· 6 years ago · Mar 17, 2020, 09:56 AM
SPL-87 - Version 2.0.9

© 2020 Amazon Web Services, Inc. and its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or in part, without prior written permission from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited.

Errors or corrections? Email us at aws-course-feedback@amazon.com.

Other questions? Contact us at https://aws.amazon.com/contact-us/aws-training/

Lab Overview

This self-paced lab is an introduction to AWS Key Management Service (KMS). It walks through the basic steps required to get started with KMS: creating a key, assigning management and usage permissions for the key, encrypting data with it, and monitoring access to and usage of the key with CloudTrail.

Topics covered

By the end of this lab you will be able to:

Create an encryption key in KMS
Create an S3 bucket that receives CloudTrail log files
Encrypt data stored in an S3 bucket using that key
Monitor encryption key usage using CloudTrail
Manage which users and roles can administer and use encryption keys

Prerequisites

Some familiarity with access control management (IAM users, roles and policies).

It is strongly recommended to complete this lab using the Google Chrome web browser. If you cannot use Google Chrome, you will need a utility on your computer that can open gzip compressed files (*.gz), because CloudTrail delivers its log files in that format.

AWS Key Management Service (KMS)

AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. Key material is generated in and protected by hardware security modules (HSMs), and the plaintext of a symmetric KMS key never leaves them: callers send data, or a data key, to KMS to be encrypted or decrypted rather than retrieving the key itself. KMS is integrated with many other AWS services to help you protect the data you store with those services. It is also integrated with AWS CloudTrail, which records every API call made against each key, so you can audit key usage to help meet your regulatory and compliance needs.

AWS CloudTrail

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides an event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services (in this lab, the KMS calls that S3 makes on your behalf). This event history simplifies security analysis, resource change tracking, and troubleshooting.

Amazon S3

Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere – web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every industry. S3 provides comprehensive security and compliance capabilities that meet even the most stringent regulatory requirements. It gives customers flexibility in the way they manage data for cost optimization, access control, and compliance. S3 is the only cloud storage solution with query-in-place functionality, allowing you to run powerful analytics directly on your data at rest in S3. And Amazon S3 is the most supported storage platform available, with the largest ecosystem of ISV solutions and systems integrator partners.

Start Lab

At the top of your screen, launch your lab by clicking Start Lab.

This will start the process of provisioning your lab resources. An estimated amount of time to provision your lab resources will be displayed. You must wait for your resources to be provisioned before continuing.

If you are prompted for a token, use the one distributed to you (or credits you have purchased).

Open your lab by clicking Open Console.

This will automatically log you into the AWS Management Console.

Please do not change the Region unless instructed.

Common login errors

Error: Federated login credentials

If you see this message:

Close the browser tab to return to your initial lab window
Wait a few seconds
Click Open Console again

You should now be able to access the AWS Management Console.

Error: You must first log out

If you see the message "You must first log out before logging into a different AWS account":

Click the click here link
Close your browser tab to return to your initial Qwiklabs window
Click Open Console again

Task 1: Create Your KMS Master Key

In this task you will create a KMS master key (in current AWS terminology, a symmetric KMS key). A KMS master key enables you to encrypt your data across AWS services and within your own applications. The key itself stays inside KMS; services such as S3 call KMS to generate per-object data keys that are protected under it.

In the AWS Management Console, on the Services menu, click Key Management Service.
Click Create a key, then configure:

On the Configure key page, select Symmetric

Click Next

On the Add labels page, configure:

Alias: myFirstKey

Description:

Click Next

It is a good practice to state in the description which services the encryption key will be associated with.

On the Define key administrative permissions page, select the user or role you're signed into the Console with.

This user is displayed at the top of the page, to the left of the Region.

Click Next

Key Administrators are users or roles that will manage the key and access to it (for example, change its policy, enable rotation or schedule deletion). Being a Key Administrator does not by itself grant permission to encrypt or decrypt with the key.

On the Define key usage permissions page, select the user or role you're signed into the Console with.
Click Next

Key Users are the users or roles that will use the key to encrypt and decrypt data (and to generate data keys).

On the Review and edit key policy page:

Review the key policy
Click Finish

The key policy is the resource policy attached to the key, generated from your selections on the previous pages: one statement lets IAM policies in the account grant access to the key, one grants the administrative actions to the Key Administrators, one grants the usage actions (kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey*, kms:DescribeKey) to the Key Users, and one lets the Key Users create grants for AWS resources that use the key. Check that every principal listed is one you intended.

Copy the Key ID for myFirstKey to a text editor.

You will use the Key ID later when looking at the log activity for this KMS key.

Task 2: Configure CloudTrail to Store Logs In An S3 Bucket

In this task you will configure CloudTrail to deliver its log files to a new S3 bucket.

On the Services menu, click CloudTrail.
If you see the Get Started Now button, click it. If not, continue to the next step.
In the navigation pane on the left, click Trails.
In the Trails section, click Create trail, then configure:

Trail name:

Apply trail to all regions: No

Create a new S3 bucket: Yes

S3 bucket*: mycloudtrailbucketNUMBER

Replace NUMBER with a random number. Bucket names are global, so the number makes yours unique.

Click Create

A single-Region trail is enough for this lab because the key and the bucket are both in the current Region. In a production account, apply the trail to all Regions so that key usage (and everything else) in other Regions is logged too.

Task 3: Upload an Image to Your S3 Bucket And Encrypt It

In this task, you will upload an image file to your S3 bucket and encrypt it using the encryption key you created earlier. You will use the S3 bucket created in the previous task (the same one that receives the CloudTrail logs) to store the image file.

On the Services menu, click S3.
Click mycloudtrailbucket*.
Click Upload

This will bring you to the Select files dialog box.

At (1) Select files:

Click Add files
Browse to and select an image file on your computer
Click Next

This will bring you to the (2) Set permissions dialog box.

At (2) Set permissions, click Next

This will bring you to the (3) Set properties dialog box.

At (3) Set properties, configure:

Encryption: AWS KMS master-key

Select a key: myFirstKey

Click Next

This will bring you to the Review dialog box.

At (4) Review, click Upload

The image file will be uploaded. S3 encrypts it server-side (SSE-KMS): it asks KMS for a data key under myFirstKey, encrypts the object with that data key, and stores the encrypted copy of the data key alongside the object.

Click the name of the image file.
In the Overview tab for the file, record the Last modified time to your text editor.

Task 4: Access The Encrypted Image

In this task, you will try to access the encrypted image through both the AWS Management Console and the S3 object URL.

In the Overview tab, click Open

The image opens in a new tab/window.

Amazon S3 and AWS KMS perform the following actions when you request that your data be decrypted:

Amazon S3 sends the encrypted data key stored with the object to AWS KMS, together with the object's encryption context (its bucket and key name)
AWS KMS checks that the requesting principal is allowed to use the key, decrypts the data key using the appropriate master key and sends the plaintext data key back to Amazon S3
Amazon S3 decrypts the ciphertext and removes the plaintext data key from memory as soon as possible
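The following is an added example, not part of the lab, that simulates the exchange just described (and the matching GenerateDataKey call S3 makes on upload) offline. FakeKms stands in for AWS KMS and holds the master key, which the S3 side never sees; the bucket name, key ID and object bytes are constructed. Because the Python standard library has no AES, the cipher is a stand-in built from HMAC-SHA256 in counter mode with an encrypt-then-MAC tag; real S3 and KMS use AES-256-GCM. It also shows the failure mode the lab does not: asking KMS to decrypt a data key under a different encryption context than it was generated with is rejected, which is how KMS ties each data key to one object ARN.

```python
# Added example (not from the lab): envelope encryption between "S3" and a fake KMS.
# Stand-in cipher: HMAC-SHA256 keystream in counter mode + HMAC tag (not AES-GCM).
import hashlib
import hmac
import json
import secrets
import struct


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keys for the keystream and the tag, derived from one 32-byte key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Authenticated encryption stand-in. Output: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), aad + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), aad + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("InvalidCiphertext: tag or encryption context mismatch")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def _context_bytes(encryption_context: dict) -> bytes:
    # KMS binds the encryption context to the ciphertext as additional
    # authenticated data; S3 uses {"aws:s3:arn": <object ARN>}.
    return json.dumps(encryption_context, sort_keys=True).encode()


class FakeKms:
    """Stands in for AWS KMS. The master key never leaves this object."""

    def __init__(self, key_id: str):
        self.key_id = key_id
        self._master = secrets.token_bytes(32)
        self.log = []  # plays the role of CloudTrail

    def generate_data_key(self, key_id: str, encryption_context: dict):
        if key_id != self.key_id:
            raise KeyError("NotFoundException")
        self.log.append(("GenerateDataKey", key_id, encryption_context))
        plaintext_key = secrets.token_bytes(32)
        encrypted_key = seal(self._master, plaintext_key, _context_bytes(encryption_context))
        return plaintext_key, encrypted_key

    def decrypt(self, encrypted_key: bytes, encryption_context: dict) -> bytes:
        self.log.append(("Decrypt", self.key_id, encryption_context))
        return unseal(self._master, encrypted_key, _context_bytes(encryption_context))


def s3_put_object(kms: FakeKms, key_id: str, bucket: str, name: str, data: bytes) -> dict:
    """What S3 does for an SSE-KMS upload: one data key per object."""
    ctx = {"aws:s3:arn": f"arn:aws:s3:::{bucket}/{name}"}
    data_key, encrypted_data_key = kms.generate_data_key(key_id, ctx)
    stored = {"ciphertext": seal(data_key, data), "encrypted_data_key": encrypted_data_key, "ctx": ctx}
    del data_key  # plaintext data key discarded as soon as the object is encrypted
    return stored


def s3_get_object(kms: FakeKms, stored: dict) -> bytes:
    """What S3 does on read: ask KMS for the plaintext data key, then decrypt."""
    data_key = kms.decrypt(stored["encrypted_data_key"], stored["ctx"])
    try:
        return unseal(data_key, stored["ciphertext"])
    finally:
        del data_key


if __name__ == "__main__":
    kms = FakeKms("1234abcd-12ab-34cd-56ef-1234567890ab")  # placeholder key ID
    obj = s3_put_object(kms, kms.key_id, "mycloudtrailbucket10619", "Eiffel.jpg", b"\xff\xd8 jpeg bytes")
    assert s3_get_object(kms, obj) == b"\xff\xd8 jpeg bytes"
    print([e[0] for e in kms.log])
```

Two things to notice when running it: the object's ciphertext and the encrypted data key are useless on their own, because only the holder of the master key (KMS) can turn the encrypted data key back into plaintext, and every such request is recorded in kms.log just as CloudTrail records the real calls you will inspect in Task 5.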

Close the window/tab that shows your image.
Copy the S3 Object URL at the bottom of the page to your text editor.

The S3 Object URL should look similar to https://mycloudtrailbucket10619.s3-us-west-2.amazonaws.com/Eiffel.jpg

Paste the S3 Object URL that you copied earlier into a new browser tab/window.
Press Enter.
What does the page show?

It should show Access Denied. This is because, by default, public (unauthenticated) access to objects is not allowed; the console view worked because it was a signed request made by your signed-in user.

In the S3 Management Console, on the Overview tab for your image, click Make public
Refresh the screen for the new tab/window that you opened earlier.
What do you see?

Because the image is encrypted with a KMS key, you are still not able to view it using the public link. You should see a message saying "Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4". An anonymous request carries no AWS identity for S3 to present to KMS, so there is no principal that the key policy could authorize to decrypt the object's data key. This is a useful property of SSE-KMS: even an object accidentally made public is unreadable without permission to use the key.

If you are uploading or accessing objects encrypted by SSE-KMS, you need to use AWS Signature Version 4 (SigV4). Signature Version 4 is the process of adding authentication information to AWS requests: the request is canonicalized, hashed, and signed with a key derived from your secret access key, the date, the Region and the service, so that the secret itself is never transmitted. When you use the AWS Command Line Interface (AWS CLI) or one of the AWS SDKs to make requests to AWS, these tools automatically sign the requests for you with the access key that you specify when you configure the tools, so you don't need to implement signing yourself. For more information on this process read this blog post: blog post
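The following is an added example, not part of the lab, of the Signature Version 4 computation the CLI and SDKs perform for you, written out for a GET of an S3 object. The access key, host and timestamp are constructed placeholders and the secret key is the example value from the AWS documentation; nothing is sent anywhere, the function only returns the headers a signed request would carry.

```python
# Added example (not from the lab): SigV4 signing of an S3 GET, standard library only.
import hashlib
import hmac
from urllib.parse import quote


def _hex_sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def derive_signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request")."""
    key = ("AWS4" + secret_key).encode()
    for part in (date_stamp, region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key


def sign_s3_get(access_key: str, secret_key: str, region: str, host: str, path: str, amz_date: str) -> dict:
    """Return the headers for a SigV4-signed GET of https://{host}{path}.

    amz_date is the request time in ISO 8601 basic format, e.g. 20200317T095600Z.
    """
    service = "s3"
    date_stamp = amz_date[:8]
    payload_hash = _hex_sha256(b"")  # GET has an empty body
    headers = {"host": host, "x-amz-content-sha256": payload_hash, "x-amz-date": amz_date}

    # Step 1: canonical request (method, URI, query, headers, signed headers, payload hash)
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in sorted(headers.items()))
    signed_headers = ";".join(sorted(headers))
    canonical_request = "\n".join(
        ["GET", quote(path, safe="/"), "", canonical_headers, signed_headers, payload_hash]
    )

    # Step 2: string to sign binds the request to a date, Region and service
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, _hex_sha256(canonical_request.encode())]
    )

    # Step 3: sign with the derived key; the secret access key itself never leaves the client
    signing_key = derive_signing_key(secret_key, date_stamp, region, service)
    signature = hmac.new(signing_key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["Authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return headers


if __name__ == "__main__":
    signed = sign_s3_get(
        "AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "us-west-2",
        "mycloudtrailbucket10619.s3-us-west-2.amazonaws.com", "/Eiffel.jpg", "20200317T095600Z",
    )
    for name, value in signed.items():
        print(f"{name}: {value}")
```

The signature covers the host, the date and the path, so a captured Authorization header cannot be replayed against a different object or, after the 15-minute clock skew window S3 allows, at all. That is the identity S3 forwards to KMS when it asks for the object's data key; the public link has none.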

Close the new tab/window.

Task 5: Monitor KMS Activity Using CloudTrail Logs

In this task, you will open your CloudTrail log files and view the log entries related to your encryption operations.

In the AWS Management Console, click the Amazon S3 link to return to the S3 root.
Click mycloudtrailbucket*.
Drill down through the AWSLogs folders until you get to a folder that contains log file(s).

The path should look similar to: Amazon S3 > AWSLogs > 197167081626 > CloudTrail > us-west-2 > 2019 > 07 > 10

If you don't see any log files, click the refresh button every few seconds until you see a log file.

The log files will have an extension of *.json.gz

Do you see a log file whose Last modified date is later than the time stamp for the image file you uploaded? ________
If there isn't a log file whose Last modified date is later than the time stamp of the uploaded image file, continue to click the refresh button every few seconds until there is.

It can take up to 5 minutes to see a log file that has a Last modified time stamp later than the time stamp of the image file that you uploaded. CloudTrail delivers log files in batches, typically within about 5 minutes of the API call, which is why the entries you are looking for may not be in the first file that appears.

Click the latest log file in the list.
In the Overview tab, click Open.
If you see a pop-up security warning, confirm that you want to open the file. If not, continue to the next step.

Your browser security settings may simply ignore the pop-up. If you do not see any file being opened and do not see a pop-up alert, you should enable pop-ups in your browser's settings.

If you are not using Google Chrome or Firefox, you may need to download and decompress the gz compressed file using a local utility on your own computer. Once the .gz file is decompressed you will then need to open it in a text editor.

The log file is in JSON format: a single object with a Records array, one element per API call that CloudTrail logged. Depending upon the browser you are using, the log file might look slightly different.

Search for the following in your log file:

Your encryption Key ID that you copied to your text editor
The name of the file that you uploaded. (You should find the name of the file in the same log file that contains your encryption Key ID.)

If you cannot locate the items above, wait five more minutes for the next log file to appear and open that log file. The first log file may not contain the entries that you are looking for.

This is a log file that was opened in Firefox. By default, Firefox renders the file with its JSON viewer, which is a convenient way to read it.

In this log file you can see the following:

The request was invoked by S3 (userIdentity.invokedBy is s3.amazonaws.com)
The eventSource is kms.amazonaws.com
The eventName is GenerateDataKey: S3 asked KMS for a data key to encrypt the object
Eiffel.jpg, the name of the file that was encrypted, appears in the encryption context (aws:s3:arn) of the request
The encryption Key ID is displayed in the resources section and in the request parameters
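The following is an added example, not part of the lab, that reads a CloudTrail log file of the kind you just opened and picks out the entries the lab has you find by hand: the KMS events for one key, the S3 object named in each request's encryption context, and, as a simple detection, any use of the key that did not come through S3. The log records are constructed to the shape of real CloudTrail records (account ID, key ID, principal and timestamps are placeholders) and gzipped in memory so the block runs offline.

```python
# Added example (not from the lab): parse a CloudTrail .json.gz and filter KMS events.
import gzip
import json

KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"  # placeholder, stands in for myFirstKey's ID
KEY_ARN = f"arn:aws:kms:us-west-2:111122223333:key/{KEY_ID}"


def _kms_record(event_name: str, invoked_by, object_arn) -> dict:
    """Build a constructed CloudTrail record for a KMS API call."""
    identity = {"type": "AssumedRole", "accountId": "111122223333",
                "arn": "arn:aws:sts::111122223333:assumed-role/awsstudent/awsstudent"}
    if invoked_by:
        identity["invokedBy"] = invoked_by  # present when an AWS service called on the principal's behalf
    params = {"keyId": KEY_ARN, "keySpec": "AES_256"} if event_name == "GenerateDataKey" else {}
    if object_arn:
        params["encryptionContext"] = {"aws:s3:arn": object_arn}
    return {
        "eventVersion": "1.05", "userIdentity": identity, "eventTime": "2020-03-17T10:01:12Z",
        "eventSource": "kms.amazonaws.com", "eventName": event_name, "awsRegion": "us-west-2",
        "requestParameters": params, "responseElements": None, "readOnly": True,
        "resources": [{"ARN": KEY_ARN, "accountId": "111122223333", "type": "AWS::KMS::Key"}],
        "eventType": "AwsApiCall", "recipientAccountId": "111122223333",
    }


# Constructed sample: the upload, S3's two KMS calls for it, and one direct call to KMS.
SAMPLE_LOG = {"Records": [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "eventTime": "2020-03-17T10:01:11Z",
     "userIdentity": {"type": "AssumedRole"},
     "requestParameters": {"bucketName": "mycloudtrailbucket10619", "key": "Eiffel.jpg"}, "resources": []},
    _kms_record("GenerateDataKey", "s3.amazonaws.com", "arn:aws:s3:::mycloudtrailbucket10619/Eiffel.jpg"),
    _kms_record("Decrypt", "s3.amazonaws.com", "arn:aws:s3:::mycloudtrailbucket10619/Eiffel.jpg"),
    _kms_record("Decrypt", None, None),  # the principal called kms:Decrypt itself, not via S3
]}
SAMPLE_GZ = gzip.compress(json.dumps(SAMPLE_LOG).encode())  # what the .json.gz object in S3 holds


def load_records(gz_bytes: bytes) -> list:
    return json.loads(gzip.decompress(gz_bytes))["Records"]


def events_for_key(records: list, key_id: str) -> list:
    """KMS events whose resource list or request parameters name the key (ID or ARN)."""
    found = []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        arns = [r.get("ARN", "") for r in rec.get("resources") or []]
        arns.append(str((rec.get("requestParameters") or {}).get("keyId", "")))
        if any(key_id in arn for arn in arns):
            found.append(rec)
    return found


def s3_object_of(record: dict) -> str:
    """The object S3 was acting on, taken from the request's encryption context."""
    params = record.get("requestParameters") or {}
    return (params.get("encryptionContext") or {}).get("aws:s3:arn", "")


def not_via_s3(records: list) -> list:
    """Detection: uses of the key that S3 did not make on the caller's behalf."""
    return [r for r in records if (r.get("userIdentity") or {}).get("invokedBy") != "s3.amazonaws.com"]


def summarize(gz_bytes: bytes, key_id: str) -> list:
    """(eventName, invokedBy, S3 object) for each event on the key, in log order."""
    rows = []
    for rec in events_for_key(load_records(gz_bytes), key_id):
        rows.append((rec["eventName"], rec["userIdentity"].get("invokedBy", "-"), s3_object_of(rec) or "-"))
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_GZ, KEY_ID):
        print(row)
```

In the lab's own log the entries you want are the ones that look like the second and third records: eventSource kms.amazonaws.com, invokedBy s3.amazonaws.com and your object's ARN in the encryption context. The fourth record is the kind of entry a key owner should look for in a real account: a Decrypt on a key that is only supposed to be used by S3, made directly by a principal.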

Task 6: Manage Encryption Keys

In this task you will manage which users and roles can use the encryption key.

On the Services menu, click Key Management Service.
Click myFirstKey.

On this page, you can alter the key's description, add or remove Key Administrators and Key Users, allow principals in other AWS accounts to use the key, and enable automatic annual rotation of the key material. Each of these changes, apart from rotation, is an edit to the key policy.

In the Key users section, select the user or role that you are signed in with.
Click Remove

You have removed the user's permission to use this key: the principal is deleted from the "Allow use of the key" statement of the key policy. Existing S3 objects stay encrypted under the key; what changes is that this principal can no longer ask KMS to decrypt their data keys, so reading those objects would now fail with Access Denied.

In the Key users section, click Add, then:

Select the user or role that you are signed in with
Click Add

This shows how you can control which IAM users or roles can use KMS keys that you create. The same add and remove steps in the Key administrators section control which IAM users or roles can manage the key. Because the decision is made by the key policy (together with any IAM policies the policy delegates to), it is independent of the S3 bucket's permissions: a principal needs both access to the object in S3 and permission to use the key in order to read an SSE-KMS object.
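The following is an added example, not part of the lab, that covers two steps of it: the key policy the console generates from the Key Administrators and Key Users selections in Task 1, and the edit the Remove and Add buttons in the Key users section make to it in this task. It is written as a Python dict with a deliberately minimal allow-only evaluator so the effect of each change can be checked. The account ID and principal ARNs are placeholders; the evaluator ignores Deny statements, conditions and the IAM policies that real KMS authorization also considers, and the console's fourth statement (grants for AWS resources) is omitted.

```python
# Added example (not from the lab): the console's default key policy and the
# key-user edits, with a minimal evaluator. Not a model of full IAM evaluation.
import copy
import fnmatch
import json

ADMIN_ACTIONS = [
    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*",
    "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:TagResource",
    "kms:UntagResource", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
]
USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]


def default_key_policy(account_id: str, admins: list, users: list) -> dict:
    """The statements the console writes for a new symmetric key (grants statement omitted)."""
    return {
        "Version": "2012-10-17",
        "Id": "key-consolepolicy-3",
        "Statement": [
            {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
             "Principal": {"AWS": [f"arn:aws:iam::{account_id}:root"]},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "Allow access for Key Administrators", "Effect": "Allow",
             "Principal": {"AWS": list(admins)}, "Action": ADMIN_ACTIONS, "Resource": "*"},
            {"Sid": "Allow use of the key", "Effect": "Allow",
             "Principal": {"AWS": list(users)}, "Action": USE_ACTIONS, "Resource": "*"},
        ],
    }


def _statement(policy: dict, sid: str) -> dict:
    return next(s for s in policy["Statement"] if s["Sid"] == sid)


def add_key_user(policy: dict, principal_arn: str) -> dict:
    """What the Add button in Key users does: append the principal to the use statement."""
    new = copy.deepcopy(policy)
    principals = _statement(new, "Allow use of the key")["Principal"]["AWS"]
    if principal_arn not in principals:
        principals.append(principal_arn)
    return new


def remove_key_user(policy: dict, principal_arn: str) -> dict:
    """What the Remove button does: the statement stays, with one principal fewer."""
    new = copy.deepcopy(policy)
    stmt = _statement(new, "Allow use of the key")
    stmt["Principal"]["AWS"] = [p for p in stmt["Principal"]["AWS"] if p != principal_arn]
    return new


def is_allowed(policy: dict, principal_arn: str, action: str) -> bool:
    """Allowed if some Allow statement names the principal and an action pattern matches."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        principals = stmt["Principal"]["AWS"]
        if isinstance(principals, str):
            principals = [principals]
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if principal_arn in principals and any(fnmatch.fnmatchcase(action, a) for a in actions):
            return True
    return False


if __name__ == "__main__":
    admin = "arn:aws:iam::111122223333:role/KeyAdmin"   # placeholder principals
    user = "arn:aws:iam::111122223333:user/awsstudent"
    policy = default_key_policy("111122223333", admins=[admin], users=[user])
    print(json.dumps(policy, indent=2))
    print("admin can decrypt:", is_allowed(policy, admin, "kms:Decrypt"))
    print("user can delete key:", is_allowed(policy, user, "kms:ScheduleKeyDeletion"))
```

The separation is the point of the two lists in the console: a Key Administrator can schedule the key for deletion or rewrite its policy but cannot decrypt anything with it, and a Key User can decrypt but cannot change who else may. In the lab you put the same principal in both lists, which is convenient for an exercise and the first thing to split in a real account.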
337
338End Lab
339
340Follow these steps to close the console, end your lab, and evaluate the experience.
341
342Return to the AWS Management Console.
343On the navigation bar, click awsstudent@<AccountNumber>, and then click Sign Out.
344Click End Lab
345Click OK
346(Optional):
347
348Select the applicable number of stars
349
350Type a comment
351
352Click Submit
353
3541 star = Very dissatisfied
3552 stars = Dissatisfied
3563 stars = Neutral
3574 stars = Satisfied
3585 stars = Very satisfied
359
360
361
362You may close the dialog if you don't want to provide feedback.
363
364Conclusion
365
366 Congratulations! You now know how to:
367
368Created an Encryption Key
369Created an S3 bucket with CloudTrail logging functions
370Encrypted and image and stored it in your S3 bucket
371Viewed the encrypted image using the AWS Management Console
372Monitored encryption key usage using CloudTrail
373Managed encryption keys for users and roles
374
375Additional Resources
376
377Amazon Key Management Service Pricing
378AWS Training & Certification
379
380For feedback, suggestions, or corrections, please email us at aws-course-feedback@amazon.com.