# Lesson 5: Managing Encryption Keys with AWS KMS and Boto3

Welcome to another exciting lesson of our course - **Mastering Cloud Engineering with AWS and Python**. Today, we delve into managing encryption keys with the **AWS Key Management Service (AWS KMS)**.  

In previous lessons, we covered securing AWS resources and managing secrets using **AWS Secrets Manager** and **AWS SSM Parameter Store**. Now, we will extend that knowledge by learning how to **create, control, and use AWS KMS keys** and how to **encrypt and decrypt data** using AWS KMS.

---

## Understanding AWS KMS
The **AWS Key Management Service (AWS KMS)** is a managed service that helps you create and manage cryptographic keys for data protection. It supports various key types, including:

### AWS KMS Keys:
AWS KMS keys are the core resources in AWS KMS, used to encrypt up to 4 KB of data directly and manage other cryptographic operations. There are two types of AWS KMS keys:

- **AWS Managed KMS Keys**:  
  - Automatically created and managed by AWS for specific integrated services.  
  - Used for default service encryption and lifecycle operations like key rotation.

- **Customer Managed KMS Keys**:  
  - Created and managed by you.  
  - Offers more control, including policy management, key rotation, and auditing.  
  - Unlike AWS-managed KMS keys, these incur usage charges.

### Data Keys:
- Generated by AWS KMS and used to encrypt your data outside of KMS.
- Data keys are encrypted under an AWS KMS key and can be decrypted to plaintext only when needed.

### Asymmetric Keys and Key Pairs:
For operations requiring separate keys for encryption and decryption or digital signing, AWS KMS supports **asymmetric KMS keys**, generating a **public and private key pair**.

AWS KMS is designed for security, meeting compliance requirements with its **hardware security modules (HSMs)** that are **FIPS 140-2 validated**, making it suitable for managing sensitive data across AWS services.

> **Note**: The term **customer master key (CMK)** is an old term that means the same as **AWS KMS key**.

---

## AWS KMS Keys vs Data Keys: A Document Storage Example
To grasp the distinction between **AWS KMS keys** and **data keys**, consider a secure document storage service.

### **Use of AWS KMS Keys**
- **Central Management and Policy Control**:  
  AWS KMS keys enable centralized control over encryption policies.
- **Audit and Compliance**:  
  AWS CloudTrail logs help track key usage for security audits.

### **Use of Data Keys**
- **Efficient Document Encryption**:  
  AWS KMS keys are not suited for encrypting large data directly. Instead, **data keys** encrypt the actual documents.
- **Document Encryption Process**:
  - AWS KMS key generates a **data key**.
  - The plaintext version encrypts the document.
  - The encrypted data key is stored alongside the document.
- **Secure Access and Sharing**:
  - Encrypted data keys are decrypted using AWS KMS keys before decrypting the document.

This **hybrid encryption approach** ensures **high-level management with AWS KMS keys** while maintaining **efficiency using data keys**.

---

## Creating an AWS KMS Key
AWS KMS keys encrypt and decrypt up to 4 KB of data. To create a KMS key, specify parameters like **Description**, **KeyUsage**, and **Origin**.

```python
import boto3

kms = boto3.client('kms')

kms_key_response = kms.create_key(
    Description='Sample KMS Key for Course',
    KeyUsage='ENCRYPT_DECRYPT',
    Origin='AWS_KMS'
)
```

### **KeyUsage Parameter**
- `ENCRYPT_DECRYPT`: For encryption and decryption.
- `SIGN_VERIFY`: For digital signing operations.
- `GENERATE_VERIFY_MAC`: For message authentication codes (MACs).
- `GENERATE_KEY_PAIR`: For asymmetric cryptographic operations.

### **Origin Parameter**
- `AWS_KMS`: Key material is generated and managed within AWS KMS.
- `EXTERNAL`: Key material is imported from an external source.
- `AWS_CLOUDHSM`: Key material is generated in AWS CloudHSM but used within AWS KMS.
- `EXTERNAL_KEY_STORE`: Key material is managed externally but used in AWS KMS.

