- Lab
-
Libraries: If you want this lab, consider one of these libraries.
- Cloud
- Security
Securing Data at Rest with KMS Envelope Encryption
In this lab, you will use AWS Key Management Service (KMS) to create a Customer Managed Key (CMK), generate data encryption keys, and perform envelope encryption. You will encrypt and decrypt data using the AWS CLI, enable automatic key rotation, and audit all key usage through CloudTrail event history.
Lab Info
Table of Contents
-
Challenge
Generate a DEKs with KMS
- Create a customer-managed CMK in the KMS console
- Use the GenerateDataKey API (via CloudShell) to obtain a plaintext DEK and its encrypted copy
-
Challenge
Encrypt/Decrypt S3 via SDK
- Encrypt a sample file using the AWS CLI command and the customer-managed CMK
- Decrypt the ciphertext using AWS CLI and verify the output matches the original
-
Challenge
Rotate CMKs and Audit Key Usage in CloudTrail
- Enable automatic annual key rotation on the CMK
- Review CloudTrail event history to locate KMS events
- Confirm the key ARN and principal in the event records match the lab resources
Real skill practice before real-world application
Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.
Learn by doing
Engage hands-on with the tools and technologies you’re learning. You pick the skill, we provide the credentials and environment.
Follow your guide
All labs have detailed instructions and objectives, guiding you through the learning process and ensuring you understand every step.
Turn time into mastery
On average, you retain 75% more of your learning if you take time to practice. Hands-on labs set you up for success to make those skills stick.