Let's get to KMS. I will type KMS into the find services box, and we're getting into the Key Management Service. As we can see, we have three types of keys. We have the customer managed keys, which you can create, but they will cost you some money; or you have the AWS managed keys, and they're created for the services of AWS; and the custom key store, which is going to use a CloudHSM cluster that you need to create, own and manage. So using CloudHSM is expensive, so I'm not going to do this, because this is not part of the feature, but as you can see we can get the option of using a custom key store. Now, using the managed keys of AWS is interesting, and I wanna show you how it works. So for example, let's use the AWS/EBS key. So let's go into the EC2 console and we'll try to use that key. So in this example, I'm going to create a volume. So let me go to Volumes on the left-hand side; I'm going to create a volume. It's going to be a one gigabyte volume, and I'm going to encrypt this volume.

Now I have an option: either I choose a master key that is the default master key of AWS for the service, which corresponds to the key right here, okay? Or I could use my own key, but currently I don't have any keys. So the only option I have is to use this default AWS master key. So this is good, I wanna use this key and click on Create Volume. And now we have created an encrypted volume. So it is properly protected against, for example, attacks if they're trying to decrypt it. Okay, so this is an example where this is a voluntary opt-in for the encryption. But if you remember, I said that, for example, for CloudTrail or for Glacier S3, encryption was enabled by default. So if I go into CloudTrail and try to use a demo-trail, as we can see, if we go into the encryption, even though it says disabled here, the encryption is actually enabled in the S3 buckets. So let's see, and have a look at the S3 bucket itself. So in S3, we go to CloudTrail, go to EUS1, and find this file. So I'll go down in my buckets.

And if you look at this file right here, if you look at the property for the encryption, it says encryption AES256, which means that this CloudTrail file, even though it said disabled here for the encryption, it actually was enabled in Amazon S3. I won't go over the details of why, but by default CloudTrail will encrypt all the files no matter what. Okay, so we've seen the services we need to opt in for the encryption, then those that are enabled by default. And then finally, I want to show you about your customer managed keys. So it is possible for you to create a key. Now, this will cost you some money. So if you don't want to have a key, just watch me do it. So it could be a symmetric key or an asymmetric key. I will keep it simple and use symmetric. And for the origin of the key, we can generate it from KMS, or we can have it external, so we need to import our own key, or, as I said, we can have the key generated from a custom key store, which is CloudHSM. And in which case, all the encryption and the decryption will happen within CloudHSM.

So for this, I'm going to create my own key, my own KMS key, and then I can display an alias for that key. So I'll call it demokey, and then I'll click on Next. Then you can define key administrators and key users, which I will skip. So we'll just click on Next and, again, click on Next, okay. And I will review this key policy. This looks good, I will finish it. And remember, this will cost you $1 if you do this with me. So now I have my demokey, and this key is enabled. Now I can do a key rotation. So if I go to key rotation, I can tick this box to make sure this key changes every year, which is for enhanced security. And I can also leverage that key. So back in EBS, if I go and create a volume now and try to create another one gigabyte volume, this time, if I encrypt this volume, the master key can either be the default key managed by AWS for the service, or we can use my demokey and use that for encrypting my EBS volume. So click on Create Volume. Here I am, I'm done. And now I have two volumes in here. They're both encrypted, but they're encrypted differently.

So they're both encrypted, but this time we are using our own key, and in this one, we're using the key managed by AWS. Okay, so that's it for this lecture, just a short introduction. Finally, if you just wanna clean up after yourself, just make sure to delete these volumes. And if you have created a key, again, it will cost you $1 a month, but you can still do a disabling of the key and then schedule this key deletion. That's it for me, I will see you in the next lecture.