Step-by-Step Guidance

Welcome to the Step-by-Step Guidance version of this project. Let's do this!

📣 If you're EVER stuck - ask the NextWork community. Students like you are already asking questions about this project.

Want a complete demo of how to do this project, from start to finish? Check out our 🎬 walkthrough with Natasha 🎬

We're kicking things off by creating a key in AWS Key Management Service (KMS). This key will encrypt data in a DynamoDB table.

In this step, you're going to:

• Create a key for encryption.
• Set up the admins and users of that key.

💡 What is encryption?
Encryption is a process that uses algorithms to convert data into a secure format called ciphertext. Only authorised users can decrypt and restore the data to its original, readable state. Otherwise, it looks like a scrambled piece of text like bihtueg34509ua!

Software developers use encryption to secure user data, transactions, files and more.

In fact, many apps, websites, and devices use encryption behind the scenes. When you visit a site with "https" in the URL, your connection is encrypted. When you upload files to a cloud storage service like S3 or Google Drive, the service automatically encrypts your data. When you're having a call over Zoom or WhatsApp, the platform is also using encryption to protect your audio and video.

Navigate to KMS

• Log in to the AWS Management Console as your IAM Admin user.

• Search for Key Management Service

💡 What is AWS KMS?
AWS Key Management Service (KMS) is a secure vault for your encryption keys. You use KMS to create, manage, and use encryption keys that protect the data in your AWS resources.

💡 What are encryption keys?
During the encryption process, the encryption algorithm reads an encryption key. This key tells the algorithm exactly how it would transform plain text into the jumbled up format called cipher text. For example, the key could tell the algorithm to swap out certain parts of the data or shuffle the order of data to break up patterns.

Fun fact: Encryption keys themselves look like cipher text that only the algorithm can understand, like A7F3E5C4B1D2. The longer the key, the harder it is to crack the encrypted message!

💡 Why would I need a vault for encryption keys?
A vault for encryption keys, aka a key management system, helps you manage all your encryption keys, like what it encrypts or who has access, in one place. Your keys are safe in a KMS, so you wouldn't have to worry about losing them or someone stealing them. You can also use a KMS to create new keys needed for encryption or decryption.

On top of the security benefits, a KMS gives you logs on every time a key was used. This helps companies/developers meet compliance requirements for data security!

Create a Key

• In the left navigation pane, select Customer managed keys.

💡 What are AWS managed keys vs. customer managed keys?
AWS offers two main types of keys: AWS managed keys and customer managed keys.

AWS managed keys are automatically created and managed by AWS to encrypt data in the services you use. They're convenient because everything's managed for you, but you have less control over how they work and who has access.

Customer managed keys (CMKs), on the other hand, give you full control. You can adjust how it encrypts data and manage who can access the key.

For this project, we're using a CMK so you can experience the full power of KMS.

• Select Create key.

• Keep Symmetric for the key type.

💡 What is symmetric encryption?
Symmetric encryption use a single encryption key to both lock (encrypt) and unlock (decrypt) your data. They are generally faster and more efficient for encrypting large amounts of data, which is why we're using one for our DynamoDB table.

💡 What's the difference between symmetric and asymmetric encryption?
Asymmetric encryption works with a pair of keys: a public key to encrypt and a private key to decrypt. It’s often used when you need to securely share data between multiple parties, like sending information over the internet.

• Keep Encrypt and decrypt for the key usage.

💡 What does key usage mean?
Key usage means what your key is designed to do. For example, a key can be used for encrypting data, decrypting data, or generating and verifying digital signatures (a way to prove your data is authentic and hasn’t been altered).

The key usage you pick fundamentally changes the format and structure of your key, so they're only compatible with the algorithms that match the key usage type.

Extra for Experts: The other option you see is Generate and verify MAC (Message Authentication Code), which is a way to use a single key to share data with another party. A MAC is a small piece of data created from a message and a secret key. When you send a message with a MAC, the receiver uses the same secret key to generate a MAC for the received message. If the two MAC messages are identical, it confirms that the message hasn’t been changed by someone else.

