Introduction to AWS Key Management Service

In this lab, I will learn how to do the following:

  • Create an encryption key.
  • Create an S3 bucket with CloudTrail logging enabled.
  • Encrypt data stored in an S3 bucket using an encryption key.
  • Monitor encryption key usage using CloudTrail.
  • Manage encryption keys for users and roles.

Region Check

First I must check that my region is supported for this service.


I can see that Sydney is supported and I can carry on.

For best practice, I am also logged into my admin account not my ‘GOD’ account.



Setup an Encryption Key

Setting up the Encryption key is done through IAM’s dashboard.


Once I clicked that I was presented with…


Let's get started!


Once I was in the menu I noticed that the region was not Sydney so I made sure to change that ASAP. I then clicked “Create Key”


I then had to create an alias and description for my key; the lab instructed me to use the following:

Alias: testKeyOne

Description: KMS Key for S3 Data

I then noticed the user I had to assign to this does not exist yet… so off I go to do that!

The student had to be called awsstudent, so here they are.

Now I added him as a Key Administrator and gave him Key usage permissions.


Preview of the Key Policy


I copied this key to a notepad file for later.

Create an S3 bucket, add CloudTrail to it and encrypt data in the bucket

First I needed to go to the CloudTrail Service.


I then set up my Trail.


I had to choose a unique S3 bucket name, so I went with testbucket-net702-nw (NW being my initials), and just like that the trail was created.


Encrypt Data in an S3 Bucket

I now need to go into S3 and find the bucket that was created when I made the Trail.


I then needed to upload something to the bucket, so I just uploaded a PNG image.


I then had to add server-side encryption to my image. The lab's way of doing this is outdated, so I had to find the option myself, which I did; I then chose my key as the master key and uploaded it.


Monitor and manage KMS Key usage

Now I need to go into the S3 bucket I made and find the CloudTrail Folder.


Inside I have to find the last modified file, which is a JSON file giving details of the encryption I have used. Seeing as I don't fully understand the information in this text, I will not post it on the blog.
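Rather than reading the raw CloudTrail JSON by hand, the key usage can be summarised with a small script. The example below is added here and is not part of the lab; it runs over a constructed log in the shape CloudTrail writes (a JSON object with a "Records" list; account id, key id and timestamps are placeholders) and reports which principal made which KMS calls against the key, plus any denied calls. Real log files are gzip-compressed, so open them with gzip before passing the text in.

```python
import json
from collections import Counter

# Constructed sample in the shape of a CloudTrail log file (a JSON object with a
# "Records" list). Account id, key id and timestamps are placeholders, not real.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKey",
     "userIdentity": {"type": "IAMUser", "userName": "awsstudent"},
     "requestParameters": {"keyId": "arn:aws:kms:ap-southeast-2:111122223333:key/EXAMPLE-KEY-ID",
                           "encryptionContext": {"aws:s3:arn": "arn:aws:s3:::testbucket-net702-nw/image.png"}}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt",
     "userIdentity": {"type": "IAMUser", "userName": "awsstudent"},
     "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::testbucket-net702-nw/image.png"}}},
    {"eventTime": "2024-01-01T10:07:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "otheruser"},
     "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::testbucket-net702-nw/image.png"}}},
    {"eventTime": "2024-01-01T10:09:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject",
     "userIdentity": {"type": "IAMUser", "userName": "awsstudent"},
     "requestParameters": {"bucketName": "testbucket-net702-nw"}},
]})

# KMS API calls that actually use the key material (what S3 SSE-KMS triggers).
KMS_DATA_KEY_EVENTS = {"GenerateDataKey", "Decrypt", "Encrypt", "ReEncrypt"}

def principal(record):
    """Best-effort name of who made the call (IAM user name, else ARN, else type)."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")

def kms_usage(log_text):
    """Count successful KMS calls per (principal, API) and collect denied calls."""
    counts = Counter()
    denied = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue  # skip S3, IAM and other services' events
        if rec.get("eventName") not in KMS_DATA_KEY_EVENTS:
            continue
        who = principal(rec)
        if rec.get("errorCode"):
            denied.append((who, rec["eventName"], rec["errorCode"]))
            continue
        counts[(who, rec["eventName"])] += 1
    return counts, denied

if __name__ == "__main__":
    counts, denied = kms_usage(SAMPLE_LOG)
    for (who, api), n in sorted(counts.items()):
        print(f"{who:12} {api:16} {n}")
    for who, api, err in denied:
        print(f"DENIED {who} {api} ({err})")
```

Denied calls are worth watching: a principal that was removed from the key policy but still tries to read the bucket shows up here as AccessDenied on Decrypt.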

Manage Encryption Keys

Now I am going to remove a user from the key and add them back again; this is all done through the IAM service.


The only issue I had with this was that the lab was outdated and some of the menus were completely off; besides that it was fine.




Post Author: Techdox
