In this lab, I will learn how to do the following:
- Create an Encryption key
- Create an S3 bucket with CloudTrail logging functions
- Encrypt data stored in an S3 bucket using an encryption key.
- Monitor encryption key usage using CloudTrail.
- Manage encryption keys for users and roles.
First I must check that my region is supported for this service.
I can see that Sydney is supported and I can carry on.
For best practice, I am also logged into my admin account, not my ‘GOD’ account.
Set up an Encryption Key
Setting up the Encryption key is done through IAM’s dashboard.
Once I clicked that I was presented with…
Let's get started!
Once I was in the menu I noticed that the region was not Sydney, so I made sure to change that ASAP. I then clicked “Create Key”.
I then had to create an alias and description for my key; the lab instructed me on the following.
Description: KMS Key for S3 Data
I then noticed the user I had to assign to this does not exist yet… so off I go to do that!
The student had to be called awsstudent, so here they are.
Now I added him to the Key Administrators role and Key usage permissions.
Preview of the Key Policy
I copied this key to a notepad file for later.
Create an S3 bucket, add CloudTrail to it and encrypt data in the bucket
First I needed to go to the CloudTrail Service.
I then had to set up my Trail.
I had to choose a unique S3 bucket name, so I went with testbucket-net702-nw (NW being my initials), and just like that the trail was created.
Encrypt Data in an S3 Bucket
I now need to go into S3 and find the bucket that was created when I made the Trail.
I then needed to upload something to the bucket, so I just uploaded a PNG image.
I then had to add server wide encryption to my image. The lab’s way of doing this is outdated, so I had to find it myself, which I did. Then I chose my Key as the master key and uploaded it.
Monitor and manage KMS Key usage
Now I need to go into the S3 bucket I made and find the CloudTrail Folder.
Inside I have to find the last modified file, which is a JSON file giving details of the encryption that I have used. Seeing as I don’t fully understand the information in this text, I will not post it on the blog.
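As an added example (not part of the lab or of this write-up), the Python below shows one way to read a CloudTrail log file like the one described above and summarise who used which KMS key, including calls that failed. The sample records are constructed for illustration; the account ID, key ID, object name and timestamps are placeholders, and the function names are hypothetical.

```python
import gzip
import json
from collections import Counter

# Constructed sample in the CloudTrail log-file shape ({"Records": [...]}).
# Account ID, key ID and object name are placeholders, not values from the lab.
KEY_ARN = "arn:aws:kms:ap-southeast-2:111122223333:key/EXAMPLE-KEY-ID"
USER_ARN = "arn:aws:iam::111122223333:user/awsstudent"
SAMPLE = {"Records": [
    {"eventTime": "2024-01-01T00:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKey", "userIdentity": {"arn": USER_ARN},
     "requestParameters": {"encryptionContext": {
         "aws:s3:arn": "arn:aws:s3:::testbucket-net702-nw/image.png"}},
     "resources": [{"ARN": KEY_ARN, "type": "AWS::KMS::Key"}]},
    {"eventTime": "2024-01-01T00:05:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "userIdentity": {"arn": USER_ARN},
     "errorCode": "AccessDenied",
     "resources": [{"ARN": KEY_ARN, "type": "AWS::KMS::Key"}]},
    {"eventTime": "2024-01-01T00:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "userIdentity": {"arn": USER_ARN}},
]}

def load_records(raw: bytes) -> list:
    """Parse one CloudTrail log file; delivered files are gzip-compressed."""
    if raw[:2] == b"\x1f\x8b":  # gzip magic bytes
        raw = gzip.decompress(raw)
    return json.loads(raw).get("Records", [])

def kms_usage(records):
    """Return (counts, denied): KMS calls per (key, principal, action), plus failures."""
    counts, denied = Counter(), []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue  # skip S3, IAM and other services' events
        who = rec.get("userIdentity", {}).get("arn", "unknown")
        keys = [r["ARN"] for r in rec.get("resources") or []
                if r.get("type") == "AWS::KMS::Key"] or ["unknown"]
        ctx = (rec.get("requestParameters") or {}).get("encryptionContext") or {}
        for key in keys:
            counts[(key, who, rec["eventName"])] += 1
        if "errorCode" in rec:  # present only when the call failed
            denied.append((rec["eventTime"], who, rec["eventName"],
                           rec["errorCode"], ctx.get("aws:s3:arn")))
    return counts, denied

if __name__ == "__main__":
    counts, denied = kms_usage(load_records(json.dumps(SAMPLE).encode()))
    print(dict(counts), denied, sep="\n")
```

Failed calls are the entries worth reviewing after a user has been removed from a key policy, since a removed user's later attempts show up with an `errorCode`.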
Manage Encryption Keys
Now I am going to remove a user from the key and add them back again; this is all done through the IAM service.
The only issue I had with this was that the lab was outdated and some of the menus were completely off; besides that it was fine.