• Select Next.
• Give your key an alias: nextwork-kms-key. This alias helps you easily identify your key later on.
• For the description, enter:

• Select Next.

• Select your own IAM Admin User as a key administrator.

💡 What is a key administrator?
Key administrators control who can access and use the encryption keys. They have control over the key's lifecycle and its policies, even if they might not use the key themselves.

💡 What does a key lifecycle mean?
A key lifecycle are the stages an encryption key goes through, from creation to deletion. Managing this lifecycle means you're setting rules for using, storing, and eventually deleting keys to secure them and the data they protect.

• Select Next.

• Select your own IAM Admin User as a key user.

💡 What is a key user?
A key user is someone who has permissions to use the key in cryptographic operations, like encrypting and decrypting data. Unlike administrators, key users don't have the permission to manage the key's settings or lifecycle.

• Scroll to the bottom of the page - notice that Other AWS accounts can get access to the key too!

💡 How can other AWS accounts get access?
Other AWS accounts can get access to your KMS keys through cross-account access policies.

This is useful for scenarios where resources are shared across different AWS accounts. For example, a freelance developer might build an app using their AWS account, while their client stores encrypted data in theirs. The client can share keys that give the app access to the data, without giving the developer access to their account.

• Select Next.

• Note that there's a Key policy panel at the bottom of the review page 👀

💡 Why is there a key policy for my key?
A key policy is a set of rules attached directly to a KMS key. These rules define who can access the key and what they can do with it.

When you set up your key's administrators and users in the console, AWS was simply converting your clicks to the necessary policy statements in the background.

• Select Finish.
• Success!

Now that we have our encryption key, let's create a DynamoDB table and secure it with our newly created key!

This makes sure that all data stored in the table is encrypted at rest, adding an extra layer of security.

💡 What does 'at rest' mean?
Data at rest means any data that's stored somewhere and not currently used or moved. This could be files on your computer's hard drive, information in a database, or backups stored in S3. When data is just sitting there, it’s considered "at rest."

This is different from data in transit (e.g. an email being sent over the internet) and data in use (e.g. a social media app showing a database of content).

Extra for Experts: Security engineers use a data's type and state (whether it's at rest, in transit, or in use) to apply the best encryption option. AWS KMS is designed to manage long-lived encryption keys for stored data i.e. data at rest. Data in transit relies on short-lived session keys generated by protocols like TLS (Transport Layer Security), and data in use requires real-time access, which is not what a key management system is used for.

In this step, you're going to:

• Create a DynamoDB table.
• Set up your table's encryption with KMS.

Create a Table

• In the AWS Management Console, search for DynamoDB
• Select DynamoDB.

💡 What is DynamoDB?
DynamoDB is one of AWS's database services. DynamoDB stands out as a fast and flexible way to store your data, which makes it a great choice for applications that need quick access to large volumes of data e.g. games.

If you enjoy using DynamoDB in this project, make sure to check out the Load Data into DynamoDB project!

• From your DynamoDB dashboard, select Create table.

• Give your table a name, such as nextwork-kms-table.

• Define a Partition key. For this project, let's use a single string attribute called id.

💡 Extra for Experts: What is a partition key?
A partition key is the heart of how DynamoDB organizes data. Think of it as a label that you can use to group similar items. Under the hood, the partition key is how DynamoDB spreads out your data across different servers for quick access and efficient querying.

• Under Table settings, keep Default settings.

• Select Create table.

• Wait for the table status to change to Active. This might take a few moments...

Encrypt Your Table

• Select your table nextwork-kms-table.
• Select Additional settings, which is the very last tab in your settings menu.

• Scroll down to Encryption, and select Manage encryption.

• Choose Stored in your account, and owned and managed by you.

💡 What are the different encryption options in DynamoDB?
DynamoDB offers a few different encryption options:

• Owned by Amazon DynamoDB: Amazon DynamoDB fully manages the key, so you have no access or visibility to the key. Great for basic encryption where you don't need any control.
• AWS managed key: AWS Key Management Service (KMS) manages the key, so it's not a customer managed key like what we created! You can see the key and its usage, but management is done by AWS.
• Stored in your account, and owned and managed by you: aka a customer managed key (CMK). You create and manage the key in KMS, giving you full control. This is the most secure option and the one we're using in this project.

