Questions tagged [amazon-kms]
AWS Key Management Service (KMS) is an encryption and key management service scaled for the cloud. KMS keys and functionality are used by other AWS services, and you can use them to protect data in your own applications that use AWS.
739 questions

342 votes | 13 answers | 476k views
boto3 client NoRegionError: You must specify a region error only sometimes
I have a boto3 client:
boto3.client('kms')
But it happens on new machines; they open and close dynamically.
if endpoint is None:
    if region_name is None:
        # Raise a more ...

81 votes | 3 answers | 36k views
How to use Async and Await with AWS SDK Javascript
I am working with the AWS SDK using the KMS library. I would like to use async and await instead of callbacks.
import AWS, { KMS } from "aws-sdk";
this.kms = new AWS.KMS();
const key = await this....

54 votes | 3 answers | 37k views
What is the Sid attribute used for in key policies?
Here is the documentation:
Sid – (Optional) The Sid is a statement identifier, an arbitrary string you can use to identify the statement.
Does it mean that the Sid parameter is just a description?

38 votes | 7 answers | 25k views
Minimal KMS permissions to copy a database snapshot
I am trying to set up minimal permissions for doing aws rds copy-db-snapshot with a KMS encryption key:
$ aws rds copy-db-snapshot --source-db-snapshot-identifier rds-backup-share-mysql --target-db-...

32 votes | 4 answers | 96k views
The ciphertext refers to a customer master key that does not exist,
I have a lambda which accesses the S3.
Before, this lambda program worked well. But recently I changed the KMS key of S3 or some other security group setting (the lambda source code doesn't change).
There ...

30 votes | 5 answers | 12k views
Attempting to decrypt ciphertext within a Lambda function using KMS results in timeout
When decrypting ciphertext from the command line using the AWS CLI, the ciphertext gets decrypted without issues:
$ aws kms decrypt --ciphertext-blob fileb://encrypted-secrets --output text --query ...

22 votes | 4 answers | 14k views
How exactly does encryption key rotation work?
How exactly does encryption key rotation work? I understand it's a very good practice to continuously rotate your encryption keys for security purposes, but rotating a key would require too much work.
...

21 votes | 1 answer | 10k views
Does AWS RDS encryption with KMS affect performance?
Amazon states that
Encryption and decryption are handled transparently so you don’t have to modify your application to access your data
My application (Rails, MySQL, Elasticsearch) builds a lot ...

20 votes | 4 answers | 27k views
How can I call Amazon's AWS kms decrypt function without using a binary file?
I have code that retrieves a string that was encrypted using Amazon's aws kms encrypt function. I would like to call aws kms decrypt to get back the unencrypted value, but I would like to do this ...

17 votes | 4 answers | 28k views
The new key policy will not allow you to update the key policy in the future
The title says it all. I am getting this error whenever I try to create a KMS key via an AWS CloudFormation template. I am creating the template as an IAM user with administrative permissions, and I ...

16 votes | 3 answers | 23k views
What is the purpose of kms:GenerateDataKey in AWS?
I'm writing a serverless function on AWS Lambda.
On certain instances I need to use kms:GenerateDataKey* permissions.
What exactly is the purpose of this? I checked the AWS documentation but it is ...

14 votes | 2 answers | 10k views
AWS-CDK: Passing cross-stack references props between multi region (cross-region) stacks in AWS-CDK
I have to deploy one stack, let's call it the parent stack, in one region.
Then a second stack (child) needs to be deployed in another region.
The region of the second stack (child stack) cannot ...

13 votes | 1 answer | 26k views
AWS IAM policy: Multiple Actions and Multiple Resources
It is a question on AWS IAM policy, multiple Actions with Multiple Resources (presumably not related). I have a parameter 'myparam' encrypted with 'mykey', and I have a policy as below in separate blocks, one ...

13 votes | 1 answer | 18k views
Message "Did not have IAM permissions to process tags on AWS::KMS::Key resource" When Creating KMS Key Using Cloudformation
While creating a new KMS key using Cloudformation I see this message in the "Status Reason" column:
Did not have IAM permissions to process tags on AWS::KMS::Key resource
The cloudformation stack ...

12 votes | 2 answers | 20k views
How do I get AWS cross-account KMS keys to work?
I'm trying to set up cross-account access to allow for an external account to use my KMS key to decrypt data from an S3 bucket. I have the key, policies, roles set up with what I believe is the ...

12 votes | 2 answers | 13k views
Getting the error in using Terraform for AWS: "The new key policy will not allow you to update the key policy in the future."
Running terraform for creating a key policy in AWS KMS I am getting the error:
aws_kms_key.dyn_logs_server_side_cmk: MalformedPolicyDocumentException: The new key policy will not allow you to update ...

