Troubleshoot KMS Key Policies

Hands-On Lab

 


Trent Hayes

Training Architect

Length

00:30:00

Difficulty

Intermediate

In this hands-on learning activity, you will work with the AWS Key Management Service (KMS) to define a policy which restricts access to encrypted objects in S3 buckets. When working with S3, we already know we can apply a bucket policy which can restrict object access to specific users or groups. However, when working with encrypted objects in S3, we can use the encryption key's policy to restrict access as well.

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.


Introduction

In this hands-on learning activity, you will work with the AWS Key Management Service (KMS) to define a policy which restricts access to encrypted objects in S3 buckets.

Solution

Log in to the AWS Management Console using the credentials provided on the lab instructions page. Make sure you're using the us-east-1 region.

Create the Encryption Key

  1. In the AWS Management Console, click on IAM.

  2. Click Encryption keys from the left-hand menu.

  3. Click Get Started Now.

  4. Click Create key.

  5. Under Alias (required), enter "mykey".

  6. Click Next Step.

  7. Click Next Step.

  8. Select the checkbox next to cloud_user.

  9. Click Next Step.

  10. Click Next Step.

  11. Select the entire key policy and copy it to the clipboard.

  12. Click Finish.

Configure the Encryption Key for Users

  1. Click mykey.

  2. Under Key Users, click Add.

  3. Select the checkbox next to user-1.

  4. Click Attach.

  5. On the Key Policy row, click the Switch to policy view link.

  6. Select the permissions for user-1 and copy them.

  7. Paste the copy at the end of the existing permission statements.

  8. Update the "Sid" and "Effect" to deny the use of the key.

    "Sid": "Deny use of the key",
    "Effect": "Deny",
  9. In the pasted statement, update the "AWS" entry to reference user-2.

  10. Replace the "Action" section with the following.

    "Action": [
      "kms:*"
    ],
  11. Click Save Changes.

  12. Click Proceed.

Create a Bucket Using the Key and Upload an Object

  1. Select Services from the top menu bar.

  2. Select S3.

  3. Click + Create bucket.

  4. Under Bucket name enter "mybucket" with several random numbers afterward to ensure uniqueness.

  5. Click Next.

  6. Select Default encryption.

  7. Select AWS-KMS.

  8. From the dropdown, select mykey.

  9. Click Save.

  10. Click Next.

  11. Click Next.

  12. Click Create bucket.

  13. Click on the bucket name.

  14. Click the Upload button.

  15. Click Add files and select any file from your local drive.

  16. Select a file to upload.

  17. Click Next.

  18. Click Next.

  19. Click Upload.

Test the Policy

  1. Log out of the AWS Console.

  2. Log back into AWS using the user-1 credentials provided on the lab page.

  3. Click S3.

  4. Click the bucket name.

  5. Click the uploaded file.

  6. Click the Download button and verify the download works.

  7. Log out of the AWS Console.

  8. Log back into AWS using the user-2 credentials provided on the lab page.

  9. Click S3.

  10. Click the bucket name.

  11. Click the uploaded file.

  12. Click the Download button and verify you receive an access denied message.
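The key policy assembled in steps 5 through 10 of "Configure the Encryption Key for Users" and the two download checks in "Test the Policy" above, as an added Python example that is not part of the original lab: it builds the policy with the Deny statement the lab pastes in, then runs a simplified evaluator over it to show why user-1's download succeeds and user-2's fails. The account ID and user ARNs are constructed placeholders, the "Allow use of the key" action list is assumed to be the standard key-user set the console generates, and the evaluator is a deliberately reduced model of IAM evaluation (explicit Deny beats Allow, otherwise implicit deny) rather than the real engine.

```python
import fnmatch
import json

# Constructed sample identifiers; the lab's real account ID and ARNs are not on the page.
ACCOUNT_ID = "111122223333"
KEY_USER = f"arn:aws:iam::{ACCOUNT_ID}:user/user-1"
DENIED_USER = f"arn:aws:iam::{ACCOUNT_ID}:user/user-2"

# Assumed: the actions the console grants a "key user" when you click Add under Key Users.
KEY_USER_ACTIONS = [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey",
]


def build_key_policy(account_id: str, key_user_arn: str, denied_user_arn: str) -> dict:
    """Return a key policy with the root-account statement, an Allow for the key user,
    and the Deny statement the lab pastes in (Sid, Effect, AWS and Action edited)."""
    return {
        "Version": "2012-10-17",
        "Id": "key-policy-mykey",
        "Statement": [
            {
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "Allow use of the key",
                "Effect": "Allow",
                "Principal": {"AWS": key_user_arn},
                "Action": KEY_USER_ACTIONS,
                "Resource": "*",
            },
            {
                # Copy of the Allow statement with Sid/Effect/AWS/Action changed per steps 8-10.
                "Sid": "Deny use of the key",
                "Effect": "Deny",
                "Principal": {"AWS": denied_user_arn},
                "Action": ["kms:*"],
                "Resource": "*",
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt: dict, principal_arn: str, action: str) -> bool:
    """A statement applies when the principal is named and an action pattern matches."""
    principals = _as_list(stmt["Principal"]["AWS"])
    actions = _as_list(stmt["Action"])
    return principal_arn in principals and any(
        fnmatch.fnmatchcase(action, pattern) for pattern in actions
    )


def evaluate(policy: dict, principal_arn: str, action: str) -> str:
    """Simplified evaluation: any matching explicit Deny wins over every Allow,
    and a principal with no matching Allow is implicitly denied."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _statement_matches(stmt, principal_arn, action):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


def simulate_s3_download(policy: dict, principal_arn: str) -> str:
    """Downloading an SSE-KMS object requires kms:Decrypt on the bucket's key,
    so this is the call that decides whether the console download succeeds."""
    return evaluate(policy, principal_arn, "kms:Decrypt")


if __name__ == "__main__":
    policy = build_key_policy(ACCOUNT_ID, KEY_USER, DENIED_USER)
    print(json.dumps(policy, indent=2))
    for who in (KEY_USER, DENIED_USER):
        print(who, "->", simulate_s3_download(policy, who))
```

The point the evaluator makes is the one the lab relies on: because user-2's Deny uses kms:* and an explicit Deny cannot be overridden, granting user-2 additional permissions through IAM or the bucket policy would still leave the download failing. The model ignores conditions, resource matching and the delegation to IAM policies that the root statement enables, so treat it as an illustration of precedence, not a substitute for the IAM policy simulator.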

Conclusion

Congratulations — you've completed this hands-on lab!