• Select the KMS key you created in the previous step (nextwork-kms-key) from the dropdown menu.

• Select Save changes.

• Scroll back down the Additional Settings tab, where you should see an updated Encryption panel.

Let's add some data to our newly encrypted table! This will let us test the encryption and see how it protects our data in action.

In this step, you're going to:

• Add data to your DynamoDB table.
• Verify whether you can see the encrypted data.

Add Data

• Back in your table's settings page, select Actions.
• Select Create item.

💡 What's an item?
In DynamoDB, an item is a single data record in a table.

• Let's add a simple item! Next to the id attribute, enter 1
• Select Create item.

• In the left hand side bar, select Explore items.

• Refresh your tab.
• Sweet! Confirm that you can see the new item.

💡 Why can I see the item?
Even though the data is encrypted, you as a user have permissions to use the encryption key in KMS.

DynamoDB is designed to decrypt the data on your behalf. When data is requested by an authorized user (like you) or an authorized application, DynamoDB retrieves the encrypted data, decrypts it with the key, then shows you the decrypted format so you can use it instantly. This security feature is called transparent data encryption.

Transparent data encryption makes sure that your data is secure at rest, yet still accessible to authorized users that have the right permissions.

To truly appreciate the power of KMS encryption, let's create a test IAM user without permissions to use our KMS key.

💡 Why create a user without KMS access?
We want to check if a user without access to our KMS key can view the data in DynamoDB. This will confirm if encryption is working as expected, and simulate a real-world scenario where different users have different access levels.

What do you think your test user will see when they access the DynamoDB table?

In this step, you're going to:

• Create a test user using IAM.
• Grant the user full access to DynamoDB but not to your KMS key.

Create the IAM User

• Open the IAM console.

• Select Users in the left navigation pane.
• Select Create user.
• Enter a username, such as nextwork-kms-user.
• Check Provide user access to the AWS Management Console - optional. This will let us log in as the test user and see the KMS key's effect later.
• Uncheck Users must create a new password at next sign-in - Recommended, to save ourselves time when we log in as the test user.

• Select Next.
• Select Attach existing policies directly.
• Add AmazonDynamoDBFullAccess as a permission policy.

• Select Next.
• Select Create user.
• 🚨 Stop!

• Make sure to select Download .csv file to save a backup of your user's login details. You won't get this option again once you click out of this page.
• Keep this tab on your screen for the next step.

Now for the moment of truth! Let's test what happens when our test user, who doesn't have KMS key permissions, tries to access the encrypted DynamoDB table.

In this step, you're going to:

• Log into AWS as the test user.
• Try to view items in the encrypted DynamoDB table.

Log In

• Still in your test user's page, copy the Console sign-in URL.

• Open a new incognito window in your browser.

💡 Why are we using an incognito window?
We're about to go back and forth between using your test user and your IAM Admin User!

If you log into your test user in an incognito window, you can stay logged in to both users at the same time. No need to log out each time you switch between them.

🙋‍♀️ How do I open a new incognito window?
To open a new incognito window, you can use the shortcut Ctrl+Shift+N on Windows/Linux, or Command+Shift+N on macOS in most browsers.

• Head to the console sign-in URL you copied.
• Log in as your new IAM user (nextwork-kms-user). You can find your IAM username and password by copying from the IAM user page, or by opening the .csv file you downloaded.

• Once you've signed in, make sure you're in the same Region as your IAM Admin User. You can check and change the region in the top right corner of the AWS console.

Test Access to Encrypted Data

• Head to the DynamoDB console.
• Head to the Explore items tab.

• Select the nextwork-kms-table table.
• You should see an error message indicating that access is denied!

💡 Why is my access denied?
The new IAM user you're logged in as (nextwork-kms-user) does not have the permission to decrypt the data.

Since the DynamoDB table is encrypted with a specific AWS KMS key, and your user does not have permission to use this key, the system prevents access for data security.

