
KMS for key management in AWS - Commands & Configuration

Introduction
Managing secret keys safely is essential to protecting your data. AWS KMS lets you create and control encryption keys without ever handling the raw key material yourself.
When you want to encrypt sensitive data like passwords or credit card numbers in your app.
When you need to control who can use encryption keys in your team or company.
When you want to audit how and when keys are used for security reviews.
When you want to rotate encryption keys automatically to keep them secure.
When you want to integrate encryption with other AWS services like S3 or RDS.
Commands
This command creates a new encryption key in AWS KMS with a description and a tag to identify its purpose.
Terminal
aws kms create-key --description "Example key for encrypting app data" --tags TagKey=Purpose,TagValue=AppEncryption
Expected Output
{
  "KeyMetadata": {
    "AWSAccountId": "123456789012",
    "KeyId": "abcd1234-5678-90ef-ghij-klmnopqrstuv",
    "Arn": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-5678-90ef-ghij-klmnopqrstuv",
    "CreationDate": 1686000000.0,
    "Enabled": true,
    "Description": "Example key for encrypting app data",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "KeyState": "Enabled",
    "Origin": "AWS_KMS"
  }
}
--description - Adds a human-readable description to the key
--tags - Adds metadata tags to help organize keys
This command lists all the KMS keys in your AWS account so you can see the keys you have created.
Terminal
aws kms list-keys
Expected Output
{
  "Keys": [
    {
      "KeyId": "abcd1234-5678-90ef-ghij-klmnopqrstuv",
      "KeyArn": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-5678-90ef-ghij-klmnopqrstuv"
    }
  ]
}
This command encrypts the text "Hello World" using the specified KMS key and saves the binary ciphertext to a file. AWS CLI v2 treats --plaintext as base64 by default, so --cli-binary-format raw-in-base64-out is needed to pass the raw string (CLI v1 accepts raw text without it).
Terminal
aws kms encrypt --key-id abcd1234-5678-90ef-ghij-klmnopqrstuv --plaintext "Hello World" --cli-binary-format raw-in-base64-out --output text --query CiphertextBlob | base64 --decode > encrypted.dat
Expected Output
No output (command runs silently)
--key-id - Specifies which key to use for encryption
--plaintext - The data to encrypt
This command decrypts the encrypted data file back to the original plaintext. The ciphertext blob records which symmetric key produced it, so --key-id is not required here.
Terminal
aws kms decrypt --ciphertext-blob fileb://encrypted.dat --output text --query Plaintext | base64 --decode
Expected Output
Hello World
--ciphertext-blob - Specifies the encrypted data file to decrypt
Key Concept

If you remember nothing else, remember: AWS KMS lets you safely create, use, and control encryption keys without handling the raw keys yourself.

Common Mistakes
Using the wrong key ID when encrypting or decrypting data
The command will fail or produce unusable data because the key does not match.
Always copy the exact KeyId from the create or list command output and use it in encryption and decryption commands.
Not specifying the plaintext correctly in the encrypt command
The command may encrypt empty data or fail, leading to confusion.
Use the --plaintext flag with the exact string you want to encrypt, enclosed in quotes.
Forgetting to decode base64 output when encrypting or decrypting
The encrypted or decrypted data will be unreadable or corrupted if base64 encoding is not handled properly.
Pipe the CLI output through base64 --decode as shown, so the ciphertext is stored as binary and the decrypted plaintext is readable.
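The same round trip in code, serving both the Commands section and the mistakes above: this is an added example, not part of the original page. It assumes a boto3-style KMS client (encrypt/decrypt returning CiphertextBlob and Plaintext as bytes); FakeKMS is a constructed offline stand-in that does not really encrypt. It pins the key on decrypt (the Decrypt API accepts KeyId for symmetric keys and rejects ciphertext from any other key), checks the 4096-byte Encrypt limit, and shows the optional EncryptionContext parameter, which the page's commands do not use.

```python
"""Pin the KMS key on both sides of an Encrypt/Decrypt round trip.

Added example; not from the page. Assumes a boto3-style KMS client. FakeKMS is
an offline stand-in with the same call shapes and does not really encrypt."""
import base64
import json
import os
import tempfile
from typing import Optional

KMS_MAX_PLAINTEXT = 4096  # bytes; the Encrypt API rejects larger payloads


def key_ids_match(a: str, b: str) -> bool:
    """KMS responses carry the key ARN; callers often hold the bare key id.
    Compare the part after 'key/' so either form is accepted."""
    return a.rsplit("key/", 1)[-1] == b.rsplit("key/", 1)[-1]


def encrypt_to_file(kms, key_id: str, plaintext: bytes, path: str,
                    context: Optional[dict] = None) -> str:
    """Encrypt under key_id and write the raw ciphertext blob to path."""
    if len(plaintext) > KMS_MAX_PLAINTEXT:
        raise ValueError("Encrypt accepts at most 4096 bytes; use a data key for larger data")
    resp = kms.encrypt(KeyId=key_id, Plaintext=plaintext,
                       EncryptionContext=context or {})
    # The SDK returns CiphertextBlob as bytes. The CLI prints it base64-encoded,
    # which is why the page's command pipes it through `base64 --decode`.
    with open(path, "wb") as fh:
        fh.write(resp["CiphertextBlob"])
    return resp["KeyId"]


def decrypt_from_file(kms, expected_key_id: str, path: str,
                      context: Optional[dict] = None) -> bytes:
    """Decrypt path, refusing ciphertext made under any key other than expected_key_id."""
    with open(path, "rb") as fh:
        blob = fh.read()
    # Symmetric ciphertext records which key made it, so KeyId is optional on
    # Decrypt. Passing it makes KMS reject ciphertext from any other key the
    # caller is allowed to use; the comparison below also catches a client
    # that silently ignored the parameter.
    resp = kms.decrypt(CiphertextBlob=blob, KeyId=expected_key_id,
                       EncryptionContext=context or {})
    if not key_ids_match(resp["KeyId"], expected_key_id):
        raise RuntimeError(f"ciphertext belongs to {resp['KeyId']}, not {expected_key_id}")
    return resp["Plaintext"]


def round_trip(kms, key_id: str, secret: bytes,
               context: Optional[dict] = None) -> bool:
    """Encrypt then decrypt in a scratch directory; True if the secret survives intact."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "encrypted.dat")
        encrypt_to_file(kms, key_id, secret, path, context)
        return decrypt_from_file(kms, key_id, path, context) == secret


def wrong_key_is_rejected(kms, key_a: str, key_b: str, secret: bytes) -> bool:
    """Encrypt under key_a, then try to decrypt while pinning key_b.
    True when the mismatch is refused (the page's first 'common mistake')."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "encrypted.dat")
        encrypt_to_file(kms, key_a, secret, path)
        try:
            decrypt_from_file(kms, key_b, path)
        except Exception:
            return True
        return False


class FakeKMS:
    """Offline stand-in (constructed for this example) with boto3's call shapes.
    It does NOT encrypt: it tags the plaintext with key and context so the
    pinning checks above can run without AWS credentials."""

    def __init__(self, account: str = "123456789012", region: str = "us-east-1"):
        self.arn_prefix = f"arn:aws:kms:{region}:{account}:key/"

    def _arn(self, key_id: str) -> str:
        return key_id if key_id.startswith("arn:") else self.arn_prefix + key_id

    def encrypt(self, KeyId, Plaintext, EncryptionContext=None):
        record = {"key": self._arn(KeyId), "ctx": EncryptionContext or {},
                  "pt": base64.b64encode(Plaintext).decode()}
        return {"KeyId": self._arn(KeyId),
                "CiphertextBlob": json.dumps(record).encode()}

    def decrypt(self, CiphertextBlob, KeyId=None, EncryptionContext=None):
        record = json.loads(CiphertextBlob)
        if KeyId is not None and record["key"] != self._arn(KeyId):
            raise RuntimeError("IncorrectKeyException")  # what real KMS raises
        if record["ctx"] != (EncryptionContext or {}):
            raise RuntimeError("InvalidCiphertextException")  # context mismatch
        return {"KeyId": record["key"], "Plaintext": base64.b64decode(record["pt"])}


if __name__ == "__main__":
    # Sample key id taken from the page's output; FakeKMS accepts any string.
    demo_key = "abcd1234-5678-90ef-ghij-klmnopqrstuv"
    print("round trip ok:", round_trip(FakeKMS(), demo_key, b"Hello World"))
    # Against AWS: kms = boto3.client("kms"); round_trip(kms, "<your key id>", b"Hello World")
```

To use it against a real account, replace FakeKMS() with boto3.client("kms") and pass the KeyId returned by create-key; everything else stays the same, because the functions only rely on the encrypt/decrypt call shapes.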
Summary
Create a KMS key with a description and tags to identify its use.
List your keys to confirm the key ID for encryption and decryption.
Encrypt plaintext data using the key and save the encrypted output.
Decrypt the encrypted data back to plaintext using the same key.