Amazon Web Services (AWS) - Create Server Side Encryption Key Management Service (sse-kms) key using AWS CLI


This assumes you have already configured the aws command line tool. If not, check out my article on Getting Started with the AWS CLI.

Key Management Service (KMS) is an Amazon Web Services (AWS) service for creating and controlling the cryptographic keys (symmetric encryption keys, asymmetric key pairs and HMAC keys) used to encrypt, decrypt and sign data. The key material of a KMS-origin key never leaves the service; callers ask KMS to encrypt, decrypt or generate data keys on their behalf. KMS is not where TLS/SSL certificates live; those are managed by AWS Certificate Manager (ACM).

At a high level, there are 3 types of keys: AWS owned keys (shared across many accounts and not visible in yours), AWS managed keys (created in your account by a service, for example aws/s3), and customer managed keys, which you create and whose key policy, rotation and deletion you control. This article creates a customer managed key.

The aws kms create-key command creates a new KMS key. With no options it creates a customer managed, symmetric encryption key (KeySpec SYMMETRIC_DEFAULT, which is AES-256-GCM) with KeyUsage ENCRYPT_DECRYPT, not an asymmetric key pair. This is the kind of key S3 uses for server-side encryption with a customer managed key (SSE-KMS). Note KeyManager is CUSTOMER and Origin is AWS_KMS in the output, meaning KMS generated the key material and it cannot be exported.

~]$ aws kms create-key
{
    "KeyMetadata": {
        "AWSAccountId": "123456789012",
        "KeyId": "cb5302aa-e14b-4ad1-9d4b-4794a64f0b65",
        "Arn": "arn:aws:kms:us-east-1:123456789012:key/cb5302aa-e14b-4ad1-9d4b-4794a64f0b65",
        "CreationDate": "2023-06-15T20:47:19.616000-05:00",
        "Enabled": true,
        "Description": "",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "KeySpec": "SYMMETRIC_DEFAULT",
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ],
        "MultiRegion": false
    }
}


Almost always, you will also want to give the key an alias so that callers can reference alias/my-symmetric-key instead of the key ID, which is done with the aws kms create-alias command. Be aware that create-key without --policy attaches the default key policy, which grants the account root principal kms:* on the key and so delegates all access control to IAM policies in the account; pass --policy at creation time if the key policy itself should limit which principals can use or administer the key.

aws kms create-alias --alias-name alias/my-symmetric-key --target-key-id cb5302aa-e14b-4ad1-9d4b-4794a64f0b65
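The following script is an added example and not part of the original article. It puts the create-key and create-alias steps above together with the two things a practitioner would want on a key used for S3 SSE-KMS: a key policy that separates administration from use and only allows use through S3 in one region (kms:ViaService), and automatic yearly rotation. The account ID 123456789012 and alias name come from the article; the role names KmsAdminRole and S3AppRole, the bucket name in the description and the region are placeholders you would replace.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): create a customer managed
# symmetric KMS key for S3 SSE-KMS with a scoped key policy, an alias and
# automatic rotation. Account ID, role names and region are placeholders.
set -eu

# Print a key policy that (1) lets one admin role manage the key and
# (2) lets one application role use it only through S3 in one region.
# Without the kms:ViaService condition the app role could call
# kms:Decrypt directly on anything encrypted under this key.
kms_key_policy() {
  account_id="$1" admin_role="$2" app_role="$3" region="$4"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Id": "sse-kms-key-policy",
  "Statement": [
    {
      "Sid": "AllowKeyAdministration",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::${account_id}:role/${admin_role}"},
      "Action": [
        "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
        "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
        "kms:TagResource", "kms:UntagResource",
        "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowUseThroughS3Only",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::${account_id}:role/${app_role}"},
      "Action": [
        "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
        "kms:GenerateDataKey*", "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {"kms:ViaService": "s3.${region}.amazonaws.com"}
      }
    }
  ]
}
EOF
}

# Create the key, alias it and turn on yearly rotation. Run this as a
# principal the policy grants kms:PutKeyPolicy to (here: the admin role);
# otherwise KMS rejects the policy with its lockout safety check because
# the caller could not manage the key afterwards.
create_sse_kms_key() {
  alias_name="$1" account_id="$2" admin_role="$3" app_role="$4" region="$5"

  key_id=$(aws kms create-key \
    --description "SSE-KMS key for my-bucket-abc123" \
    --key-usage ENCRYPT_DECRYPT \
    --key-spec SYMMETRIC_DEFAULT \
    --policy "$(kms_key_policy "$account_id" "$admin_role" "$app_role" "$region")" \
    --tags TagKey=Purpose,TagValue=s3-sse-kms \
    --region "$region" \
    --query 'KeyMetadata.KeyId' --output text)

  aws kms create-alias --alias-name "alias/${alias_name}" \
    --target-key-id "$key_id" --region "$region"
  aws kms enable-key-rotation --key-id "$key_id" --region "$region"

  # Verify through the alias: key state, rotation status and the policy
  # actually attached (policy name is always "default").
  aws kms describe-key --key-id "alias/${alias_name}" --region "$region"
  aws kms get-key-rotation-status --key-id "$key_id" --region "$region"
  aws kms get-key-policy --key-id "$key_id" --policy-name default \
    --region "$region" --output text
}

# Only talk to AWS when invoked as: ./create-sse-kms-key.sh create
if [ "${1:-}" = "create" ]; then
  create_sse_kms_key my-symmetric-key 123456789012 KmsAdminRole S3AppRole us-east-1
fi
```

The admin role deliberately gets no kms:Encrypt or kms:Decrypt, and the application role gets no administrative actions, so neither can both change the policy and read the data. If you keep the account root principal out of the policy as shown, make sure the admin role cannot be deleted casually; a key whose only administrator is gone can only be recovered through AWS Support.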


Here is an example of how you could use your Customer Managed Key. In this example, Python (boto3) uploads a file to an S3 bucket with SSE-KMS using the key created above. S3 calls kms:GenerateDataKey on the key for every object it encrypts, so the principal running the script needs kms:GenerateDataKey on the key (and kms:Decrypt to read the object back) in addition to s3:PutObject. SSEKMSKeyId accepts a key ID, key ARN or alias; use the key ARN when the bucket belongs to another account.

#!/usr/bin/python3
import boto3

# The principal behind this client needs s3:PutObject on the bucket and
# kms:GenerateDataKey on the key; S3 never sees the KMS key itself.
client = boto3.client('s3')
client.upload_file("/tmp/foo.txt",
                   "my-bucket-abc123",
                   "foo.txt",
                   ExtraArgs={"ServerSideEncryption": "aws:kms",
                              # key ID from the create-key output above;
                              # a key ARN or alias/my-symmetric-key also works
                              "SSEKMSKeyId": "cb5302aa-e14b-4ad1-9d4b-4794a64f0b65"})
