AWS Key Management Service (KMS) makes it easy for you to create and manage keys and control the use of encryption across a wide range of AWS services and in your applications. AWS KMS is a secure and resilient service that uses FIPS 140-2 validated hardware security modules to protect your keys.
This workshop aims to give you a better understanding of AWS Key Management Service (KMS) through a set of practical exercises. It is aligned with the "must-read" AWS whitepaper "AWS Key Management Service Best Practices", and the exercises follow its guidelines.
The workshop contains four sections (NOTE: they are designed to be followed in order) covering operations on AWS CMKs, the types of encryption available in AWS KMS with a focus on envelope encryption, key policies and best practices applied to a demo web app, and monitoring of AWS KMS.
- Section I - Operating with AWS KMS and the CMKs
- Section II - Encryption with AWS KMS
- Section III - Key Policies and best practices - Working with a Web App
- Section IV - Monitoring AWS KMS
The workshop is mostly practical: you will operate AWS KMS through the AWS CLI (from an EC2 instance), the AWS console and direct AWS KMS API calls, to get a better understanding of the different options.
In order to set up the working environment for the workshop, you need the following:
- An AWS account.
- A user with enough permissions to create policies and create/modify roles in IAM.
- A user with permissions to run CloudFormation templates and launch EC2 instances.
- A VPC, a public subnet and security groups (or the ability to create them) in which to launch the EC2 instances. If you need help creating them, please use the following quickstart from AWS.
Prior knowledge of AWS KMS is not really needed, but it would be helpful to take a look at this brief introduction:
Once you are ready, go to the first section of the workshop and launch the CloudFormation template that will provide the resources needed to start the workshop: