Assignment 5 1 Protecting Data in Your Application - max-gallagher/SYS-360 GitHub Wiki

Task 1: Creating an AWS KMS key

  • In AWS go to Key Management Service and then to Customer Managed Keys

image

  • Create a new Symmetric key and name it "MYKMSKEY"

  • Add voclabs as an administrator

image

  • On define key usage permissions once again select voclabs

  • select finish on the review tab then the key is made

Task 2: Storing an encrypted object in an S3 bucket

  • Download the clock image from this website and name it clock.png

  • Go to amazon s3 and navigate to the bucket titled "imagebucket"

image

  • Go to properties, then scroll to default encryption and verify that it is enabled.

  • Upload the clock image to the bucket and and under properties go to server-side encryption settings

    • Click specify an encryption key then for encryption key type choose SSE-KMS and choose from your AWS KMS keys and select MyKMSKey

image

  • Upload the file

Attempting public access to the encrypted object

  • Attempt public access to the encrypted object

  • In the Object overview section at the top of the page, copy the Object URL to your clipboard

  • Open the URL in browser and it should give you the access denied error

image

image

  • Modify the public access permissions for the bucket.

  • Navigate back to imagebucket and go to the permissions tab

  • In the block public access section clear out "Block all public access"

image

  • Modify the access settings for the object

    • While still under the permissions tab edit "Object Ownership"
    • Choose ACLs enabled

  • Navigate back to clock.png in the objects section and choose actions then select "Make public using ACL"

image

  • Attempt to navigate to the object URL from earlier and you should now be getting the invalid argument error instead of the access denied error

image

Task 4: Attempting signed access to the encrypted object

  • Open clock.png from the bucket

image

  • Take note of the URL as it has credentials in it following the AMZ characters

Task 5: Monitoring AWS KMS activity by using CloudTrail

  • Access cloud trail by searching it up in the services bar up top

  • Navigate to the even history section

  • Filter event history to only show AWS KMS reports by filtering by event source and searching kms.amazonaws.com

  • Choose the link for the GenerateDataKey event name

  • Look at the event record section and analyze the details found in it

  • Now exist the GenerateDataKey event and move to the decrypt event and analyze that as well

Task 6: Encrypting the root volume of an existing EC2 instance

  • Navigate to the EC2 Console and go to the LabInstance Instance

  • Go to the storage tab and under the block devices section notice that the volume that is attached is not currently encrypted

image

  • Stop the instance

  • Go back to the storage tab and clock on the volume ID of the attached volume

  • Click actions and create a snapshot using your name as the Key and "Unencrypted Root Volume" as the value

  • Now lets encrypt the volume

  • Go to elastic block store on the left drop down and select snapshots

  • Choose the snapshot you just took and under actions click create volume of snapshot

  • Under encryption set the KMS key we created earlier and then create the volume

  • Under elastic block store go to volumes and for the volume that is currently in use edit the name and enter "Old Unencrypted Root Volume"

  • Name the new volume "New encrypted root volume"

  • Detach the old volume and attach the new volume

image

Task 7: Disabling the encryption key and observing the effects

  • Go to the AWS KMS console then to customer managed keys

  • Select the key from earlier and the under actions select disable and confirm that you want to disable the key

  • Attempt to start the EC2 instance and then refresh, it should immediately stop its self again

  • Now try and access clock.png and the image should fail to open with the KMS.DisabledExcepetion error

image

  • Now go to cloud trail event history and take a look at the DisableKey event and the StartInstances event

  • Lastly take a look at the CreateGrant event

  • Return to the AWS KMS console, and re-enable the MyKMSKey customer managed AWS KMS key.

  • Return to the Amazon EC2 console, and successfully start the LabInstance again.

Deliverables

Task 1 Screenshot of the Key you created

image

Task 2: Screenshot of clock.png properties with SSE settings

image

image

Task 3: Screenshot of "Invalid Argument" Error

image

Task 4: Screenshot of URL with creds info when accessing decrypted file

image

Task 5: Screenshot of Decrypt Event in Cloudtrail

image

Task 6: Screenshot of Instance - Storage Tab showing the volume is encrypted with a KMS key

image

Task 7: Screenshot showing the CreateGrant event with the Decrypt operation and errorCode

image

image