How To Create A Customer Managed Customer Master Key (CMK) In AWS KMS:
Hello Everyone
Welcome to CloudAffaire and this is Debjeet.
In this blog post, we will discuss how to create a customer managed customer master key (CMK) in AWS KMS. More specifically, we will create a symmetric KMS CMK using the AWS CLI, attach a key policy and an alias to it, and use it as the default encryption key for an S3 bucket.
What Is A Customer Managed Customer Master Key (CMK):
Customer master keys are the primary resources in AWS KMS. A customer master key (CMK) is a logical representation of a master key. The CMK includes metadata, such as the key ID, creation date, description, and key state. The CMK also contains the key material used to encrypt and decrypt data; that key material never leaves KMS unencrypted, which is why every cryptographic operation with the key is an API call. Customer managed CMKs are CMKs in your AWS account that you create, own, and manage. You have full control over these CMKs, including their key policy, rotation and deletion, and they are billed (a monthly charge per key plus per-request charges).
You can create symmetric and asymmetric customer master keys (CMKs). During this process, you determine the cryptographic configuration of your CMK (key spec and key usage) and the origin of its key material. You cannot change these properties after the CMK is created. You also set the key policy for the CMK, which you can change at any time. The key policy is a resource policy attached to the key itself and is the primary access control for it; IAM policies can only grant access to a key when the key policy allows it. In this demo, we will create a symmetric key.
You can also create an alias for your CMK. An alias is a friendly name for a customer master key (CMK). You can use an alias to identify a CMK in the AWS KMS console, in the DescribeKey operation, and in cryptographic operations such as Encrypt and GenerateDataKey. Aliases also make it easy to recognize AWS managed CMKs: aliases for these CMKs always have the form aws/<service-name> (for example alias/aws/s3), and that prefix is reserved, so you cannot use it for your own keys.
How To Create A Customer Managed Customer Master Key (CMK) In AWS KMS:
Requirements:
AWS CLI installed and configured. You can follow the blog posts below to install and configure the AWS CLI.
https://cloudaffaire.com/how-to-install-aws-cli/
https://cloudaffaire.com/how-to-configure-aws-cli/
Note: Some cost is associated with AWS KMS; for details, please refer to the link below.
https://aws.amazon.com/kms/pricing/
Step 1: Create a key policy for the new CMK (this is the resource policy attached to the key, not an IAM policy).
#############################################################################
## How To Create A Customer Managed Customer Master Key (CMK) In AWS KMS   ##
#############################################################################

## I am using a Linux shell to execute AWS CLI commands

## create a directory for this demo
mkdir kmsdemo && cd kmsdemo

## collect the caller ARN and the account id for the key policy
IAM_USER_DETAILS=$(aws sts get-caller-identity \
--query 'Arn' \
--output text) &&
AWS_ACCOUNT_ID=$(aws sts get-caller-identity \
--query 'Account' \
--output text)

## make sure you are using an IAM user and not a role for AWS CLI configure,
## else the policy below will not work: with a role, get-caller-identity returns
## an STS assumed-role session ARN (arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION),
## which is not a valid key policy principal; use the IAM role ARN instead.
## Keep the first statement (account root with kms:*): without it IAM policies
## cannot grant access to the key and the key can become unmanageable.
cat > mypolicy.json <<EOF
{
  "Id": "key-consolepolicy-3",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::$AWS_ACCOUNT_ID:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": "$IAM_USER_DETAILS"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "$IAM_USER_DETAILS"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "$IAM_USER_DETAILS"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}
EOF
Step 2: Create a new symmetric KMS CMK using the AWS CLI.
## create a new symmetric CMK
## the defaults (key spec SYMMETRIC_DEFAULT, key usage ENCRYPT_DECRYPT) give a
## 256-bit AES-GCM key, so no --key-spec or --key-usage is needed here;
## a MalformedPolicyDocumentException means a principal in mypolicy.json is invalid
AWS_KMS_CMKS_ID=$(aws kms create-key \
--policy file://mypolicy.json \
--tags "TagKey=Name,TagValue=MySymmetricKey" \
--query 'KeyMetadata.KeyId' \
--output text)
Step 3: Get details of the KMS CMK and create an alias for it using the AWS CLI.
## list all CMKs in your AWS account region
aws kms list-keys

## get details for a specific CMK (KeyState should be Enabled)
aws kms describe-key \
--key-id "$AWS_KMS_CMKS_ID"

## list all the aliases for CMKs in your account
aws kms list-aliases

## create an alias for your CMK (the name must start with alias/ and must not
## use the reserved alias/aws/ prefix; --target-key-id takes a key id or key ARN)
aws kms create-alias \
--alias-name "alias/my_symmetric_cmk" \
--target-key-id "$AWS_KMS_CMKS_ID"

## get key alias details
aws kms list-aliases \
--key-id "$AWS_KMS_CMKS_ID"

## get key policy details
aws kms get-key-policy \
--policy-name default \
--key-id "$AWS_KMS_CMKS_ID" \
--output text

## get key grant details
aws kms list-grants \
--key-id "$AWS_KMS_CMKS_ID"

## get key rotation details (automatic rotation is off by default for
## customer managed CMKs; enable-key-rotation turns it on)
aws kms get-key-rotation-status \
--key-id "$AWS_KMS_CMKS_ID"
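create-alias fails with a validation error if the alias name breaks the KMS naming rules or if --target-key-id is given an alias instead of a key id or key ARN. The functions below are an added example, not code from the original post, that check both arguments locally before the API call; the key id and ARN values used in the demo at the bottom are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original CloudAffaire post).
# Local pre-checks for the arguments of `aws kms create-alias`.

# kms_alias_valid NAME
# KMS alias rules: must start with "alias/", must not start with the
# "alias/aws/" prefix reserved for AWS managed keys, may contain only
# letters, digits, "/", "_" and "-", and is at most 256 characters long.
kms_alias_valid() {
    name="$1"
    case "$name" in
        alias/aws/*)
            echo "kms_alias_valid: alias/aws/ is reserved for AWS managed CMKs" >&2
            return 1 ;;
        alias/?*)
            ;;  # required prefix present with at least one more character
        *)
            echo "kms_alias_valid: alias name must start with alias/" >&2
            return 1 ;;
    esac
    if [ "${#name}" -gt 256 ]; then
        echo "kms_alias_valid: alias name longer than 256 characters" >&2
        return 1
    fi
    case "$name" in
        *[!A-Za-z0-9/_-]*)
            echo "kms_alias_valid: alias name contains an invalid character" >&2
            return 1 ;;
    esac
    return 0
}

# kms_target_key_id_valid VALUE
# --target-key-id must be a key id (UUID) or a key ARN
# (arn:aws:kms:REGION:ACCOUNT:key/UUID); an alias is not accepted there.
kms_target_key_id_valid() {
    uuid='[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
    if printf '%s\n' "$1" | grep -Eq "^($uuid|arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/$uuid)$"; then
        return 0
    fi
    echo "kms_target_key_id_valid: target must be a key id or key ARN, not '$1'" >&2
    return 1
}

# Demo with constructed values (the key id is a sample, not a real key)
DEMO_ALIAS='alias/my_symmetric_cmk'
DEMO_KEY_ID='1234abcd-12ab-34cd-56ef-1234567890ab'
if kms_alias_valid "$DEMO_ALIAS" && kms_target_key_id_valid "$DEMO_KEY_ID"; then
    echo "ok: aws kms create-alias --alias-name $DEMO_ALIAS --target-key-id $DEMO_KEY_ID"
fi
```

Run the two checks on `$AWS_KMS_CMKS_ID` and the alias name right before the create-alias call in Step 3; the same kms_target_key_id_valid check applies to the KMSMasterKeyID you put in the S3 encryption configuration in Step 4.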
Step 4: Use the new KMS CMK as the default encryption key for an AWS resource (an S3 bucket in this demo). Default bucket encryption applies to objects written after it is set; existing objects are not re-encrypted.
## create an s3 bucket (bucket names are globally unique, so pick your own;
## the CMK is regional, so the bucket region must match the CLI default
## region the key was created in during Step 2, ap-south-1 here)
aws s3api create-bucket \
--bucket cloudaffaire-kms-cmk-demo \
--region ap-south-1 \
--create-bucket-configuration "LocationConstraint=ap-south-1"

## create an encryption configuration file
cat > myconf.json <<EOF
{
  "Rules": [{
    "ApplyServerSideEncryptionByDefault": {
      "SSEAlgorithm": "aws:kms",
      "KMSMasterKeyID": "$AWS_KMS_CMKS_ID"
    }
  }]
}
EOF

## set your custom CMK as the bucket's default encryption key
aws s3api put-bucket-encryption \
--bucket cloudaffaire-kms-cmk-demo \
--server-side-encryption-configuration file://myconf.json
Step 5: Cleanup.
## delete the bucket (rb only succeeds on an empty bucket)
aws s3 rb s3://cloudaffaire-kms-cmk-demo

## schedule deletion of your custom master key; the waiting period is
## 7 to 30 days, the key is unusable while pending, and cancel-key-deletion
## restores it within that window; its alias is removed with the key
aws kms schedule-key-deletion \
--key-id "$AWS_KMS_CMKS_ID" \
--pending-window-in-days 7

## delete the directory
cd .. && rm -rf kmsdemo
To get more details on AWS KMS, please refer to the AWS documentation below.
https://docs.aws.amazon.com/kms/index.html