Setting up an AWS KMS Key in AWS KMS

In this section, we will create an AWS KMS key in AWS KMS. You must have an AWS account that has permission to create and manage AWS KMS key objects.

Create an AWS KMS Key

Navigate to https://us-west-1.console.aws.amazon.com/kms, and select the region you want to use for creating a new AWS KMS key.

Click on the “Create Key” button:

(Screenshot: Customer Managed Keys)

Select “Symmetric” for the Key Type:

(Screenshot: Key Type)

Enter a name/description for the AWS KMS key:

(Screenshot: Add labels)

Pick an administrator to manage the AWS KMS key object:

Select your own account so that you can manage the key (more specifically, update the policy attached to that key).

(Screenshot: Define key admin permissions)

Skip the screen that grants permissions to access the key:

The final permissions will be set up at a later time.

(Screenshot: Define key usage permissions)

Review the key policy:

For this example, make sure that the action “kms:Encrypt” is specified in one of the Statement elements of the policy. This gives you the ability to encrypt data using this AWS KMS key. In the example below, “kms:Encrypt” is granted to the administrator of the key (your account). This is for demonstration purposes only; in a typical deployment, KMS key administrators are not authorized to perform the “kms:Encrypt” or “kms:Decrypt” actions.

The policy should look like this (<ACCOUNT> and <USER> should reflect your settings):

{
    "Id": "key-consolepolicy-3",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<ACCOUNT>:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<ACCOUNT>:user/<USER>"
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:Encrypt",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
            ],
            "Resource": "*"
        }
    ]
}
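As an added example (not part of the original tutorial), the following script parses a key policy in the format shown above and reports which principals are allowed to call kms:Encrypt or kms:Decrypt, flagging administrator statements that also carry those data-plane actions; the account ID and user name in the embedded sample policy are constructed placeholders.

```python
"""Check which principals a KMS key policy allows to use kms:Encrypt/kms:Decrypt.

Added example, not part of the original tutorial. The policy below is the
console-generated policy from the tutorial with constructed placeholder values.
"""
import fnmatch
import json

# Constructed sample: the tutorial's policy with a made-up account and user.
SAMPLE_POLICY = json.dumps({
    "Id": "key-consolepolicy-3",
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow access for Key Administrators", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:user/alice"},
         "Action": ["kms:Create*", "kms:Describe*", "kms:Encrypt", "kms:Delete*"],
         "Resource": "*"},
    ],
})

DATA_PLANE_ACTIONS = ("kms:Encrypt", "kms:Decrypt")


def _as_list(value):
    # Policy fields may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    # Action wildcards such as "kms:*" or "kms:Get*" are glob-style.
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def principals_allowed(policy_json, action):
    """Return the AWS principals whose Allow statements cover `action`.

    Only Effect: Allow is evaluated; Deny statements and Conditions are ignored.
    """
    allowed = set()
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") == "Allow" and _matches(action, _as_list(stmt["Action"])):
            allowed.update(_as_list(stmt["Principal"]["AWS"]))
    return allowed


def admin_statements_with_data_plane(policy_json):
    """Sids of 'Key Administrators' statements that also grant Encrypt/Decrypt."""
    return [s["Sid"] for s in json.loads(policy_json)["Statement"]
            if "Key Administrators" in s.get("Sid", "")
            and any(_matches(a, _as_list(s["Action"])) for a in DATA_PLANE_ACTIONS)]
```

Running the two functions against a real key policy (for example the output of `aws kms get-key-policy`) shows at a glance whether the administrator statement still carries the data-plane actions the tutorial says should be removed in a typical deployment.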

Summary:

(Screenshot: Summary of Success)

Congratulations! You have created an AWS KMS key in AWS KMS. Take note of the Amazon Resource Name (ARN) of your key, as you will need it later. It should look like this (replace <REGION>, <ACCOUNT> and <KEY-ID> with the values for your environment):

arn:aws:kms:<REGION>:<ACCOUNT>:key/<KEY-ID>