---

## Describing a Key Using AWS KMS
Retrieve metadata about an AWS KMS key:

```python
key_description = kms.describe_key(KeyId=key_id)
print(key_description)
```

**Response Parameters**:
- **KeyId**: Unique identifier.
- **Arn**: Amazon Resource Name.
- **CreationDate**: Date the key was created.
- **KeyUsage**: Allowed cryptographic operations.
- **KeyState**: State of the key (`Enabled`, `Disabled`, etc.).
- **Origin**: Source of key material.

---

## Encrypting and Decrypting Data using AWS KMS
Encrypting a string:

```python
encrypt_response = kms.encrypt(
    KeyId=key_id,
    Plaintext='Hello, AWS!'
)
ciphertext = encrypt_response['CiphertextBlob']
```

Decrypting the ciphertext:

```python
decrypt_response = kms.decrypt(
    KeyId=key_id,
    CiphertextBlob=ciphertext
)
plaintext = decrypt_response['Plaintext'].decode('utf-8')
```

---

## Working with Data Keys
Using **data keys** for secure encryption workflows:

### **Generating a Data Key**
```python
data_key_response = kms.generate_data_key(
    KeyId=key_id,
    KeySpec='AES_256'
)

plaintext_data_key = data_key_response['Plaintext']
encrypted_data_key = data_key_response['CiphertextBlob']
```

### **Generating an Encrypted Data Key Without Plaintext**
```python
encrypted_data_key_only = kms.generate_data_key_without_plaintext(
    KeyId=key_id,
    KeySpec='AES_256'
)['CiphertextBlob']
```

### **Decrypting an Encrypted Data Key**
```python
plaintext_data_key_for_use = kms.decrypt(
    CiphertextBlob=encrypted_data_key
)['Plaintext']
```

---

## AWS KMS Key Rotation
Key rotation enhances security by automatically generating new cryptographic material **every year** for **customer-managed keys**.

### **Enable Key Rotation**
```python
kms.enable_key_rotation(KeyId=key_id)
```

### **Check Key Rotation Status**
```python
rotation_status = kms.get_key_rotation_status(KeyId=key_id)
is_rotation_enabled = rotation_status['KeyRotationEnabled']
print(f"Key Rotation Enabled: {is_rotation_enabled}")
```

---

## Scheduling AWS KMS Key Deletion
Schedule a KMS key for deletion with a grace period:

```python
delete_response = kms.schedule_key_deletion(
    KeyId=key_id, 
    PendingWindowInDays=7
)
print(f"Key scheduled for deletion with a waiting period of {delete_response['PendingWindowInDays']} days.")
```

---

## Summary and Next Steps
Congratulations! 🎉 You’ve learned:
- What **AWS KMS** is.
- How to **create, control, and use AWS KMS keys**.
- The difference between **AWS KMS keys** and **data keys**.
- How to **encrypt and decrypt data**.
- How to **enable key rotation** and **schedule key deletion**.

### **Next Steps**
In upcoming practice exercises, you will apply these concepts using **Boto3** to manage keys in AWS KMS.

🚀 Keep practicing and experimenting to master AWS KMS!


## Creating a Customer Master Key in AWS KMS

As a precursor, you've acquired a solid understanding of how to manage keys in AWS KMS using Python Boto3. In this task, you will leverage this knowledge and put it into practice. Your mission is to run a provided Python script that creates an AWS KMS key using AWS Key Management Service (KMS). While running the script, observe the output for a better understanding of how the key is created.

Important Note: Running scripts can modify the resources in our AWS simulator. To revert to the initial state, you can use the reset button located in the top right corner. However, keep in mind that resetting will erase any code changes. To preserve your code during a reset, consider copying it to the clipboard.

```python
import boto3

# Initialize KMS client
kms = boto3.client('kms')

# Creating an AWS KMS key
cmk_response = kms.create_key(
    Description='Sample KMS key for Course',
    KeyUsage='ENCRYPT_DECRYPT',
    Origin='AWS_KMS'
)

# Extract Key Id
key_id = cmk_response['KeyMetadata']['KeyId']
print('Created key with Key ID: ', key_id)

```

## Creating a Customer Master Key in AWS KMS

As a precursor, you've acquired a solid understanding of how to manage keys in **AWS KMS** using **Python Boto3**. In this task, you will leverage this knowledge and put it into practice. Your mission is to run the provided Python script that creates an **AWS KMS key** using **AWS Key Management Service (KMS)**.  

