’m just going to run this one, but on Windows you can run the other one. The idea is that you create a file called ExampleSecretFile.encrypted, without the .base64. So let me copy this and paste it. Now I have a new file called ExampleSecretFile.encrypted, and if I try to open it with my text editor, it’s not going to work, because it uses either binary or an unsupported text encoding. So this is indeed a binary file.

This is the kind of encrypted file that you would share with someone. And now I want to go and decrypt it. It is complete gibberish and we cannot get any information out of it. Even the base64 one: we cannot get any information from it either. How would we know it says super secret password? So this is an encrypted file, and now we want to take this encrypted binary file and decrypt it. For this, we’re going to run a KMS decrypt command. This time we pass in the blob of the file that was encrypted, so --ciphertext-blob fileb://ExampleSecretFile.encrypted. Then we query for the Plaintext value, the decrypted value, and we write it to another file, which is going to be base64-encoded. And we specify the region. KMS knows automatically which key to use for the decryption, because the key ID is included in the encrypted blob. So let me run this.

And this has succeeded. Now if I go to my ExampleFileDecrypted.base64, it is here, and it is much shorter. Now we’re going to base64-decode this to get my text value. Again, there is a different command if you’re on Windows or if you’re on Mac or Linux. I’m going to use this one, so I copy this command and paste it. And now we have done a basic base64 decoding of our file. If we go back to ExampleFileDecrypted.txt, we find our super secret password again. So we have shown encryption and its reverse operation, decryption. These are low-level commands; the SDK will abstract some of that for us. But this shows you the full example of how you can use the encrypt and decrypt commands of KMS with your own customer master key. So that’s it, super simple. I hope that was helpful and I will see you in the next lecture.

  1. [SAA] KMS Key Rotation

So let’s talk about an important advanced topic for KMS, which is key rotation. You can enable automatic key rotation for a customer managed CMK, not an AWS managed CMK. If you enable automatic key rotation, it happens every year: after one year the key will change, but the previous key will be kept active, so that you can obviously still decrypt your old data. The new key will have the same CMK ID though. That means that only the backing key, the key material of that key, is changed. So let’s take an example. Here’s the backing key, and here’s the CMK ID. After automatic rotation, which happens every year, and you cannot change the period, it has to be every year, the backing key is going to change.

That means the key material changes, but the CMK ID remains the same, and the old backing key is saved so that you can still decrypt the old data. That’s automatic key rotation, but you can also rotate your key manually, for example if you want to rotate your key every 90 days, or every 180 days, these kinds of things. The new key will have a different CMK ID, because you create it manually. So the idea is that you keep the previous key active, obviously, so that you can decrypt old data; otherwise you would lose access to all your old data.

In this case, it is better to use aliases when you encrypt and decrypt data, because if you use aliases, then you hide the change of key from the application. I will show you this in diagrams. It is also a good solution to rotate a CMK that is not eligible for automatic rotation, such as an asymmetric CMK.

So here’s an example. The client is currently talking to the alias my-custom-key, and behind it we have a backing key and a CMK ID. Then we rotate the key manually by creating a new key, and we change the alias. What happens is that there is going to be a new CMK ID. Your old backing key is still going to be around, okay? But now your clients, thanks to the updated alias, point to the new key material, and you have done a manual key rotation. So how does updating the alias work? Well, you update the alias to hide the change from your application. Your application only interacts, from an API perspective, with your key alias, my-app-key.

Before rotation, the alias points to the old key. After rotation, you create a new key and issue an update-alias API call, and this makes the alias point to the new key; therefore, from the application’s perspective, the change is not detected. It is just transparent. Okay, so what you need to remember from an exam perspective is that if you want automatic key rotation, the period is one year.

But if you want manual key rotation, then you can go to 90 days or 180 days, based on the requirements. All the extra information I gave you is just to show you how this would work in real life; the exam will not test you on the details, as far as I know. Okay, so that’s it for this lecture. I hope you liked it and I will see you in the next lecture.
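The alias indirection from the rotation diagrams above, together with the point from the CLI hands-on that a decrypt call needs no key ID because the ciphertext blob records it, as an added example that is not part of this lecture or its demo script. FakeKms, its key IDs and the alias name are constructed so the script runs offline; the functions use the boto3 KMS call shapes (create_key, create_alias, update_alias, encrypt, decrypt), and a real boto3.client("kms") can be passed in their place.

```python
"""Manual KMS key rotation behind an alias, using the boto3 KMS call shapes.
FakeKms is a constructed offline stand-in; pass boto3.client("kms") for real use."""
import os
from itertools import cycle

class FakeKms:
    """Constructed stand-in: it models key IDs and aliases only. The 'cipher' is a
    repeating-key XOR, not real encryption, so that the script runs offline."""
    def __init__(self):
        self.keys, self.aliases, self.n = {}, {}, 0
    def create_key(self, **_):
        self.n += 1
        kid = "00000000-0000-0000-0000-%012d" % self.n   # constructed key id
        self.keys[kid] = os.urandom(32)                   # fresh backing material
        return {"KeyMetadata": {"KeyId": kid, "KeyState": "Enabled"}}
    def create_alias(self, AliasName, TargetKeyId):
        self.aliases[AliasName] = TargetKeyId
    update_alias = create_alias   # same call shape: repoints an existing alias
    def _xor(self, kid, data):
        return bytes(a ^ b for a, b in zip(data, cycle(self.keys[kid])))
    def encrypt(self, KeyId, Plaintext):
        kid = self.aliases[KeyId] if KeyId.startswith("alias/") else KeyId
        # Real KMS blobs also record the key id; that is why decrypt takes no --key-id
        return {"CiphertextBlob": kid.encode() + b":" + self._xor(kid, Plaintext), "KeyId": kid}
    def decrypt(self, CiphertextBlob):
        kid, ct = CiphertextBlob.split(b":", 1)
        if kid.decode() not in self.keys:
            raise KeyError("backing key deleted: this ciphertext is unrecoverable")
        return {"Plaintext": self._xor(kid.decode(), ct), "KeyId": kid.decode()}

def rotate_manually(kms, alias):
    """Manual rotation: new key (new key ID), alias repointed, old key left enabled."""
    new_kid = kms.create_key(Description="manual rotation")["KeyMetadata"]["KeyId"]
    kms.update_alias(AliasName=alias, TargetKeyId=new_kid)
    return new_kid

def demo(kms, alias="alias/my-app-key", secret=b"super secret password"):
    """The application only ever names the alias; the rotation is invisible to it."""
    old_kid = kms.create_key(Description="initial")["KeyMetadata"]["KeyId"]
    kms.create_alias(AliasName=alias, TargetKeyId=old_kid)
    before = kms.encrypt(KeyId=alias, Plaintext=secret)["CiphertextBlob"]
    new_kid = rotate_manually(kms, alias)
    after = kms.encrypt(KeyId=alias, Plaintext=secret)["CiphertextBlob"]
    old_dec, new_dec = kms.decrypt(CiphertextBlob=before), kms.decrypt(CiphertextBlob=after)
    return {"rotated": new_kid != old_kid,
            "old_data_ok": old_dec["Plaintext"] == secret and old_dec["KeyId"] == old_kid,
            "new_data_uses_new_key": new_dec["KeyId"] == new_kid}
```

demo(FakeKms()) returns all three flags as True; removing the old key from kms.keys afterwards makes decrypting the pre-rotation blob raise, which is the loss of old data the lecture warns about when the previous key is not kept.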
