KMS

KMS overview and attacks

Last updated 4 months ago

Data Encryption & Decryption with KMS

KMS can encrypt and decrypt data directly, but only up to 4096 bytes per request (the Encrypt API limit for symmetric keys). Anything larger is handled with a Data Encryption Key (DEK), as described below. Reference the official AWS KMS docs for more, as there are other use cases and key types (asymmetric and HMAC keys, for example) that are not covered here.

Encrypting Data

When leveraging the AWS CLI (AWS SDK under the hood), the plaintext is sent to the KMS service over TLS and encrypted there with the KMS key. The data has to travel to the service because KMS key material never leaves the service's HSMs; the client only ever sees plaintext in and ciphertext out. Note that AWS CLI v2 treats blob parameters such as --plaintext as base64 by default, so a raw string needs --cli-binary-format raw-in-base64-out (or fileb:// for a file), and the CiphertextBlob in the response is itself base64-encoded.

# encrypting plaintext data directly (CLI v2 expects base64 for --plaintext unless told otherwise)
aws kms encrypt --key-id <keyId> --plaintext <plaintextData> --cli-binary-format raw-in-base64-out

# encrypting a file containing plaintext and writing the raw ciphertext to disk
aws kms encrypt --key-id <keyId> --plaintext fileb://<plaintextFile> --output text --query CiphertextBlob | base64 --decode > <encryptedFile>

Decrypting Data

Again, the ciphertext is sent to the KMS service, which decrypts it and returns the plaintext base64-encoded in the response. For symmetric KMS keys --key-id is optional, because the ciphertext carries metadata identifying the key, but passing it is good practice (and it is required for asymmetric keys). The flag is --ciphertext-blob in both forms.

# decrypting ciphertext data directly (base64-encoded ciphertext)
aws kms decrypt --key-id <kms-key-id> --ciphertext-blob <ciphertextData>

# decrypting a file containing encrypted data
aws kms decrypt --key-id <kms-key-id> --ciphertext-blob fileb://<encryptedFile> --output text --query Plaintext | base64 --decode > <outputFileName>

Data Encryption & Decryption with KMS Data Encryption Key (DEK)

Data encryption keys are used when you need to encrypt or decrypt data larger than 4096 bytes (envelope encryption). KMS generates the key under a KMS key and returns it twice: as Plaintext, and as CiphertextBlob, which is the same key encrypted under the KMS key. The plaintext copy performs the encryption locally; once the data is encrypted it should be discarded, and the encrypted copy stored alongside the encrypted data. The encrypted key contains metadata identifying the KMS key required to decrypt it, so that key ID does not have to be tracked separately.

When generating a data encryption key with the AWS CLI (or AWS SDK) you are responsible for discarding the plaintext key. Keep it only as long as the encryption takes and never leave it on disk next to the ciphertext: whoever obtains both has the data without ever calling KMS, bypassing the key policy and the CloudTrail record that a kms:Decrypt call would leave. The AWS Encryption SDK performs this key handling for you.

Generating a DEK

aws kms generate-data-key --key-id <kms-key-id> --key-spec AES_256
{
    "CiphertextBlob": "AQIDAHjBdOEYbwSwF+14[snip]",
    "Plaintext": "AzSMaOZqgt[snip]",
    "KeyId": "arn:aws:kms:us-east-1:<aws-account-id>:key/<kms-key-id>"
}

Store the CiphertextBlob and Plaintext like so. Both values are base64 in the response; note that plaintext_key now sits on disk and must be removed as soon as the data is encrypted.

echo "AQIDAHj..." | base64 --decode > encrypted_key
echo "AzSMaOZqgt..." | base64 --decode > plaintext_key

Encrypting Data with DEK

Since the AWS CLI has no client-side encryption command, the DEK has to be used with another tool such as openssl. Be careful with the flags: openssl's -k takes a password string and runs it through a key-derivation function, and fileb:// is an AWS CLI convention that openssl does not understand, so -k fileb://plaintext_key would encrypt under a key derived from that literal string rather than under the DEK. Pass the raw key bytes as hex with -K, together with an explicit random IV via -iv; the IV is not secret and is stored next to the ciphertext.

openssl rand -hex 16 > iv.hex
openssl enc -aes-256-cbc -e -in <fileToEncrypt> -out <newEncryptedFileName> -K "$(xxd -p -c 32 plaintext_key)" -iv "$(cat iv.hex)"

Now, the plaintext_key should be deleted (shred it if the filesystem allows), and the encrypted_key and iv.hex stored alongside the encrypted data.

Decrypting Data with DEK

Now, use the KMS key to decrypt the encrypted_key and write the plaintext key to a file, plaintext_key. This is the only KMS call in the whole flow, and the one that shows up in CloudTrail.

aws kms decrypt --ciphertext-blob fileb://encrypted_key --key-id <kms-key-id> --query Plaintext --output text | base64 --decode > plaintext_key

Again, leverage openssl or similar to decrypt the data with the same cipher, key and IV, then remove plaintext_key.

openssl enc -aes-256-cbc -d -in encrypted_large_file.txt -out decrypted_large_file.txt -K "$(xxd -p -c 32 plaintext_key)" -iv "$(cat iv.hex)"
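The two DEK sections above ("Encrypting Data with DEK" and "Decrypting Data with DEK") as one runnable round trip. This is an added example, not code from the page or from AWS. It assumes no AWS access, so a local 32-byte key file (kek) stands in for the KMS key and the aes_encrypt/aes_decrypt calls on the DEK stand in for aws kms generate-data-key and aws kms decrypt; the openssl invocations, the IV handling and the plaintext-DEK disposal are the real steps. All function and file names are mine.

```shell
#!/bin/sh
# Added example: the DEK / envelope round trip of the two sections above as shell
# functions. ASSUMPTION (offline example): a local 32-byte key file, "kek", stands in
# for the KMS key, and the aes_encrypt/aes_decrypt calls on the DEK stand in for
#   aws kms generate-data-key --key-id <kms-key-id> --key-spec AES_256
#   aws kms decrypt --ciphertext-blob fileb://encrypted_key --output text --query Plaintext | base64 --decode
# The openssl usage, IV handling and plaintext-DEK disposal are the real steps.
set -eu

# raw bytes (file argument or stdin) -> one line of hex, the form openssl -K and -iv expect
hex_of() { od -An -v -tx1 "$@" | tr -d ' \n'; }

# aes_encrypt <rawkeyfile> <in> <out>: out = IV (16 random bytes) || AES-256-CBC(key, in)
# -K takes the raw key as hex; -k would treat its argument as a password and derive a
# different key from it, which is the trap with "-k fileb://plaintext_key".
aes_encrypt() {
  openssl rand -out "$3" 16                 # fresh IV per message; it is not secret
  openssl enc -aes-256-cbc -e -in "$2" -K "$(hex_of "$1")" -iv "$(hex_of "$3")" >> "$3"
}

# aes_decrypt <rawkeyfile> <in> <out>: split the IV prefix off and decrypt the rest
aes_decrypt() {
  local iv_hex
  iv_hex=$(dd if="$2" bs=16 count=1 2>/dev/null | hex_of)
  tail -c +17 "$2" | openssl enc -aes-256-cbc -d -K "$(hex_of "$1")" -iv "$iv_hex" -out "$3"
}

# envelope_encrypt <kekfile> <plaintext_file> <dir>
#   1. generate a 256-bit DEK           (GenerateDataKey "Plaintext")
#   2. wrap it under the KEK            (GenerateDataKey "CiphertextBlob") -> dir/encrypted_key
#   3. encrypt the data with the DEK                                        -> dir/data.enc
#   4. destroy the plaintext DEK; only encrypted_key travels with the data
envelope_encrypt() {
  openssl rand -out "$3/plaintext_key" 32
  aes_encrypt "$1" "$3/plaintext_key" "$3/encrypted_key"
  aes_encrypt "$3/plaintext_key" "$2" "$3/data.enc"
  rm -f "$3/plaintext_key"
}

# envelope_decrypt <kekfile> <dir> <out>: unwrap the DEK (the aws kms decrypt step),
# decrypt the data, and remove the plaintext DEK again whatever happened
envelope_decrypt() {
  local status
  aes_decrypt "$1" "$2/encrypted_key" "$2/plaintext_key" &&
    aes_decrypt "$2/plaintext_key" "$2/data.enc" "$3"
  status=$?
  rm -f "$2/plaintext_key"
  return "$status"
}

# make_large_file <path>: constructed sample input, well over the 4096-byte kms encrypt limit
make_large_file() {
  local i; i=0; : > "$1"
  while [ "$i" -lt 1500 ]; do echo "record $i: constructed sample data" >> "$1"; i=$((i + 1)); done
}

# envelope_roundtrip_ok: returns 0 if the data survives intact and no plaintext DEK is left on disk
envelope_roundtrip_ok() {
  local work; work=$(mktemp -d)
  openssl rand -out "$work/kek" 32          # stand-in for the KMS key (which never leaves KMS in AWS)
  make_large_file "$work/large.txt"
  envelope_encrypt "$work/kek" "$work/large.txt" "$work"
  [ ! -e "$work/plaintext_key" ] || return 1
  envelope_decrypt "$work/kek" "$work" "$work/large.dec"
  cmp -s "$work/large.txt" "$work/large.dec"
}

# wrong_kek_rejected: returns 0 if a different KEK cannot recover the data (it cannot unwrap the DEK)
wrong_kek_rejected() {
  local work; work=$(mktemp -d)
  openssl rand -out "$work/kek" 32
  openssl rand -out "$work/other_kek" 32
  make_large_file "$work/large.txt"
  envelope_encrypt "$work/kek" "$work/large.txt" "$work"
  if envelope_decrypt "$work/other_kek" "$work" "$work/out" 2>/dev/null; then
    ! cmp -s "$work/large.txt" "$work/out"  # padding happened to validate: output is still garbage
  fi
}

envelope_roundtrip_ok && echo "round trip OK: data intact, plaintext DEK removed"
wrong_kek_rejected    && echo "wrong KEK cannot recover the data"
```

openssl enc has no AEAD mode, so this is CBC without integrity protection: a bit-flipped ciphertext decrypts to corrupted data instead of failing, and a plaintext DEK that survives a crash between the encrypt and the rm is still lying on disk. Those two gaps, plus the manual IV bookkeeping, are the practical reasons to prefer the AWS Encryption SDK covered next, which uses AES-GCM with key commitment and keeps the data key in memory.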

AWS Encryption SDK

Encrypting Data with Encryption SDK (CLI)

aws-encryption-cli --encrypt --input plaintext_sdk_example.txt --output encrypted_sdk_example.txt --wrapping-keys key=<kms-key-id> --commitment-policy require-encrypt-require-decrypt --metadata-output metadata

A metadata file is generated, one JSON record per operation, which details the encryption process: the algorithm suite, the encrypted data keys and the KMS key that wrapped them, the commitment key, and more.

cat metadata

{"header": {"algorithm": "AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384", "commitment_key": "YVeJwji5Cx1NYBizsDfi3u6Z7yydR3DSvtVBmb985BE=", "content_type": 2, "encrypted_data_keys": [{"encrypted_data_key":[snip]

Decrypting Data with Encryption SDK (CLI)

aws-encryption-cli --decrypt --input encrypted_sdk_example.txt --output decrypted_sdk_example.txt --wrapping-keys key=<kms-key-arn> --metadata-output metadata_d --max-encrypted-data-keys 1 --buffer --commitment-policy require-encrypt-require-decrypt

The AWS Encryption SDK can be leveraged as a CLI tool or in code such as Python, Java, JavaScript, .NET, and C. The SDK handles envelope encryption end to end: it calls KMS to generate and unwrap the data key, keeps the plaintext key in memory only, uses authenticated encryption (AES-GCM with key commitment, as the algorithm name in the metadata shows) and stores the encrypted data key in the message header. That removes the manual DEK handling and the third-party openssl steps from the previous examples. Note that on decrypt the wrapping key must be given as a full key ARN, which is why the example above uses <kms-key-arn> rather than a key ID.
