Thursday, June 15, 2017

Introduction to AWS Key Management Service

Overview

This guide introduces you to the Introduction to AWS Key Management Service self-paced lab.

The lab will give you a basic understanding of AWS Key Management Service. It demonstrates the basic steps required to get started with Key Management Service: creating keys, assigning management and usage permissions for the keys, encrypting data, and monitoring the access and usage of keys.

Topics covered

By the end of this lab you will be able to:

  • Create an Encryption Key.
  • Create an S3 bucket with CloudTrail logging functions.
  • Encrypt data stored in an S3 bucket using an encryption key.
  • Monitor encryption key usage using CloudTrail.
  • Manage encryption keys for users and roles.

Prerequisites

Some familiarity with access control management.

It is strongly recommended to complete this lab using the Google Chrome web browser. If you cannot use Google Chrome, you will need a utility on your computer that can open gzip compressed files (*.gz).

AWS Key Management Service / CloudTrail / S3

AWS Key Management Service (KMS)

AWS Key Management Service is a managed service that makes it easy for you to create and control the encryption keys that you use to encrypt your data. KMS is integrated with other AWS services including Amazon EBS, Amazon S3, Amazon Redshift, Elastic Transcoder, Amazon WorkMail, and Amazon RDS to make it simple for you to encrypt your data with the encryption keys that you create. AWS KMS is also integrated with AWS CloudTrail to provide you with key usage logs to help meet your regulatory and compliance needs. KMS lets you create keys that can never be exported from the service and which can be used to encrypt and decrypt data based on policies you define, giving you greater control of your security and services.

Amazon CloudTrail

AWS CloudTrail is a web service that records API calls made on your account and delivers log files to your Amazon S3 bucket. CloudTrail provides visibility into user activity by recording API calls made on your account. CloudTrail records important information about each API call, including the name of the API, the identity of the caller, the time of the API call, the request parameters, and the response elements returned by the AWS service. This information helps you to track changes made to your AWS resources and to troubleshoot operational issues. CloudTrail makes it easier to ensure compliance with internal policies and regulatory standards.

Amazon S3

Amazon Simple Storage Service (Amazon S3) provides developers and IT teams with secure, durable, highly scalable object storage. Amazon S3 is easy to use, with a simple web services interface to store and retrieve any amount of data from anywhere on the web. With Amazon S3, you pay only for the storage you actually use. There is no minimum fee and no setup cost.

Create and use your KMS Master Key

In this section you will create a KMS master key. A KMS master key enables you to easily encrypt your data across AWS services and within your own applications.

Setup an Encryption Key

  1. Make a note of the default region that your lab is connected to. This is the region name located in the upper right of the AWS console, between the user account name and the Support link.
  2. On the AWS console, click Services, and then click IAM.

Key Management Service is accessed through the AWS Identity and Access Management console.

  3. Select Encryption Keys from the bottom left of the dashboard.
  4. If you see a Get Started Now button, click it. If it does not appear, proceed to the next step.
  5. Click the region name next to Filter: and select the default region for the lab that you recorded at the beginning of this section. Once selected, this will also populate the console with any keys already stored in that region.


Identity and Access Management functions are generally global; KMS keys, however, must be managed in each region.

  6. Click the Create Key button to create a new encryption key.
  7. In the Alias text box type testKeyOne.
  8. In the Description text box type KMS Key for S3 data. It is a good practice to state in the description which services the encryption key will be associated with.
  9. Click Next Step to proceed to the Define Key Administrative Permissions page.

The Key Administrators are users or roles that will manage access to the encryption key.

  10. Select awsstudent and click Next Step to proceed to the Define Key Usage Permissions page.

The Key Users are the users or roles that will use the key to encrypt and decrypt data.

  11. Select awsstudent again and click Next Step.
  12. Preview the Key Policy and click Finish.
  13. Make a note of the Key ID by copying it into a text file on your own computer. You will use this later when looking at log activity for this KMS key.

The key as listed in the console (alias, Key ID, status, creation date):

    testKeyOne      b25b824a-abb2-4efa-8308-fe812fdcebbb   Enabled  2017-06-15 07:33 EDT

Create an S3 bucket, add CloudTrail to it and encrypt data in the bucket

In this section you make sure CloudTrail is enabled and writes its log files to an S3 bucket that you create. CloudTrail will then store log files of all API calls made in your account in this bucket. This will allow you to see when the KMS key you created earlier is used, what it was used for and who used it.

  1. On the AWS console click Services and then click CloudTrail.
  2. Click the Get Started Now button if it appears; otherwise:

a. In the navigation pane, click Trails.
b. Click Add new trail.

  3. For Trail name, type a name for the new Trail: whe-cloudtrail-test1
  4. For Apply trail to all regions, click No.
  5. For Create a new S3 bucket, click Yes.
  6. Choose a unique name for the bucket starting with testbucket so you can locate it easily later, for example testbucket-xxxx, substituting something unique for xxxx.
  7. Click Create. If you did not choose a unique name you will get an error and will have to choose another name.

Encrypt Data in an S3 Bucket

You will now upload a file to S3 and encrypt it using the encryption key you created earlier. Since you have already created an S3 bucket for the CloudTrail logs, you will use that bucket as the upload location.

  1. On the AWS console click Services and then click S3.
  2. Click the testbucket-xxxx name in the All buckets list to open the bucket and click Upload.
  3. Click Add Files, then navigate to the file that you want to upload from your system and select it.
  4. Click Set Details, which is located in the bottom right of the file upload dialog.
  5. Select Use Server Side Encryption.
  6. Select Use an AWS Key Management Service Master Key.
  7. In the Master Key drop down box select the testKeyOne key you created.
  8. Click Start Upload.
  9. Once the file has been uploaded, right click it and click Properties. Click Details to expand the details section and note that the Server Side Encryption: setting for this file is set to your encryption key.
  10. Make a note of the Last Modified timestamp for the file you uploaded.

Monitor and manage KMS Key usage

Monitor KMS activity using CloudTrail logs

  1. Click the All Buckets link to return to the S3 root.
  2. Select the bucket you created to hold the CloudTrail logs, testbucket-xxxx.
  3. Click AWSLogs and continue to click through the subfolders until you reach the CloudTrail folder. (Refresh until the CloudTrail folder appears.) Click through to the region you selected at the start of the lab and then continue to click through to today's date. You should see a structure similar to this.

  4. Refresh this list until you can see a log file with a Last Modified timestamp that is later than the timestamp of your file upload recorded in the last section. This can take up to 5 minutes.
  5. Select the latest log file in the list, click Actions and then Open. This document opens as a pop-up; if you see a pop-up security warning, confirm that you want to open this file.

Your browser security settings may simply ignore the pop-up. If you do not see any file being opened and do not see a pop-up alert you should enable pop-ups for this site by configuring pop-up settings in Chrome's Settings page. The pop-up configuration can be edited in the +Show Advanced Settings > Site Settings > Pop-ups section.

Note: If you are not using Google Chrome as your web browser you will have to download and decompress this gz compressed file using a local utility on your own computer. Once the .gz file is decompressed you will then need to open it in a text editor.

  6. The log file is in JSON format and contains each API call that has been logged by CloudTrail. It can be difficult to locate specific items in it visually, but if you search for the word Encryption you will find an entry detailing the file upload you performed earlier.

The object shows that the file was uploaded and also identifies the KMS Key ID that was used to encrypt it and the user who invoked it. If you compare that to the Key ID you recorded when you created the key you will see that they match.

If you have a JS/JSON formatting tool you can download the file and get a clearer view of the information that is logged as shown here.
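As an added example that is not part of the lab, the following Python script performs the search described above programmatically: it decompresses a CloudTrail .gz file, keeps only the KMS calls that actually use key material, and checks the key ARN in each record against the Key ID you noted at key creation. The sample log is constructed here in the CloudTrail record layout; the account ID, region, bucket and object name are assumed placeholders, while the Key ID is the one shown earlier on this page.

```python
import gzip
import json

# Key ID recorded when testKeyOne was created (value from the lab page).
EXPECTED_KEY_ID = "b25b824a-abb2-4efa-8308-fe812fdcebbb"

# KMS calls that use key material; key-management calls are deliberately excluded.
CRYPTO_EVENTS = {"GenerateDataKey", "Encrypt", "Decrypt", "ReEncrypt"}

# Constructed sample in the CloudTrail record layout: an unrelated S3 call plus the
# KMS GenerateDataKey call S3 makes for an SSE-KMS upload. Account ID, region,
# bucket and object name are assumed placeholders, not values from the lab.
SAMPLE_LOG = {"Records": [
    {"eventTime": "2017-06-15T12:01:44Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "userIdentity": {"userName": "awsstudent"}},
    {"eventTime": "2017-06-15T12:02:10Z", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKey", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "awsstudent"},
     "requestParameters": {"keySpec": "AES_256", "encryptionContext": {
         "aws:s3:arn": "arn:aws:s3:::testbucket-xxxx/report.txt"}},
     "resources": [{"type": "AWS::KMS::Key", "accountId": "123456789012",
                    "ARN": "arn:aws:kms:us-east-1:123456789012:key/" + EXPECTED_KEY_ID}]},
]}

def sample_log_gz() -> bytes:
    """Gzip the sample the way CloudTrail delivers log files to S3."""
    return gzip.compress(json.dumps(SAMPLE_LOG).encode())

def kms_key_uses(log_gz: bytes, expected_key_id: str) -> list:
    """Decompress one CloudTrail .gz file and summarise each cryptographic KMS
    call: caller, S3 object (from the encryption context) and whether the key
    ARN in the record matches the key ID noted at key creation."""
    records = json.loads(gzip.decompress(log_gz))["Records"]
    uses = []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        if rec.get("eventName") not in CRYPTO_EVENTS:
            continue
        # Key ARNs end in "key/<key id>"; keep the part after the last slash.
        key_ids = [r["ARN"].rsplit("/", 1)[-1] for r in rec.get("resources", [])
                   if r.get("type") == "AWS::KMS::Key"]
        ctx = (rec.get("requestParameters") or {}).get("encryptionContext", {})
        uses.append({"time": rec["eventTime"], "event": rec["eventName"],
                     "user": rec["userIdentity"].get("userName"),
                     "object": ctx.get("aws:s3:arn"),
                     "key_id": key_ids[0] if key_ids else None,
                     "matches_expected": expected_key_id in key_ids})
    return uses
```

Run it against a real file by passing the bytes of a downloaded CloudTrail .gz object instead of sample_log_gz(); a record whose matches_expected is False for a key you did not expect to be used is the kind of finding this log review exists to surface.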

Manage Encryption Keys

  1. On the AWS console click Services and then IAM.
  2. Click Encryption Keys.
  3. Click the region name next to Filter: and then select the desired region from the drop down list.
  4. Select the key name (testKeyOne) that you wish to modify.

From here you can alter the key's description, add or remove Key Administrators and Key Users, allow external accounts to access the key, and place the key into annual rotation.

  1. In the Key Users section select the box beside the awsstudent user's name.
  2. Click the Remove button in the Key Users section, and then click Yes, remove to confirm. You have now removed the user's permission to use this key.
  3. Click the Add button in the Key Users section to add a user to the key. This opens the attach page that lists the IAM users and roles available. Select the awsstudent account and click Attach.

This shows how you can control which IAM users can use KMS Keys that you create. The same add and remove steps are used to control which IAM users can manage KMS keys.
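To show what the Key Administrators and Key Users selections made when creating the key, and the Remove step just above, translate to in the key policy, here is an added Python example that is not part of the lab: it builds the two Allow statements modelled on the ones the console generates for those two roles, evaluates whether a user may call a given KMS action, and removes a Key User the way the Remove button does. The account ID is an assumed placeholder, and the evaluator is deliberately minimal (Allow statements and wildcard actions only; no Deny, conditions or IAM identity policies).

```python
import fnmatch

# Action lists modelled on the statements the console generates for the
# "Key Administrators" and "Key Users" selections. The account ID is an
# assumed placeholder, not a value from the lab.
ACCOUNT = "123456789012"
ADMIN_ACTIONS = ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                 "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                 "kms:Get*", "kms:Delete*", "kms:TagResource", "kms:UntagResource",
                 "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"]
USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"]

def user_arn(name: str) -> str:
    return f"arn:aws:iam::{ACCOUNT}:user/{name}"

def key_policy(admins, users) -> dict:
    """Build a key policy with separate management and usage statements,
    mirroring the Define Key Administrative / Usage Permissions pages."""
    def stmt(sid, principals, actions):
        return {"Sid": sid, "Effect": "Allow",
                "Principal": {"AWS": [user_arn(p) for p in principals]},
                "Action": actions, "Resource": "*"}
    return {"Version": "2012-10-17", "Statement": [
        stmt("Allow access for Key Administrators", admins, ADMIN_ACTIONS),
        stmt("Allow use of the key", users, USE_ACTIONS)]}

def is_allowed(policy: dict, user: str, action: str) -> bool:
    """Minimal evaluator: Allow statements only, with wildcard action matching.
    Real IAM evaluation also considers Deny, conditions and identity policies."""
    arn = user_arn(user)
    for s in policy["Statement"]:
        if s["Effect"] != "Allow" or arn not in s["Principal"]["AWS"]:
            continue
        if any(fnmatch.fnmatchcase(action, pat) for pat in s["Action"]):
            return True
    return False

def remove_key_user(policy: dict, user: str) -> dict:
    """The Remove button in the Key Users section: drop the principal from the
    usage statement only; the administrator statement is left untouched."""
    for s in policy["Statement"]:
        if s["Sid"] == "Allow use of the key":
            s["Principal"]["AWS"] = [a for a in s["Principal"]["AWS"] if a != user_arn(user)]
    return policy
```

One detail the console hides: after removal from Key Users, awsstudent can still call kms:DescribeKey because the administrator statement's kms:Describe* wildcard covers it; only the Encrypt, Decrypt, ReEncrypt and GenerateDataKey permissions are lost.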

End Your Lab