Encrypt Data with AWS KMS
Author: Esther Moaweni
In this project, I will demonstrate how to create encryption keys with AWS KMS, encrypt a DynamoDB table using a customer-managed KMS key, add and retrieve data to test the encryption, observe how AWS blocks unauthorized access and grant a user permission to use the key for encryption operations.
Services I used include AWS KMS to create and manage encryption keys, DynamoDB to store and manage NoSQL data, IAM to control user permissions, and CloudShell to execute CLI commands for table creation and data loading. Key concepts I learnt include encryption, specifically transparent data encryption with customer-managed keys (CMKs), key policy management for fine-grained access control and DynamoDB table configuration with partition keys.
This project took me approximately 3-4 hours to complete, as creating the DynamoDB table, setting up the KMS key, configuring IAM policies, and testing encryption with the test user required careful setup and troubleshooting.
I chose to do this project today because I wanted to gain hands-on experience with AWS KMS and DynamoDB, learning how to implement encryption and access control to secure data in a scalable NoSQL database for cloud applications.
Encryption is the process of converting data into a secure, unreadable format using an algorithm and a key to protect it from unauthorized access. Companies and developers do this to safeguard sensitive information, like data in a DynamoDB table, ensuring compliance and preventing data breaches. Encryption keys are secret values used by the encryption algorithm to lock (encrypt) and unlock (decrypt) the data.
AWS KMS is a managed service in AWS that enables you to create, manage and control cryptographic keys for encrypting data in services like DynamoDB. Key management systems are important because they provide secure storage, rotation and access control for encryption keys, ensuring data protection.
Encryption keys are broadly categorized as symmetric and asymmetric. I set up a symmetric key because I want to use a single key to both encrypt and decrypt my data in DynamoDB.
My encryption key will safeguard data in DynamoDB, which is a NoSQL database service in AWS that stores data as items in tables, by encrypting the data at rest using AWS KMS to protect sensitive information from unauthorized access.
DynamoDB offers three encryption options: Amazon-owned keys, where DynamoDB fully manages the key and you have no access to or control over it; AWS-managed keys, which live in AWS KMS so you can see them but cannot manage them; and customer-managed keys (CMKs), which you create and manage yourself in KMS for full control. I selected a CMK because it offers the highest security and flexibility, allowing me to manage and control encryption for my DynamoDB table.
KMS controls who can use a key through the key policy attached to that key (a resource policy that works together with IAM policies). The policy specifies which users or roles can perform specific actions on the key, such as kms:Encrypt or kms:Decrypt.
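The table creation and verification step described above, as an added example that is not the project's own code: it uses boto3 rather than the CloudShell CLI commands the write-up used, calling the real KMS and DynamoDB operations. The table name, key alias, partition key and sample item are assumptions chosen for the demo. The two helpers are pure and can be exercised offline; `main()` needs AWS credentials and creates billable resources.

```python
"""Create a DynamoDB table encrypted with a customer-managed KMS key and
verify that the table really uses that key.

Added example, not part of the original project write-up. TABLE_NAME,
KEY_ALIAS, PARTITION_KEY and the sample item are assumptions; the boto3
calls are real API operations.
"""
from __future__ import annotations

import json

TABLE_NAME = "nextwork-encrypted-table"      # assumption
KEY_ALIAS = "alias/nextwork-dynamodb-cmk"   # assumption
PARTITION_KEY = "UserId"                    # assumption


def create_table_request(table_name: str, kms_key_arn: str, partition_key: str) -> dict:
    """Build the CreateTable parameters that select SSE with a customer-managed key.

    SSEType "KMS" together with KMSMasterKeyId is what moves the table off the
    default AWS-owned key onto the CMK; SSEType "KMS" without KMSMasterKeyId
    would fall back to the AWS-managed key aws/dynamodb instead.
    """
    return {
        "TableName": table_name,
        "AttributeDefinitions": [{"AttributeName": partition_key, "AttributeType": "S"}],
        "KeySchema": [{"AttributeName": partition_key, "KeyType": "HASH"}],
        "BillingMode": "PAY_PER_REQUEST",
        "SSESpecification": {
            "Enabled": True,
            "SSEType": "KMS",
            "KMSMasterKeyId": kms_key_arn,
        },
    }


def table_uses_cmk(describe_table_response: dict, expected_key_arn: str) -> bool:
    """Check a DescribeTable response for encryption with the expected CMK.

    A table under the AWS-owned key reports no SSEDescription at all; one under
    the AWS-managed key reports SSEType KMS but the aws/dynamodb key ARN. Only
    an exact ARN match counts as "encrypted with our CMK".
    """
    sse = describe_table_response.get("Table", {}).get("SSEDescription")
    if not sse:
        return False
    return (
        sse.get("Status") == "ENABLED"
        and sse.get("SSEType") == "KMS"
        and sse.get("KMSMasterKeyArn") == expected_key_arn
    )


def main() -> None:
    import boto3  # imported here so the pure helpers work without boto3 installed

    kms = boto3.client("kms")
    ddb = boto3.client("dynamodb")

    # 1. Symmetric key: the same key encrypts and decrypts, as the write-up describes.
    key_arn = kms.create_key(
        Description="CMK for DynamoDB table encryption demo",
        KeySpec="SYMMETRIC_DEFAULT",
        KeyUsage="ENCRYPT_DECRYPT",
    )["KeyMetadata"]["Arn"]
    kms.create_alias(AliasName=KEY_ALIAS, TargetKeyId=key_arn)

    # 2. Table encrypted at rest with that key.
    ddb.create_table(**create_table_request(TABLE_NAME, key_arn, PARTITION_KEY))
    ddb.get_waiter("table_exists").wait(TableName=TABLE_NAME)

    # 3. Verify before loading data that the table is actually on our CMK.
    desc = ddb.describe_table(TableName=TABLE_NAME)
    if not table_uses_cmk(desc, key_arn):
        raise SystemExit("table is not encrypted with the expected CMK")

    # 4. Load one constructed item; DynamoDB encrypts it transparently on write
    #    and decrypts it on read because this caller may use the key.
    ddb.put_item(
        TableName=TABLE_NAME,
        Item={PARTITION_KEY: {"S": "user-001"}, "Email": {"S": "user-001@example.invalid"}},
    )
    print(json.dumps(ddb.scan(TableName=TABLE_NAME)["Items"], indent=2))


if __name__ == "__main__":
    main()
```

The verification in step 3 is the check worth keeping around: a table whose SSE was left at the default, or created with `SSEType` but without `KMSMasterKeyId`, still reports itself as encrypted, so comparing the key ARN is the only way to confirm the CMK you manage is the one in use.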
Despite encrypting my DynamoDB table, I could still see the table's items because I have permissions to use the customer-managed key (CMK) in AWS KMS, allowing DynamoDB to decrypt the data on my behalf. DynamoDB uses transparent data encryption, which means it automatically encrypts data at rest and decrypts it for authorized users or applications with the correct permissions.
I configured a new IAM user to test access to my DynamoDB table without KMS key permissions, simulating restricted access to encrypted data. The permission policy I attached to this user is AmazonDynamoDBReadOnlyAccess, which allows reading items from the DynamoDB table but grants neither kms:Decrypt nor any other KMS-related permission.
After accessing the DynamoDB table as the test user, I encountered a permission denied error because the test user lacks kms:Decrypt permissions for the customer-managed key (CMK) used to encrypt the table, preventing decryption of the data.
To let my test user use the encryption key, I navigated to the AWS KMS console, selected my customer-managed key, went to the Key policy tab, clicked "Add" next to Key users, and added the IAM user nextwork-kms-user.
Using the test user, I retried accessing the DynamoDB table. I observed that the table's items were now visible in their decrypted form. This confirmed that the updated KMS key policy successfully granted the test user permission to decrypt the data.
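The before-and-after behaviour described in the last few paragraphs, as an added example that is not the project's own code. It models the KMS key policy and a simplified authorization check: the test user's identity policy is a constructed approximation of AmazonDynamoDBReadOnlyAccess (DynamoDB reads, no kms:Decrypt), the account ID, principal ARNs and table item are constructed sample values, and `add_key_user` reproduces what the console's "Add" under Key users does to the "Allow use of the key" statement. The evaluator handles Allow statements, wildcard actions and root-to-IAM delegation only; real IAM evaluation also applies Deny statements, conditions and grants.

```python
"""Model of how a KMS key policy gates DynamoDB reads of an encrypted table.

Added example, not code from the original project. ACCOUNT, the principal
ARNs, IAM_POLICIES and TABLE_ITEMS are constructed sample values; the key
policy statements follow the shape of the default KMS key policy.
"""
from __future__ import annotations

import copy
import fnmatch

ACCOUNT = "111122223333"                                      # sample account id
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
ADMIN = f"arn:aws:iam::{ACCOUNT}:user/key-admin"             # assumption: the project owner
TEST_USER = f"arn:aws:iam::{ACCOUNT}:user/nextwork-kms-user"  # the test user from the write-up

# Identity-based (IAM) policies reduced to action lists. The test user's list is a
# constructed approximation of AmazonDynamoDBReadOnlyAccess: reads, no kms:Decrypt.
IAM_POLICIES = {
    ADMIN: ["dynamodb:*", "kms:*"],
    TEST_USER: ["dynamodb:GetItem", "dynamodb:Scan", "dynamodb:Query", "dynamodb:DescribeTable"],
}

# Plaintext view of the table; DynamoDB stores it encrypted under the CMK (constructed).
TABLE_ITEMS = {"user-001": {"UserId": "user-001", "Email": "user-001@example.invalid"}}


def default_key_policy(admin_arn: str) -> dict:
    """Default key policy shape: root delegates to IAM, key users are named explicitly."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
             "Principal": {"AWS": [ROOT]}, "Action": ["kms:*"], "Resource": "*"},
            {"Sid": "Allow use of the key", "Effect": "Allow",
             "Principal": {"AWS": [admin_arn]},
             "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                        "kms:GenerateDataKey*", "kms:DescribeKey"],
             "Resource": "*"},
        ],
    }


def add_key_user(policy: dict, principal_arn: str) -> dict:
    """What the console's 'Add' under Key users does: name the principal in 'Allow use of the key'."""
    updated = copy.deepcopy(policy)
    for stmt in updated["Statement"]:
        if stmt.get("Sid") == "Allow use of the key" and principal_arn not in stmt["Principal"]["AWS"]:
            stmt["Principal"]["AWS"].append(principal_arn)
    return updated


def _matches(patterns: list[str], action: str) -> bool:
    """Case-insensitive action match with IAM-style '*' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def kms_allows(policy: dict, principal_arn: str, action: str) -> bool:
    """Simplified KMS authorization: the key policy must grant the action, either by
    naming the principal or by delegating to that principal's IAM policy via root."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or not _matches(stmt["Action"], action):
            continue
        principals = stmt["Principal"]["AWS"]
        if principal_arn in principals:
            return True
        if ROOT in principals and _matches(IAM_POLICIES.get(principal_arn, []), action):
            return True
    return False


def dynamodb_get_item(key_policy: dict, principal_arn: str, user_id: str) -> dict:
    """Transparent encryption seen from the caller: DynamoDB can only return plaintext
    if the caller is allowed kms:Decrypt on the table's CMK."""
    if not _matches(IAM_POLICIES.get(principal_arn, []), "dynamodb:GetItem"):
        raise PermissionError("AccessDeniedException: dynamodb:GetItem not allowed")
    if not kms_allows(key_policy, principal_arn, "kms:Decrypt"):
        raise PermissionError("AccessDeniedException: kms:Decrypt on the table's KMS key not allowed")
    return TABLE_ITEMS[user_id]


def walkthrough() -> list[str]:
    """Replays the write-up's three observations; returns one outcome line per step."""
    outcomes = []
    policy = default_key_policy(ADMIN)
    for label, principal in [("owner", ADMIN), ("test user before", TEST_USER)]:
        try:
            dynamodb_get_item(policy, principal, "user-001")
            outcomes.append(f"{label}: item visible")
        except PermissionError as exc:
            outcomes.append(f"{label}: {exc}")
    policy = add_key_user(policy, TEST_USER)       # the Key users -> Add step
    dynamodb_get_item(policy, TEST_USER, "user-001")
    outcomes.append("test user after: item visible")
    return outcomes


if __name__ == "__main__":
    for line in walkthrough():
        print(line)
```

Two points the model makes visible: the owner can read the table even without being named as a key user, because the root statement delegates to an IAM policy that grants `kms:*`; and adding a key user grants the whole "use of the key" action set (encrypt, decrypt, re-encrypt, data-key generation, describe), not `kms:Decrypt` alone, so a read-only table user receives more than the read path strictly needs.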
Encryption protects the data itself, rather than relying solely on access control tools like IAM policies or security groups, which manage who can reach a resource but do not protect the data if it is accessed illicitly. I could combine encryption with IAM policies and security groups to ensure both data protection at rest (via KMS encryption) and restricted access to DynamoDB tables (via IAM roles and VPC security), providing layered security for my application’s sensitive data.