12 votes | 2 answers | 4k views
How do I access the current user in a cloudformation template?
I want to create a KMS key using CloudFormation. I want to be able to provide the user executing the cloudformation YAML file (I'll call them "cloudformation-runner"), administrative access to the key ...

11 votes | 4 answers | 15k views
What are the differences between AWS Cloud HSM and KMS?
I am trying to understand the key management services in AWS (Amazon Web Services) and I can see that Amazon recommends more AWS Key Management Service (KMS) over Cloud Hardware Security Module (Cloud ...

11 votes | 1 answer | 5k views
How to encrypt AWS Lambda environment variables using CloudFormation
I am working on an AWS CloudFormation template that includes a Lambda function with sensitive environment variables. I'd like to set up a KMS key and encrypt them with it, which is easy to do in the ...

10 votes | 2 answers | 23k views
How to use Fn::If with array values in cloud formation templates
I am working on a cloud formation template for a KMS key. In the policy document I want to set the principals depending on the stage (whether it is prod or test). I can use Fn::If easily if there ...

10 votes | 2 answers | 11k views
NodeJS AWS KMS Decryption in Lambda
Let me start out by saying that it feels like this question is asked a lot, but none of the answers in the questions seem to resolve the issue I'm experiencing.
I am writing a lambda function in ...

10 votes | 2 answers | 12k views
AWS SSM Parameters GET using KMS decryption
Scenario:
One of our scripts uses the boto3 kms api to PUT and GET SSM parameters with KMS encryption and decryption. SSM param put works perfectly fine and parameters are added (with decryption as ...

10 votes | 1 answer | 13k views
Difference between KMS encryption and S3 SSE
Is there any difference if I KMS encrypt a file and push that file to an S3 bucket vs put the file to an S3 bucket using SSE KMS encryption?

10 votes | 2 answers | 4k views
AWS Rest API without SDK
For a variety of reasons I can't use AWS SDKs and have to make rest calls to the APIs. I've figured out authentication but need to understand what resources to call. Most of the AWS documentation ...

9 votes | 2 answers | 38k views
Use Terraform to update a KMS Key Policy
Does anyone know how I would get Terraform to UPDATE an existing KMS Key policy?
I already have the KMS Key(s) created but I have a temporary IAM role that needs to use an existing KMS key. I would ...

9 votes | 2 answers | 13k views
How to generate AWS S3 pre-signed URL using signature version 4
I am generating a pre-signed URL in a C# .NET Core 2.0 API controller class using the AWSSDK.S3 (3.3.31.11). The resulting URL is intended to be used by a client side Angular application to upload a ...

9 votes | 3 answers | 19k views
A client error (InvalidCiphertextException) occurred when calling the Decrypt operation:
When I am trying to execute the command:
aws kms decrypt --ciphertext-blob fileb://CPOEncrypted.txt --output text --query Plaintext
I am getting the below error and I am suspecting that ciphertext ...

9 votes | 1 answer | 2k views
How to manage Asymmetric (Public/Private) Keys in AWS
I need to develop a solution to store both symmetric and asymmetric keys securely in AWS. These keys will be used by applications that are running on EC2s and Lambdas. The applications will need to be ...

8 votes | 1 answer | 8k views
getSecretValue callback is not working in AWS Lambda
I'm trying to retrieve Secret Value from AWS Secret Manager using aws-sdk for Javascript, I'm using the code snippet provided by Secret Manager, I have included this code in Lambda function, but I can'...

8 votes | 2 answers | 2k views
How does AWS KMS determine which key to use when decrypting?
I'm confused about how aws-kms selects which key to use to decrypt a ciphertextblob.
When calling the decrypt method, no key information is provided.

7 votes | 2 answers | 10k views
How do I write the policy statement of an encrypted SQS for S3 events?
I have an SQS queue which used to have the following policy doc. for receiving S3 events from a bucket:
{
  "Version": "2008-10-17",
  "Id": "example-ID",
  "Statement": [
    {
      "Sid": "example-...

7 votes | 2 answers | 6k views
Using Encrypted EBS Volumes in Auto Scaling Groups with CMK owned by a different AWS account
I'm trying to use Auto Scaling groups in AWS to create and manage instances created from AMIs with encrypted snapshots, which have been encrypted by a CMK owned by a different AWS account.
I keep ...

7 votes | 2 answers | 9k views
Encryption and Decryption file in s3 using Nodejs with AWS KMS
I am using AWS KMS to encrypt a file to an s3 bucket. I'm currently doing this using the AWS console, but I'd like to do this using Nodejs.
I just checked some of the things but I am not getting any ...

