1
00:00:07,189 --> 00:01:04,670
Welcome back to Backspace Academy. In this hands-on lab we're going to be running through how to create an encryption key using the KMS service and then use that key to encrypt data. So make sure that you've downloaded the lab notes that come with the course. Now, the KMS service is located in the IAM management console, so if you look for KMS here you won't find it; you need to go to IAM, and from there you can scroll down and select Encryption keys. So you can see here I've got some encryption keys, but they've all been created by different AWS services like Cloud9, S3 and all those sorts of things, so you can see those ones with the Amazon logo next to them are not ones that I have actually created myself. So what we need to do is create one ourselves that we can use to encrypt data with. So we create a key.

2
00:01:05,090 --> 00:01:45,060
Let's give that key a name, and we won't bother about a description with it, and we click on Next step, and we won't worry about putting a tag in; we don't need that for now. OK, so we need to select some administrators, so I'm just going to select myself as an administrator, and we also need to select some people that can use this key to encrypt data, so I'm just going to select myself again, and Next step. So there's our key policy, and we click on Finish, and that's how easy it is to create a key to use on AWS.

3
00:01:45,060 --> 00:02:56,750
OK, so now that I've created that key I can use that key to encrypt data in Amazon S3. So what I'm going to do is jump into the S3 management console and I'm going to create a bucket, so I'm just going to give this bucket a name and I click on Next. OK, so now we've got some options here available, so if we scroll down we can see "Automatically encrypt objects when stored in Amazon S3", so that's what we want to do, so I'm going to click on that. And what we want to do is, we're not going to use the AWS S3 managed key, we're going to use the KMS key that we created, so we click on KMS and we select our key that we created, and there it is, test-key, and we'll save, and there we can see we've now got that set up. And we click on Next, and I'm just going to leave this as private, I won't change the permissions of it, and there we go. So we can see here now, when we look at the properties of it, we can see here we've got Default encryption: AWS KMS. So we'll create that bucket.

4
00:02:56,750 --> 00:04:45,230
So just jump into that bucket now, and we're just going to upload some files, so I'm just going to grab a little file and upload it. OK, so I'm just going to upload one of our review PDFs, and we've got some options here for permissions; I'll just leave that all as private. OK, so now we can select whether we want this to be encrypted or not, and so we can see here we can again select the AWS KMS. I'm going to leave it as None, because I want to see what happens if I upload this and tell AWS not to encrypt it. So let's go, we'll click on Next, and we can see here we've got Encryption: No, so let's see what happens, so I upload this. OK, so that's been uploaded. So if I click on that and I have a look at it and we look at the properties, we can see that in fact it has been encrypted. So even though we told the S3 service to upload this without encryption, it has automatically encrypted that for us, because we have defined at the bucket level that anything that goes into this bucket must be encrypted, and if you make a mistake and don't select encryption it doesn't matter; it will be automatically encrypted when it goes into this bucket. So what I'm going to do now is just download that, and if I click on that, what will happen is that it will be downloaded unencrypted, or decrypted.

5
00:04:45,230 --> 00:05:17,530
So what that means is that the S3 service has managed everything for us, and we don't really have to worry about that at all, and the KMS service has supplied the key, and it's all quite transparent for us. So that's just how easy it is. So what we do now is, we've finished up with this lab, so what I'll do is I'll just clean it all up. So just go back to the main index, the demos on S3, and I'll just click on that and Delete bucket.

6
00:05:29,980 --> 00:06:03,280
OK, so the bucket's been deleted, so what we need to do now is just get rid of that key. So we can't just delete the key; we can delete the key, but we can't do it in one hit. So what we need to do is go to Key actions and Schedule key deletion. We can't just do it instantaneously, and we just have to put a waiting period in there, so just put in seven days and schedule that deletion, and in seven days that deletion will occur. So that brings us to the end of the lab, and I hope you enjoyed it, and I look forward to seeing you in the next one.