OpenCourser brand icon
Sign in
We may earn an affiliate commission when you visit our partners.
Course image
Udemy logo

AWS Key Management Service - KMS Fundamentals

4.6 Filled star Filled star Filled star Filled star Half star
Based on 82 ratings
see reviews
Brian Choi

Welcome to Amazon Web Service’s Key Management Service Fundamentals course. If you are building a solution in AWS that works with sensitive data, you will probably need to encrypt your data which is becoming a common requirement. If this is you, you’ve come to the right course. That’s because the Key Management Service is a core technology in AWS that plays a crucial role for any data encryption solution.

The major topics in this course include

Read more

Welcome to Amazon Web Service’s Key Management Service Fundamentals course. If you are building a solution in AWS that works with sensitive data, you will probably need to encrypt your data which is becoming a common requirement. If this is you, you’ve come to the right course. That’s because the Key Management Service is a core technology in AWS that plays a crucial role for any data encryption solution.

The major topics in this course include

  • Customer Master Key

  • Key Ownership models

  • Symmetric keys

  • Access management

  • Integration with S3 and Elastic Block Store (EBS)

  • Deleting Key

  • Rotating Key

  • Limits

  • Cost

There are a lot of demonstrations in this course and I encourage you to follow along to help you learn by doing.

This course is intended for a technical audience with some familiarity with AWS. Ideal learners are software engineers, solution architects and anyone who is building in AWS with interest in data encryption. If you have some basic understanding of AWS’s Identity and Access Management, it would be helpful on this course. Otherwise, the only other prerequisite is your curiosity and willingness to learn.

Feel free to browse the course description and look forward to helping you learn about Key Management Service.

Enroll now

What's inside

Learning objectives

  • Aws key management service fundamentals and using customer master key to encrypt data
  • Access management for configure who can do what with master keys
  • Examples of using master keys to encrypt data on aws s3 and ebs
  • Best practice for data encryption and managing master key in key management service

Syllabus

Understand the main purpose of Key Management Service and what is customer master key. You will understand basic concept of cryptography, scope and ownership model customer master key.
Read more

Welcome to Key Management Service Fundamentals course.  In this lesson, we'll outline the main topics of the course, tools used in the demonstrations and resources available to you. 

In this lecture, we'll cover the basic concept of cryptography and the role of a master key.  We'll look at what is Advanced Encryption Standard and why it's important that KMS uses this algorithm.  There are 2 main types of keys in KMS which are symmetric and asymmetric keys.  We'll cover what is the difference and when to use each type of keys using an illustration.  We'll formally introduce Customer Master Key which is the primary resource in AWS's Key Management Service.

  • Cryptography Basics

  • Advanced Encryption Standard (AES-256)

  • Symmetric Key

  • Asymmetric Key

  • Customer Master Key

AWS Key Management Service can do a lot of things but it's important to understand what it is not.  In this lecture, we'll cover when to use KMS and when not to use KMS. 

In this lecture, we’ll look at different ownership models available for customer master keys in the Key Management Service. When you use Key Management Service, it's important to understand who has ownership of it. Different ownership models controls who can create, change and delete the keys. We'll cover what are your responsibilities vs. AWS responsibilities in each model.

  • Who owns master key

  • Customer Managed

  • AWS Managed

  • Custom Key Store

  • Hardware Security Modules

In this lecture, we’ll cover AWS accounts and regions and what it means for customer master keys that are managed by KMS.  We'll look at the scope of the customer master key in context of an AWS account and region and how this impacts your solution.    

  • Customer Master Key scope

  • AWS Region

  • AWS Account

  • AWS Services Integration

We'll create a new symmetric customer master key using AWS console.  Then, we'll use a Python application with Boto3 SDK to encrypt and decrypt data using our new symmetric key. 

  • Step by step how to create symmetric key using AWS console wizard

  • Sample Python application to encrypt and decrypt text

  • Set up credential to authenticate Python application to AWS account

  • Run application to encrypt and decrypt text using symmetric key.

Key Management Service has feature to upload your own key material to create a symmetric key.  In this lecture, we'll cover what is a key material, why you may consider this option and what is your responsibility if you choose this option.  We'll create a new customer master key by importing a new key material and demonstrate step by step how to upload your own key material. 