While running the script, **observe the output** for a better understanding of how the key is created.

> **Important Note:**  
> Running scripts can modify the resources in our AWS simulator. To revert to the initial state, you can use the **reset button** located in the **top right corner**. However, keep in mind that **resetting will erase any code changes**.  
> To preserve your code during a reset, consider copying it to the clipboard.

### **Python Script to Create a Customer Master Key (CMK)**
```python
import boto3

# Initialize KMS client
kms = boto3.client('kms')

# Creating an AWS KMS key
cmk_response = kms.create_key(
    Description='Sample KMS key for Course',
    KeyUsage='ENCRYPT_DECRYPT',
    Origin='AWS_KMS'
)

# Extract Key ID
key_id = cmk_response['KeyMetadata']['KeyId']
print('Created key with Key ID:', key_id)
```

### **What This Script Does**
1. **Initializes the AWS KMS client** using `boto3`.
2. **Creates a new AWS KMS key** with:
   - A description: `'Sample KMS key for Course'`
   - Key usage: `'ENCRYPT_DECRYPT'`
   - Origin: `'AWS_KMS'`
3. **Extracts the Key ID** from the response.
4. **Prints the Key ID** to the console.

Run the script and **observe the output** to understand the key creation process in AWS KMS. 🚀


## Generating a Data Key with KMS

We're now moving forward! In this task, you'll extend the functionality of a Python script for generating a data key in AWS KMS. The provided script initiates a boto3 client for KMS, creates an AWS KMS key, and extracts the key_id from the KMS key response. Your task is to complete the script by adding functionality to generate a data key using the generate_data_key method. Run your updated script and observe the response.

Important Note: Running scripts can modify the resources in our AWS simulator. To revert to the initial state, you can use the reset button located in the top right corner. However, keep in mind that resetting will erase any code changes. To preserve your code during a reset, consider copying it to your clipboard.

```python
import boto3

# Initialize KMS client
kms = boto3.client('kms')

# Creating an AWS KMS key
kms_key_response = kms.create_key(
    Description='Sample KMS Key for Course',
    KeyUsage='ENCRYPT_DECRYPT',
    Origin='AWS_KMS'
)

# Extract Key Id
key_id = kms_key_response['KeyMetadata']['KeyId']

# TODO: Generate a data key 

```

## Generating a Data Key with KMS

We're now moving forward! 🚀 In this task, you'll extend the functionality of a Python script to **generate a data key** in **AWS KMS**.

The provided script:
- **Initiates** a `boto3` client for AWS KMS.
- **Creates an AWS KMS key**.
- **Extracts the `key_id`** from the KMS key response.

### **Your Task**
Complete the script by adding functionality to **generate a data key** using the `generate_data_key` method.  
After implementing the missing part, **run your updated script and observe the response**.

> **Important Note:**  
> Running scripts can modify the resources in our AWS simulator.  
> To revert to the initial state, use the **reset button** in the **top right corner**.  
> However, resetting will erase any code changes. To **preserve your code**, consider copying it to your clipboard.

### **Python Script: Generate a Data Key**
```python
import boto3

# Initialize KMS client
kms = boto3.client('kms')

# Creating an AWS KMS key
kms_key_response = kms.create_key(
    Description='Sample KMS Key for Course',
    KeyUsage='ENCRYPT_DECRYPT',
    Origin='AWS_KMS'
)

# Extract Key ID
key_id = kms_key_response['KeyMetadata']['KeyId']
print("Created KMS Key with ID:", key_id)

# TODO: Generate a data key
data_key_response = kms.generate_data_key(
    KeyId=key_id,
    KeySpec='AES_256'
)

# Extracting the plaintext and encrypted versions of the data key
plaintext_data_key = data_key_response['Plaintext']
encrypted_data_key = data_key_response['CiphertextBlob']

print("Generated Data Key (Plaintext):", plaintext_data_key)
print("Generated Data Key (Encrypted):", encrypted_data_key)
```

### **What This Script Does**
1. **Initializes the AWS KMS client** using `boto3`.
2. **Creates a new AWS KMS key** with:
   - A description: `'Sample KMS Key for Course'`
   - Key usage: `'ENCRYPT_DECRYPT'`
   - Origin: `'AWS_KMS'`
3. **Extracts the Key ID** from the response.
4. **Generates a data key** using the `generate_data_key` method.
5. **Prints the plaintext and encrypted versions** of the data key.

