SCS-C01 Amazon AWS Certified Security Specialty – Domain 5 – Data Protection part 2

  1. AWS Key Management Service

Hey everyone and welcome back. In today’s video, we will be discussing the AWS Key Management Service. Now, typically, let’s say your organization wants a system to store its secrets. You might say, all right, if the secrets need to be stored securely, we will go with CloudHSM. CloudHSM is definitely good, but it comes with its own disadvantages. The first disadvantage of CloudHSM is the additional complexity, and also it is not fault tolerant by default. So it’s not like you can launch a single CloudHSM and store the keys there; you need at least two CloudHSMs for fault tolerance. The second disadvantage of CloudHSM, as far as Q1 of 2019 is concerned, is that AWS does not really have an SLA for it. And the third thing is the cost.

So in the Mumbai region, it costs around $2 per hour, and if you have two CloudHSMs that means $4 per hour. If you look at the monthly cost, it becomes expensive, and for smaller startups or medium-sized organizations it is really not the right choice. So what you can go with instead is the Key Management Service, which provides similar functionality at a lower cost and lower complexity. Now, in definitive terms, AWS KMS is a managed service which allows us to create, manage and control encryption keys, and behind the scenes it uses HSMs to protect the security of the keys. One of the great things about KMS is that it does not have any upfront cost, it is on a pay-as-you-go model, and it is much, much cheaper when you compare it with the typical CloudHSM.

Now, there are certain concepts that you need to remember as far as KMS is concerned. One is plaintext and ciphertext. Plaintext basically refers to the data in an unencrypted form, and ciphertext refers to the data after it is encrypted. We also need to understand algorithms and keys. Typically an encryption algorithm is a step-by-step approach that tells how a specific plaintext will be converted to a ciphertext. So let’s say you have a plaintext here and you have a ciphertext here. The conversion from plaintext to ciphertext can differ based on the algorithm. There are various kinds of encryption algorithms, and which algorithm you choose determines the way in which the plaintext gets converted.

Now, as far as KMS is concerned, KMS only supports symmetric key algorithms, primarily AES-GCM with 256-bit keys. Let’s look into how exactly we can configure KMS. There are three major steps. First, we go ahead and create a CMK; CMK basically is the customer master key. Once we do that, we configure the administrator user and the key user. And third, the key user can reference the key ID to encrypt and decrypt the data. So let’s look into this in terms of screenshots. The first thing we discussed is basically the creation of the CMK, the KMS key. Within here you have to give an alias, which basically helps us in referencing keys for ease of use. All right? So this is the first thing. The second thing is the key administrator. We have to define who will be the key administrators, who will have full permission over the key.

And the third is the key usage permission, where we can specify who will be allowed to use the key, that is, who will be allowed to encrypt or decrypt data with the help of the key. Now, the screenshots that we had in this slide are based on the older console. AWS has recently released a new GUI for KMS. So let’s go ahead and look into how we can achieve that in terms of practicality. I’m in my AWS management console, and let me quickly show you both the ways in which you can configure the Key Management Service. The earlier way was to go to the IAM console and click on Encryption keys. So yes, there are a lot of keys which are available, and if you click on Create key, you see these are the screenshots that we had within our slide. However, AWS has also released the newer console for the Key Management Service.

So if you just type “key” here you will have a Key Management Service option, and this is how the new console looks. If you go to AWS managed keys, these are the managed keys which are available anyway. Here we are more interested in the customer managed keys. So generally there are two kinds of keys that you’ll see. One is the AWS managed keys; these are the ones which are used by the various AWS services. And second is the customer managed keys; these are the keys that you generally create for your custom application. So let’s click on Create key. The first thing that you need to give is an alias. So let me give an alias of kplabs-key and let’s click on Next. I’ll skip the tags. Let’s click on Next. Now in the next screen you can specify the key administrator.

A key administrator basically has full control over the key. So you can add a key administrator over here, or you can skip it. In my case I’ll add one IAM user. These are basically the IAM users and the IAM roles. I have an IAM user called Zeal and I’ll add Zeal as the key administrator over here. Now, let’s click on Next. Here you have to specify the key usage permission. You do not really have to do it right now; you can do it at a later stage as well, and let me show you that as well. So I’ll just skip the key usage permission. I’ll click on Next and this is the key policy that really gets created. So if you look into the key policy over here, the principal is the account root, and it has full access. And then you have the Zeal user over here. Now, since we defined the Zeal user as an administrator,

these are all the permissions that the Zeal user has. All right, so we’ll click on Finish. Great. It says that your customer managed key was created, and the alias here is kplabs-key. This alias allows us to distinguish the keys in a much easier form, because if the keys are distinguished only by the key ID, it really becomes confusing. So an alias is something that is useful for us. If you go inside the key, this is how things would really look. Now you’re within the key policy, and you have a switch to policy view. If you click on the policy view, this is the exact policy. All right, let’s go back to the key and let’s go a bit down. Here you have the key administrators, and you can define multiple administrators. Over here you also have the key users. Now, let me quickly show you; in fact, I already have it open in another tab.

So if you click on Users, you see that I have multiple users, and if required you can go ahead and add a user as well. Let me add a KMS user. I’ll just give it programmatic access for the time being. I’ll click on Review and I’ll go ahead and create the user. Great. So the KMS user has been created. Let’s quickly refresh the screen, and now let’s go a bit down under the key users, where we can go ahead and add the KMS user here. Great. So the KMS user has been added. This is the high level overview of KMS. Now again, since the KMS user has been added as a key user, with the access and secret key this user can encrypt or decrypt his or her own data.

Now, one important part to remember is that KMS will not give you the CMK. The master key is something that KMS will never hand over to you; you can only reference it by the key ID. So this is the key ID. Let’s say you have some data: you tell KMS to use this specific key ID to encrypt or to decrypt your data. The great thing about this is that since you never receive the key, there is no chance that the key will be stolen from your side. That is one of the great things. Anyway, this is the high level overview of the CMK. In the next video we’ll look into how we can make use of the KMS user to encrypt and decrypt data with KMS. With this, we’ll conclude this video. I hope this video has been informative for you, and I look forward to seeing you in the next video.

  1. AWS Key Management Service – Part 02

Hey everyone, and welcome back. Now, in the earlier video, we had created our first KMS key, and this is basically the key ID. In today’s video, we’ll look into how we can go ahead and perform the encrypt and decrypt operations using this specific KMS key. If you remember, within the key users we had added a user called the KMS user over here, and within the IAM console I am inside the KMS user. So let’s do one thing. Let’s go to Security credentials and generate an access key and secret key. I’ll copy this access key and I’ll run the aws configure command. Let me put the access key here, and I’ll copy the secret key as well and put the secret key. For the region I will select ap-southeast-1, because our KMS key was created in the Singapore region. The output format I’ll just leave as the default and press Enter.

Great. Now the CLI is configured with the KMS user’s credentials. So let’s try a simple aws kms list-keys operation here, and it says AccessDeniedException: basically this user does not have access to list the keys. And who does not have access? It shows the ARN, and this ARN is associated with the KMS user. So let’s do one thing. I’ll go to the IAM console and go to Permissions. I’ll add a new inline policy over here; the visual editor is what we’ll use. I’ll select the service KMS, and for the actions let’s select ListKeys over here. This action does not support a specific resource, so it applies to all resources. I’ll go ahead and review the policy. I’ll call it KMS-list-keys and I’ll go ahead and create the policy. Great. So our policy is now created.

So let’s go back to the CLI. I’ll clear the screen and type the same command again, and you can see these are the keys which are available. Now, if you just want to see which one is our key: as we already discussed, every key has a key ID, and this is the key ID over here. It ends with fd11. So you can verify that this is the specific key ID that we are dealing with. Great. The next thing is to check how we can perform the encrypt operation. In order to do that, let’s do one thing: I’ll search for “aws kms cli” over here and let’s look into some of the command line arguments associated with KMS. If you go a bit down, we are more interested in the encrypt as well as the decrypt operations.

Now, for aws kms encrypt, if you go a bit down, there are certain things which are required. One is the key ID, which is mandatory, and second is the plaintext over here. These are the mandatory fields if you want to encrypt data. So let’s do one thing: I’ll type aws kms encrypt, then --key-id, and let’s copy this specific key ID completely. The next argument was --plaintext, so here you have to use that. Let’s quickly do this, and I’ll say “this is zeal”, all right, and press Enter. Currently you see it gave back the key ID and it gave the CiphertextBlob. This specific value that you see over here is the base64 encoding of the encrypted form of the text that we had specified.

Now you can, let’s say, specify a --query on CiphertextBlob, because what is happening now is you are getting a huge amount of output. You are not interested in the key ID, all right? You might only be interested in this specific part. So let’s do a query on CiphertextBlob. It is giving null; oops, I made a simple typo. Great, so now it gave the specific value. Within this value you do have double quotes over here, and these double quotes are not really required. So what you can do is specify --output text, and now you see you just have this specific data. Again, this is completely in base64. If you quickly do a base64 decode, you see this is all binary data. So let’s do one thing: I’ll do a base64 decode and store the result in a file called encrypted_demo.txt.

All right. And if you do a less on encrypted_demo.txt, it says that it is a binary file. So anyway we will not be able to read it, because the entire data is encrypted over here. That is as far as the encryption is concerned. Coming back to the CLI reference for aws kms decrypt, let’s look into the synopsis. You have aws kms decrypt, and you have to specify the --ciphertext-blob; if you look, the ciphertext blob is basically the ciphertext to be decrypted. Let’s try it out. I’ll type aws kms decrypt, then you can make use of --ciphertext-blob with the file here, specify the file encrypted_demo.txt, and press Enter. Currently you see it gave us the plaintext back. But again, the problem is that this specific value is only part of the entire output.

So if you just want this specific value, you can make use of --query and specify the field, which is Plaintext. All right, so now you got this specific value, but again there are double quotes which we do not really need here. So I’ll just specify --output text. Great, now you have the output as text, and this is the value. Again, this is a base64 value, and it does not really make sense to us. So let’s do a base64 decode once again, and now you see you have the plaintext value, which is “this is zeal”, which is present over here. So this is the high level overview of how you can perform the encryption and decryption operations. Throughout this entire operation, we never received the master key. The master key always and only is stored in KMS, and here we do not have the master key.
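The CLI round trip above, written as a Python/boto3-style helper (an added example, not the course’s own code). boto3 returns CiphertextBlob as raw bytes whereas the CLI prints it base64-encoded, so the helper stores the ciphertext base64-encoded, exactly what `--query CiphertextBlob --output text` gave on the page, and on decrypt it passes the expected key and checks the KeyId that KMS reports. The FakeKmsClient is a constructed stand-in with the same call and response shape so the example runs offline; it performs no real encryption. The key ARN and file name are constructed placeholders.

```python
import base64
import os
import tempfile

# Constructed placeholder; substitute the ARN of your own KMS key.
KEY_ARN = "arn:aws:kms:ap-southeast-1:111122223333:key/REPLACE-WITH-KEY-ID"


class FakeKmsClient:
    """Offline stand-in for boto3's KMS client (constructed for this example).

    It reproduces the request/response shape of kms:Encrypt and kms:Decrypt
    (bytes in CiphertextBlob and Plaintext, a KeyId ARN in both responses)
    but does NOT encrypt: it hands back an opaque random token and keeps the
    plaintext in memory. Real KMS keeps the master key inside its HSMs.
    """

    def __init__(self, key_arn):
        self.key_arn = key_arn
        self._store = {}

    def encrypt(self, KeyId, Plaintext):
        token = os.urandom(16)
        self._store[token] = Plaintext
        return {"KeyId": self.key_arn, "CiphertextBlob": token}

    def decrypt(self, CiphertextBlob, KeyId=None):
        if CiphertextBlob not in self._store:
            raise ValueError("InvalidCiphertextException")
        return {"KeyId": self.key_arn, "Plaintext": self._store[CiphertextBlob]}


def encrypt_to_file(kms, key_id, plaintext, path):
    """Encrypt under `key_id` and write the ciphertext base64-encoded.

    Mirrors `aws kms encrypt --query CiphertextBlob --output text`: the CLI
    base64-encodes the blob for you, boto3 hands back raw bytes.
    """
    resp = kms.encrypt(KeyId=key_id, Plaintext=plaintext)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(base64.b64encode(resp["CiphertextBlob"]).decode("ascii"))
    return resp["KeyId"]


def decrypt_from_file(kms, expected_key_arn, path):
    """Decode the base64 file, decrypt, and insist the ciphertext came from
    `expected_key_arn`.

    KMS identifies the key from the ciphertext itself, so passing KeyId and
    comparing the KeyId in the response stops a ciphertext produced under a
    different key in the account from being silently accepted.
    """
    with open(path, encoding="ascii") as fh:
        blob = base64.b64decode(fh.read())
    resp = kms.decrypt(CiphertextBlob=blob, KeyId=expected_key_arn)
    if resp["KeyId"] != expected_key_arn:
        raise RuntimeError(
            f"ciphertext belongs to {resp['KeyId']}, not {expected_key_arn}"
        )
    return resp["Plaintext"]


def roundtrip(kms, key_arn, message):
    """Encrypt `message` to a temp file and decrypt it back; returns bytes."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "encrypted_demo.txt")
        encrypt_to_file(kms, key_arn, message, path)
        return decrypt_from_file(kms, key_arn, path)


if __name__ == "__main__":
    print(roundtrip(FakeKmsClient(KEY_ARN), KEY_ARN, b"this is zeal"))
    # Against real KMS (credentials must allow kms:Encrypt/kms:Decrypt on the key):
    # import boto3
    # real = boto3.client("kms", region_name="ap-southeast-1")
    # print(roundtrip(real, KEY_ARN, b"this is zeal"))
```

One caveat when repeating the video’s commands with AWS CLI v2 rather than v1: v2 expects binary parameters such as --plaintext to be base64-encoded unless cli_binary_format is set to raw-in-base64-out, and a raw binary ciphertext file must be passed as fileb:// rather than file://.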

That means we do not really have to bother about the master key getting lost, because it is stored on the AWS side and AWS takes care of that. So this is the high level overview of KMS as far as encryption and decryption are concerned. Again, if you noticed, we were just going through the CLI reference and using the CLI commands which are documented there. This is the best way, because generally, if you take the Red Hat certification, it becomes difficult to remember so many commands there. So it’s always recommended to go through the documentation and look into the synopsis, or, if you go a bit down, you also have the examples over here. If you have this habit, it will really help you in the longer term, and this is the reason why I try to use this kind of setup throughout the videos. So with this, we’ll conclude this video. I hope this has been informative for you, and I look forward to seeing you in the next video.
