Exercise 2: Adding Multi-KMS-Key Support to the Document Bucket
In this section, you will configure the AWS Encryption SDK to use multiple KMS Keys that reside in different regions.
Background
Now your Document Bucket will encrypt files when you store
them, and will decrypt the files for you when you retrieve
them.
You're using one of your KMS Keys, Faythe. But what if you want to use multiple KMS Keys?
You might want to use a partner team's KMS Key, so that they can access documents relevant to them.
Perhaps you want the Document Bucket to have two independent regions to access the contents, for high availability, or to put the contents closer to the recipients.
Configuring multiple KMS Keys this way does not require re-encryption of the document data. That's because the data is still encrypted with a single data key, used exclusively for that document. Configuring multiple KMS Keys causes the AWS Encryption SDK to encrypt that data key again using the additional KMS Keys, and store that additional version of the data key on the encrypted message format. As long as there is one available KMS Key to decrypt any encrypted version of the data key, the document will be accessible.
(There are ways to configure the Encryption SDK to be more restrictive about which KMS Keys it will try -- but for now you'll start with the simple case.)
There's many reasons why using more than one KMS Key can be useful. And in this exercise, you're going to see how to set that up with KMS and the Encryption SDK.
You already have another KMS Key waiting to be used. When you deployed the Faythe KMS Key, you also deployed a second KMS Key, nicknamed Walter. In this exercise, we're going to configure Walter, and then use some scripts in the repository to add and remove permission to use each of Faythe and Walter. Doing so will change how your document is encrypted -- if you remove permission to both Faythe and Walter, you won't be able to encrypt or decrypt anymore! -- and let you observe how the system behavior changes when keys are accessible or inaccessible.
Each attempt to use a KMS Key is checked against that KMS Key's permissions. An audit trail entry is also written to CloudTrail.
Decryption attempts will continue for each version of the encrypted data key until the Encryption SDK either succeds at decrypting an encrypted data key with its associated KMS Key, or runs out of encrypted data keys to try.
For encryption, the Encryption SDK will attempt to use every KMS Key it is configured to attempt to produce another encryption of that data key.
You'll get to see all of this in action in just a minute, after a couple small code changes.
Let's Go!
Starting Directory
If you just finished Adding the Encryption SDK, you are all set.
If you aren't sure, or want to catch up, jump into the multi-kms-key-start
directory for the language of your choice.
1 |
|
1 |
|
1 |
|
1 |
|
Step 1: Configure Walter
1 2 3 4 |
|
1 2 3 4 5 6 7 |
|
1 2 3 4 5 6 7 |
|
1 2 3 4 |
|
What Happened?
When you launched your workshop stacks in Getting Started, along with the Faythe KMS Key, you also launched a KMS Key called Walter. Walter's ARN was also plumbed through to the configuration state file that is set up for you by the workshop. Now that ARN is being pulled into a variable to use in the Encryption SDK configuration.
Step 2: Add Walter to the KMS Keys to Use
1 2 3 |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
|
1 2 3 4 5 6 |
|
What Happened?
In the previous exercise, you configured the Encryption SDK to use a list of KMS Keys that contained only Faythe. Configuring the Encryption SDK to also use Walter for encrypt, and to also try Walter for decrypt, required adding the ARN for Walter to the configuration list.
Checking Your Work
If you want to check your progress, or compare what you've done versus a finished example, check out the code in one of the -complete
folders to compare.
There is a -complete
folder for each language.
1 |
|
1 |
|
1 |
|
1 |
|
Try it Out
Adding the Walter KMS Key to the list of KMS Keys that the application will (attempt) to use was a couple of lines of code, but has powerful implications.
To help you explore the behavior of the system, there are some additional make
targets to change the permissions configuration of Faythe and Walter.
Using these targets, you can add and remove permission for the application to use Faythe and Walter to generate data keys, encrypt, and decrypt, and observe how the application behavior changes -- as well as what is logged to CloudTrail.
In ~/environment/workshop/exercises
, you'll find a Makefile
with several targets for you to experiment with:
make list_grants
will show you the current state of grants on your KMS Keysmake revoke_walter_grant
will remove the Grant providing permissions to use Walter in the applicationmake revoke_faythe_grant
will remove the Grant providing permissions to use Faythe in the applicationmake revoke_grants
will remove the Grants for both KMS Keysmake create_grants
will add Grants to use either or both KMS Key, as needed
Note: When you create or revoke a grant there might be a brief delay, usually less than five minutes, until the grant is available throughout AWS KMS.
Important when you revoke permissions to the first KMS Key in the list for a keyring (which is Faythe by default), you will need to change the keyring configuration to use Walter as your generator to resume operations. See documentation of Generator KMS Keys for more.
You can also observe the impact of changing Granted permissions by monitoring CloudTrail. Note that log entries take a few minutes to propagate to CloudTrail, and that Faythe and Walter are in different regions, so you will need to look at CloudTrail in the region for each one.
- Faythe is in
us-east-2
, so check CloudTrail in that region with these links:- GenerateDataKey operations in CloudTrail in us-east-2
- Decrypt operations in CloudTrail in us-east-2
- Encrypt operations in CloudTrail in us-east-2
- Note: To observe Encrypt calls using Faythe, explore some of the configuration and permissions changes suggested below.
- Walter is in
us-east-1
, so check CloudTrail in that region with these links:
Try out combinations of Grant permissions for your application and watch how the behavior changes:
- Revoke permission to use Faythe, and watch calls move to Walter in CloudTrail and in your application
- With permission to use Faythe revoked, try retrieving an older document protected by Faythe
- Revoke permissions to both Faythe and Walter -- now operations fail
- Encrypt some data with both Faythe and Walter active, and revoke permission to either one -- notice that application operations continue to work
- Change the configuration order of Faythe and Walter, and watch how call patterns change to use the two KMS Keys
- Revoke permission to Walter, and encrypt some data with Faythe. Then, add permission back to Walter, revoke permission to use Faythe, and try to decrypt that data
- What other interesting access patterns can you imagine?
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
|
1 2 3 4 5 6 7 |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
|
1 2 3 4 5 6 7 |
|
1 2 3 4 5 6 7 8 |
|
Explore Further
Want to dive into more content related to this exercise? Try out these links.
- AWS KMS: Key Grants
- AWS KMS: Key Policies
- AWS KMS: Cross-account KMS Key Usage
- Blog Post: How to decrypt ciphertexts in multiple regions with the AWS Encryption SDK in C
Next exercise
Ready for more? Next you will work with Encryption Context.