### **Why Use Data Keys?**
AWS KMS **keys** are used to **generate data keys** because:
- AWS KMS keys **can't encrypt large amounts of data directly** (4 KB limit).
- **Data keys** allow you to encrypt larger datasets **securely and efficiently**.
- The **plaintext data key is used for encryption**, while the **encrypted data key is stored safely**.

Run the script and **observe the output** to understand how data keys are generated! 🚀


## Describing a Customer Master Key Metadata

You're making fantastic progress! In this task, you'll enhance an existing Python script by incorporating a feature that fetches metadata of an AWS KMS Key. The provided script creates a KMS key, generates a data key, and stores the key_id. Now, you are required to add functionality to describe the created KMS key using the describe_key operation and print its KeyState. Carefully observe how the data flows and the output to strengthen your grasp on AWS KMS operations.

Hint: The KeyState is nested inside KeyMetadata in the response from the describe_key operation.

Important Note: Running scripts can modify resources in our AWS simulator. To revert to the initial state, you can use the reset button located in the top-right corner. However, keep in mind that resetting will erase any code changes. To preserve your code during a reset, consider copying it to the clipboard.

```python
import boto3

# Initialize KMS client
kms = boto3.client('kms')

# Creating a KMS key
cmk_response = kms.create_key(
    Description='Sample KMS Key for Course',
    KeyUsage='ENCRYPT_DECRYPT',
    Origin='AWS_KMS'
)

# Extract Key Id
key_id = cmk_response['KeyMetadata']['KeyId']

# Generate data key
data_key_response = kms.generate_data_key(
    KeyId=key_id,
    KeySpec='AES_256'
)

# TODO: Use describe_key to fetch metadata, extract 'KeyState' from 'KeyMetadata', and print it

```

## Describing a Customer Master Key Metadata

You're making fantastic progress! 🚀  

In this task, you'll enhance an existing Python script by incorporating a feature that **fetches metadata** of an **AWS KMS Key**.  

### **Current Script Functionality**
- **Creates a KMS key**.
- **Generates a data key**.
- **Stores the `key_id`**.

### **Your Task**
Extend the script by:
- Using the `describe_key` operation.
- Extracting the **KeyState** from `KeyMetadata`.
- Printing the **KeyState** to observe the KMS key status.

> **Hint:** The `KeyState` is **nested inside** `KeyMetadata` in the response from `describe_key`.

> **Important Note:**  
> Running scripts can modify resources in our AWS simulator.  
> To revert to the initial state, use the **reset button** in the **top-right corner**.  
> However, resetting **erases all code changes**. To **preserve your code**, copy it to the clipboard.

---

### **Python Script: Describe KMS Key Metadata**
```python
import boto3

# Initialize KMS client
kms = boto3.client('kms')

# Creating a KMS key
cmk_response = kms.create_key(
    Description='Sample KMS Key for Course',
    KeyUsage='ENCRYPT_DECRYPT',
    Origin='AWS_KMS'
)

# Extract Key ID
key_id = cmk_response['KeyMetadata']['KeyId']
print("Created KMS Key with ID:", key_id)

# Generate data key
data_key_response = kms.generate_data_key(
    KeyId=key_id,
    KeySpec='AES_256'
)

# TODO: Use describe_key to fetch metadata, extract 'KeyState' from 'KeyMetadata', and print it
key_metadata = kms.describe_key(KeyId=key_id)
key_state = key_metadata['KeyMetadata']['KeyState']

print("Key State:", key_state)
```

---

### **What This Script Does**
1. **Initializes the AWS KMS client** using `boto3`.
2. **Creates a new AWS KMS key**.
3. **Extracts the Key ID** from the response.
4. **Generates a data key** using the `generate_data_key` method.
5. **Uses `describe_key` to retrieve key metadata**.
6. **Extracts and prints the `KeyState`**, which indicates the key's current status.