  • What is a key material

  • How to create a key material

  • How to upload a key material to create a symmetric key

  • Key material relationship to Customer Master Key

  • Re-importing a key material

  • Deleting key material

  • Backup and restore consideration

Understanding who can do what in KMS is essential to building a secure solution.  In this lecture, we look at 3 ways you can manage access and common use cases.

  • Key Policy

  • IAM Policy

  • Grant

  • Key Administrator use case

  • Key user use case

This lesson look at the basic structure of a key policy and the statements inside.  Specifically, we look at a statement that governs what the root user can do and its function to apply IAM policy to the customer master key.  We'll use AWS Command Line Interface (CLI) to demonstrate the effects of this first very important policy statement. 

  • Root User authorization

  • Enable IAM Policy in a key policy

In this lecture, we'll look at how to configure key policy and IAM policy to access for key administrators and users.  We'll create key policy for administrator and user use case.  Then we'll create similar IAM policy to demonstrate how these policies can be used together to control access to the customer master key.  Finally, we'll discuss pro's and con's of using key policy and IAM policy.  We'll use AWS CLI to demonstrate the effects of the policy on access for both user and administrator of the key.   

  • KMS actions for administrators and users

  • Using key policy to set permissions

  • Using IAM policy to set permissions

  • Pro's and con's of using key policy and IAM policy

Grant is another way to configure who can do what in addition to key policy and IAM policy.  Grants allow you to configure access programmatically without modifying the policy statements.  We'll use Python application to create grant and AWS CLI to demonstrate how to use the grant.  We'll also see demonstration of how configure grants to principals across AWS account

  • What is a grant

  • How to create grant

  • When to use grant

  • Using grants for principals across accounts 

let's test your knowledge on KMS access management.

In this lesson, we’ll look at what it means to encrypt and decrypt data stored in the Simple Storage Service or S3. Encrypting data at rest is a common use case because S3 is a very popular service where you can store virtually unlimited objects organized into buckets.

In this lecture, we'll look at 5 different ways to encrypt data at rest in S3.  We'll upload items to an S3 bucket configured with different keys and see how S3 encrypts data at rest on the server side.   

  1. S3 owned key (SSE-S3)

  2. Customer Managed Key (SSE-KMS)

  3. AWS Managed Key (SSE-KMS)

  4. Customer Provided Key (SSE-C)

  5. Client Side Encryption

In this lecture we'll look at how to use S3 bucket policy to control server side encryption method and key when putting objects into S3.  The demonstration uses Python application using boto3 SDK.  We'll configure a bucket policy to demonstrate the effect on the put operation and resulting encrypted.  We'll also look at some tips on what not to do on the bucket policy to enforce that all objects are encrypted using the same customer master key.   

In this lecture, we’ll discuss what is envelope encryption and data keys. It turns out that when S3 encrypt objects on the server side, it doesn’t actually use the master key directly. It uses what’s called a data key and a technique called envelope encryption.

  • What is envelop encryption

  • Data key

  • Master key relationship to data key

  • Envelope encryption advantage

In this lesson, we’ll learn how server side encryption with KMS works when you turn on versioning and replication in S3.  We'll demonstrate how S3 encrypts each version of the objects using specified server side encryption method using envelop encryption technique.  Another common use case is a cross region replication for S3 bucket with server side encryption.  The demonstration will set up a S3 cross region replication with server side encryption to see what customer master keys are used.  We'll also look at the role of default encryption and key policy when replicating object across regions.

Elastic Block Storage (EBS) is commonly used as primary storage for EC2 or RDS.  One of the common use case is to encrypt the data stored in EBS using Customer Master Key.  In this lecture, we'll discuss what is EBS and explain how it uses data key in memory to perform cryptographic operations.  We'll also discuss how EBS achieves the performance using this technique rather than envelop encryption used in S3.    

One of the features of EBS is to take a snapshot and detach it from an EC2 instance.  Then you can restore the snapshot of the EBS to another EC2 instance.  In this lecture, we'll discuss how to do this when the data on the EBS encrypted using a customer master key.

