EC2 File Encryption with KMS and CLI

This lab is designed to teach you how to secure sensitive data on an Amazon EC2 instance by leveraging AWS Key Management Service (KMS) and the AWS CLI for encryption. You will set up a publicly accessible EC2 instance, configure an IAM user for secure access, create a KMS key for encryption, and then use the AWS Encryption CLI to encrypt files on the instance.

Summary:

In this lab, you learned how to set up an EC2 instance with a public subnet, create an IAM user and KMS key, and use the AWS CLI to encrypt files on the EC2 instance using the KMS key.

  • Launch an EC2 Instance in a Public Subnet

  • Create an IAM User

  • Create a KMS Key

  • Configure IAM User with CLI Access

  • Configure AWS CLI on EC2

  • Encrypt a File Using AWS CLI

  • Verify the Encryption

1. Launch an EC2 Instance in a Public Subnet:

  • Launch EC2:

    • Go to the EC2 dashboard and click "Launch Instance."

    • Select an Amazon Linux 2 AMI.

    • Select t2.micro as the instance type.

    • Under "Configure Instance," ensure you select a public subnet in your VPC.

    • Continue through the steps and launch the instance.

2. Create an IAM User:

  • Create User:

    • Go to the IAM dashboard.

    • Click "Users" and then "Add users."

    • Enter a name for the user (e.g., encryption-user).

    • Click "Next" through the remaining steps; the only goal here is to create the user.

3. Create a KMS Key:

  • Search KMS:

    • In the AWS Management Console, search for "KMS" and open the Key Management Service.

  • Create a Key:

    • Choose "Create a key" and select "Symmetric."

    • Click "Next," give the key a name (e.g., encryption-key), and proceed to the next steps.

    • Under "Key administrators," give the user you created earlier (encryption-user) permission to administer the key.

    • Continue through the steps and finish the key creation.

4. Configure IAM User with CLI Access:

  • Create Access Key:

    • Go back to the IAM dashboard.

    • Select the user you created (encryption-user).

    • Go to the "Security credentials" tab and click "Create access key."

    • Copy the Access Key ID and Secret Access Key for later use.

5. Configure AWS CLI on EC2:

  • Connect to EC2 Instance:

    • Use SSH to connect to your EC2 instance.

    • Run the command 'aws configure' and enter the Access Key ID and Secret Access Key you copied earlier.

    • Run the command 'sudo yum install -y aws-encryption-cli'.

    • Create a file by using the command 'vi file1.txt'.

    • Add some text to the file, then press Esc and type :wq to save and exit.

    • Copy the ARN of the KMS key you created.

    • Encrypt the file using the following command format: 'aws-encryption-cli --encrypt --input file1.txt --output file1.enc --wrapping-keys key=ARN_OF_KMS_KEY'

    • I have used this command as:

aws-encryption-cli --encrypt \
  --input /home/ec2-user/file1 \
  --output /home/ec2-user/encrypted.txt \
  --metadata-output /home/ec2-user/metadata \
  --encryption-context purpose=test \
  --wrapping-keys key=arn:aws:kms:us-east-1:009160049494:key/496c5d89-7147-4448-9b81-4fe87a3d7a42

6. Verify the Encryption:

  • List and View Files:

    • Use ls to list the files in the directory.

    • Use cat file1.enc to view the encrypted file; the contents should be unreadable binary rather than your original text.

  • Decrypt the File:

    • You can decrypt the file using the following command format:

aws-encryption-cli --decrypt --input file1.enc --output file1-decrypted.txt --wrapping-keys key=$ARN_OF_KMS_KEY
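A stronger check for step 6 than looking at the file with cat is to parse the header that aws-encryption-cli writes, which records the algorithm suite and the encryption context (purpose=test in the command above) without needing the KMS key or any credentials. The script below is an added example, not code from the lab or from AWS; it follows the published AWS Encryption SDK message format (versions 1 and 2) and assumes the input was produced by aws-encryption-cli.

```python
# Added example: parse the AWS Encryption SDK message header (format v1 or v2)
# of an aws-encryption-cli output file to confirm the algorithm suite and context.
import struct

# Algorithm suite IDs from the AWS Encryption SDK specification.
ALGORITHM_NAMES = {
    0x0378: "AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384",  # SDK/CLI 1.x default
    0x0578: "AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384",  # SDK/CLI 2.x default
}


def parse_header(data: bytes) -> dict:
    """Parse an Encryption SDK message header; raise ValueError if it is malformed."""
    try:
        version = data[0]
        if version == 0x01 and data[1] == 0x80:   # v1 has a 1-byte type field, always 0x80
            pos, msg_id_len = 2, 16
        elif version == 0x02:
            pos, msg_id_len = 1, 32
        else:
            raise ValueError("not an AWS Encryption SDK message")
        (alg_id,) = struct.unpack_from(">H", data, pos)
        pos += 2 + msg_id_len                      # skip the random message ID
        (aad_len,) = struct.unpack_from(">H", data, pos)
        pos, end, context = pos + 2, pos + 2 + aad_len, {}
        if aad_len:                                # AAD is absent when the context is empty
            (count,) = struct.unpack_from(">H", data, pos)
            pos += 2
            for _ in range(count):
                (klen,) = struct.unpack_from(">H", data, pos)
                key, pos = data[pos + 2:pos + 2 + klen].decode(), pos + 2 + klen
                (vlen,) = struct.unpack_from(">H", data, pos)
                context[key], pos = data[pos + 2:pos + 2 + vlen].decode(), pos + 2 + vlen
            if pos != end:
                raise ValueError("AAD length mismatch")
    except (IndexError, struct.error, UnicodeDecodeError) as exc:
        raise ValueError(f"truncated or malformed header: {exc}") from exc
    return {"version": version, "algorithm_id": alg_id,
            "algorithm": ALGORITHM_NAMES.get(alg_id, "unknown"),
            "encryption_context": context}


def looks_encrypted(data: bytes, expected_context: dict) -> bool:
    """True if data parses as an SDK message whose context includes expected_context."""
    try:
        ctx = parse_header(data)["encryption_context"]
    except ValueError:
        return False
    return all(ctx.get(k) == v for k, v in expected_context.items())
```

Run it against the first few kilobytes of encrypted.txt on the instance; a plaintext file fails the version check immediately. When a context was set at encryption time, passing the same --encryption-context purpose=test to the decrypt command makes aws-encryption-cli verify it as well.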