SCS-C01 Amazon AWS Certified Security Specialty – Domain 5 – Data Protection part 6

  1. Importing Key Material to KMS

Hey everyone and welcome back. In today’s video we will be discussing importing key material into KMS. A Customer Master Key (CMK) contains the key material that is used to encrypt and decrypt data. Whenever we create a CMK, by default AWS generates the key material for that CMK. However, we also have the option to create a CMK without key material and then import our own. In other words, the customer generates the key material, which in turn is used to encrypt and decrypt the data, and imports it into the CMK. So let’s go ahead and look at how exactly we can achieve that. Within the KMS console, let’s go ahead and create a new key.

While creating the new key, let’s call it kplabs-external. Within the advanced options you will see there are three options available. The first is KMS: if you do not touch the advanced options section and just click Next, the default option of KMS is selected, which means that AWS will create the key material for you. However, you can also select External, where you supply your own key material. So we’ll select External and I’ll tick the checkbox at the bottom which says that I understand the security, availability and durability implications of using an imported key. Do remember that if you generate your own key material, you are also responsible for its safekeeping and backup: KMS will not hand the material back to you, and if it is lost and you have no copy, nothing encrypted under that CMK can be recovered. So I’ll click Next.

Let’s click Next. I’ll select one user as the key administrator and click Next. We’ll skip the key usage permissions and click Finish. This time the console shows a new screen, asking us to download the wrapping key and the import token. These are the two things you need in order to import your own key material. So let’s click the Download wrapping key and import token button. This gives us a zip file; let me click OK. The zip contains two important files: the wrapping key and the import token. Let me extract both of them to my desktop.

So on my desktop these are the two files. The wrapping key is a public key that we’ll use to encrypt our key material before it leaves our machine. Throughout today’s lab we’ll make use of two commands: the first generates the key material and the second encrypts that key material with the wrapping key. So let’s run the first command. This is OpenSSL, so you need to have this package installed. You can run these commands within EC2 instances as well; I am running this in Docker for my personal lab setup. If I quickly do an `ls -l`, this is the plaintext key material file which has just been generated. The second command takes the plaintext key material .bin file as input (-in) and writes the encrypted key material .bin file as output (-out).

To encrypt it we also pass an input key (-inkey), which is PublicKey.bin. This PublicKey.bin is nothing but the wrapping key we downloaded. So let’s do one thing: I’ll come out of the Docker container. Again, the commands I’ll be running here are specific to Docker; if you are running this in EC2 instances, the equivalent would be the usual scp commands. What I need to do is copy the wrapping key into my container, and I’ll put it in the /tmp directory. (If you are on an EC2 instance, use scp for this step.) Anyway, we do have a great Docker course coming up next, so do stay tuned for that. I’m really excited about that course.

So let’s go back to our Docker container. Right now we have one file, the plaintext key material. Let’s copy the wrapping key, which we stored in /tmp, into the directory where the plaintext key material file is present. Next we’ll rename the wrapping key to PublicKey.bin. If I now do `ls -l`, there are two files: PublicKey.bin and the plaintext key material .bin file. The plaintext key material is what will get encrypted with this wrapping key. So let’s copy the second command and paste it here. If you do an `ls` now, you will see a new file, the encrypted key material .bin file.

It is this encrypted key material .bin file that we have to upload in the KMS console. So let’s quickly move it out via the /tmp directory: I’ll come out of the Docker container and copy the file to my desktop. Now on my desktop you will see the encrypted key material .bin file. Back in the KMS console we can click Next. Before we do, note the warning that the wrapping key and the import token expire in 24 hours. So whatever key material you want to generate and encrypt, make sure you encrypt and upload it within that 24-hour period; otherwise you have to download a fresh wrapping key and import token and encrypt the key material again. So let’s click Next. This time you have to upload the encrypted key material and the import token. Let’s click Choose file.

Here I’ll select the encrypted key material, and for the import token I’ll select the import token file. Those are the two files, so we can go ahead and click Upload key material. You’ll see it says that your key material was imported into the CMK, and this is the key which was created. The origin of the key is shown as EXTERNAL, and from here on you can use the CMK like any other. One important thing to remember is that if your key material is not encrypted properly (for example, wrapped with a different padding mode or hash than the one KMS expects, or with a wrapping key that has already expired), the import fails on the upload screen itself and the key does not become usable. So with this we’ll conclude this video. I hope this video has been informative for you and I look forward to seeing you in the next video.
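The two OpenSSL commands used in the lab, together with the CLI equivalents of the console steps (download the wrapping key and import token, then upload the wrapped material), as an added example that is not from the original lecture. It assumes AWS CLI v2, OpenSSL 1.1 or newer, a CMK that was already created with origin EXTERNAL, the wrapping algorithm RSAES_OAEP_SHA_256 with an RSA_2048 wrapping key, and the file names PlaintextKeyMaterial.bin / EncryptedKeyMaterial.bin; all of those are assumptions. The self-check at the bottom wraps against a locally generated RSA key pair standing in for the downloaded wrapping key, so it runs offline.

```shell
#!/bin/sh
# Added example: generate key material and wrap it for KMS ImportKeyMaterial.
# Assumptions: AWS CLI v2, OpenSSL >= 1.1, wrapping algorithm RSAES_OAEP_SHA_256,
# wrapping key spec RSA_2048 (so the wrapped blob is exactly 256 bytes).
set -eu

# Step 1: generate the plaintext key material. A SYMMETRIC_DEFAULT CMK needs
# exactly 32 bytes (AES-256). Use the OS CSPRNG via openssl rand, never a
# hand-typed or hard-coded value.
generate_key_material() {
    out="$1"; nbytes="${2:-32}"
    umask 077                       # the plaintext must never be world-readable
    openssl rand -out "$out" "$nbytes"
    [ "$(wc -c < "$out" | tr -d ' ')" -eq "$nbytes" ]
}

# Step 2: wrap the key material with the KMS wrapping key (a DER-encoded RSA
# public key). Padding mode and hash MUST match the wrapping algorithm you
# requested from GetParametersForImport, otherwise the import is rejected.
wrap_key_material() {
    wrapping_key="$1"; plaintext="$2"; out="$3"
    openssl pkeyutl -encrypt \
        -in "$plaintext" -out "$out" \
        -inkey "$wrapping_key" -keyform DER -pubin \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
}

# Step 0 (CLI equivalent of "Download wrapping key and import token"): one API
# call returns BOTH the public key and the token. They are a pair that expires
# together 24 hours later, so never mix the files from two separate calls.
fetch_import_parameters() {
    key_id="$1"
    params=$(aws kms get-parameters-for-import \
        --key-id "$key_id" \
        --wrapping-algorithm RSAES_OAEP_SHA_256 \
        --wrapping-key-spec RSA_2048 \
        --query '[PublicKey,ImportToken]' --output text)
    printf '%s\n' "$params" | cut -f1 | base64 --decode > WrappingKey.bin
    printf '%s\n' "$params" | cut -f2 | base64 --decode > ImportToken.bin
}

# Step 3 (CLI equivalent of "Upload key material"): the token proves the blob
# was wrapped with the key KMS handed out for this particular CMK.
import_key_material() {
    key_id="$1"
    aws kms import-key-material \
        --key-id "$key_id" \
        --encrypted-key-material fileb://EncryptedKeyMaterial.bin \
        --import-token fileb://ImportToken.bin \
        --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE
}

# End-to-end run only when a key id is supplied:
#   KMS_KEY_ID=1234abcd-12ab-34cd-56ef-1234567890ab sh import.sh   (placeholder id)
if [ -n "${KMS_KEY_ID:-}" ]; then
    fetch_import_parameters "$KMS_KEY_ID"
    generate_key_material PlaintextKeyMaterial.bin 32
    wrap_key_material WrappingKey.bin PlaintextKeyMaterial.bin EncryptedKeyMaterial.bin
    import_key_material "$KMS_KEY_ID"
    # Expect "EXTERNAL Enabled". Back up PlaintextKeyMaterial.bin to offline
    # storage now and then delete it from this host; KMS will not return it.
    aws kms describe-key --key-id "$KMS_KEY_ID" \
        --query 'KeyMetadata.[Origin,KeyState]' --output text
fi
```

If you requested RSAES_OAEP_SHA_1 instead (the older default), change `rsa_oaep_md:sha256` to `sha1`; a blob wrapped with one hash cannot be unwrapped with the other, which is exactly the "not encrypted properly" failure the lecture mentions.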

  2. KMS ViaService

Hey everyone and welcome back. In today’s video we will be discussing the kms:ViaService condition key. The kms:ViaService condition key limits the use of a specific CMK to requests that come from a specific AWS service. If you look at the condition element here, you have a condition on kms:ViaService and two services are specified, ec2 and rds. Depending on whether the statement’s effect is Allow or Deny, the API call is either allowed or denied. So let’s say the effect is Deny: that would mean that any request coming from EC2 or RDS towards that CMK would be denied for that principal. So let’s do one thing.

Let’s take a quick demo so the concept becomes easier to understand. For today’s demo we have a CMK named demo-key. If you look at the key policy associated with demo-key (let me maximize the screen and click Edit), this policy has two statements. The first allows the account root principal all KMS operations on all resources; this is the default statement you would typically get, and it is what lets IAM policies in the account grant access to the key. The second statement is the one that uses kms:ViaService. What we are doing here is setting an effect of Deny for the principal of the Alice user.

So this is the Alice user, and we are denying all KMS actions (kms:*) with a condition of kms:ViaService equal to ec2.us-east-1.amazonaws.com. What this means is that any call made by the Alice principal via the EC2 service will be denied. Let’s take two examples. The first example is creating an encrypted EBS volume. When you create an encrypted EBS volume, EBS makes the KMS calls on behalf of the principal, so the request reaches KMS with kms:ViaService set to the EC2 endpoint. Since EBS comes under EC2, that call will be denied: the Alice user will not be able to create anything encrypted with this key if the calling service falls under EC2.

If it is not under EC2, then the Alice user will be able to do it. So let’s try it out. Currently I am logged in as the Alice user. Before we try it as Alice, let’s try it as a different administrator user so we know how things are working. Let’s go to Volumes (in fact, let me minimize the screen) and create a new volume. I’ll create the volume with a size of 1 GiB, enable encryption, and specify demo-key as the master key. Once done, let’s also add a Name tag, call it another-user, and create the volume. You see there is a new EBS volume called another-user which was created perfectly. This volume is encrypted and it is making use of demo-key.

From the policy we were discussing, this operation is allowed because it is covered by the first statement. However, when the principal is Alice, the second statement comes into play. So from the Alice user, let’s do a refresh here and you should see one EBS volume. Let’s create a new EBS volume: I’ll keep the size at 1 GiB, again enable encryption with demo-key, and add a tag with the name alice-user. Before we run it, let me quickly show you the permissions associated with the Alice user. Alice is an IAM user and has the AdministratorAccess policy attached.

So the user has full IAM permissions. Now let’s go ahead and create the volume. When you close the dialog and refresh, you see the volume is not being created. The service request fails during the creation stage itself, and even if you refresh after a few minutes the EBS volume does not get created, primarily because the Alice user is not allowed to use that CMK whenever the calling service is EC2. However, the same CMK can still be used through other services. Let’s take an example: let’s open up RDS and use Aurora for our testing. Scrolling down, for the cluster identifier I’ll use kplabs-encrypted, and we’ll just auto-generate the credentials.

For the instance class, let’s use the burstable classes and select db.t2.small; we will not select Multi-AZ since this is for testing. Within the additional configuration, let’s enable encryption and make use of demo-key. We’ll disable enhanced monitoring, which is not really required. Once you have done that, go ahead and create the database. So this database is being created by the Alice user with demo-key. Let’s wait and see whether things get created as expected. It says successfully created the database kplabs-encrypted, and if you look at the configuration, encryption is enabled and the KMS key is demo-key.

That means the Alice user was able to successfully create an RDS database with encryption enabled using demo-key as the CMK. So I hope at a high level you understood what this policy is all about. To revise, I also have the policy open in the Atom editor so that it is easier to read. We have one statement with a principal of the Alice user and a kms:ViaService condition of ec2.us-east-1.amazonaws.com. Remember that whenever the Alice user creates something under EC2, like an EBS volume, and uses encryption with demo-key, the encryption call reaches KMS with the Alice principal and with kms:ViaService set to the EC2 endpoint.

That is how KMS can figure out that the EBS call was made by Alice via the EC2 service, and since the matching statement is a Deny, the outcome is denied and the encrypted EBS volume is not created. In the RDS case, however, Alice was able to successfully create an RDS database encrypted with the same demo-key. That works because RDS is not under the EC2 service: its kms:ViaService value is rds.us-east-1.amazonaws.com, which does not match the Deny condition, so the request is allowed through Alice’s IAM permissions. That’s the high-level overview of kms:ViaService. I hope this video has been informative for you and I look forward to seeing you in the next video.
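The key policy described in the demo, written out as an added example rather than copied from the instructor’s editor; the account ID 111122223333, the user name alice, the Sid values and the policy Id are placeholders and assumptions.

```json
{
  "Version": "2012-10-17",
  "Id": "demo-key-policy",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "DenyAliceViaEC2",
      "Effect": "Deny",
      "Principal": { "AWS": "arn:aws:iam::111122223333:user/alice" },
      "Action": "kms:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "ec2.us-east-1.amazonaws.com"
        }
      }
    }
  ]
}
```

Two things to check before relying on a statement like this. The value is `<service>.<region>.amazonaws.com` and the region must be the key’s own region, since a KMS key only ever receives requests from services in that region. And the condition key is only present on requests that arrive through an integrated service: if Alice calls kms:Encrypt directly from the CLI there is no kms:ViaService value, the Deny does not match, and her AdministratorAccess policy still lets the call through. If the intent is to restrict a key to one service, the usual pattern is therefore an Allow statement with a StringEquals kms:ViaService condition (and no broader allow), so that anything not coming through that service is denied by default. When a console action silently fails as in the EBS demo, the failed KMS call made on Alice’s behalf is visible in CloudTrail as an AccessDenied event.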

  3. Migrating Encrypted KMS Data Across Regions

Hey everyone and welcome back. In today’s video we will be discussing migrating KMS-encrypted data across AWS regions. One very important thing to remember is that KMS keys are region-specific. Since they are region-specific, a service residing in one region cannot use a KMS CMK from a different region. So let’s say you have an EBS volume in the Singapore region and a KMS key in the North Virginia region. The EBS volume in Singapore cannot call the KMS key residing in North Virginia for any cryptographic operation; it can only use a KMS key within its own region. This is one important point to remember.

The challenge comes specifically when you are migrating data across regions. Let’s say you have an EBS snapshot in the North Virginia region and you want to migrate that snapshot to the Singapore region. Since that snapshot was encrypted with a KMS key from North Virginia, it will not directly work in Singapore. That used to be a big issue. What AWS now allows us to do out of the box is that while we copy encrypted resources such as an encrypted EBS snapshot, we can specify a CMK from the destination region for the copy. So let’s jump into the practical to understand this use case, after which we’ll discuss a few more important pointers. I’m in my EBS console here.

Let’s go ahead and create a volume. I’ll create a volume of size 1 GiB in availability zone 1a, enable encryption and select a master key. Let’s create the volume. So now we have an EBS volume encrypted with the KMS key that has the alias demo-key. We already know that CMKs are region-specific, so let’s also open the CMK in KMS. This is demo-key; it belongs to the North Virginia region, and the EBS volume we just created in North Virginia is encrypted with this key. Whenever you launch an EC2 instance with this encrypted EBS volume attached, the request to decrypt the volume’s data key is sent to this CMK.

Since the CMK and the EBS volume are in the same region, that works perfectly. However, if you tried to move the encrypted data to a different region by yourself, you would not be able to call the CMK from there, because the CMK is region-specific. What AWS allows us to do out of the box is that when you create a snapshot (in fact, let me do that: let’s create a quick snapshot called encrypted-snapshot and open the snapshot ID), you see the status is completed and it is marked as encrypted. That means the snapshot taken from the encrypted volume also remains encrypted with the same CMK. Now, if you want to move this snapshot, let’s copy the snapshot and say I want to copy it to the Ireland region.

In the master key field I now have to select a key from the destination region; I cannot use the same CMK, demo-key, in the destination region. The re-encryption itself is handled transparently by AWS: the copy is re-encrypted under the destination key, so we do not have to worry about that. But I hope you understood at a high level the challenge of KMS keys being region-specific and how you have to change the CMK when moving things across regions. Similar to the EBS use case, it is also important to understand the details of encrypted RDS migration. Earlier, because of the limitation of KMS being region-specific, RDS only supported copying unencrypted RDS snapshots across regions.

So back then you did not have an option to copy encrypted snapshots, primarily because of the constraint of KMS being region-specific. Now things are much easier and we can copy even encrypted RDS snapshots across regions. In this case too, similar to EBS, we have to select a CMK from the destination region and AWS does the re-encryption transparently for us. There are certain important points to remember while copying. First, if you copy an encrypted snapshot within the same AWS region, you can encrypt the copy with the same KMS key as the original snapshot, or you can specify a different KMS key.

So within the same region you can keep the same key or choose a different one. Second, for cross-region snapshot copies you cannot use the same KMS key; you must specify a KMS CMK that belongs to the destination region. This is very similar to the EBS use case we just discussed. Third, the default (AWS managed) encryption key cannot be used when copying snapshots across AWS regions. One more very important point specific to RDS migration concerns envelope encryption: with envelope encryption you generate data keys, and those data keys are stored encrypted (under the source region’s CMK) alongside the data in the database.

If you migrate such a database across regions, the encrypted data keys stored in it are still wrapped with the source region’s CMK, which cannot be called from the destination region. So before, or as part of, the migration you have to decrypt those data keys with the source CMK and re-encrypt them under a CMK in the destination region, because the encrypted data cannot be decrypted unless you can recover the plaintext data key. Make sure you understand this point; if your concept of envelope encryption is clear, it follows naturally. It is a good operational point to remember for RDS migration. That’s the high-level overview of the important points to consider while migrating data encrypted with KMS. I hope this video has been informative for you and I look forward to seeing you in the next video.
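The cross-region copies from both halves of this video, plus the envelope-encryption re-wrap step, as an added example that is not from the original lecture. It assumes AWS CLI v2 and that keys are passed as full ARNs (not aliases) so that the key’s region can be checked before any copy is attempted; the snapshot IDs, account ID and key IDs used in the comments are placeholders. The region guard is the part that runs offline; the aws calls need real credentials.

```shell
#!/bin/sh
# Added example: cross-region copy of KMS-encrypted snapshots with a guard that
# the chosen key really lives in the destination region, plus re-wrapping of
# application-level (envelope) data keys. Assumes AWS CLI v2. All IDs are
# placeholders.
set -eu

# Region of a KMS key ARN: arn:aws:kms:<region>:<account>:key/<id>.
# Prints nothing for an alias or a bare key id, which the guard then rejects:
# an alias resolves in whatever region the CLI is pointed at, so it cannot be
# verified up front.
kms_key_region() {
    printf '%s\n' "$1" | awk -F: '$1=="arn" && $3=="kms" {print $4}'
}

# Guard: a key from the wrong region makes the copy fail late or leaves an
# unusable snapshot, so refuse before calling the API. Returns 0 when usable.
assert_key_in_region() {
    key_arn="$1"; region="$2"
    [ "$(kms_key_region "$key_arn")" = "$region" ]
}

# EBS: copy an encrypted snapshot from src to dst, re-encrypted under dst_key.
# e.g. copy_ebs_snapshot us-east-1 snap-0123456789abcdef0 eu-west-1 \
#        arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
copy_ebs_snapshot() {
    src_region="$1"; snap_id="$2"; dst_region="$3"; dst_key="$4"
    assert_key_in_region "$dst_key" "$dst_region"
    aws ec2 copy-snapshot --region "$dst_region" \
        --source-region "$src_region" --source-snapshot-id "$snap_id" \
        --encrypted --kms-key-id "$dst_key" \
        --description "copy of $snap_id" --query SnapshotId --output text
}

# RDS: same idea. --kms-key-id is mandatory for an encrypted cross-region copy,
# and per the lecture's third point it must be a customer managed key, not the
# AWS managed default key.
copy_rds_snapshot() {
    src_region="$1"; snap_arn="$2"; dst_region="$3"; dst_key="$4"; target_id="$5"
    assert_key_in_region "$dst_key" "$dst_region"
    aws rds copy-db-snapshot --region "$dst_region" \
        --source-region "$src_region" --source-db-snapshot-identifier "$snap_arn" \
        --target-db-snapshot-identifier "$target_id" --kms-key-id "$dst_key" \
        --query DBSnapshot.Status --output text
}

# Envelope encryption: a data key wrapped by the source CMK cannot be unwrapped
# in the destination region. KMS ReEncrypt works within one region only, so
# re-wrap by hand: Decrypt in the source region, Encrypt in the destination.
# The plaintext data key lives only in a 0600 temp file removed on exit.
rewrap_data_key() {
    src_region="$1"; wrapped_in="$2"; dst_region="$3"; dst_key="$4"; wrapped_out="$5"
    assert_key_in_region "$dst_key" "$dst_region"
    umask 077
    pt=$(mktemp); trap 'rm -f "$pt"' EXIT
    aws kms decrypt --region "$src_region" --ciphertext-blob "fileb://$wrapped_in" \
        --query Plaintext --output text | base64 --decode > "$pt"
    aws kms encrypt --region "$dst_region" --key-id "$dst_key" --plaintext "fileb://$pt" \
        --query CiphertextBlob --output text | base64 --decode > "$wrapped_out"
}
```

Run `rewrap_data_key` once per stored data key before cutting over, and keep the source CMK enabled until every wrapped key in the migrated database has been replaced; deleting or disabling it earlier leaves the old ciphertexts unrecoverable.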

 