7 votes | 2 answers | 21k views
KMS permissions for encrypted CloudWatch LogGroups with AWS Systems Session Manager
I've set up a CMK (Custom Managed Key) to encrypt LogGroups with AWS Systems Session Manager:
First, permissions for "key administrators" and "key users/roles" are added in the ...

7 votes | 1 answer | 7k views
Sharing an AWS managed KMS key with another account
I have an s3 folder that has encrypted objects in it. It is encrypted with the AWS KMS managed keys, not a custom key. I need another AWS account to be able to copy files from this bucket. From what I ...

7 votes | 2 answers | 22k views
InvalidCiphertextException when calling kms.decrypt with S3 metadata
I can add a client-side encrypted file via the Java SDK, and I can fetch the file too. I'm now trying to access it with boto3. (I know boto3 doesn't have support for this, but s3-wrapper does. This ...

7 votes | 1 answer | 14k views
AWS KMS Decrypt Error Credstash
My aws account is in the us-west-2 region, and the KMS key created in that account has ARN arn:aws:kms:us-east-1::key/. In my node module, I am using Credstash to decrypt the key which is encrypted using ...

6 votes | 1 answer | 8k views
How to get an AWS SSM Key Arn from an Alias using CloudFormation?
Is it possible to get a KMS Key ARN using CloudFormation using an alias?
I want to give specific permissions to a Key in my AWS Account.
Something like the following?
- Effect: Allow
  Action: ...

6 votes | 2 answers | 5k views
CloudFormation KMS Encryption Questions
Given a CloudFormation template that defines:
- A KMS Key
- A KMS Key Alias
- An S3 bucket
If for some reason I need to delete the CloudFormation stack and re-deploy, the deletion retains the KMS Key and ...

6 votes | 4 answers | 12k views
How to use AWS KMS in AWS lambda
I've just started to work with AWS services, particularly AWS Lambda. Is there a way to use the AWS KMS service from within Lambda code (Java)? I'd like to use KMS to decrypt an encrypted externalized (...

6 votes | 2 answers | 4k views
How to properly encrypt Elasticsearch instance with KMS
I will use my Rails/Mysql/Elasticsearch for processing some sensitive data, so I want to encrypt my data at rest.
It is clear to me that I can use AWS KMS to encrypt data in Mysql. It's important ...

6 votes | 1 answer | 6k views
Understanding KMS policy?
I have an IAM group called group-dev and a couple of users attached to this group, and I have a custom IAM policy (below). Is this IAM policy alone sufficient for users in that group to encrypt and list ...

6 votes | 1 answer | 3k views
Encrypted bucket notifications from S3 to SQS
How can I set up S3 bucket notifications to a queue in SQS where KMS are used on both the bucket and the queue?
I have a bucket in S3 where the contents are encrypted with an AWS Managed Key (the aws/...

6 votes | 1 answer | 3k views
Can AWS S3 default encryption use a KMS key owned by another account?
I want to use the relatively new S3 default encryption property to ensure that all objects written to a particular prefix in an S3 bucket are encrypted. In this case, I need to be able to specify a ...

6 votes | 3 answers | 12k views
How can a CloudFront distribution use an AWS KMS key to GET an S3 image encrypted at rest?
I would like to use AWS's Server Side Encryption (SSE) with the AWS Key Management Service (KMS) to encrypt data at rest in S3. (See this AWS blog post detailing SSE-KMS.)
However, I also have the ...

6 votes | 1 answer | 4k views
Why can't an AWS CloudWatch Alarm send notifications to an encrypted SNS Topic?
I set up alerts to notify me if my lambda function memory usage is more than 80% of the lambda memory size. I'm capturing the data points using custom metrics and I am able to see the alerts in the ...

6 votes | 2 answers | 6k views
AWS Glue reading S3 file client-side encryption using AWS KMS
Is it possible to crawl an S3 file encrypted using CSE-KMS in AWS Glue? I know that Athena can do that, but I haven't found similar functionality in the Glue crawler.

6 votes | 2 answers | 1k views
AWS KMS - Store/Use Ciphertext Blob
I'm just getting myself set up with the AWS Key Management Service and am calling the method generateDataKey. The method is working and returning the CiphertextBlob and the Plaintext blob.
However, ...

6 votes | 2 answers | 8k views
How to encrypt a column in Pandas/Spark dataframe using AWS KMS
I want to encrypt values in one column of my Pandas (or PySpark) dataframe, e.g. to take the column mobno in the following dataframe, encrypt it and put the result in the encrypted_value column:
...

6 votes | 2 answers | 10k views
"Failed to fetch a list of secrets" on AWS Secrets Manager console?
Has anyone noticed some unpredictable failures on AWS Secret Manager when trying to retrieve secret values? I'm using my own encryption key, and I've found that frequently, I am getting a "Failed to ...