  • Launch new EC2

  • Restore EBS to another EC2

  • Consequence of deleting customer master key

  • How do you attach EBS to an EC2

  • Configure Customer Master Key to encrypt EBS

  • How encryption works in an extremely high read/write scenario using EBS

Deleting a CMK is a very permanent business. It’s so serious that AWS forces you to wait at least 7 days before it is actually deleted.  In this lecture, we'll discuss what actually happens when you delete a customer master key and its consequences.  We'll also cover special consideration if you decide to import your own key material.

It is good practice to rotate your keys tp avoid extensive reuse.  In this lecture, we'll discuss how to rotate your key and what that means to the data that was encrypted using the old key. 

  • Automatic rotation

  • Manual rotation

  • What happens to the data previously encrypted with old key 

  • Limitations

Alias is another resource type in the Key Management Service. In this lecture, we'll discuss what is an alias and it's purpose.  We'll demonstrate how to create an alias and associate it with a customer master key.  Then we'll see how to use alias to reference customer master key.

In this lesson, we’ll discuss the limits and cost associated with Key Management Service. Like all services in AWS, there are limits and it’s important to understand them when you go to build a real world solution.  Broadly speaking, there are 2 types of limits in KMS which are resource limit and request limit.  We'll cover each types, how to adjust them and regional considerations.  We'll also review the types of keys because the limits vary by types of keys. 

The pricing model is another important topic we'll cover.  There are cost associated with resources itself such as customer master key per month.  Then there are usage cost for number of requests to the customer master key.  We'll look at 2 examples: S3 bucket and EBS encryption.  Both services accomplish encryption at rest using KMS but cost can be very different. 

Congratulations. You’ve completed the Amazon Web Service’s Key Management Service Fundamentals course.  I want to thank you for taking this course and would appreciate your feedback. Your feedback will help me improve on my journey in learning and producing future courses. Thanks again and best wishes. Keep learning and keep building.

Traffic lights

Read about what's good
what should give you pause
and possible dealbreakers
Provides practical demonstrations using the AWS console, Python, and the Boto3 SDK, which allows learners to gain hands-on experience with KMS functionalities
Explores integration with S3 and EBS, which are essential services for data storage and management in AWS environments, making it highly relevant for practical application
Assumes a basic understanding of AWS Identity and Access Management (IAM), which may require learners without this knowledge to acquire it beforehand
Covers key rotation strategies, including automatic and manual rotation, which are critical for maintaining long-term security and compliance in AWS environments
Discusses the implications of deleting customer master keys, which is crucial for understanding data security and disaster recovery scenarios in AWS
Examines different key ownership models, including customer-managed, AWS-managed, custom key store, and hardware security modules, which is essential for understanding key management responsibilities

Save this course

Create your own learning path. Save this course to your list so you can find it easily later.
Save

Reviews summary

Aws kms fundamentals and usage

According to learners, this course offers a solid introduction to AWS Key Management Service (KMS). Many highlight its effectiveness in providing a clear and concise overview of KMS concepts and its integration with key AWS services like S3 and EBS. Students particularly appreciate the practical demonstrations, which help in understanding the real-world application of KMS. While it serves as an excellent starting point for those new to KMS with some prior AWS knowledge, some reviews suggest it focuses primarily on foundational aspects and may not delve into highly advanced or niche configurations.
Targeted towards technical AWS users.
"As a developer, I found the course highly relevant to my work."
"It's clearly designed for a professional audience building on AWS."
"Assumes some AWS background, which is appropriate for the topic."
Primarily covers fundamental KMS topics.
"While thorough on fundamentals, it doesn't go deep into every advanced feature."
"This course is best for learning the basics, not for becoming a KMS expert."
"It's a great overview but left me wanting more detail on complex scenarios."
Builds a strong base in KMS fundamentals.
"I feel like I have a solid foundation in KMS after taking this course."
"It covers all the necessary fundamentals to get started with AWS encryption."
"Perfect for understanding the core principles of KMS like CMKs and policies."
Practical demos aid in understanding core concepts.
"The hands-on demonstrations were incredibly helpful for grasping the material."
"Seeing the KMS features implemented in the demos solidified my learning."
"I liked the step-by-step approach in the practical examples."
Provides a clear and concise overview of KMS.
"This course gave me a really clear understanding of KMS basics."
"I found the explanations very straightforward and easy to follow."
"A great concise introduction to AWS key management concepts."