💡 What does the troubleshooting in the banner say?
You don't have permission to kms:Decrypt means your user isn’t allowed to decrypt the data. This highlights how KMS works - a KMS key can be accessible to many users, but only those with the right permissions can use it to do specific actions like encryption or decryption.

In our case, we can give the test user the permission to see that a KMS key is available in your AWS environment, but they still wouldn't have the permissions to decrypt the data it protects.

This behavior is different from other types of keys, like EC2 instance access keys, which can be used as long as you have access to them.

💡 What can an administrator do with that information?
With the access denial information, the key administrator can understand which permissions are missing for your user, and adjust the key's IAM policies! That's what we're doing in the secret mission...

Welcome to your 🤫 exclusive 🤫 secret mission!

Your mission, should you choose to accept it, is to give your test user access as the administrator.

💎 Get ready to:

• Modify your KMS key's policy as the administrator.
• Verify that the test user can decrypt data with the key.
• Showcase your secret mission in your project documentation.

✋ STOP

Before diving into the steps for deleting your resources, why not challenge yourself to delete everything in this project on your own?

Keeping track of your resources, and deleting them at the end, is absolutely a skill that will help you reduce waste in your account.

🛑 STEPS BELOW:

• Head back to the window with your IAM Admin User logged in.

Delete the DynamoDB Table

• In the DynamoDB console, select Tables from the left hand sidebar.
• Select your nextwork-kms-table table.
• Select Delete.

💡 What are these warnings about?

• Delete all CloudWatch alarms: Keep this checked ✅ Deleting any CloudWatch alarms associated with this table will save you from unnecessary charges.
• Create an on-demand backup: Keep this unchecked ❌ You can create a backup of your table to save for the long term, so you restore your data to its exact state before deleting it. Additional charges apply for on-demand backup and restore, so we won't use this option.

• Type confirm to confirm the deletion, then select Delete.

Schedule KMS Key Deletion

• In the KMS console, select Customer-managed keys from the left hand sidebar.
• Select your nextwork-kms-key key.
• Select Key actions.
• Select Schedule key deletion.

• Under Waiting period, update the number of days to 7 to remove the key asap.

💡 What is a waiting period?
The waiting period in AWS KMS is the time between you scheduling the deletion of a key and the key actually getting deleted. This delay gives you a window to cancel the deletion if it was scheduled by mistake or if you decide you still need the key. AWS requires a minimum waiting period of 7 days, but it can be extended to a maximum of 30 days.

💡 Why does a waiting period exist?
Deleting a KMS key is a bit of a big deal - once the key is gone, any data encrypted under that key also becomes unrecoverable unless you have a backup or another way to decrypt it. This could lead to data loss if the deletion was a mistake or if you don't have backups.

Having a waiting period buys you the time to make sure no essential data is still encrypted under that key. It's also a great time for updating or reconfiguring any apps/systems to use a different key for the same data.

• Tick the confirmation checkbox.
• Select Schedule deletion.

Delete the IAM User

• In the IAM console, select Users from the left hand sidebar.
• Select nextwork-kms-user
• Select Delete.

• Enter your user's name nextwork-kms-user
• Select Delete user.

• In your local computer, delete the .csv file containing your user's access details. The file should be called nextwork-kms-user_credentials.csv in your Downloads folder.

Nice work! You've just built some solid skills in encryption, Amazon KMS and protecting your database.

You've learned how to:

• 🔑 Create and manage encryption keys in KMS.
• 🗄️ Encrypt a DynamoDB table using an encryption key.
• ➕ Add data to your encrypted table.
• 🧑‍💼 Use a test user to validate your encryption.
• 💎 Give your test user encryption access.

🚀 p.s. Does it say "Still tasks to complete!" at the bottom of the screen?

This means you still have screenshots left to upload, or questions left to answer!

1. Press Ctrl+F (Windows) or Command+F (Mac) on your keyboard.
2. Search for the text Return to later.
3. Jump straight to your incomplete tasks!
4. 🙋‍♀️ Still stuck? Ask the community!