Bootstrap FreeKB - Amazon Web Services (AWS) - List Key Management Service (KMS) key using AWS CLI


This assumes you have already configured the aws command line tool. If not, check out my article on Getting Started with the AWS CLI.

Key Management Service (KMS) is an Amazon Web Services (AWS) service that is used to create and manage cryptographic keys (symmetric keys and public/private key pairs) used for encryption and decryption.

The aws kms list-keys command can be used to list your KMS keys. This will return both:

  • AWS managed keys
  • Customer managed keys

~]$ aws kms list-keys
{
    "Keys": [
        {
            "KeyId": "2b32ca5b-ccaf-493b-b95f-d780d8e65eda",
            "KeyArn": "arn:aws:kms:us-east-1:123456789012:key/2b32ca5b-ccaf-493b-b95f-d780d8e65eda"
        },
        {
            "KeyId": "6ad1f21e-efa1-4884-bba2-fa3fbd1110ec",
            "KeyArn": "arn:aws:kms:us-east-1:123456789012:key/6ad1f21e-efa1-4884-bba2-fa3fbd1110ec"
        },
        {
            "KeyId": "a8cd1fa6-a162-47ef-8cf9-a5cc95bc8cd7",
            "KeyArn": "arn:aws:kms:us-east-1:123456789012:key/a8cd1fa6-a162-47ef-8cf9-a5cc95bc8cd7"
        },
        {
            "KeyId": "cb5302aa-e14b-4ad1-9d4b-4794a64f0b65",
            "KeyArn": "arn:aws:kms:us-east-1:123456789012:key/cb5302aa-e14b-4ad1-9d4b-4794a64f0b65"
        },
        {
            "KeyId": "f0c9f7f5-1956-4b8d-bb2f-e0f9aa951309",
            "KeyArn": "arn:aws:kms:us-east-1:123456789012:key/f0c9f7f5-1956-4b8d-bb2f-e0f9aa951309"
        }
    ]
}


Then the aws kms describe-key command can be used to show more details about a specific key.

~]$ aws kms describe-key --key-id e35ad552-7cad-4db1-ab55-2c4b932ac2c4
{
    "KeyMetadata": {
        "AWSAccountId": "123456789012",
        "KeyId": "e35ad552-7cad-4db1-ab55-2c4b932ac2c4",
        "Arn": "arn:aws:kms:us-east-1:123456789012:key/e35ad552-7cad-4db1-ab55-2c4b932ac2c4",
        "CreationDate": "2024-03-06T02:56:19.107000+00:00",
        "Enabled": true,
        "Description": "",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "RSA_2048",
        "KeySpec": "RSA_2048",
        "EncryptionAlgorithms": [
            "RSAES_OAEP_SHA_1",
            "RSAES_OAEP_SHA_256"
        ],
        "MultiRegion": false
    }
}


For example, objects in an S3 Bucket are encrypted by default with server-side encryption, and the bucket's default encryption configuration can be seen with the s3api get-bucket-encryption command. An SSEAlgorithm of AES256 means S3 managed keys (SSE-S3); a value of aws:kms would indicate that a KMS key is used.

~]$ aws s3api get-bucket-encryption --bucket my-bucket-abcdefg
{
    "ServerSideEncryptionConfiguration": {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "AES256"
                },
                "BucketKeyEnabled": true
            }
        ]
    }
}


Let's say you use the aws s3api list-buckets command to list your S3 Buckets as johndoe.

~]$ aws s3api list-buckets --profile johndoe
{
    "Buckets": [
        {
            "Name": "my-bucket-abcdefg",
            "CreationDate": "2023-06-02T02:22:19+00:00"
        }
    ],
    "Owner": {
        "DisplayName": "john.doe",
        "ID": "ab0e0a41234567893a77c82240d5abcdc41ff11c123456789c777a5123443743"
    }
}


If the johndoe caller identity is in the same AWS account as the S3 Bucket, then the key policy of the AWS managed key aws/s3 includes the kms:Decrypt action, so johndoe can decrypt objects in the S3 Bucket. Cool! Note the Condition on the first statement below: kms:CallerAccount limits it to principals in account 123456789012 and kms:ViaService limits it to requests that arrive through S3 in us-east-1, so a principal in the account cannot call aws kms decrypt against this key directly, and an IAM policy must still allow the S3 action (such as s3:GetObject) on the object.

{
    "Version": "2012-10-17",
    "Id": "auto-s3-2",
    "Statement": [
        {
            "Sid": "Allow access through S3 for all principals in the account that are authorized to use S3",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:CallerAccount": "123456789012",
                    "kms:ViaService": "s3.us-east-1.amazonaws.com"
                }
            }
        },
        {
            "Sid": "Allow direct access to key metadata to the account",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            },
            "Action": [
                "kms:Describe*",
                "kms:Get*",
                "kms:List*"
            ],
            "Resource": "*"
        }
    ]
}
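To make the effect of those conditions concrete, here is a small, added evaluator (not part of the original article or of any AWS tooling) that checks which statements of the aws/s3 key policy above would grant a given action. It models only Allow statements, the StringEquals condition and action wildcards, and treats the account root principal as "any principal of that account"; the Sids are shortened, and the account id, region and johndoe ARN are the article's example values.

```python
import fnmatch

# Constructed sample: the aws/s3 key policy shown above, reduced to its two statements
# (account id and region are the page's example values, not real ones).
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Allow access through S3", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*",
         "Condition": {"StringEquals": {"kms:CallerAccount": "123456789012",
                                        "kms:ViaService": "s3.us-east-1.amazonaws.com"}}},
        {"Sid": "Allow direct access to key metadata", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": ["kms:Describe*", "kms:Get*", "kms:List*"], "Resource": "*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(principal, caller_arn):
    # "*" is any AWS principal. An account root ARN is modelled here (simplification) as
    # "any principal of that account"; in reality an IAM identity policy must also allow the call.
    caller_account = caller_arn.split(":")[4]
    return any(p in ("*", caller_arn, f"arn:aws:iam::{caller_account}:root")
               for p in _as_list(principal.get("AWS", [])))

def _conditions_match(condition, context):
    # Only StringEquals is modelled: every condition key must be present and equal in the request context.
    return all(context.get(k) == v for k, v in condition.get("StringEquals", {}).items())

def allowed_statements(policy, action, caller_arn, context):
    """Return the Sids of Allow statements granting `action` to `caller_arn` in `context`.
    Deny statements are not modelled (the sample policy has none)."""
    sids = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action wildcards such as kms:ReEncrypt* and kms:Describe* behave like shell globs
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if (_principal_matches(stmt["Principal"], caller_arn)
                and _conditions_match(stmt.get("Condition", {}), context)):
            sids.append(stmt["Sid"])
    return sids

JOHNDOE = "arn:aws:iam::123456789012:user/johndoe"
VIA_S3 = {"kms:CallerAccount": "123456789012", "kms:ViaService": "s3.us-east-1.amazonaws.com"}
DIRECT = {"kms:CallerAccount": "123456789012"}  # a direct `aws kms decrypt` call sets no kms:ViaService
```

Running `allowed_statements(KEY_POLICY, "kms:Decrypt", JOHNDOE, VIA_S3)` returns the S3 statement, while the same call with `DIRECT` returns an empty list.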