Activities

Be better prepared before your course. Deepen your understanding during and after it. Supplement your coursework and achieve mastery of the topics covered in AWS Key Management Service - KMS Fundamentals with these activities:
Review Cryptography Basics
Solidify your understanding of fundamental cryptographic concepts before diving into KMS.
Browse courses on Cryptography Basics
Show steps
  • Read articles or watch videos explaining symmetric and asymmetric encryption.
  • Practice encrypting and decrypting data using online tools.
  • Review the differences between various encryption algorithms.
Read 'Serious Cryptography'
Deepen your understanding of cryptography with a practical guide.
View Putting Knowledge to Work on Amazon
Show steps
  • Read the chapters related to symmetric and asymmetric encryption.
  • Experiment with the code examples provided in the book.
  • Research real-world applications of the cryptographic techniques discussed.
Practice IAM Policy Creation
Reinforce your understanding of IAM policies by creating policies that grant specific permissions to KMS keys.
Show steps
  • Create IAM policies that allow users to encrypt and decrypt data using a specific KMS key.
  • Create IAM policies that restrict access to KMS keys based on user roles.
  • Test the IAM policies to ensure they function as expected.
Four other activities
Expand to see all activities and additional details
Show all seven activities
Create a KMS Access Management Diagram
Visualize the different access management options in KMS to better understand how they interact.
Show steps
  • Research the different access management options in KMS: key policies, IAM policies, and grants.
  • Create a diagram that illustrates how these options can be used to control access to KMS keys.
  • Explain the diagram in a short presentation or blog post.
Encrypt S3 Bucket with KMS
Apply your knowledge by encrypting an S3 bucket using KMS and testing the encryption.
Show steps
  • Create a new S3 bucket.
  • Create a KMS key.
  • Configure the S3 bucket to use the KMS key for encryption.
  • Upload and download files to the bucket to verify the encryption.
Document KMS Best Practices
Solidify your understanding by creating a document outlining best practices for using KMS.
Show steps
  • Research KMS best practices from AWS documentation and other sources.
  • Organize the best practices into a clear and concise document.
  • Include examples and explanations to illustrate each best practice.
Read 'AWS Certified Security Specialty Exam Guide'
Prepare for AWS certification and deepen your KMS knowledge.
View AWS Certified Cloud Practitioner Study Guide... on Amazon
Show steps
  • Review the chapters related to encryption and key management.
  • Take the practice exams to assess your understanding.
  • Focus on areas where you need improvement.