### **Understanding `KeyState`**
The `KeyState` field represents the **current status** of an AWS KMS key. Possible values include:
- **Enabled**: The key is active and can be used for cryptographic operations.
- **Disabled**: The key is inactive and cannot be used.
- **PendingDeletion**: The key is scheduled for deletion.
- **PendingImport**: The key is waiting for key material import.
- **Unavailable**: The key is temporarily unavailable.

---

### **Next Steps**
Run the script and **observe the output** to see how AWS KMS key states change over time! 🚀


## Enabling Rotation for AWS KMS Keys

Continuing on your key management journey, this task will assert your understanding of enabling key rotation using AWS KMS with Python Boto3. The starter script creates a KMS key and provides a key ID that you can interact with, but it does not enable key rotation. Your task is to expand the interface and add a command line to enable key rotation on the provided key, then verify that rotation has been enabled by describing the key and printing the KeyRotationEnabled attribute. Run the script and view the result of your added feature.

Important Note: Running scripts can modify the resources in our AWS simulator. To revert to the initial state, you can use the reset button located in the top right corner. However, keep in mind that resetting will erase any code changes. To preserve your code during a reset, consider copying it to the clipboard.

```python
import boto3

# Initialize KMS client
kms = boto3.client('kms')

# Creating a KMS key
kms_response = kms.create_key(
    Description='Sample KMS key for Course',
    KeyUsage='ENCRYPT_DECRYPT',
    Origin='AWS_KMS'
)

# Extract Key Id
key_id = kms_response['KeyMetadata']['KeyId']

# TODO: Enable key rotation for the created KMS key

# TODO: Verify the key rotation by describing the key and printing the 'KeyRotationEnabled' attribute


```

## Enabling Rotation for AWS KMS Keys

Continuing on your key management journey, this task will **reinforce your understanding** of enabling key rotation using **AWS KMS with Python Boto3**.

### **Current Script Functionality**
- **Creates an AWS KMS key**.
- **Extracts the key ID** for further operations.

### **Your Task**
Expand the script by:
1. **Enabling key rotation** for the created AWS KMS key using `enable_key_rotation`.
2. **Verifying the key rotation status** by describing the key.
3. **Printing the `KeyRotationEnabled` attribute** to confirm the change.

> **Important Note:**  
> Running scripts can modify resources in our AWS simulator.  
> To revert to the initial state, use the **reset button** in the **top right corner**.  
> However, resetting **erases all code changes**. To **preserve your code**, copy it to the clipboard.

---

### **Python Script: Enable Key Rotation in AWS KMS**
```python
import boto3

# Initialize KMS client
kms = boto3.client('kms')

# Creating a KMS key
kms_response = kms.create_key(
    Description='Sample KMS key for Course',
    KeyUsage='ENCRYPT_DECRYPT',
    Origin='AWS_KMS'
)

# Extract Key ID
key_id = kms_response['KeyMetadata']['KeyId']
print("Created KMS Key with ID:", key_id)

# TODO: Enable key rotation for the created KMS key
kms.enable_key_rotation(KeyId=key_id)
print("Key rotation enabled for KMS Key ID:", key_id)

# TODO: Verify the key rotation by describing the key and printing the 'KeyRotationEnabled' attribute
rotation_status = kms.get_key_rotation_status(KeyId=key_id)
print("Key Rotation Enabled:", rotation_status['KeyRotationEnabled'])
```

---

### **What This Script Does**
1. **Initializes the AWS KMS client** using `boto3`.
2. **Creates a new AWS KMS key**.
3. **Extracts the Key ID** for further use.
4. **Enables key rotation** using `enable_key_rotation`.
5. **Verifies and prints the key rotation status** using `get_key_rotation_status`.

---

### **Understanding Key Rotation in AWS KMS**
**Key rotation** in AWS KMS helps improve security by:
- Automatically generating **new cryptographic material** every year.
- Keeping the **same key ID**, so applications using the key remain unaffected.
- Helping meet **compliance requirements** for security best practices.

However, note that:
- **Customer-managed KMS keys** support **automatic rotation**.
- **AWS-managed KMS keys** are rotated every **three years** by AWS but cannot be manually configured.

