AWS IAM Users and Groups: Encrypt and Decrypt Data using KMS via the CLI

In our previous post we went through the process on controlling access using the CLI for IAM, to Create a IAM Policy, Associating the Policy to a Group and Creating Users within the group to inherit the policy, in order to get access to S3.

In this tutorial we will use KMS to Decrypt and Encrypt Data using our KMS Key via the CLI.

Create the Master KMS Key for Encryption:

$ aws kms create-key --region eu-west-1 --description 'Key For Encryption'

{
    "KeyMetadata": {
        "Origin": "AWS_KMS",
        "KeyId": "01234567-abcd-12ab-9876-a1b2c3d4e5f6",
        "Description": "Key For Encryption",
        "Enabled": true,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "CreationDate": 1498420509.125,
        "Arn": "arn:aws:kms:eu-west-1:123456789012:key/01234567-abcd-12ab-9876-a1b2c3d4e5f6",
        "AWSAccountId": "123456789012"
    }
}

Create a Alias, that acts as a Display Name for the created key:

$ aws kms create-alias --alias-name alias/my-key --target-key-id 01234567-abcd-12ab-9876-a1b2c3d4e5f6

To verify, let's list our aliases:

$ aws kms list-aliases

{
    "Aliases": [
        {
            "AliasArn": "arn:aws:kms:eu-west-1:123456789012:alias/my-key",
            "AliasName": "alias/my-key",
            "TargetKeyId": "01234567-abcd-12ab-9876-a1b2c3d4e5f6"
        }
    ]
}

Now we will create our Group, then associate the IAM Policy which will authorize users to Encrypt and Decrypt using the KMS Key.

Create the Group:

$ aws iam create-group --group-name EncryptionGroup

{
    "Group": {
        "Path": "/",
        "CreateDate": "2017-06-11T20:16:39.870Z",
        "GroupId": "AGPAJHTDNQKH3ABCD1235",
        "Arn": "arn:aws:iam::123456789023:group/EncryptionGroup",
        "GroupName": "EncryptionGroup"
    }
}

Create the IAM Policy that will be Attached to the Group:

In this group policy we will only allow the calling of Encryption and Decryption using KMS:

$ cat encryption-kms.json

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt"
            ],
            "Resource": "*"
        }
    ]
}

Create The IAM Policy:

Create the IAM Policy by associating the Policy Document to the IAM Policy Name:

$ aws iam create-policy --policy-name kms-encryption-policy --policy-document file://./encryption-kms.json

{
    "Policy": {
        "PolicyName": "kms-encryption-policy",
        "CreateDate": "2017-06-11T12:53:03.665Z",
        "AttachmentCount": 0,
        "IsAttachable": true,
        "PolicyId": "ANPAJEL3K3TCEDEFG2KSY",
        "DefaultVersionId": "v1",
        "Path": "/",
        "Arn": "arn:aws:iam::123456789012:policy/kms-encryption-policy",
        "UpdateDate": "2017-06-11T12:53:03.665Z"
    }
}

Attach The Policy to the Group:

Attach the IAM Policy to the Group by Specifying the Policy ARN Received from the previous API call:

$ aws iam attach-group-policy --group-name EncryptionGroup --policy-arn arn:aws:iam::123456789012:policy/kms-encryption-policy

if it was a scenario where you would like to apply a policy to a specific user:

$ aws iam attach-user-policy --user-name tmp-user1 --policy-arn arn:aws:iam::123456789012:policy/kms-encryption-policy

Creating 2 Users:

Create 2 Users that we will assign to our Group:

$ aws iam create-user --user-name tmp-user1
$ aws iam create-user --user-name tmp-user2

Add the Users to the Group:

Add the 2 Users that we created to our Group

$ aws iam add-user-to-group --group-name EncryptionGroup --user-name tmp-user1 
$ aws iam add-user-to-group --group-name EncryptionGroup --user-name tmp-user2

Review by Getting Group Info:

Review the Group Info to make sure everything looks as expected:

