Lab 10 kms

10-kms/Practice-10.1/PlaintextFile

@@ -0,0 +1 @@
+This is my secret file

10-kms/Practice-10.1/cmk_key.yml

@@ -0,0 +1,55 @@
+Description: AWS CMK Key
+
+Resources:
+  myKey:
+    Type: 'AWS::KMS::Key'
+    Properties:
+      Description: A symmetric encryption KMS key
+      EnableKeyRotation: true
+      PendingWindowInDays: 20
+      KeyPolicy:
+        Version: 2012-10-17
+        Id: key-default-1
+        Statement:
+          - Sid: Enable IAM User Permissions
+            Effect: Allow
+            Principal:
+              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
+            Action: 'kms:*'
+            Resource: '*'
+          - Sid: Allow administration of the key
+            Effect: Allow
+            Principal:
+              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/desmond.ndambi.labs"
+            Action:
+              - 'kms:Create*'
+              - 'kms:Describe*'
+              - 'kms:Enable*'
+              - 'kms:List*'
+              - 'kms:Put*'
+              - 'kms:Update*'
+              - 'kms:Revoke*'
+              - 'kms:Disable*'
+              - 'kms:Get*'
+              - 'kms:Delete*'
+              - 'kms:ScheduleKeyDeletion'
+              - 'kms:CancelKeyDeletion'
+            Resource: '*'
+          - Sid: Allow use of the key
+            Effect: Allow
+            Principal:
+              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/desmond.ndambi.labs"
+            Action:
+              - 'kms:DescribeKey'
+              - 'kms:Encrypt'
+              - 'kms:Decrypt'
+              - 'kms:ReEncrypt*'
+              - 'kms:GenerateDataKey'
+              - 'kms:GenerateDataKeyWithoutPlaintext'
+            Resource: '*'
+
+  myAlias:
+    Type: 'AWS::KMS::Alias'
+    Properties:
+      AliasName: alias/ndambi
+      TargetKeyId: !Ref myKey

10-kms/Practice-10.1/file.txt

@@ -0,0 +1 @@
+This is my secret file

10-kms/Practice-10.1/scripts

@@ -0,0 +1,14 @@
+aws kms encrypt \
+    --key-id fbc58ad0-2bac-40fe-96ee-5ebd24d2f006 \
+    --plaintext fileb://file.txt \
+    --output text \
+    --query CiphertextBlob | base64 \
+    --decode > encryptedFile
+
+aws kms decrypt \
+    --ciphertext-blob fileb://encryptedFile \
+    --key-id fbc58ad0-2bac-40fe-96ee-5ebd24d2f006 \
+    --output text \
+    --query Plaintext | base64 \
+    --decode > PlaintextFile
+

10-kms/Practice-10.2/NewFile.txt

@@ -0,0 +1 @@
+Test Client-Side encryption

10-kms/Practice-10.2/go.mod

@@ -0,0 +1,10 @@
+module kms
+
+go 1.19
+
+require (
+	github.com/aws/aws-sdk-go v1.44.103 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.16.16 // indirect
+	github.com/aws/smithy-go v1.13.3 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
+)

10-kms/Practice-10.2/go.sum

@@ -0,0 +1,22 @@
+github.com/aws/aws-sdk-go v1.44.103 h1:tbhBHKgiZSIUkG8FcHy3wYKpPVvp65Wn7ZiX0B8phpY=
+github.com/aws/aws-sdk-go v1.44.103/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
+github.com/aws/aws-sdk-go-v2 v1.16.16 h1:M1fj4FE2lB4NzRb9Y0xdWsn2P0+2UHVxwKyOa4YJNjk=
+github.com/aws/aws-sdk-go-v2 v1.16.16/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUYOqTerZPaF9k=
+github.com/aws/smithy-go v1.13.3 h1:l7LYxGuzK6/K+NzJ2mC+VvLUbae0sL3bXU//04MkmnA=
+github.com/aws/smithy-go v1.13.3/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
+github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
+github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=

