Paul Duvall edited this page Nov 13, 2019 · 30 revisions

2.1 Create KMS Keys in Console

Review and ensure that you have set up your development environment before going through the steps below.

Create a Customer Master Key in AWS KMS

  1. Go to the KMS Console.
  2. Click Customer managed keys and click the Create key button.
  3. Enter ceoa-2-key as the Alias, add a Description, and click Next.
  4. Click Next on the Add tags page.
  5. On the Define key administrative permissions page, select the checkbox next to the user or users who can administer this key and click Next.
  6. On the Define key usage permissions page, select the checkbox next to the user or users who can use this key and click Next.
  7. On the Review and edit key policy page, review the JSON policy and click Finish.
  8. Make note of the ARN for the KMS key you created.
  9. Click on the KMS key you just created (ceoa-2-key).
  10. Click the Key rotation tab.
  11. Select the Automatically rotate this CMK every year checkbox and click the Save button.

Disable a KMS CMK

  1. Click on the ceoa-2-key KMS key.
  2. Click on the Key actions button.
  3. Select Disable from the menu selection.
  4. When the window pops up, select the Confirm that you want to disable this key checkbox and then click on the Disable key button.

Schedule a KMS CMK for deletion

  1. Click on the ceoa-2-key KMS key.
  2. Click on the Key actions button.
  3. Select Schedule key deletion from the menu selection.
  4. When the window pops up, enter 7 in the Waiting period (in days) text field.
  5. Select the Confirm that you want to delete this key in 7 days checkbox and then click on the Schedule deletion button.
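The same key lifecycle, done through the KMS API instead of the console, as an added example that is not part of this wiki. The account ID, principal ARNs and description are constructed placeholders; the alias (ceoa-2-key) and the 7-day waiting period come from the steps above. The three-statement key policy mirrors what the console generates in steps 5 to 7 (root statement, key administrators, key users), and find_policy_issues applies the checks a reviewer would make before clicking Finish: no wildcard principal, no administrative actions leaking into the key-user statement, and a root statement so the key never becomes unmanageable. The boto3 calls (create_key, create_alias, enable_key_rotation, disable_key, schedule_key_deletion) are real KMS API operations; the client is passed in so the policy logic runs offline.

```python
import fnmatch
import json

# Constructed sample identifiers (hypothetical; not from the original wiki page).
ACCOUNT_ID = "111122223333"
ADMIN_ARNS = ["arn:aws:iam::111122223333:user/key-admin"]
USER_ARNS = ["arn:aws:iam::111122223333:role/app-role"]
ALIAS = "alias/ceoa-2-key"  # the walkthrough's alias, with the prefix KMS requires

# Administrative actions: what the console's "key administrators" statement grants.
ADMIN_ACTIONS = [
    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
    "kms:TagResource", "kms:UntagResource",
    "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
]
# Cryptographic-use actions: what the "key users" statement grants.
USAGE_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
    "kms:GenerateDataKey*", "kms:DescribeKey",
]
# Actions that change the key itself (policy, state, deletion) rather than use it;
# a key-user statement should never grant them.
PRIVILEGED = ["kms:PutKeyPolicy", "kms:DisableKey", "kms:EnableKey",
              "kms:ScheduleKeyDeletion"]


def build_key_policy(account_id, admin_arns, user_arns):
    """Build the three-statement policy the console produces in steps 5-7."""
    return {
        "Version": "2012-10-17",
        "Id": "key-consolepolicy",
        "Statement": [
            {   # Keeps the key manageable through IAM; without it the key can
                # become unmanageable once the named administrators are gone.
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "Allow access for Key Administrators",
                "Effect": "Allow",
                "Principal": {"AWS": admin_arns},
                "Action": ADMIN_ACTIONS,
                "Resource": "*",
            },
            {
                "Sid": "Allow use of the key",
                "Effect": "Allow",
                "Principal": {"AWS": user_arns},
                "Action": USAGE_ACTIONS,
                "Resource": "*",
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def find_policy_issues(policy):
    """Return review findings for a key policy; an empty list means it passed."""
    issues, sids = [], []
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        sids.append(sid)
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") == "Allow" and "*" in principals:
            issues.append(f"{sid}: Allow with a wildcard principal exposes the key")
        if sid == "Allow use of the key":
            # Wildcards such as kms:Disable* are expanded with fnmatch.
            leaked = [p for p in PRIVILEGED if any(fnmatch.fnmatch(p, a) for a in actions)]
            if leaked:
                issues.append(f"{sid}: key users granted admin actions {leaked}")
    if "Enable IAM User Permissions" not in sids:
        issues.append("no root statement: key may become unmanageable")
    return issues


def create_key_with_alias(kms, policy, alias=ALIAS, description="ceoa-2 key"):
    """Console steps 1-11: create the CMK, alias it, and turn on yearly rotation."""
    meta = kms.create_key(Policy=json.dumps(policy), Description=description,
                          KeyUsage="ENCRYPT_DECRYPT")["KeyMetadata"]
    kms.create_alias(AliasName=alias, TargetKeyId=meta["KeyId"])
    kms.enable_key_rotation(KeyId=meta["KeyId"])
    return meta["Arn"]  # step 8: the ARN worth noting


def disable_key(kms, key_id):
    """'Disable a KMS CMK': the key remains but can no longer encrypt or decrypt."""
    kms.disable_key(KeyId=key_id)


def schedule_deletion(kms, key_id, waiting_days=7):
    """'Schedule a KMS CMK for deletion': 7 days is the shortest waiting period."""
    return kms.schedule_key_deletion(KeyId=key_id,
                                     PendingWindowInDays=waiting_days)["DeletionDate"]


if __name__ == "__main__":
    policy = build_key_policy(ACCOUNT_ID, ADMIN_ARNS, USER_ARNS)
    print(json.dumps(policy, indent=2))
    print("policy issues:", find_policy_issues(policy) or "none")
    # Against a real account (credentials and boto3 required):
    #   import boto3; kms = boto3.client("kms")
    #   arn = create_key_with_alias(kms, policy)
```

Running the file prints the generated policy and its review result without touching AWS; the commented lines show how to hand a real boto3 client to the lifecycle functions. Keeping administrators and users in separate statements is what lets the lint check catch a deletion or policy-change action slipping into the key-user grant.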

AWS managed keys

  1. From the KMS Console, click on the AWS managed keys link.
  2. Review the managed keys provided by AWS. You cannot modify these keys and they automatically rotate every three years.

Custom key stores

  1. From the KMS Console, click on the Custom key stores link.
  2. You can store your KMS customer master keys (CMKs) in a custom key store instead of the standard KMS key store (i.e., not the AWS KMS service). A hardware security module (HSM) is the way to manage these keys. AWS CloudHSM is a managed HSM on the AWS Cloud. It provides cost-effective hardware key management at cloud scale for sensitive and regulated workloads (e.g., those needing asymmetric encryption).
