AWS Security Lab: Implementing Encryption with KMS and Amazon S3

This hands-on lab guides you through the process of implementing encryption at rest using AWS Key Management Service (KMS) and Amazon S3. You will learn how to create a Customer Managed Key (CMK), configure S3 for server-side encryption with KMS keys (SSE-KMS), and use the AWS CLI to perform programmatic encryption operations.

[!WARNING] Remember to run the teardown commands at the end of the lab to avoid ongoing charges for the KMS key ($1/month prorated) and S3 storage.

Prerequisites

• An active AWS Account.
• IAM Permissions: You must have AdministratorAccess or a policy that allows kms:* and s3:* operations.
• AWS CLI installed and configured on your local machine with access keys (aws configure).
• Basic familiarity with the AWS Management Console.

Learning Objectives

• Create and manage an AWS KMS Customer Managed Key (CMK).
• Configure an Amazon S3 bucket to use SSE-KMS for default encryption.
• Perform programmatic encryption and decryption of small data chunks (up to 4KB) using the AWS KMS API.
• Understand the metadata differences between SSE-S3 and SSE-KMS.

Architecture Overview

The Envelope Encryption Concept

\begin{tikzpicture}[node distance=2cm, auto] \draw[thick, fill=blue!10] (0,0) rectangle (3,2) node[pos=.5] {Plaintext Data}; \draw[->, thick] (3.2,1) -- (4.8,1) node[midway, above] {Encrypt}; \draw[thick, fill=red!10] (5,0) rectangle (8,2) node[pos=.5] {Ciphertext}; \draw[thick] (4, -1) circle (0.4) node {K}; \draw[->, dashed] (4, -0.6) -- (4, 0.8); \node at (4,-1.6) {Data Key}; \end{tikzpicture}

Step-by-Step Instructions

Step 1: Create a KMS Customer Managed Key (CMK)

We will start by creating a symmetric encryption key. This key will be used to protect our S3 objects and perform manual encryption operations.

CLI Interface:

Note: Copy the KeyId (UUID) from the JSON output. You will need it for the next steps.

▶Console alternative

1. Navigate to KMS in the AWS Console.
2. Choose Customer managed keys in the sidebar.
3. Click Create key.
4. Select Symmetric and Encrypt and decrypt.
5. Give it the Alias lab-encryption-key.
6. Assign your current IAM user as the Key Administrator and Key User.
7. Click Finish.

Step 2: Create an Encrypted S3 Bucket

Now, we will create an S3 bucket and configure it to use our new KMS key for all future object uploads by default.

CLI Interface:

Step 3: Test Encryption with Object Uploads

Upload a simple file and verify that S3 is using the KMS key for encryption.

CLI Interface:

[!TIP] In the head-object output, look for "ServerSideEncryption": "aws:kms" and your SSEKMSKeyId.

Step 4: Programmatic Encryption (API Practice)

KMS isn't just for S3. You can use it to encrypt small bits of data (strings, passwords) directly in your code using the Encrypt API.

CLI Interface:

Checkpoints

1. KMS Verification: Run aws kms list-keys. Does your new key appear in the list?
2. S3 Encryption: In the S3 Console, click on your bucket -> Properties. Under Default encryption, does it show SSE-KMS and your specific key ARN?
3. Decryption Check: Try to decrypt the blob from Step 4:
   bashCopy

   aws kms decrypt --ciphertext-blob fileb://<(base64 -d encrypted_blob.txt) --query Plaintext --output text | base64 -d
   Expected Output: MySecretPassword

Clean-Up / Teardown

To avoid ongoing costs, you must delete the S3 bucket and schedule the KMS key for deletion.

Troubleshooting

Stretch Challenge

Goal: Enforce SSE-KMS encryption via a Bucket Policy.

Try to apply a bucket policy that denies any s3:PutObject request that does not include the header x-amz-server-side-encryption: aws:kms. This ensures that even if a developer tries to upload an unencrypted file, S3 will reject it.

Cost Estimate

Concept Review

Key Takeaway: Use SSE-KMS when you need audit trails and separate administrative control over who can encrypt/decrypt specific objects.