
How to create an encryption key in AWS Key Management Service

Encryption is the lifeblood of digital security, and you AWS peeps that don't have encryption had better get it!

By JLMC3791 • Published 3 years ago • 5 min read
Photo by Markus Winkler on Unsplash

In today's digital world, security is key. Encryption is the power that allows us to know our data is protected.

Shared, community-style encryption keys are convenient, but often they are simply not as secure as they could be. What can an AWS KMS key be used for? It can be used for a lot of things, but especially when you are also creating an S3 bucket. AWS (Amazon Web Services) provides AWS managed keys, but for companies and private businesses it can be beneficial to create your own customer managed key and even rotate it on a regular basis.

(What is an S3 bucket, also called cloud object storage?)

NOTE: Rotating keys is a smart thing, but always make sure to document where an encryption key or KMS key is applied initially. This will help when it is time to rotate encryption keys.

To create your own key you can do the following:

1) Log into your AWS Account.

2) In the upper left corner of the AWS console, click the "Services" dropdown and go to KMS, or search for KMS (also called Key Management Service) in the "Search box" of the AWS console.

3) Click on Key Management Service. It will take you to a screen that looks like the following:

4) Click on the "Create a key" orange button to get started.

5) On the "Configure Key" page you will have a couple of options.

* Symmetric: a single key that is used to both encrypt and decrypt. This option is easy to manage.

* Asymmetric: creates a public and private key pair that can be used for encryption and decryption, or for sign and verify operations.

Most businesses that run private infrastructure in AWS will most likely use a symmetric key.

Select Symmetric and then click the "Next" button on the bottom right.

6) On the next page you will need to name the key. This alias will come in handy when searching for the key to apply it to such things as an S3 bucket, or even to reference it in an AWS IAM Policy.

(What is an AWS IAM Policy?)

Make sure that you name the key properly. As this is a test, I started the name with "test". As the purpose was Vocal, I put that second. For the application I used "test" as well, but if you are creating a key for a particular purpose or server you may want to match that part to something more applicable. Lastly, a numeric code. This can be something like a charge code or just an organizational code for record keeping.

Remember, proper common sense organizing of any IT infrastructure is a good thing in today's vast digital world, whether your servers are on-prem at your company, in a datacenter, or in the cloud. Try to avoid similar naming so you do not get one environment confused with another.

On the same page is an option to "Add tag". Why is it good to add tags? For many reasons, but the key thing is common sense organization and tracking of your resources.

NOTE: You will notice that, as the writer, I mention common sense a lot. The fact is that problem solvers want to get ahead of potential problems. You want to think outside of the box in order to avoid problems that could occur. It is good to always tag who the Owner is, any Charge Code or Organizational Code, and even contact information for the owner of the resource such as an email address, or even a phone number or office number. This may seem like much, but trust me when I say you will find it easier to know who owns what resource, especially when you have to troubleshoot that resource in the future.

Once done adding tags, click "Next" button at the bottom.

7) On the next page, you will have the opportunity to select "Key Administrators". AWS has a number of roles available by default that can be used. One example is "AWSServiceRoleForBackup". Overall these permissions apply to the KMS resources themselves. If you or your organization use multiple encryption keys for a varying range of resources, you may want to assign a particular user who has access to the AWS account, or a particular role, depending on how the KMS key is applied to resources and your encryption needs.

If your business is going to be actively using the key and expects to be using it for some time, uncheck the box next to "Allow key administrators to delete the key" at the bottom. This might just help avoid accidental deletion.

Once assigned, click "Next" button.

(Managing access to your AWS KMS resources)

8) On the next screen you can define key usage permissions. This also allows you to select both IAM users and various roles.

If you have multiple AWS accounts and this key that is being created is to be used with them as well, you can select "Add another AWS account" but you will need to make sure that you have the ID of the other AWS account. Otherwise, do not select this option and just click the "Next" button.

9) Last page gives you the chance to review. You can review the Key configuration, the Alias and description, and the Tags.

Please be aware that you can also review the Key Policy. If you are familiar with JSON key policies, you can edit this policy directly on the review page. For those that are not familiar, simply click Finish.
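To show what the wizard choices from steps 6 through 9 amount to, here is an added example (not code from the article or from AWS) that builds the same kind of key policy the console generates, with the "Allow key administrators to delete the key" box left unchecked, reviews it for any non-root principal that could still schedule deletion, and then creates the key, alias, tags and yearly rotation through a KMS client. The account IDs, role ARNs, alias and tags are constructed placeholders, and `_StubKms` is a constructed stand-in for `boto3.client("kms")` so the example runs offline; the `create_key`, `create_alias` and `enable_key_rotation` calls use the real boto3 parameter names.

```python
"""Build and review a KMS key policy, then create the key (added example)."""
import fnmatch
import json

# Constructed sample values: placeholders, not real accounts or roles
ACCOUNT_ID = "111122223333"
OTHER_ACCOUNT_ID = "444455556666"
ADMIN_ARNS = [f"arn:aws:iam::{ACCOUNT_ID}:role/KeyAdmins"]
USER_ARNS = [f"arn:aws:iam::{ACCOUNT_ID}:role/AppServerRole"]

ADMIN_ACTIONS = [
    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
    "kms:TagResource", "kms:UntagResource",
]
# Only granted when "Allow key administrators to delete the key" stays checked
DELETE_ACTIONS = ["kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"]
USER_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"]


def build_key_policy(account_id, admin_arns, user_arns,
                     other_account_ids=(), admins_may_delete=False):
    """Return the key policy document as a dict, in the console's default layout."""
    users = list(user_arns) + [f"arn:aws:iam::{a}:root" for a in other_account_ids]
    admin_actions = ADMIN_ACTIONS + (DELETE_ACTIONS if admins_may_delete else [])
    return {
        "Version": "2012-10-17",
        "Id": "key-policy-example",
        "Statement": [
            {   # keeps the account root able to manage the key through IAM policies
                "Sid": "Enable IAM User Permissions", "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*", "Resource": "*"},
            {"Sid": "Allow access for Key Administrators", "Effect": "Allow",
             "Principal": {"AWS": list(admin_arns)},
             "Action": admin_actions, "Resource": "*"},
            {"Sid": "Allow use of the key", "Effect": "Allow",
             "Principal": {"AWS": users},
             "Action": USER_ACTIONS, "Resource": "*"},
            {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
             "Principal": {"AWS": users},
             "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
             "Resource": "*",
             "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
        ],
    }


def principals_who_can_delete(policy):
    """Review check: list non-root principals allowed to schedule key deletion."""
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        # wildcard patterns such as kms:* match; kms:Delete* does not
        if not any(fnmatch.fnmatch("kms:ScheduleKeyDeletion", a) for a in actions):
            continue
        principals = stmt["Principal"]["AWS"]
        principals = [principals] if isinstance(principals, str) else principals
        found.extend(p for p in principals if not p.endswith(":root"))
    return found


def create_customer_key(kms, policy, alias, tags):
    """Create the symmetric key, attach the alias and switch on automatic rotation."""
    resp = kms.create_key(
        Policy=json.dumps(policy),
        Description="customer managed key for S3 (example)",
        KeyUsage="ENCRYPT_DECRYPT",
        KeySpec="SYMMETRIC_DEFAULT",
        Tags=[{"TagKey": k, "TagValue": v} for k, v in tags.items()],
    )
    key_id = resp["KeyMetadata"]["KeyId"]
    kms.create_alias(AliasName=f"alias/{alias}", TargetKeyId=key_id)
    kms.enable_key_rotation(KeyId=key_id)
    return key_id


class _StubKms:
    """Constructed stand-in for boto3.client('kms') so the example runs offline."""
    def __init__(self):
        self.calls = []

    def create_key(self, **kw):
        self.calls.append(("create_key", kw))
        return {"KeyMetadata": {"KeyId": "00000000-0000-0000-0000-000000000000"}}

    def create_alias(self, **kw):
        self.calls.append(("create_alias", kw))

    def enable_key_rotation(self, **kw):
        self.calls.append(("enable_key_rotation", kw))


if __name__ == "__main__":
    policy = build_key_policy(ACCOUNT_ID, ADMIN_ARNS, USER_ARNS, [OTHER_ACCOUNT_ID])
    print("principals who can delete:", principals_who_can_delete(policy))
    tags = {"Owner": "platform-team", "ChargeCode": "1234",
            "Contact": "owner@example.com"}
    # swap _StubKms() for boto3.client("kms") to create a real key
    print("created", create_customer_key(_StubKms(), policy, "test-vocal-test-1234", tags))
```

The review helper is the check worth running on any key policy before clicking Finish: because the account root statement grants `kms:*`, deletion rights always exist somewhere, and what you are confirming is that they are not also handed to the day-to-day administrator roles.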

Once the KMS Key is completed, you will be able to use it with things like IAM Policies, with S3 Bucket and more.

NOTE: AWS has default encryption for S3 buckets.

With the KMS key created, you can take control: instead of choosing the AWS default encryption when creating an S3 bucket, select "AWS Key Management Service Key (SSE-KMS)" and choose from the dropdown one of the keys you control, in order to better secure your S3 bucket and protect the data that it stores.
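The same choice, made outside the console, is a bucket default-encryption rule that names your key. The following added example (not from the article or from AWS) builds that rule in the shape `s3.put_bucket_encryption` expects and adds an audit helper that sorts buckets into SSE-S3 default, SSE-KMS with the AWS managed `aws/s3` key, or SSE-KMS with a customer managed key, which is the state this how-to is aiming for. The key ARN and the bucket inventory are constructed sample data.

```python
"""Default-encryption rule for SSE-KMS and an audit of what buckets use (added example)."""

# Constructed placeholder ARN, not a real key
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"


def sse_kms_configuration(key_arn, bucket_key=True):
    """ServerSideEncryptionConfiguration for put_bucket_encryption that selects
    SSE-KMS with a key you control instead of the SSE-S3 default."""
    return {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": key_arn,
        },
        # S3 Bucket Keys reduce the number of KMS requests an SSE-KMS bucket makes
        "BucketKeyEnabled": bucket_key,
    }]}


def classify_bucket_encryption(config):
    """Classify the dict returned by get_bucket_encryption (or built above)."""
    rule = config["Rules"][0]["ApplyServerSideEncryptionByDefault"]
    algo = rule["SSEAlgorithm"]
    if algo == "AES256":
        return "sse-s3"
    if algo in ("aws:kms", "aws:kms:dsse"):
        key = rule.get("KMSMasterKeyID")
        # no key id, or the aws/s3 alias, means the AWS managed key is in use
        if not key or key.endswith("alias/aws/s3"):
            return "sse-kms-aws-managed"
        return "sse-kms-customer-managed"
    return "unknown"


def buckets_not_on_customer_key(inventory):
    """Return names of buckets whose default encryption is not a customer managed key."""
    return sorted(name for name, cfg in inventory.items()
                  if classify_bucket_encryption(cfg) != "sse-kms-customer-managed")


# Constructed inventory standing in for get_bucket_encryption results
SAMPLE_INVENTORY = {
    "logs-bucket": {"Rules": [{"ApplyServerSideEncryptionByDefault":
                               {"SSEAlgorithm": "AES256"}}]},
    "reports-bucket": {"Rules": [{"ApplyServerSideEncryptionByDefault":
                                  {"SSEAlgorithm": "aws:kms"}}]},
    "finance-bucket": sse_kms_configuration(KEY_ARN),
}

if __name__ == "__main__":
    for name, cfg in SAMPLE_INVENTORY.items():
        print(f"{name}: {classify_bucket_encryption(cfg)}")
    # with boto3: s3.put_bucket_encryption(Bucket=name,
    #     ServerSideEncryptionConfiguration=sse_kms_configuration(KEY_ARN))
    print("needs attention:", buckets_not_on_customer_key(SAMPLE_INVENTORY))
```

Note that a rule with `SSEAlgorithm` set to `aws:kms` but no `KMSMasterKeyID` still counts as "AWS managed": it picks the `aws/s3` key, whose policy you cannot edit, so the audit treats it the same as the console's default option.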

Thank you for reviewing this "How to". AWS is an exciting field and I encourage any person interested in Information Technology and the cloud to read up on Amazon Web Services. Additionally, I encourage each reader to check out resources from Cloudera like:

"Create a New encryption Key on AWS".


About the Creator

JLMC3791

Political Scientist, IT Specialist, Thinker, Lover, Feeler, Social Media Dreamer.

#Opinion #Independent #Conservative #CommonSense #Realist #USA #RISE #Satire #Repost #Freedom #Politics #God #Hope #Love #Faith

© 2024 Creatd, Inc. All Rights Reserved.