So let's have a look at the KMS service. And first, on the left side, I will look at the AWS managed keys. You can see, if I've been using KMS encryption throughout this course, then these keys will appear right here. So we can look, for example, at the AWS EBS one. And this is an AWS managed key because it belongs to the EBS service. So we can have a look here at how it's being used. So there is a key policy, and this policy defines what can access this key. And of course, because this is an EBS AWS key, then you will look at all the actions. So it can come from anywhere, do some kind of actions, but the condition is that the caller account has to be mine, and the via service has to be the EC2 service, which is a service above the EBS service. Okay? If I looked, for example, at another AWS managed key, for example the SQS one, and look at the key policy here, the via service as a condition to my KMS key policy is the SQS service.
Therefore, it allows only access from SQS, via KMS, to this key. We can also look at the cryptographic configuration, which shows that this key is symmetric, of origin KMS, and it's used to encrypt and decrypt data. Okay. So that's for the KMS keys managed by AWS, but then we have other accounts. We have the customer managed keys as well as the custom key store. So the custom key store is when we want to use CloudHSM, but this is out of scope for this exam, so we don't go over this. We're just going to go over the customer managed key. So this is when we want to create our own keys within KMS and not use the ones managed by AWS. So let's create a key, but if we do so, remember this is going to cost you $1 per month. So if you don't want to pay anything, then do not do this. So here for the key type, we have multiple options: we have the symmetric or asymmetric type of key. So if I use asymmetric, this could be used for encrypt and decrypt or sign and verify types of operations, but this is out of scope for this lecture. I am going to use the symmetric type of KMS key, and we'll use the encrypt and decrypt option.
Okay, this is the most basic one I want to show you. For advanced options, the key origin is going to be KMS because we want KMS to create this key for us. If we wanted to import a key, this would be the external type of key origin, or custom key store if you wanted to have CloudHSM. But again, this is out of scope. So we'll use KMS, and here for regionality we have single-region key and multi-region key, and we're just going to consider single-region key right now, because this is the oldest type of option and the most common for KMS. So we'll use single-region key, click on next. Next we have a key alias, so I'll just have it as tutorial, click on next. And here we can start to define key administrators. So if I don't define one, then we're going to use the default KMS key policy, which is what I want. But if you wanted to be very specific about who can use this key and who could administer it, this is where it would happen. So right now I'm not going to tick anything and click on next. Then you can say who can use this key.
So again, this is for your KMS key policy to be more specific. Right now I want to allow everyone to use it if they have the right IAM permissions. But if you wanted to also have some extra security, you could say, hey, only Stephan can use this key, and this would create a custom KMS key policy. But in this instance, I don't want this. And as you can see at the bottom, I can choose other AWS accounts to access my key. So this is if you had, for example, the use case of sharing an encrypted snapshot, an EBS snapshot for example; you would add another account to allow access to your key. So we summarize everything. So we have a symmetric key, and then this is the key policy, and this is what I call the default key policy. This is just to enable IAM user permissions. So it allows anyone to do anything on any KMS resource, as long as they have, of course, the IAM permissions to do so. So let's finish this. And now my key has been created and we can click on view key. So now that my key is created, I can have a look at the key policy. And so the key policy is just like this.
It's an IAM policy for your key, but you can switch to the default view and you can see, in a better summary, who the key administrators are, whether key deletion is allowed, who the key users are, and whether other accounts can access it. So I won't touch this. Then you can have a look at the cryptographic configuration. I won't touch this; tags, not needed. Key rotation is very important. So if we do want to enable key rotation, we have to tick this box, and this would rotate this KMS key every year. Okay, you cannot configure it to be more or less; it has to happen every year. And it's only possible because I did create this key from within KMS. And finally, what is the alias for my key? It is named tutorial. So I can refer to it with an alias, which can be a little bit simpler for us. Finally, for key actions, you can disable it or schedule key deletion. So we have our key. It's great, but now let's go use the CLI to encrypt and decrypt some data.
So under KMS, I have KMS demo CLI dot sh, which is going to show us how to use the encrypt and decrypt of KMS with an example. So first we are going to create a file, and I'm going to call it example secret file dot txt. And within it, I'm going to say there is a super secret password, okay? So this is whatever you want in this text file; for me, I just entered a password called super secret password, and we're going to encrypt it and then decrypt it using KMS. So the first thing that you do for KMS encryption is use the encrypt command. So we have to specify a key ID; for me it's alias/tutorial. So this corresponds to the key I have created in my console. And you could use the alias, you could use this key ID right here, or you could use the full ARN. It doesn't really matter; just use whatever you want. And then you need to pass in plaintext the address of your file. So for me it's example secret file dot txt, then the output of the query. So you're querying for a ciphertext blob, which represents the encrypted contents.
And you want the text as is, and finally the region your key is in. So for me, my nearest region, eu-west-2. This is going to give us a base64 file containing the encrypted content. So let's copy this command right here and paste it, run it. And now I have a file called example secret file encrypted dot base64. And this represents my encrypted file, okay? In base64. So just with letters and numbers that we can recognize. Now though, we're going to do a base64 decode to get the binary encrypted value. So if you're on Windows, the command is different. So for Linux, I'm just going to run this one, but for Windows, you can run the other one. And so the idea is that you're going to create a file called example secret file encrypted, without the base64. So let me copy this and paste it. And now I have a new file called example secret file encrypted. And if I try to open it with my text editor, it's not going to work because it uses either binary or unsupported text encoding. So this is indeed a binary file.
So this is the kind of secret file that you would share with someone. And so now I want to go and decrypt it. So this is completely gibberish and we cannot get any information out of it. Even this one, we cannot get any information. How do we know it's super secret password? So this is an encrypted file, but now we want to take this encrypted binary file and decrypt it. So for this, we're going to run a KMS decrypt command. So this time we pass in the blob, the file that was encrypted. So this is where we're passing the file in here. Then we query for the plaintext value, so the decrypted value, and we write this to another file that is going to be base64 encrypted, and we specify the region. So let's go ahead. KMS knows automatically which key to use for the decryption because it is included in the blob of encrypted value. So let me enter this. And so this has succeeded. So now if I go to my example file decrypted dot base64, it is here. It's a much shorter thing. And now we're going to base64 decode this to get my text value.
So we'll have a different command again if you're on Windows or if you're on Mac; I'm on Mac, I'm going to use this one. So I'm copying this command, pasting it. And now we have done a base64 decoding of our file. So if we go back to example file decrypted dot txt, we find back our super secret password. So we have shown the encryption and its reverse operation, the decryption. Obviously these are low-level commands. The SDK will abstract some of that for us, but this shows you the full example of how you can use the encrypt and decrypt commands of KMS with your own customer master key. So that's it, super simple. I hope that was helpful, and I will see you in the next lecture.