Skip to main content

AWS Security Essentials – KMS Integration with S3

Hands-On Lab


Photo of

Training Architect





AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data, and uses FIPS 140-2 validated hardware security modules to protect the security of your keys. AWS Key Management Service is integrated with most other AWS services to help you protect the data you store with these services. AWS Key Management Service is also integrated with AWS CloudTrail and S3 to provide you with logs of all key usage to help meet your regulatory and compliance needs.

This activity allows the student to get experience with how KMS integrates with services in AWS while encrypting S3 data with a default master-key as well as a custom key created by them.

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.

KMS Integration with S3

Before getting started, make sure you're logged in to the AWS web console and have selected the N. Virginia region (us-east-1). You'll also need a few document files – you can use text files or PDFs that you already have on your computer.

Create an Encrypted S3 Bucket

From the main AWS page, navigate to S3 from the services menu.

Next, click Create Bucket. For the bucket name, enter mytestbucket followed by several random digits to make it unique. Click Next, then click Versioning and select Enable versioning. Click Save to apply this setting.

Click Default encryption and select AWS-KMS. From the dropdown menu, select aws/s3. This will be our master key name. Click Next.

Finally, make sure both the "Read" and "Write" checkboxes are set on the permissions screen for the bucket. Click Next, review the settings, and click Create bucket.

Upload a File

The location for managing KMS Keys has changed. Instead of going to IAM, navigate to the KMS service. Navigate back to S3 from the services menu.

Click Upload and select a document from your computer. Click Next, making sure that the owner has both "Read" and "Write" permissions and that public access is turned off, then click Next again. On the properties screen, leave the default settings (encryption will be set to "None") and click Next, then Upload.

From the S3 bucket, select the document you just uploaded. The object's "Overview" screen will indicate that it's encrypted with a KMS key. This happens because we set KMS encryption on the bucket itself.

Navigate back to KMS from the services menu, and select AWS managed keys from the menu on the left. This time, we'll see our aws/s3 key, which was created when we uploaded our first file.

Creating Multiple Master KMS Keys

We can also use the KMS console to create multiple master keys. To start, go under Customer managed keys at the top of the page. Enter a name of your choosing, such as my_s3_key for the Alias as well as the Description. Click Next Step.

We won't be adding tags, so click Next Step. We'll also skip adding key administrators and usage permissions; click Next Step two more times.

On the final screen, we can review our key policy and click Finish. On the list of keys, we'll now see the my_s3_key we just created.

Using a Created KMS Master Key

Next, we'll learn how to use the key we created.

Navigate back to S3 from the services menu. Click Create Folder and enter a name like myFolder. Below the name field, choose the AWS-KMS encryption setting and select my_s3_key from the dropdown menu. Click Save.

We'll navigate into our newly created folder by clicking its name in our S3 bucket. Click Upload and select another file from your computer. Click Next, make sure that the owner has "Read" and "Write" permissions and that public access is turned off, and click Next again. Leave the default properties (encryption will again be set to "None") and click Next, then Upload.

Click the object's name once it has been uploaded, and we'll see that it has been encrypted with KMS as well. To check its encryption settings, note the last few digits of the KMS key ID, and compare it to the ID of the original document we uploaded. The keys' IDs will match, meaning that both documents are encrypted using the same key - the default aws/s3 key.

This happens because the bucket policy overrides that of the folder within it. In order to use our created key, we'll need to set encryption on the document itself.

Select the second document you uploaded to S3 (within myFolder) and select the Properties tab at the top of the screen. Click Encryption. Below the AWS-KMS option, select my_s3_key from the dropdown menu. Click Save.

Click the Overview tab at the top of the page. This time, the KMS key ID will be different, indicating that the document has been encrypted with the key we created.


In this lab, we created an S3 bucket and configured it to use KMS encryption. We also learned how to create our own KMS keys and configure documents to use them for encryption (rather than default keys).

Remember: S3 bucket encryption policies override the settings of the folders within them. If you need to use separate encryption keys for some documents within a bucket, you will need to change the settings on each document individually.

Congratulations! You've completed the lab on KMS integration with S3!