Career center

Learners who complete AWS Key Management Service - KMS Fundamentals will develop knowledge and skills that may be useful to these careers:
Cloud Security Engineer
A Cloud Security Engineer is responsible for designing, implementing, and managing security measures in cloud environments. This role involves ensuring data confidentiality, integrity, and availability, which directly aligns with the core concepts covered in this course. The course's focus on encryption using AWS Key Management Service helps a cloud security engineer understand how to protect sensitive data effectively and manage keys properly. A Cloud Security Engineer will use the content in this course daily: understanding customer master keys, symmetric keys, access management, and integration with services like S3 and EBS are crucial for secure data management in AWS.
See salaries and explore the career path for Cloud Security Engineer
Solutions Architect
A Solutions Architect designs and plans cloud-based solutions. This requires a thorough understanding of how to secure data within these systems. This course provides a strong foundation in using AWS Key Management Service, enabling a solutions architect to design solutions that meet encryption needs. The course's coverage of customer master keys, key ownership models, access management, and integration with services like S3 and EBS is highly relevant to the role. An architect must know why, when, and how to deploy encryption in their designs, and this course helps build that knowledge.
See salaries and explore the career path for Solutions Architect
Data Security Analyst
A Data Security Analyst focuses on protecting data assets from unauthorized access and breaches. Understanding how to encrypt data and manage encryption keys is central to this work. This course provides a detailed overview of the AWS Key Management Service, which is essential for a Data Security Analyst working with data in an AWS environment. This course will help a Data Security Analyst understand how to manage customer master keys, symmetric keys, access controls, and integration with services like S3 and EBS. Learning how to manage the lifecycle of keys, including rotation and deletion, is also invaluable.
See salaries and explore the career path for Data Security Analyst
DevOps Engineer
A DevOps Engineer is often responsible for automating the deployment and management of cloud infrastructure, including security configurations. This course is valuable because it introduces them to AWS Key Management Service, a crucial component for securing data in AWS. The course teaches key areas such as customer master keys, access management, and integrating with services like S3 and EBS, which are frequently encountered by DevOps Engineers. A DevOps engineer working with AWS environments will find this course to be very useful.
See salaries and explore the career path for DevOps Engineer
Cloud Engineer
Cloud Engineers implement and manage cloud infrastructure. Data security is a vital part of this. This course helps a cloud engineer understand encryption using the AWS Key Management Service, which can be directly applied to their daily responsibilities. The course provides practical skills in managing customer master keys, access controls, and integrating KMS with services like S3 and EBS. A Cloud Engineer should be familiar with best practices for data encryption, as taught in this course.
See salaries and explore the career path for Cloud Engineer
Security Consultant
A Security Consultant advises organizations on how to improve their security posture, including data protection. This course may be useful for a Security Consultant who works with clients using AWS by giving them foundational knowledge of encryption using Key Management Service. The course's contents, including customer master keys, access management, and integration strategies, could be very useful to a Security Consultant. Since a consultant needs to provide informed guidance, this course helps them understand the nuances of AWS data protection.
See salaries and explore the career path for Security Consultant
Software Developer
A Software Developer building applications in AWS needs to understand how to secure data, especially when working with sensitive information. This course may be helpful to a software developer because it covers how to use AWS Key Management Service for encryption, a critical component of many secure applications. Learning about customer master keys, symmetric key management, access controls, and integration with services like S3 and EBS improves a developer's ability to build secure applications within the AWS ecosystem. Developers can use the course's demos to guide their own work.
See salaries and explore the career path for Software Developer
System Administrator
System Administrators who manage AWS infrastructure need a foundation in security practices, including data encryption. This course may be useful for a System Administrator working with AWS; it should help them understand and use AWS Key Management Service to protect data in the cloud. Understanding customer master keys, access management, and integration with services like S3 and EBS, makes them far more able to secure systems they work on. This course would give them a grounding in key management.
See salaries and explore the career path for System Administrator
Network Engineer
While a Network Engineer's primary focus is on network infrastructure, securing data as it traverses the network is also a concern. This course may be useful for a Network Engineer by providing them a foundation in encryption. Key Management Service fundamentals covered in this course, such as customer master key management and access control, help build a stronger understanding of encryption. Also helpful are sections on integration with S3 and EBS services, which might rely on a network.
See salaries and explore the career path for Network Engineer
Database Administrator
A Database Administrator must ensure data is protected at rest and in transit. This course may be helpful for a database administrator, especially when databases are hosted on AWS. Knowledge of AWS Key Management Service, as covered in the course, can help a Database Administrator properly encrypt data in AWS services like S3 and EBS that can be used for backing up databases. This course should support better data security for databases hosted in AWS, which may form part of a Database Administrator's responsibilities.
See salaries and explore the career path for Database Administrator
IT Manager
An IT Manager overseeing cloud operations needs to be aware of security practices and data protection requirements. This course may be helpful for them in overseeing secure data practices in their organization. This includes an understanding of AWS Key Management Service. The course content, covering customer master keys, key ownership, and access management, provide a suitable base for managers ensuring that their teams are following best practices. An IT Manager should be broadly familiar with this space.
See salaries and explore the career path for IT Manager
Project Manager
A Project Manager with projects in AWS cloud environments should have a general understanding of data encryption and security. This course may be helpful for Project Managers by familiarizing them AWS Key Management Service. While they might not implement security themselves, it can be useful for them to understand concepts like customer master keys, key ownership, and access management. This helps Project Managers better coordinate with technical teams and stakeholders, especially when security requirements are important.
See salaries and explore the career path for Project Manager
Compliance Officer
A Compliance Officer is primarily concerned with ensuring an organization adheres to regulations and security standards. This course may be useful for a Compliance Officer who needs an understanding of how data is secured in cloud environments using AWS. The course’s overview of AWS Key Management Service, including customer master keys, access management, and integration with S3 and EBS, should inform compliance strategies. A Compliance Officer needs to understand the controls that AWS offers, and this course can help build that foundation.
See salaries and explore the career path for Compliance Officer
Technical Writer
While not a technical role itself, a Technical Writer who writes documentation for AWS services may find this course useful. Understanding the concepts covered in this course aids in creating accurate and comprehensive documentation for software engineers, solutions architects, and other technical roles. The course's content covering customer master keys, access management, and integration with S3 and EBS helps a technical writer more fully understand the subject matter. This familiarity means they can more accurately document the service features.
See salaries and explore the career path for Technical Writer
Technical Sales
A Technical Sales professional who sells cloud solutions should have an understanding of security practices. While not directly using the technology, a Technical Sales role often involves communicating the value and security features of a cloud service, like encryption. This course may be helpful because it teaches the fundamentals of AWS Key Management Service, including customer master keys, key ownership models and integration with services like S3 and EBS. This can improve the quality of their sales conversations.
See salaries and explore the career path for Technical Sales

