Hands-On Guide: Working with AWS Key Management Service (KMS)

In this hands-on lab, we’re diving into the practical world of the AWS Key Management Service (KMS). We’ll walk you through the steps to create a customer master key, generate data keys, and understand the concepts of encryption and decryption using KMS.

Lab Objectives

In this lab, we will:

  1. Create a customer master key (CMK) using AWS Key Management Service.
  2. Generate a data key using the generate-data-key operation in AWS CLI.
  3. Understand how key policies work and their significance.
  4. Gain insights into encryption and decryption processes.

Step-by-Step Guide

Step 1: Create a Customer Master Key (CMK)

  1. Log in to your AWS Management Console.
  2. Navigate to the Key Management Service (KMS).
  3. Click on “Create key” and provide a key name and an optional description.
  4. Configure advanced options such as key material origin (leave it as KMS), key usage permissions, and key administrators.
  5. Review the key policy, which usually includes root account permissions.
  6. Click “Finish” to create the key.

Step 2: Generate a Data Key

  1. Open your command prompt or terminal.
  2. Configure AWS CLI credentials using the aws configure command.
  3. Execute the following AWS CLI command to generate a data key
      aws kms generate-data-key --key-id <key-arn> --key-spec AES_256
  4. Step 3: Understanding Key Policies
  1. Open the KMS console and locate the key you created.
  2. Explore the key policy section to see the default permissions.
  3. You can modify key policies to grant specific users or roles permissions for encryption and decryption.

Step 4: Encryption and Decryption

  1. Using the plain text data key generated earlier, encrypt your data.
  2. To decrypt the data, use the encrypted data key along with the customer master key.


Congratulations! You’ve successfully completed the lab, gaining hands-on experience with the AWS Key Management Service. You’ve learned how to create a customer master key, generate data keys, and understand the essentials of key policies. Encryption and decryption processes are now within your grasp, all thanks to the powerful capabilities of AWS KMS.

In this lab, you’ve unlocked the potential of secure data handling using KMS. The skills you’ve acquired here will prove invaluable as you continue your journey towards mastering AWS services and enhancing data security.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top