SCS-C01 Amazon AWS Certified Security Specialty – Domain 5 – Data Protection part 4

  1. AWS Key Management Service – CMK Deletion & EBS Use-Case

Hey everyone, and welcome back. So, continuing our journey with KMS. Today, we’ll be looking again into the deletion aspect of the Customer Master Key with a specific use case. So this use case is extremely important to understand before you go for the exams. So let’s look into the use case where Medium Corp is using KMS extensively for EBS encryption. So there is one KMS Customer Master Key which is used for all the EBS encryption related operations. Now, one of the system administrators decided to turn rogue and has scheduled the key deletion of the CMK before leaving the organization. Now, you came to know about it once the CMK was deleted. What will happen to your EBS volume data? So, a very genuine use case where you are using EBS encryption and you are using one single Customer Master Key for all the EBS encryptions.

Now, someone deleted that Customer Master Key. Now, the question is, what will happen to all the data which is present in the EBS volume? So this specific use case is even present in the official documentation. And I would really suggest every one of you should read this specific use case scenario before you go for your exam. So let’s look into each of the steps and see how that would really work. So again, the scenario is the same: you create an encrypted EBS volume, at which point EBS requests a unique data key encrypted with the CMK that you specified while creating the volume. So whenever you create an EBS volume with encryption, what happens is that there is an API call which is sent to KMS requesting a new data key. So that new data key is basically stored within the EBS volume.

Now, as soon as you attach that EBS volume to the EC2 instance, there is a KMS Decrypt call. So that data key is still stored in the EBS volume in terms of ciphertext; it is not stored in plaintext. So whenever you attach that EBS volume to the EC2 instance, depending upon the role’s permissions, there is a KMS Decrypt API which is called to decrypt the data key which is stored in the EBS volume. Now, once the role policy is proper, this specific KMS Decrypt API will work properly and AWS KMS will send the decrypted data key to the EC2 instance. So this decrypted data key is basically stored in the hypervisor memory for the EBS volume. So now you have the plaintext version of the data key which is stored in the memory. Now, if someone schedules the CMK for deletion, or someone has already deleted the CMK, it will not have an immediate effect.

Why? Because the plaintext version of the data key which was used for encryption is still stored in the hypervisor memory. So this deletion of the CMK will not come into effect immediately. However, if you detach the EBS volume and you attach it again to some other EC2 instance, what will happen is that again there will be an AWS KMS Decrypt API call that will be made to decrypt the data key which is stored in the EBS volume. Now, since there is no Customer Master Key, that call will fail and you will not be able to decrypt the data. So this is one of the use cases that you must remember before you go for the exams. So, a short lecture. I would really encourage you to read this specific documentation once. So if you just type “deletion of customer master key AWS KMS”, you will be presented with this specific documentation. So this is it about this lecture. I hope this has been informative for you and I look forward to seeing you in the next lecture.
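The lifecycle the lecture walks through (GenerateDataKey at volume creation, Decrypt at attach, the plaintext key surviving in hypervisor memory, and the failed Decrypt on re-attach after the CMK is scheduled for deletion) can be played out offline. The following is an added simulation written for this page, not code from the course or from AWS: `KmsSim`, `EbsVolume` and `Ec2Instance` are hypothetical stand-ins, and the keystream cipher inside is a toy that only keeps the script dependency-free.

```python
"""Simulation of EBS envelope encryption and what CMK deletion does to it (added example)."""
import hashlib
import hmac
import secrets


class KmsError(Exception):
    """Raised when the simulated KMS refuses an operation (key pending deletion or missing)."""


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy HMAC-SHA256 counter-mode keystream. It stands in for the real service's
    # AES-GCM purely so the example runs stand-alone; never use it for real data.
    stream = b""
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(12)
    return nonce + _keystream_xor(key, nonce, plaintext)


def unseal(key: bytes, blob: bytes) -> bytes:
    return _keystream_xor(key, blob[:12], blob[12:])


class KmsSim:
    """Minimal stand-in for AWS KMS: CMK material lives here and never leaves."""

    def __init__(self):
        self._cmks = {}  # key_id -> {"material": bytes, "state": str}

    def create_key(self) -> str:
        key_id = secrets.token_hex(8)  # 16 hex chars, used as the blob prefix below
        self._cmks[key_id] = {"material": secrets.token_bytes(32), "state": "Enabled"}
        return key_id

    def _enabled(self, key_id: str) -> bytes:
        entry = self._cmks.get(key_id)
        if entry is None or entry["state"] != "Enabled":
            state = entry["state"] if entry else "NotFound"
            raise KmsError(f"key {key_id} unusable: state={state}")
        return entry["material"]

    def generate_data_key(self, key_id: str):
        """GenerateDataKey: a plaintext data key plus the copy wrapped under the CMK."""
        material = self._enabled(key_id)
        plaintext = secrets.token_bytes(32)
        return plaintext, key_id.encode() + seal(material, plaintext)

    def decrypt(self, blob: bytes) -> bytes:
        """Decrypt: unwrap a data key; fails once the CMK is pending deletion or gone."""
        return unseal(self._enabled(blob[:16].decode()), blob[16:])

    def schedule_key_deletion(self, key_id: str) -> None:
        self._cmks[key_id]["state"] = "PendingDeletion"


class EbsVolume:
    """Stores only the wrapped data key and ciphertext blocks, never a plaintext key."""

    def __init__(self, kms: KmsSim, cmk_id: str):
        _, self.encrypted_data_key = kms.generate_data_key(cmk_id)
        self.blocks = {}


class Ec2Instance:
    """Attach triggers kms:Decrypt; afterwards the plaintext key lives only in memory."""

    def __init__(self):
        self._keys = {}  # volume -> plaintext data key cached by the hypervisor

    def attach(self, vol: EbsVolume, kms: KmsSim) -> None:
        self._keys[id(vol)] = kms.decrypt(vol.encrypted_data_key)

    def detach(self, vol: EbsVolume) -> None:
        del self._keys[id(vol)]  # cached key is dropped with the attachment

    def write(self, vol: EbsVolume, block: int, data: bytes) -> None:
        vol.blocks[block] = seal(self._keys[id(vol)], data)

    def read(self, vol: EbsVolume, block: int) -> bytes:
        return unseal(self._keys[id(vol)], vol.blocks[block])


def run_scenario() -> dict:
    """Plays the lecture's scenario and returns what each step observed."""
    kms = KmsSim()
    cmk = kms.create_key()
    vol = EbsVolume(kms, cmk)
    first = Ec2Instance()
    first.attach(vol, kms)
    first.write(vol, 0, b"customer data")
    kms.schedule_key_deletion(cmk)        # the departing administrator's action
    still_readable = first.read(vol, 0)   # cached plaintext key keeps working
    first.detach(vol)
    second = Ec2Instance()
    try:
        second.attach(vol, kms)           # needs a fresh kms:Decrypt, which now fails
        reattach_error = None
    except KmsError as exc:
        reattach_error = str(exc)
    return {"read_after_deletion": still_readable, "reattach_error": reattach_error}


if __name__ == "__main__":
    print(run_scenario())
```

The point the simulation makes visible is that the running instance never notices the deletion; only the next attach does. In a real account, the detection opportunity is the `ScheduleKeyDeletion` event in CloudTrail and the key's `PendingDeletion` state, and `CancelKeyDeletion` during the waiting period is what saves the data.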

  1. Reducing Risk of Unmanageable CMK

Hey everyone, and welcome back. In today’s video we’ll be discussing reducing the risk of an unmanageable CMK. Now, this is a pretty interesting topic and what I have decided is not to include slides; we will directly jump into the practical and we’ll understand more about this. So I am in my KMS console. Let’s go ahead and create a new key. I’ll just say kplabs-unmanaged, I’ll do a Next and we’ll leave everything as default. Now, typically, when you leave everything as default, what KMS does behind the scenes is it basically adds the root account as the principal here. Now, in this type of scenario, what happens is that the root account generally cannot be deleted.

And this is the reason why this key policy is quite safe. However, instead of the root account, if you add an IAM user, then that becomes a problem. So let me show you that. So, I have logged in through a different browser. Now, I have logged in through a user called kplabs and the kplabs user has administrator access over here. Now, if we look into the KMS CMK policy and if we edit it, let me quickly edit this. Now, instead of the root, if we go ahead and add the ARN of a user, kplabs, let me quickly edit this and we’ll save this. Now, from the kplabs user, if you go to customer managed keys, everything seems to be proper.

There are no errors here. However, if you go to the root account and let me quickly refresh the page, you see it is basically giving an error saying AccessDeniedException. Basically, this root user does not really have permission over the keys because the key policy got changed over here. Now, the problem happens when the IAM user gets deleted. So what happened was, currently, if you look, this key is completely managed by the IAM user called kplabs. And let’s assume that the IAM user kplabs is deleted: let me just open the kplabs user, I’ll delete this kplabs user, let me just click on acknowledge and I’ll delete this.

Now, what happened was this key was completely controlled by the IAM user kplabs, and kplabs is completely deleted. And this is also referred to as an unmanageable CMK. And this is the reason why it is recommended that whatever key policy you write, make sure you add the policy for the root user, because the root user cannot be deleted and it helps prevent the CMK from becoming unmanageable. Now, generally, whenever a CMK becomes unmanageable, you would typically need to create a support request with AWS, and they have the authority to change it. So that’s the high level overview about the risk of a CMK being unmanageable. I hope this video has been informative for you and I look forward to seeing you in the next video.
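A check for the condition this video demonstrates, written as an added example for this page rather than taken from the course: it inspects a key policy and reports whether any Allow statement keeps key-management rights with the account root principal (which cannot be deleted), or whether only deletable IAM users and roles can manage the key. The account id, user ARN and both policies are constructed placeholders; the weak policy mirrors the state the video ends in after the root principal was swapped for the IAM user.

```python
"""Audit a KMS key policy for the 'unmanageable CMK' risk (added example)."""
import json

ACCOUNT_ID = "111122223333"  # constructed placeholder account id
ROOT_ARN = f"arn:aws:iam::{ACCOUNT_ID}:root"
USER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/kplabs"

# Constructed: the policy after the root principal was replaced by an IAM user.
WEAK_KEY_POLICY = json.loads(f"""
{{"Version": "2012-10-17",
  "Statement": [
    {{"Sid": "Enable IAM User Permissions", "Effect": "Allow",
      "Principal": {{"AWS": "{USER_ARN}"}}, "Action": "kms:*", "Resource": "*"}}
  ]}}""")

# Constructed: the default shape, root kept and the IAM user added alongside it.
SAFE_KEY_POLICY = json.loads(f"""
{{"Version": "2012-10-17",
  "Statement": [
    {{"Sid": "Enable IAM User Permissions", "Effect": "Allow",
      "Principal": {{"AWS": "{ROOT_ARN}"}}, "Action": "kms:*", "Resource": "*"}},
    {{"Sid": "Allow key administration", "Effect": "Allow",
      "Principal": {{"AWS": "{USER_ARN}"}}, "Action": "kms:*", "Resource": "*"}}
  ]}}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _aws_principals(statement):
    """ARNs or account ids named in the statement's 'AWS' principal block."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))


def _grants_management(statement):
    """True for an Allow whose Action covers key administration (kms:* or PutKeyPolicy)."""
    if statement.get("Effect") != "Allow":
        return False
    actions = [a.lower() for a in _as_list(statement.get("Action", []))]
    return any(a in ("*", "kms:*", "kms:putkeypolicy") for a in actions)


def root_keeps_control(key_policy, account_id):
    """True when an undeletable principal (root ARN or bare account id) can manage the key."""
    root = f"arn:aws:iam::{account_id}:root"
    for stmt in key_policy.get("Statement", []):
        principals = _aws_principals(stmt)
        if (root in principals or account_id in principals) and _grants_management(stmt):
            return True
    return False


def deletable_admins(key_policy):
    """IAM users/roles holding management rights; deleting them is what orphans the key."""
    found = []
    for stmt in key_policy.get("Statement", []):
        if _grants_management(stmt):
            found.extend(p for p in _aws_principals(stmt) if ":user/" in p or ":role/" in p)
    return found


def audit(key_policy, account_id):
    """Returns (ok, message) following the video's recommendation to keep root in the policy."""
    if root_keeps_control(key_policy, account_id):
        return True, "root principal retains management rights; deleting IAM identities cannot orphan the key"
    return False, "only deletable principals can manage this key: " + ", ".join(deletable_admins(key_policy))


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_KEY_POLICY), ("safe", SAFE_KEY_POLICY)):
        print(name, audit(policy, ACCOUNT_ID))
```

The same function can be pointed at real policies by feeding it the JSON returned by `aws kms get-key-policy --policy-name default`; a `False` result is the state that otherwise ends in a support case.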

  1. KMS – Authentication and Access Control

Hey everyone, and welcome back. In today’s video we will be discussing KMS authentication and access control. Now, basically in AWS there are always two types of policies that we would generally work with. One is the IAM level policy which can be attached to an IAM principal. It can be a user or even a role. And second is the resource level policy which can be attached directly to the resource, like the S3 bucket policy. Or even in Glacier we can attach a policy. Now in KMS also we can work with both IAM policies as well as resource level policies. Now in KMS, even if you do not define one, by default all the Customer Master Keys have a key policy attached to them. So this is the default policy which gets attached to the CMK that you create.

Now, while managing the control on who has access to the CMK, there are three ways in which this can be defined. One is through key policies. So these policies are the resource level policies which get attached to the CMK. Second is through IAM policies in combination with key policies. And third is with the help of KMS grants. So let’s do one thing, let’s go ahead and understand some of them so that it becomes much clearer to us. Now, one interesting thing is that AWS has launched a dedicated Key Management Service console. Earlier it was not present, but now they have launched a completely new one. So let me click here and currently you see there are no customer managed keys which are present over here. Do remember this is very similar to the console that we see when we go into IAM and Encryption Keys.

That was the older one, this is the newer one. So let’s do one thing, let’s go ahead and create a key. So basically the thing that I wanted to show you is that we had discussed that in KMS, by default, all the CMKs have a default key policy which gets attached to them. So this is what I wanted to show you. So let me create a key. I’ll say kplabs-test, I’ll do a Next. Let me do a Next again and basically here it asks me to define a key administrator. I’ll just leave it as default. Let me do a Next. Now is the key usage permission. Let me just leave it as default and currently you see it says review and edit the key policy. So this is the default key policy which gets added when you have all the things as default.

So let’s click on Finish. So once you have done that, you would see that your customer managed key is present. If you just click over here, there are two views which you will generally see. One is the console view over here and second, if you click on Switch to policy view, this is the policy view. So this is how the policy view really looks. And if you look into the default policy, what it is doing is, within the principal, this is my AWS account. So it is allowing all the actions on this specific KMS key from this specific account. So now, if at the IAM level someone has attached a kms:* policy, then the user will be able to perform all the operations on this specific KMS key that is generated. So let’s do one thing, let me go ahead and add a key administrator, or you can even add a key user.

So let’s try and add a key user. I have various default users which are created. Let me add a user called Alice. All right? So within the key users, now I have a user called Alice who has been added. And now if you look into the policy view, there would be two policies. So this is the first policy which is present over here, and from line 14 we have the second policy, and you have the third policy block which is attached over here. So this is one important part to remember. So basically you can directly edit the policy also from here. So this is also something that you will be able to do. Now, if you typically look into the second policy statement. So this is the second policy statement. So what this policy statement does is it allows the user Alice to perform these specific actions, which are Encrypt, Decrypt, ReEncrypt, GenerateDataKey and DescribeKey.

And there is a third policy over here which again is specific to user Alice and it allows only three specific actions, which are CreateGrant, ListGrants and RevokeGrant. Now, if you basically look into our slides over here, there were three ways in which we could control access to the CMK. One is through key policies, second is through IAM policies and third is through KMS grants. And the third policy statement is basically allowing Alice to create a grant for the CMK. So this is what it is. So that’s the high level overview about how you can control authentication to KMS. We’d be discussing in more detail in the upcoming videos. But I hope this high level overview has been useful for you and I look forward to seeing you in the next video.

  1. KMS Policy Evaluation Logic – Use Case Solution – 01

Hey everyone and welcome back. In today’s video we will be discussing the KMS and IAM policy evaluation logic. Now, understanding how the KMS and IAM policies work is extremely important for the exams because a lot of students actually get quizzed just on this specific topic. So this is a very important part to remember. Now, again, we will not be looking into the IAM policy evaluation logic. That is something that we had already covered in the later videos. But we’ll be discussing directly the use cases. So we have three use cases over here. So you have use case one, use case two and use case three.

So what we’ll be doing, we’ll take up one use case and I’ll give you the questions which you need to answer. Definitely after the end of all the three use cases, I’ll be posting the relevant solution. But this is some kind of an exercise that you should be doing. So let’s go ahead and understand what the first use case is. So, in the first use case, I have a CMK which is KP Labs case one. If I click over here, basically it has a key policy. So let me just click on edit so it becomes visible to you. Now, the first statement within the key policy basically allows the principal of root to have all actions on all the resources. So this is the first policy and if you go below, you have the second policy over here, which is specific to the principal of the user Alice.

And the actions which are allowed here are Decrypt and DescribeKey. So only two actions are specified within this key policy. Basically, I’ll be posting all of these key policies below the video so that you can just go through them. Now, this is as far as the CMK key policy is concerned. Now, if we look into the IAM policy related to the user Alice, so this is how the IAM policy looks, where only one action is allowed. The action is kms:Encrypt. So only the action of type Encrypt is allowed. And the ARN, so this is the ARN of this specific key. So this is 766cd, and here also you have 766cd. All right? So now the question is, can Alice perform the Encrypt operation? Can Alice perform the Decrypt operation? So, what you can do, just go through the policies, i.e. I will be pasting them as a document below the video, and you can go through the policy which is present over here.

You can even put this policy within your console and try it out, and try to answer: can Alice perform the Encrypt operation? Can Alice perform the Decrypt operation? So, this is about today’s video and we’ll conclude, and I hope that you will be able to answer this correctly.

  1. KMS Policy Evaluation Logic – Use Case Solution – 01

Hey everyone, and welcome back. Now, in the earlier video, we were discussing use case one. So the question was whether Alice would be able to perform the Encrypt operation, and second was whether Alice would be able to perform the Decrypt operation. Now, jumping directly to the answer. The answer is yes. Alice will be able to perform both the Encrypt as well as the Decrypt operation. So let’s look into this, whether it actually works. And then we’ll come into the scenario where we’ll discuss why this will work. So let’s get started. So for our sample I have already written down the commands so that we can have a quick video. Otherwise it will again go too long, so I’ll just copy it over. And within my console, I have Alice’s access and secret key here.

So let me first try and check whether Alice will be able to perform the Encrypt operation, and it seems yes. So if we quickly do a cat on the example encrypted file, we see that the file has been encrypted. So we know that Alice will be able to perform the Encrypt operation. So let’s discuss the second one, where we’ll see whether Alice will be able to perform the Decrypt operation. Let’s put it here. And it seems that the Decrypt operation is also successful. So if we quickly do a cat on the decrypted plaintext, so this would be, let’s run a base64 decode on this. You should get a “hey”. And we got the plaintext back. So if you quickly look here, in the first command we were having the plaintext and we encrypted it.

And in the second command, we ran the decrypt command, and we saw that we were able to decrypt it. So from here, we can confirm that Alice will be able to perform both the Encrypt as well as the Decrypt operation. So let’s look into why. So let’s come here. So in the IAM policy which is attached to Alice, the IAM policy is allowing kms:Encrypt over here, so this is the first step. So now the second step is to actually go to KMS and verify whether there is any explicit deny or not. Since there is no explicit deny over here, Alice will be able to perform the Encrypt operation. Now, one more reason why Alice is able to perform the Encrypt operation is because of this first block. Now, within the first block, if you would see, the principal is the root, so basically the principal is this account.

Now, since the Alice user belongs to this specific account and there is no deny over here, you see there is an effect of Allow, this is the reason why the Encrypt operation will be performed. Now, when it comes to the Decrypt operation, you have an explicit policy present over here which says that the user Alice, if you see the principal which contains the ARN of the Alice user, so the Alice user has the option for Decrypt. And this is the reason why the Decrypt operation can be performed. If in case you remove this specific block, then Alice will not be able to perform the Decrypt operation. Let’s try it out. So let me click on edit and let me remove this specific block.

All right, so let’s remove the specific block and I’ll do the save changes. So let’s switch back to the policy view and just confirm that you do not really have any second policy statement. The only policy statement that you have over here is the root account one. Now, if you try to run the decrypt command once again, you see it has failed, saying AccessDeniedException. And this is the reason why it was able to perform earlier: because within the key policy, we had allowed the principal which had the ARN of the Alice user to be able to do the Decrypt operation. So this is it about the first use case. I hope this video has been informative for you and I look forward to seeing you in the next use case video.
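The evaluation order the lecturer applies in this solution video (explicit deny first, then a key-policy statement naming the caller, then the root statement handing the decision to IAM policies), together with the key-policy shapes shown in the earlier authentication and access control video, can be reproduced as a small simulator. The code below is an added example for this page, not the course's or AWS's code, and it only models same-account callers with `Action`/`Resource` wildcards; conditions, `NotAction`, grants and cross-account access are out of scope. The account id, key ARN and user ARN are constructed placeholders; the two policies mirror what the lecturer describes for use case one.

```python
"""Simulate KMS key policy + IAM policy evaluation for use case one (added example)."""
import fnmatch

ACCOUNT_ID = "111122223333"                                              # constructed
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/KEY-ID-PLACEHOLDER"   # placeholder
ROOT_ARN = f"arn:aws:iam::{ACCOUNT_ID}:root"
ALICE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/alice"

# Constructed key policy: root gets every action, Alice gets only Decrypt and DescribeKey.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableRoot", "Effect": "Allow", "Principal": {"AWS": ROOT_ARN},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowAlice", "Effect": "Allow", "Principal": {"AWS": ALICE_ARN},
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
    ],
}

# Constructed IAM policy attached to Alice: only Encrypt, only on this key.
ALICE_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "kms:Encrypt", "Resource": KEY_ARN}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(patterns, value):
    """IAM-style case-insensitive wildcard match for Action and Resource values."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _principals(stmt):
    principal = stmt.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get("AWS", []))


def evaluate(key_policy, iam_policy, caller_arn, account_id, action, key_arn):
    """Decide a same-account request in the order the lecture walks through."""
    key_stmts = [s for s in key_policy["Statement"] if _match(s["Action"], action)]
    iam_stmts = [s for s in iam_policy["Statement"]
                 if _match(s["Action"], action) and _match(s.get("Resource", "*"), key_arn)]
    root = f"arn:aws:iam::{account_id}:root"

    def names_caller(s):
        return caller_arn in _principals(s) or "*" in _principals(s)

    def names_root(s):
        return root in _principals(s) or account_id in _principals(s)

    # 1. An explicit Deny, in the IAM policy or in a key-policy statement covering the caller, wins.
    if any(s["Effect"] == "Deny" for s in iam_stmts) or \
            any(s["Effect"] == "Deny" and names_caller(s) for s in key_stmts):
        return "Deny (explicit)"
    # 2. A key-policy Allow that names the caller needs no IAM policy at all.
    if any(s["Effect"] == "Allow" and names_caller(s) for s in key_stmts):
        return "Allow (key policy names the caller)"
    # 3. A key-policy Allow for the account root delegates the decision to IAM policies.
    if any(s["Effect"] == "Allow" and names_root(s) for s in key_stmts) and \
            any(s["Effect"] == "Allow" for s in iam_stmts):
        return "Allow (root statement delegates to IAM; IAM policy allows)"
    return "Deny (implicit)"


def run_use_case_one():
    """Returns the three outcomes the solution video demonstrates."""
    encrypt = evaluate(KEY_POLICY, ALICE_IAM_POLICY, ALICE_ARN, ACCOUNT_ID, "kms:Encrypt", KEY_ARN)
    decrypt = evaluate(KEY_POLICY, ALICE_IAM_POLICY, ALICE_ARN, ACCOUNT_ID, "kms:Decrypt", KEY_ARN)
    # Remove the Alice block, as the lecturer does in the console at the end of the video.
    trimmed = {"Version": "2012-10-17",
               "Statement": [s for s in KEY_POLICY["Statement"] if s["Sid"] != "AllowAlice"]}
    decrypt_after = evaluate(trimmed, ALICE_IAM_POLICY, ALICE_ARN, ACCOUNT_ID, "kms:Decrypt", KEY_ARN)
    return {"encrypt": encrypt, "decrypt": decrypt, "decrypt_without_alice_block": decrypt_after}


if __name__ == "__main__":
    for name, outcome in run_use_case_one().items():
        print(f"{name}: {outcome}")
```

Step 3 is the one that trips people up in the exam: an IAM policy granting `kms:Encrypt` does nothing on its own, and it only takes effect because the default key policy's root statement is present. Delete that statement and the IAM policy becomes irrelevant, which is the same mechanism behind the unmanageable CMK in the earlier video.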