Reading list

We've selected two books that we think will supplement your learning. Use these to develop background knowledge, enrich your coursework, and gain a deeper understanding of the topics covered in AWS Key Management Service - KMS Fundamentals.
Cover image
AWS Certified Cloud Practitioner Study Guide With...
Save
Is designed to help individuals prepare for the AWS Certified Security Specialty exam. It covers a wide range of security topics, including encryption, access control, and compliance. It is useful for reinforcing your understanding of KMS and its role in securing AWS environments. This book is commonly used as a reference for AWS security professionals.
AWS Certified Cloud Practitioner Study Guide With...
Paperback
$$
AWS Certified Cloud Practitioner Study Guide With...
Kindle Edition
$$
Cover image
Putting Knowledge to Work
Save
Provides a practical and modern introduction to cryptography. It covers various cryptographic techniques and protocols, including symmetric and asymmetric encryption, hashing, and digital signatures. It is useful for understanding the underlying principles behind KMS and its applications. This book is more valuable as additional reading to deepen understanding.
Putting Knowledge to Work
Paperback
Check
Putting Knowledge to Work
Kindle Edition
Check

Share

Help others find this course page by sharing it with your friends and followers:
Facebook
LinkedIn
Reddit
X
Link
Email

Similar courses

Similar courses are unavailable at this time. Please try again later.
Course image
Rating
4.6 Filled star Filled star Filled star Filled star Half star
Effort
3 total hours
Via
Udemy
Instructor
Brian Choi
Language
English
Traffic lights
Read about what's good
what should give you pause
and possible dealbreakers
Provides practical demonstrations using the AWS console, Python, and the Boto3 SDK, which allows learners to gain hands-on experience with KMS functionalities
Explores integration with S3 and EBS, which are essential services for data storage and management in AWS environments, making it highly relevant for practical application
Assumes a basic understanding of AWS Identity and Access Management (IAM), which may require learners without this knowledge to acquire it beforehand
Covers key rotation strategies, including automatic and manual rotation, which are critical for maintaining long-term security and compliance in AWS environments
Discusses the implications of deleting customer master keys, which is crucial for understanding data security and disaster recovery scenarios in AWS
Examines different key ownership models, including customer-managed, AWS-managed, custom key store, and hardware security modules, which is essential for understanding key management responsibilities
Share this
Share to help others discover this course.
Facebook LinkedIn X Reddit Link Email
Begin learning today
Enroll now to gain full access to AWS Key Management Service - KMS Fundamentals.
Enroll now
Save for later
Add this course to your list. Find it anytime.
Save
Our mission

OpenCourser helps millions of learners each year. People visit us to learn workspace skills, ace their exams, and nurture their curiosity.

Our extensive catalog contains over 50,000 courses and twice as many books. Browse by search, by topic, or even by career interests. We'll match you to the right resources quickly.

Find this site helpful? Tell a friend about us.

Affiliate disclosure

We're supported by our community of learners. When you purchase or subscribe to courses and programs or purchase books, we may earn a commission from our partners.

Your purchases help us maintain our catalog and keep our servers humming without ads.

Thank you for supporting OpenCourser.

© 2016 - 2025 OpenCourser