$ aws iam get-group --group-name EncryptionGroup

{
    "Group": {
        "Path": "/",
        "CreateDate": "2017-06-11T12:48:34Z",
        "GroupId": "AGPAJDK4URLF7P32YQ2BP",
        "Arn": "arn:aws:iam::123456789012:group/EncryptionGroup",
        "GroupName": "EncryptionGroup"
    },
    "Users": [
        {
            "UserName": "tmp-user1",
            "Path": "/",
            "CreateDate": "2017-06-11T12:57:11Z",
            "UserId": "AIDAJOIEUY3UNM7H6NPNQ",
            "Arn": "arn:aws:iam::123456789012:user/tmp-user1"
        },
        {
            "UserName": "tmp-user2",
            "Path": "/",
            "CreateDate": "2017-06-11T12:56:29Z",
            "UserId": "AIDAJJC2BERXOQRVGBIKK",
            "Arn": "arn:aws:iam::123456789012:user/tmp-user2"
        }
    ]
}

Create Access Keys for the Users:

In this example we will only create access-keys for tmp-user1:

$ aws iam create-access-key --user-name tmp-user1

{
    "AccessKey": {
        "UserName": "tmp-user1",
        "Status": "Active",
        "CreateDate": "2017-06-11T13:05:40.858Z",
        "SecretAccessKey": "SECRET",
        "AccessKeyId": "AKIAIBY7UYQX5KVAOO7Q"
    }
}

Configure Credentials:

If this will be the main user you can configure your credentials by running:

$ aws configure

If you are running multiple accounts, you can append the following to ~/.aws/credentials :

$ cat /home/user/.aws/credentials
[tmp-user1]
aws_access_key_id = AKIAI123456789VAOO7Q
aws_secret_access_key = SECRET

After your credentials is set, you should be able to encrypt and decrypt data, using KMS.

First lets create our plaintext file:

$ echo "foo" > data.txt

Encrypting the Data:

We can encrypt the data using the key-id or the alias, encrypting the data using the key-id:

$ aws kms --profile tmp-user1 \
--region eu-west-1 \
encrypt --key-id 01234567-abcd-12ab-9876-a1b2c3d4e5f6 \
--plaintext file://./data.txt \
--query CiphertextBlob \
--output text | base64 -d > enc_data.txt

Or, Encrypt using the Alias:

$ aws kms --profile tmp-user1 \
--region eu-west-1 \
encrypt --key-id alias/my-key \
--plaintext file://./data.txt \
--query CiphertextBlob --output text | base64 -d > enc_data.txt

Decrypting the Data:

$ aws kms --profile tmp-user1 --region eu-west-1 decrypt --ciphertext-blob fileb://./enc_data.txt \
--query Plaintext \
--output text | base64 -d
foo

Cleaning Up:

Detach the Group Policy:

$ aws iam detach-group-policy --group-name EncryptionGroup --policy-arn arn:aws:iam::123456789012:policy/kms-encryption-policy

Delete the IAM Policy:

$ aws iam delete-policy --policy-arn arn:aws:iam::123456789012:policy/kms-encryption-policy

or, if it was for a user Detach the User Policy:

$ aws iam detach-user-policy --user-name tmp-user1 --policy-arn arn:aws:iam::123456789012:policy/kms-encryption-policy

Then Delete the IAM Policy

$ aws iam delete-policy --policy-arn arn:aws:iam::123456789012:policy/kms-encryption-policy

Removing the Users from the Group:

After the policy has been detached from the group, we still have our users associated with our group, so we must remove our users from group first.

$ aws iam remove-user-from-group --group-name EncryptionGroup --user-name tmp-user1
$ aws iam remove-user-from-group --group-name EncryptionGroup --user-name tmp-user2

Deleting the users:

In order to call the DeleteUser operation, we first need to delete the access keys before we can delete the entity:

$ aws iam list-access-keys --user-name tmp-user1

{
    "AccessKeyMetadata": [
        {
            "UserName": "tmp-user1",
            "Status": "Active",
            "CreateDate": "2017-06-11T13:05:40Z",
            "AccessKeyId": "AKIAIBY7UYQX5KVAOO7Q"
        }
    ]
}

Delete the Access Keys:

$ aws iam delete-access-key --user-name tmp-user1 --access-key-id AKIAIBY7UYQX5KVAOO7Q

Finally, delete the users:

$ aws iam delete-user --user-name tmp-user1
$ aws iam delete-user --user-name tmp-user2

Delete the Group:

$ aws iam delete-group --group-name EncryptionGroup

Resource:

• http://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam

Related Posts:

• https://sysadmins.co.za/how-to-control-access-with-aws-iam-for-users-and-groups-using-the-cli-for-granting-s3-access/