AWS Key Management Service (KMS) is an Amazon Web Services product that allows administrators to create, delete, and control keys that encrypt data stored in AWS databases and products. In this article, I am going to walk you through how to encrypt data using the AWS Key Management Service. We’ll be creating an encryption key, encrypting s3 bucket using KMS, and encrypting data using KMS.
When encrypting your s3 bucket data in AWS, you can either use the AWS Server-Side encryption or go through the Key Management Service. To know how to carry out server-side encryption, click here.
Creating a key
The first step to encrypting your S3 bucket or your data using AWS KMS is to create your encryption key. Let me walk you through this process real quick.
1. Sign in to your AWS Console. (https://console.aws.amazon.com/console/home).
2. Drop down the “Services” tab. Select “Key Management Service”. It can be found in the “Security, Identity & Compliance” menu. Here’s what I mean:
3. A new page will be displayed where you can select the “Create a key” button to create your encryption key.
4. Next up is to configure your key. Select the type of key that you want to create. You can choose to create a symmetric key type, i.e, a single encryption key. The other option is an asymmetric key type that contains a pair of a public and private key. For this article, we’ll be using a symmetric key type.
5. Finally, enter an alias and a description for your key. The description is totally optional
Encrypting s3 bucket using KMS
Now that you have created your key, you can proceed to encrypting your data with KMS. To encrypt an entire s3 bucket in AWS with KMS, follow these steps:
1. Drop down the “Services” tab in your AWS console and select “S3” in the “Storage” menu.
2. Select the S3 bucket you want to encrypt, or create a new one as the case may be.
3. This will take you to your bucket page. There you will find the “Overview”, “Properties”, “Permissions”, “Management”, and “Access Points” tab. Select the “Properties” tab and click on “Default encryption”.
4. Select the AWS-KMS option, select the key you created earlier and “Save”. This will encrypt your bucket with the Key Management Service.
Your “Default encryption” tab should look like the image below when you are done:
Encrypting data using KMS
If you want to encrypt data using KMS before uploading to your s3 bucket, follow these steps:
1. Select the s3 bucket you want to upload data into, and as expected, select the “Upload” button.
2. Select the file(s) you want to upload, and click “Next”.
3. Scroll down to the Encryption section and select the “AWS KMS master-key” option, and select the encryption key.
4. Complete the uploading process and you are all set.
If you found any aspect of this walk-through helpful, you can share it with any of the buttons below. Questions are welcomed in the comments section.