
AWS Locksmith: Encrypting S3 and EBS with Amazon KMS

Introduction:
As businesses and organizations increasingly store sensitive data in the cloud, security becomes a top priority. To address this need, Amazon Web Services (AWS) offers the Amazon Key Management Service (KMS) – a robust encryption solution. In this blog post, we will explore how you can use AWS KMS to enhance the security of your data that is stored in Amazon Simple Storage Service (S3) and Elastic Block Store (EBS).

Understanding AWS Key Management Service:
Amazon KMS is a comprehensive encryption service that manages the creation and control of cryptographic keys used to encrypt data. It streamlines the process of integrating encryption into your applications and workflows by providing a secure and centralized location for managing keys.

Enabling CloudTrail and S3 logging with encryption
AWS CloudTrail is a service that allows you to track and log API events from the AWS console, API, or CLI (command line interface). CloudTrail is compatible with various AWS services, including KMS (Key Management Service). The JSON-formatted log files produced by CloudTrail are delivered to an S3 bucket. Once you enable and configure CloudTrail, the JSON logs will contain KMS events that can be used for monitoring, auditing, governance, and compliance.

Let's see how to activate CloudTrail and create a Customer Master Key (CMK) that will encrypt the data CloudTrail logs in S3.

  • In the AWS Management Console search bar, enter CloudTrail, and click the CloudTrail result to open the AWS CloudTrail console:


  • Click Create trail and fill out the following details:

Trail name: Key-Trail
Enable for all accounts in my organization: Unchecked
Storage location: Create new S3 bucket
Trail log bucket and folder: keytrail-bucket-unique_number
Note: S3 bucket names must be globally unique. Append a number to "keytrail-bucket" to get a unique bucket name.
Log file SSE-KMS encryption: Checked
AWS KMS Key: New
AWS KMS alias: S3-CloudTrail


Scroll to the bottom, click Next, and fill out the form:

Event type: Ensure Management events is checked
Click Next

Review and create

In the left-hand menu, click Event history:
Events can take up to 15 minutes to appear after the API activity completes. The most recent events are listed at the top.

Note: If you encounter a significant delay, you can proceed with the following steps. However, make sure to review the Event history later to see important events recorded by CloudTrail.

In the AWS search bar at the top, enter KMS, and under Services, click the KMS result to navigate there:


In the left-hand menu, click Customer managed keys.


Select the key (alias S3-CloudTrail) you created while enabling CloudTrail:

In the row of tabs, click Key rotation.
(Here a single checkbox enables automatic rotation of the key material.)

In the AWS search bar at the top, enter S3, and under Services, click the S3 result to navigate there:

Select the bucket you created earlier (keytrail-bucket-#).

To access your data, navigate through the folders and follow the path including your AWS account ID, region, and date.
If you see two folders, click on CloudTrail and not CloudTrail-Digest.

Upon checking, you will find compressed JSON files in the directory. These are the log files sent from CloudTrail to S3:


The Customer Master Key (CMK) has been successfully created and is now available for use in both encrypting and decrypting data that is at rest, whether it's on S3 (as in the example above) or an EBS volume. You can also use a similar process to search for other KMS-related events within a given day's CloudTrail log files, such as EnableKey, DisableKey, and so on.
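The paragraph above says the compressed JSON objects in the bucket can be searched for KMS events such as EnableKey and DisableKey. The script below, an added example that is not part of the original post, does exactly that offline: it builds a small constructed CloudTrail log object (same gzipped `{"Records": [...]}` layout CloudTrail delivers to S3, but with invented account number, key ID, user name and timestamps), decompresses it, keeps only records whose eventSource is kms.amazonaws.com, and flags the control-plane calls that change a key's availability. The set of "sensitive" event names is my own choice for the example, not something the post defines.

```python
"""Filter KMS events out of a CloudTrail log object as delivered to S3.

CloudTrail writes each log file as a gzipped JSON document with a top-level
"Records" list. This example builds one such object in memory from constructed
records, then extracts the KMS records the way you would when auditing use of
the CMK created above.
"""
import gzip
import io
import json

# Constructed sample log: field names follow the CloudTrail record schema, but
# the account number, key id, user name and timestamps are made up.
SAMPLE_LOG = {
    "Records": [
        {"eventTime": "2024-01-15T10:00:00Z", "eventSource": "s3.amazonaws.com",
         "eventName": "PutObject", "awsRegion": "us-west-2",
         "userIdentity": {"type": "AWSService", "invokedBy": "cloudtrail.amazonaws.com"},
         "resources": []},
        {"eventTime": "2024-01-15T10:00:01Z", "eventSource": "kms.amazonaws.com",
         "eventName": "GenerateDataKey", "awsRegion": "us-west-2",
         "userIdentity": {"type": "AWSService", "invokedBy": "s3.amazonaws.com"},
         "resources": [{"type": "AWS::KMS::Key",
                        "ARN": "arn:aws:kms:us-west-2:111122223333:key/EXAMPLE-KEY-ID"}]},
        {"eventTime": "2024-01-15T10:05:00Z", "eventSource": "kms.amazonaws.com",
         "eventName": "EnableKeyRotation", "awsRegion": "us-west-2",
         "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/key-admin"},
         "resources": [{"type": "AWS::KMS::Key",
                        "ARN": "arn:aws:kms:us-west-2:111122223333:key/EXAMPLE-KEY-ID"}]},
        {"eventTime": "2024-01-15T11:30:00Z", "eventSource": "ec2.amazonaws.com",
         "eventName": "DescribeVolumes", "awsRegion": "us-west-2",
         "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/key-admin"},
         "resources": []},
        {"eventTime": "2024-01-15T11:45:00Z", "eventSource": "kms.amazonaws.com",
         "eventName": "DisableKey", "awsRegion": "us-west-2",
         "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/key-admin"},
         "resources": [{"type": "AWS::KMS::Key",
                        "ARN": "arn:aws:kms:us-west-2:111122223333:key/EXAMPLE-KEY-ID"}]},
    ]
}

# Example choice: control-plane calls that reduce a key's availability or
# change who may use it. Worth an alert when they appear in the daily logs.
SENSITIVE_KMS_EVENTS = {"DisableKey", "ScheduleKeyDeletion", "PutKeyPolicy", "DisableKeyRotation"}


def build_sample_log() -> bytes:
    """Gzip the constructed records the way CloudTrail delivers a log object."""
    return gzip.compress(json.dumps(SAMPLE_LOG).encode("utf-8"))


def load_records(gz_bytes: bytes) -> list:
    """Decompress one CloudTrail log object and return its Records list."""
    with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes)) as fh:
        return json.load(fh)["Records"]


def principal_of(record: dict) -> str:
    """Who made the call: IAM ARN if present, else the invoking service, else the identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("invokedBy") or ident.get("type", "unknown")


def kms_events(records: list, names=None) -> list:
    """Return KMS records (optionally only those named in `names`) as compact summaries."""
    out = []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        if names is not None and rec.get("eventName") not in names:
            continue
        key_arns = [r["ARN"] for r in rec.get("resources", []) if r.get("type") == "AWS::KMS::Key"]
        out.append({
            "eventTime": rec["eventTime"],
            "eventName": rec["eventName"],
            "principal": principal_of(rec),
            "keyArn": key_arns[0] if key_arns else None,
        })
    return out


def count_kms_events(records: list) -> dict:
    """Count KMS records per API name, e.g. to spot an unexpected DisableKey."""
    counts = {}
    for ev in kms_events(records):
        counts[ev["eventName"]] = counts.get(ev["eventName"], 0) + 1
    return counts


if __name__ == "__main__":
    recs = load_records(build_sample_log())
    for ev in kms_events(recs, SENSITIVE_KMS_EVENTS):
        print(f"ALERT {ev['eventTime']} {ev['eventName']} by {ev['principal']} on {ev['keyArn']}")
    print(count_kms_events(recs))
```

Against a real bucket you would feed `load_records` the bytes of each object under the CloudTrail/ prefix (not CloudTrail-Digest/, which holds integrity digests rather than events). The GenerateDataKey call invoked by s3.amazonaws.com is the data-plane trace of SSE-KMS encrypting a log object; the IAM-user DisableKey record is the kind of event the filter is meant to surface.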

Create a Customer Master Key (CMK)

In the AWS Management Console search bar, enter KMS, and click the KMS result to navigate there:


Select Customer managed keys in the left side-bar of the KMS console.

Click Create Key

Key type: Symmetric (Symmetric keys are suitable for most data encryption applications. The same key is used for both encrypt and decrypt operations with symmetric key algorithms.)
Key usage: Encrypt and decrypt


Scroll down, expand Advanced Options, and set the following values:

Key Material Origin: Leave as KMS (default).
Regionality: Single-Region key


Click Next

Set the following values before clicking Next (leave the default values for other fields)

Alias: Test-CMK-key

Click Next to reach the Define Key Administrative Permissions page and leave the default values.

Click Next to reach the Define Key Usage Permissions page.
Click Next to preview the key policy, then click Finish when ready.

The CMK is created.

Create a simple EC2 instance with an unencrypted EBS volume.

Create an Encrypted EBS Volume
First, check if your running instance uses a non-encrypted EBS-backed root device. Then, create an encrypted EBS volume using a CMK, attach it, and confirm encryption on the volume from the console and CloudTrail.

Click Volumes in the left side-bar below Elastic Block Store in EC2 console.

Click Create Volume and fill out the dialog box:

Size: 3 (Since we are not doing anything with a lot of data, it's OK to make this quite small.)
Availability Zone: us-west-2a (Select the same AZ as your running instance.)
Encryption: Check this (Once selected, it will expand to show Key information.)
Master Key: Test-CMK-key (Select the CMK you created earlier.)

Click Create.

Select the EBS volume and click Actions > Attach Volume. Click in the Instance field and select your running instance.

After the Instance is selected, a default Device is set.

Click Attach when ready. The State transitions from available to in-use.
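The procedure above starts by checking whether the instance's root device is unencrypted and ends by confirming the new volume is encrypted with the CMK. As an added example (not code from the original post), the script below performs that check programmatically over a constructed response in the shape `ec2:DescribeVolumes` returns (the same structure boto3's `describe_volumes()` gives you); every volume ID, instance ID and key ARN in it is a placeholder. It goes beyond the single case in the post by also listing unencrypted volumes account-wide and grouping volumes by the KMS key protecting them. The root device name `/dev/xvda` is an assumption; it depends on the AMI.

```python
"""Audit EBS volumes for encryption at rest from a DescribeVolumes-shaped response.

Works on the data structure returned by ec2:DescribeVolumes; here the response
is constructed inline so the example runs offline.
"""

# Placeholder ARN standing in for the Test-CMK-key created above.
EXPECTED_CMK_ARN = "arn:aws:kms:us-west-2:111122223333:key/EXAMPLE-CMK-ID"

# Constructed response: field names are those of ec2:DescribeVolumes, IDs are fake.
SAMPLE_RESPONSE = {
    "Volumes": [
        {   # root volume created with the instance; not encrypted
            "VolumeId": "vol-0example0root", "Size": 8, "AvailabilityZone": "us-west-2a",
            "State": "in-use", "Encrypted": False,
            "Attachments": [{"InstanceId": "i-0example0instance", "Device": "/dev/xvda", "State": "attached"}],
        },
        {   # the 3 GiB volume created with the CMK and attached afterwards
            "VolumeId": "vol-0example0data", "Size": 3, "AvailabilityZone": "us-west-2a",
            "State": "in-use", "Encrypted": True, "KmsKeyId": EXPECTED_CMK_ARN,
            "Attachments": [{"InstanceId": "i-0example0instance", "Device": "/dev/sdf", "State": "attached"}],
        },
        {   # encrypted with a different key and not attached to anything
            "VolumeId": "vol-0example0stray", "Size": 10, "AvailabilityZone": "us-west-2a",
            "State": "available", "Encrypted": True,
            "KmsKeyId": "arn:aws:kms:us-west-2:111122223333:key/OTHER-KEY-ID",
            "Attachments": [],
        },
    ]
}


def unencrypted_volumes(response: dict) -> list:
    """Volume IDs with Encrypted == False: the finding to drive to zero."""
    return [v["VolumeId"] for v in response["Volumes"] if not v.get("Encrypted", False)]


def volumes_by_key(response: dict) -> dict:
    """Group volume IDs by the KMS key protecting them; unencrypted ones fall under 'none'."""
    groups = {}
    for v in response["Volumes"]:
        key = v.get("KmsKeyId") if v.get("Encrypted", False) else "none"
        groups.setdefault(key, []).append(v["VolumeId"])
    return groups


def classify_volume(volume: dict, expected_key_arn: str) -> str:
    """Status label used in per-instance reports."""
    if not volume.get("Encrypted", False):
        return "unencrypted"
    if volume.get("KmsKeyId") == expected_key_arn:
        return "encrypted-with-expected-cmk"
    return "encrypted-with-other-key"


def audit_instance(response: dict, instance_id: str, expected_key_arn: str) -> dict:
    """Map each device attached to `instance_id` to its encryption status."""
    report = {}
    for v in response["Volumes"]:
        for att in v.get("Attachments", []):
            if att.get("InstanceId") == instance_id and att.get("State") == "attached":
                report[att["Device"]] = classify_volume(v, expected_key_arn)
    return report


def root_device_encrypted(response: dict, instance_id: str, expected_key_arn: str,
                          root_device: str = "/dev/xvda") -> bool:
    """True only when the root device is attached and encrypted (with any key)."""
    status = audit_instance(response, instance_id, expected_key_arn).get(root_device)
    return status is not None and status != "unencrypted"


if __name__ == "__main__":
    print("Unencrypted volumes:", unencrypted_volumes(SAMPLE_RESPONSE))
    print("Volumes by key:", volumes_by_key(SAMPLE_RESPONSE))
    print("Instance report:", audit_instance(SAMPLE_RESPONSE, "i-0example0instance", EXPECTED_CMK_ARN))
    print("Root encrypted:", root_device_encrypted(SAMPLE_RESPONSE, "i-0example0instance", EXPECTED_CMK_ARN))
```

In a real account you would replace `SAMPLE_RESPONSE` with the output of `describe_volumes()` (paginated for large fleets). Note that attaching an encrypted data volume does not change the root volume's status: an existing unencrypted volume cannot be encrypted in place, so the `unencrypted` finding on `/dev/xvda` is expected here and is fixed by snapshotting the volume, copying the snapshot with encryption under the CMK, and creating a new volume from that copy.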

In this way, we have encrypted both the S3 and the EBS data.
