AWS cloud, ~30 mins

KMS for key management in AWS - Mini Project: Build & Apply

KMS for key management
📖 Scenario: You are setting up a secure environment in AWS. You need to create a KMS (Key Management Service) key to encrypt your sensitive data safely.
🎯 Goal: Build an AWS CloudFormation template that creates a KMS key with a description and enables key rotation.
📋 What You'll Learn
Create a KMS key resource with the exact logical ID MyKmsKey
Set the Description property to "My first KMS key"
Enable automatic key rotation by setting EnableKeyRotation to true
Add a KeyPolicy that allows the root user full access
💡 Why This Matters
🌍 Real World
KMS keys are used to encrypt sensitive data in AWS services like S3, EBS, and RDS. Managing keys securely is critical for protecting data.
💼 Career
Cloud engineers and security specialists often create and manage KMS keys to enforce encryption policies and comply with security standards.
1
Create the KMS key resource
Create a resource called MyKmsKey of type AWS::KMS::Key in the Resources section of the CloudFormation template.
Hint: Use the Resources section to define MyKmsKey with the correct type.

2
Add a description to the KMS key
Inside the MyKmsKey resource, add a Properties section with a Description set to "My first KMS key".
Hint: Properties hold configuration details like Description.

3
Enable automatic key rotation
Inside the Properties of MyKmsKey, add EnableKeyRotation set to true to enable automatic key rotation.
Hint: EnableKeyRotation is a boolean property inside Properties.

4
Add a key policy allowing root user full access
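Inside the Properties of MyKmsKey, add a KeyPolicy that allows the root user full access. Use the exact policy structure with "Effect": "Allow", "Principal": { "AWS": { "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root" } }, and "Action": "kms:*" on "Resource": "*". In a key policy, the :root principal stands for the AWS account itself, so this statement also lets IAM policies in the account grant access to the key.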
Hint: The KeyPolicy is a JSON object with a Version and a Statement array. The Statement must allow root user full access.
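
The template that the four steps build, together with a check of each step's requirement. This is an added example, not part of the original exercise: the template is embedded as constructed sample input, and check_kms_template, _is_root_allow and ROOT_ARN are hypothetical names chosen for this sketch.

```python
import json

# Constructed sample: the CloudFormation template produced by steps 1-4 (JSON form).
TEMPLATE = json.loads("""
{"Resources": {"MyKmsKey": {
  "Type": "AWS::KMS::Key",
  "Properties": {
    "Description": "My first KMS key",
    "EnableKeyRotation": true,
    "KeyPolicy": {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"}},
        "Action": "kms:*",
        "Resource": "*"
      }]
    }
  }
}}}
""")

ROOT_ARN = {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"}

def _is_root_allow(s):
    """True if statement s is the exact account-root Allow from step 4."""
    principal = s.get("Principal")  # may be the string "*", which must not pass
    return (s.get("Effect") == "Allow" and s.get("Action") == "kms:*"
            and s.get("Resource") == "*" and isinstance(principal, dict)
            and principal.get("AWS") == ROOT_ARN)

def check_kms_template(template):
    """Return a list of findings; an empty list means all four steps pass."""
    key = template.get("Resources", {}).get("MyKmsKey")
    if not isinstance(key, dict) or key.get("Type") != "AWS::KMS::Key":
        return ["step 1: Resources.MyKmsKey of type AWS::KMS::Key not found"]
    props = key.get("Properties", {})
    findings = []
    if props.get("Description") != "My first KMS key":
        findings.append("step 2: Description missing or different")
    if props.get("EnableKeyRotation") is not True:  # the string "true" does not count
        findings.append("step 3: EnableKeyRotation is not boolean true")
    statements = props.get("KeyPolicy", {}).get("Statement", [])
    if isinstance(statements, dict):  # a single statement given without a list
        statements = [statements]
    if not any(_is_root_allow(s) for s in statements):
        findings.append("step 4: no Allow kms:* statement for the account root principal")
    return findings

if __name__ == "__main__":
    print(check_kms_template(TEMPLATE) or "all four steps pass")
```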