---

### **Next Steps**
Run the script and **observe the output** to confirm that key rotation has been enabled! 🚀


This is your final challenge, where you will need your knowledge about AWS Key Management Service (KMS) to complete the task. For this task, you are asked to write an entire Python script from scratch. The script needs to create an AWS KMS key, generate a data key, encrypt some sample data locally, describe the key created, list all keys, enable key rotation for the AWS KMS key, and finally, schedule the AWS KMS key for deletion. Run the script and observe the flow of the process to reinforce your understanding of AWS KMS.

Important Note: Running scripts can modify the resources in our AWS simulator. To revert to the initial state, you can use the reset button located in the top right corner. However, keep in mind that resetting will erase any code changes. To preserve your code during a reset, consider copying it to the clipboard.

```python
# TODO: Prepare an entire script that does the following:
# Create an AWS KMS key
# Generate a data key
# Encrypt some data
# Describe the key
# List all Keys -- Hint: you can use the list_keys() function on the client
# Enable key rotation for the AWS KMS key
# Schedule the AWS KMS key for deletion

```

Here is a complete Python script that accomplishes all the required tasks using AWS Key Management Service (KMS) with **Boto3**:

```python
import boto3
import base64

# Initialize KMS client
kms = boto3.client('kms')

# 1. Create an AWS KMS Key
kms_response = kms.create_key(
    Description='Final Challenge KMS Key',
    KeyUsage='ENCRYPT_DECRYPT',
    Origin='AWS_KMS'
)

# Extract Key ID
key_id = kms_response['KeyMetadata']['KeyId']
print("Created KMS Key with ID:", key_id)

# 2. Generate a Data Key
data_key_response = kms.generate_data_key(
    KeyId=key_id,
    KeySpec='AES_256'
)

plaintext_data_key = data_key_response['Plaintext']
encrypted_data_key = data_key_response['CiphertextBlob']

print("Generated Data Key (Encrypted):", base64.b64encode(encrypted_data_key).decode())

# 3. Encrypt Sample Data Locally
sample_data = b"Hello, AWS KMS!"
encrypted_sample_data = bytes(a ^ b for a, b in zip(sample_data, plaintext_data_key[:len(sample_data)]))

print("Encrypted Sample Data:", base64.b64encode(encrypted_sample_data).decode())

# 4. Describe the KMS Key
key_metadata = kms.describe_key(KeyId=key_id)
print("Key Description:", key_metadata['KeyMetadata']['Description'])
print("Key State:", key_metadata['KeyMetadata']['KeyState'])

# 5. List All KMS Keys
all_keys = kms.list_keys()
print("List of All KMS Keys:")
for key in all_keys['Keys']:
    print(f" - Key ID: {key['KeyId']}")

# 6. Enable Key Rotation
kms.enable_key_rotation(KeyId=key_id)
rotation_status = kms.get_key_rotation_status(KeyId=key_id)
print("Key Rotation Enabled:", rotation_status['KeyRotationEnabled'])

# 7. Schedule the KMS Key for Deletion
kms.schedule_key_deletion(
    KeyId=key_id,
    PendingWindowInDays=7  # Minimum 7 days before deletion
)

print(f"KMS Key {key_id} is scheduled for deletion in 7 days.")
```

---

### **What This Script Does**
1. **Creates an AWS KMS key** and extracts the `Key ID`.
2. **Generates a data key** (plaintext and encrypted versions).
3. **Encrypts a sample string locally** using XOR (for demonstration purposes).
4. **Describes the created KMS key** and prints its metadata.
5. **Lists all AWS KMS keys** in the account.
6. **Enables key rotation** for the AWS KMS key.
7. **Schedules the key for deletion** after 7 days.

---

### **Notes**
- The encryption technique used here (`XOR with the data key`) is just a **simplified demonstration**. In real-world scenarios, **proper encryption libraries** like `cryptography` should be used.
- **Key rotation** is only available for **customer-managed keys**, not AWS-managed keys.
- **Scheduling a key for deletion** ensures a buffer period where the key can be recovered before being permanently removed.

---

### **Next Steps**
Run the script in an AWS environment, **observe the output**, and understand how **AWS KMS manages encryption, keys, and security policies**. 🚀