Create an Encryption Key Using the AWS KMS Service

  1. Log in to the KMS console for the us-east-2 region: [https://us-east-2.console.aws.amazon.com/kms/home?region=us-east-2#/kms/keys](https://us-east-2.console.aws.amazon.com/kms/home?region=us-east-2#/kms/keys). aws image24
  2. Select Create Key. aws image17
  3. Select Next. aws image5
  4. Select Next. aws image29
  5. Choose the IAM roles or users that are allowed to use this key for cryptographic operations (encrypt, decrypt, re-encrypt, generate data keys). Key administrators (who can manage the key) are granted separately from key users (who can only use it); the sample policy below shows both statements.
  6. Select Finish. aws image10

Sample key policy JSON for granting IAM roles or users access to the key. Replace the account ID and the user ARNs with your own before applying it; note that the first statement grants the account root full `kms:*` access, which is what lets IAM policies in that account control the key.

{
    "Id": "key-consolepolicy-3",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::735646515482:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::735646515482:user/mohamed.khaled@incorta.com"
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::735646515482:user/mohamed.khaled@incorta.com"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::735646515482:user/x@incorta.com"
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}
