AWS-QwikLabs : KMS (Key Management Service)

bogotobogo.com site search:

Terminology

Data keys are encryption keys that we can use to encrypt data. To create a data key, call the GenerateDataKey operation and KMS uses the CMK that we specify. The CMK creates a plaintext data key and an encrypted data key.

Customer master key (CMK) is the key at the top of key hierarchy.
AWS KMS uses the customer master key to decrypt the encrypted data key stored along with the data. It returns the plaintext key which is then used to decrypt the data again this plaintext key is removed from the memory.

Envelope encryption: when we encrypt our data, our data is protected, but we have to protect our encryption key by encrypting it. Envelope encryption is the practice of encrypting plaintext data with a data key, and then encrypting the data key under another key.

Introduction

In this post, we'll create an Encryption Key and encrypt the data stored in S3 bucket. Then, we will make a Get request with presigned URL for the sse-kms encrypted object using Postman. We'll also monitor the CloudTrail log for the key usage.

This post is partially based on Introduction to Amazon CloudFront

Create a KMS Master Key

Let's create our KMS master key.

Here is the key policy:

{
    "Id": "key-consolepolicy-3",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::526262051452:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::526262051452:user/K"
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::526262051452:user/K"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::526262051452:user/K"
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}

Click "Finish".

Actually, as we can see it's a "Customer managed keys":

We can get the policy using the following command as well:

$ aws kms get-key-policy --key-id fb17f3e0-0a0e-4fdb-889f-5c033a8bc664 --policy-name default --output text > policy.txt

Upload to s3 with kms encryption

We want to upload a file from local machine to s3 with kms encryption using the following command:

aws s3 cp /filepath s3://mybucket/filename --sse aws:kms --sse-kms-key-id <key id>

Let's create a bucket first, and then upload a file with the kms-key-id. To get the id:

$ aws kms list-aliases
{
    "Aliases": [
...
        {
            "AliasName": "alias/myFirstKey",
            "AliasArn": "arn:aws:kms:us-east-1:526262051452:alias/myFirstKey",
            "TargetKeyId": "da0f41cc-b71c-484f-977f-f4edac09859a"
        }
    ]
}

Let's create the bucket and upload our file with encryption:

$ aws s3 mb s3://kms-bogo-test

$ aws s3 cp ./eiffel.png s3://kms-bogo-test/eiffel.png --sse aws:kms --sse-kms-key-id da0f41cc-b71c-484f-977f-f4edac09859a
upload: ./eiffel.png to s3://kms-bogo-test/eiffel.png

We used the option --sse that specifies server-side encryption of the object in S3. Valid values are AES256 and aws:kms.

Also, there is another option --sse-kms-key-id we used in the command. Note that we should only provide this parameter if KMS key ID is different the default S3 master KMS key.

Accessing the encrypted S3 file

After making the image public, we get the following error when we access it from a browser:

<Error>
<Code>InvalidArgument</Code>
<Message>
Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.
</Message>
<ArgumentName>Authorization</ArgumentName>
<ArgumentValue>null</ArgumentValue>
<RequestId>FCC533C8E70958C6</RequestId>
<HostId>
X3Jq8qbLw9Qf15zPgLbrwcYtDRWmcGCkE9SKA64EONDl3WWSx3iM23ytoRS4QAqKYizJBf4HLZM=
</HostId>
</Error>

The following will generate a URL that will expire in 3600 seconds (default):

$ aws s3 presign s3://kms-bogo-test/eiffel.png
https://kms-bogo-test.s3.amazonaws.com/eiffel.png?AWSAccessKeyId=AKIAIY6RID2W2C5I3P5Q&Signature=v3gTX6YiTZ4aWYDtOyfwaJWlxSc%3D&Expires=1547347373

https://kms-bogo-test.s3.amazonaws.com/eiffel.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIY6RID2W2C5I3P5Q%2F20190113%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20190113T051556Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=0fd284192f221c26b57e21636995a57283f6877c8165cd1e1085b5ab7ab44f40

Check presign: "Generate a pre-signed URL for an Amazon S3 object. This allows anyone who receives the pre-signed URL to retrieve the S3 object with an HTTP GET request. For sigv4 requests the region needs to be configured explicitly."

We need to make a REST API call.

REST API to secure S3 objects with SSE-KMS

Ref : How to Use the REST API to Encrypt S3 Objects by Using AWS KMS

In this section, we'll use the URL we got from aws s3 presign in the previous section. To make a REST API call, we use POSTMAN. Here is the outcome when we make a GET request :

Configure CloudTrail for S3 logs

Click "Create":

Check the logs on S3:

S3 encryption/decryption with KMS Managed Keys

Here are the processes how the SSE-KMS encryption works:

A user (or a client) wants to upload a text that has sensitive information and store it using SSE (Server Side Encryption) KMS.
When the request made to S3, S3 will handle the KMS service for the user. S3 realizes it needs to invoke KMS services. So, it calls upon KMS to generate data key for the user, and it send a request over to KMS.
At this point, the KMS uses the specified CMK (Customer Master Key) to generate two keys. The first key is a plain data text key, and the 2nd key is the same key but encrypted version of that key.
Both keys are then sent back to S3, and S3 sees two keys (plain data text key and encrypted data key). Now S3 has all keys to process encryption.
S3 takes the object uploaded by the user and combine with the plain data text key to perform encryption. S3 now has the encrypted version of the document alongside with the encrypted data key. The plain data text key will be deleted from the memory.

SSE-KMS decryption:

A user (or a client) wants to get an SSE-KMS encrypted text.
When the request made to S3, S3 knows the requested object has an associated encrypted data key. So, S3 sends the encrypted data key over to KMS.
Then, KMS uses the CMK (Customer Master Key) and the encrypted data key to generate plain version of that key.
S3 takes the plain text data key to decrypt the object.
S3 returns the plain document to the client.