
New Training: Plan for Data Encryption at AWS
In this 8-video skill, CBT Nuggets trainer Bart Castle teaches you how to manage data encryption operations at Amazon Web Services (AWS). Learn how to plan for the use of KMS and HSM services. Gain an understanding of the encryption key management options available at AWS and common KMS key management and encryption activities, such as creating, deleting, labeling, and auditing keys and key usage. Watch this new AWS training.
Learn AWS with one of these courses:
- AWS Certified Security – Specialty
- AWS Certified Solutions Architect – Associate
- AWS Certified SysOps Administrator – Associate
- AWS Certified Developer – Associate
This training includes:
- 8 videos
- 44 minutes of training
You’ll learn these topics in this skill:
- Data Encryption: Basics
- Data Encryption: Resources
- KMS Keys: Types
- KMS Keys: Rotation
- Hardware Security Modules
- HSM Options
- KMS Disable and Delete: Unlabeled Keys
- KMS Disable and Delete: CloudTrail Logs
What You Need To Know Before Using AWS KMS
AWS has a service for storing and managing customer cryptographic keys called Key Management Service (KMS). This service helps developers create, organize, and control keys in a programmatic fashion. There are a couple of things you need to be aware of before using AWS's KMS, though.
KMS can create both symmetric and asymmetric master keys. These keys are created in the AWS console using the CreateKey operation. Cryptographic keys can be created for a variety of encryption methods. Properties for keys cannot be changed once they are created, though policies for those keys can be changed and updated as needed.
If you intend to use other AWS resources with KMS for encryption, such as encrypting data at rest within S3, you must use a symmetric key. AWS does not support using asymmetric keys for encrypting data with other AWS resources currently. Asymmetric keys can still be used programmatically with other libraries and resources outside of AWS, though.
KMS also provides functionality for automatically managing and rotating customer master keys as well. This feature is optional, but once activated, KMS will automatically rotate master keys once per year and update attached aliases for those keys. KMS will store older keys that were rotated out in perpetuity until those older keys are manually deleted.
If needed KMS is capable of handling simple encryption maintenance for things like S3 managed or service-default managed keys, too.
Lastly, once a new key has been created, AWS requires that you give it an alias. Aliases are not assigned by the CreateKey operation automatically, so be sure to assign one when creating a new key.

Download