10-kms/Practice-10.2/s3_client_side_download.go

@@ -0,0 +1,55 @@
+package main
+
+import (
+    "fmt"
+    "io/ioutil"
+    "log"
+
+	"github.com/aws/aws-sdk-go/aws"
+    "github.com/aws/aws-sdk-go/aws/session"
+    "github.com/aws/aws-sdk-go/service/s3"
+    "github.com/aws/aws-sdk-go/service/s3/s3crypto"
+	"os"
+)
+
+var (
+    bucket = "kms-bucket-ndambi"
+    key    = "clientside.txt"
+)
+
+func main() {
+    sess := session.New(&aws.Config{
+		Region:      aws.String("us-east-1"),})
+
+    client := s3crypto.NewDecryptionClient(sess)
+
+    input := &s3.GetObjectInput{
+        Bucket: &bucket,
+        Key:    &key,
+    }
+
+    result, err := client.GetObject(input)
+    // Aside from the S3 errors, here is a list of decryption client errors:
+    //   * InvalidWrapAlgorithmError - returned on an unsupported Wrap algorithm
+    //   * InvalidCEKAlgorithmError - returned on an unsupported CEK algorithm
+    //   * V1NotSupportedError - the SDK doesn’t support v1 because security is an issue for AES ECB
+    // These errors don’t necessarily mean there’s something wrong. They just tell us we couldn't decrypt some data.
+    // Users can choose to log this and then continue decrypting the data that they can, or simply return the error.
+    if err != nil {
+        log.Fatal(err)
+    }
+
+    // Let's read the whole body from the response
+    b, err := ioutil.ReadAll(result.Body)
+    if err != nil {
+        log.Fatal(err)
+    }
+    //fmt.Println(string(b))
+
+	file, err := os.Create("NewFile.txt")
+	if err != nil {
+		fmt.Println(err)
+		return
+	}
+	fmt.Fprintf(file, "%v\n", string(b))
+}

10-kms/Practice-10.2/s3_client_side_upload.go

@@ -0,0 +1,55 @@
+/* 
+Licensed under the MIT-0 license https://github.com/aws/mit-0
+*/
+package main
+
+import (
+    "log"
+    "strings"
+
+    "github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/credentials"
+	"github.com/aws/aws-sdk-go/aws/session"
+    "github.com/aws/aws-sdk-go/service/kms"
+    "github.com/aws/aws-sdk-go/service/s3"
+    "github.com/aws/aws-sdk-go/service/s3/s3crypto"
+)
+
+var (
+    cmkId  = "fbc58ad0-2bac-40fe-96ee-5ebd24d2f006"
+    bucket = "kms-bucket-ndambi"
+    key    = "clientside.txt"
+)
+
+func main() {
+	sess, err := session.NewSession(&aws.Config{
+		Region:      aws.String("us-east-1"),
+		Credentials: credentials.NewSharedCredentials("", "default"),
+	})
+    // This is our key wrap handler, used to generate cipher keys and IVs for
+    // our cipher builder. Using an IV allows more “spontaneous” encryption.
+    // The IV makes it more difficult for hackers to use dictionary attacks.
+    // The key wrap handler behaves as the master key. Without it, you can’t
+    // encrypt or decrypt the data.
+    keywrap := s3crypto.NewKMSKeyGenerator(kms.New(sess), cmkId)
+    // This is our content cipher builder, used to instantiate new ciphers
+    // that enable us to encrypt or decrypt the payload.
+    builder := s3crypto.AESGCMContentCipherBuilder(keywrap)
+    // Let's create our crypto client!
+    client := s3crypto.NewEncryptionClient(sess, builder)
+
+    input := &s3.PutObjectInput{
+        Bucket: &bucket,
+        Key:    &key,
+        Body:   strings.NewReader("Test Client-Side encryption"),
+    }
+
+    _, err = client.PutObject(input)
+    // What to expect as errors? You can expect any sort of S3 errors, http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html.
+    // The s3crypto client can also return some errors:
+    //  * MissingCMKIDError - when using AWS KMS, the user must specify their key's ARN
+    if err != nil {
+        log.Fatal(err)
+    }
+}
+