How to secure S3 Bucket with KMS and test it

Hi folks. Today we're going to cover AWS KMS (Key Management Service) together with an S3 bucket. Before we test it, it is worth knowing what KMS is.

https://aws.amazon.com/kms/#

AWS Key Management Service (KMS) gives you centralized control over the cryptographic keys used to protect your data. The service is integrated with other AWS services making it easy to encrypt data you store in these services and control access to the keys that decrypt it. AWS KMS is also integrated with AWS CloudTrail, which provides you the ability to audit who used which keys, on which resources, and when. AWS KMS enables developers to easily add encryption or digital signature functionality to their application code either directly or by using the AWS SDK. The AWS Encryption SDK supports AWS KMS as a root key provider for developers who need to encrypt/decrypt data locally within their applications.

(Figure: How KMS works)

# Scenario

Create two IAM users (user-a and user-b), configure the S3 bucket to use a KMS key, and grant user-a (but not user-b) permission to use that key. Upload a file to the S3 bucket as user-a. Then try to access and download the file as user-b, and try to open it.

Ideally, only a user who has been granted use of the KMS key can open the uploaded file; other users cannot, even if they have AmazonS3FullAccess permissions. In this experiment we will try to secure object files at a granular, per-user level.

Steps:

  1. Go to IAM and create two IAM users: user-a and user-b
    (Figure: user-a creation)

    (Figure: user-b creation)

  2. Give those users the AmazonS3FullAccess policy
    Note: 
    This is just an example to speed up the process. Giving full access is a bad idea in the real world. You can grant read-only access, or restrict S3 bucket access to only GetObject and PutObject.
    See how to restrict Amazon S3 access here https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/
  3. Create the S3 bucket

    Make sure you don't give public access to the S3 bucket, because public access reduces security. If you need to share an object, prefer a presigned URL over making the object public. 
    Check the AWS S3 documentation for presigned URLs here https://docs.aws.amazon.com/AmazonS3/latest/userguide/ShareObjectPreSignedURL.html
  4. Go to KMS, then create and configure a KMS key. Check the documentation for AWS KMS symmetric keys here https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks

    Choose Symmetric, and Key usage: Encrypt and decrypt

    Add key alias.

    Add tags.

    AWS documentation:
    The default key policy created by the console allows you to choose IAM users and roles in the account and make them key administrators. This statement is called the key administrators statement. Key administrators have permissions to manage the KMS key, but do not have permissions to use the KMS key in cryptographic operations. You can add IAM users and roles to the list of key administrators when you create the KMS key in the default view or the policy view.
    I use my own IAM user as the key administrator.

    AWS Documentation:
    The default key policy that the console creates for KMS keys allows you to choose IAM users and roles in the account, and external AWS accounts, and make them key users.

    The console adds two policy statements to the key policy for key users.


    Add user-a under Define key usage permissions and hit Finish.

  5. Set the S3 bucket to use the configured KMS key

    Go to the Properties tab. Scroll down to Default Encryption and hit Edit.

    Choose server-side encryption with AWS KMS keys (SSE-KMS) and select the key you configured in step 4.
  6. Log out of the current user and log in again as user-a and user-b. An incognito window or a second browser makes it easy to keep both sessions open. 

  7. Upload a file to the S3 bucket as user-a


  8. Log in as user-b and try to download the file. 


  9. Try to open the downloaded file as user-b
  10. Download the file and open it as user-a




And it works.
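The same experiment, scripted so it can be repeated without clicking through two browser sessions. This is an added example, not code from the post: it assumes boto3 is installed, AWS CLI profiles named user-a and user-b holding each user's access keys, and that you pass your own bucket name, an object key and the KMS key ARN; the two helper functions run without any AWS credentials.

```python
from typing import Dict

PAYLOAD = b"secret payload"  # constructed test content for the upload


def sse_kms_matches(head: Dict, key_arn: str) -> bool:
    """True if a HeadObject response shows SSE-KMS with the expected key ARN."""
    return (head.get("ServerSideEncryption") == "aws:kms"
            and head.get("SSEKMSKeyId") == key_arn)


def classify_get_object_error(error_response: Dict) -> str:
    """Turn a botocore error response (exc.response) into a short verdict.

    S3 decrypts SSE-KMS objects server side using the caller's identity, so a
    caller without kms:Decrypt on the key receives AccessDenied (the message
    normally names kms:Decrypt) instead of an encrypted copy of the object.
    """
    err = error_response.get("Error", {})
    code, msg = err.get("Code", ""), err.get("Message", "")
    if code == "AccessDenied" and "kms" in msg.lower():
        return "denied-by-kms"
    if code == "AccessDenied":
        return "denied-by-s3"
    return "unexpected:" + (code or "none")


def run_experiment(bucket: str, key: str, key_arn: str,
                   profile_a: str = "user-a", profile_b: str = "user-b") -> Dict:
    """Steps 7-10 of the post: user-a uploads, then user-b and user-a download."""
    import boto3  # imported here so the checks above run without AWS
    from botocore.exceptions import ClientError

    s3_a = boto3.Session(profile_name=profile_a).client("s3")
    s3_b = boto3.Session(profile_name=profile_b).client("s3")
    results = {}
    s3_a.put_object(Bucket=bucket, Key=key, Body=PAYLOAD)
    head = s3_a.head_object(Bucket=bucket, Key=key)
    results["object_uses_expected_key"] = sse_kms_matches(head, key_arn)
    try:
        s3_b.get_object(Bucket=bucket, Key=key)["Body"].read()
        results["user_b"] = "downloaded"  # key policy or IAM grants user-b too much
    except ClientError as exc:
        results["user_b"] = classify_get_object_error(exc.response)
    body = s3_a.get_object(Bucket=bucket, Key=key)["Body"].read()
    results["user_a"] = "downloaded" if body == PAYLOAD else "corrupt"
    return results


if __name__ == "__main__":
    import sys
    print(run_experiment(*sys.argv[1:4]))  # args: bucket object-key kms-key-arn
```

A correct setup yields `object_uses_expected_key: True`, `user_b: denied-by-kms` and `user_a: downloaded`; any other combination points at the bucket default encryption or the key policy.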

That's why it is a good idea to use KMS on an S3 bucket. You can grant permissions on a specific bucket with a bucket policy, or attach an IAM policy to the user's identity. Imagine an intruder obtained your file and used it carelessly. If an account is hijacked and the hijacker reaches the file, they still cannot open it, because the file is encrypted with KMS. Getting hold of a file is useless if you cannot open it.

Keep exploring. Cheers! 🍻