I have a series of files in AWS S3, encrypted with a GPG public key. I want to store the private key in AWS KMS, so I can programmatically decrypt them.
I have followed AWS docs for BYOK (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) but cannot encrypt my private key with the AWS wrapping key as it's "unable to load private key" when I follow step 2 of https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-encrypt-key-material.html.
I am using the Windows command prompt with the AWS Command Line Interface to connect to the AWS S3 storage files and the EC2 server. I typed the following info (Part 1) and got an error (Part 2).
Part 1
AWS Access Key ID: (I put the EC2 Key pair name)
AWS Secret Access Key ID: (I put the key pair)
Default region name: us-east-2
Default output format: All (according to EC2 Security > Outbound Rules > Protocol)
Part 2
C:\Users(username)>aws s3 ls s3://www.(domain name)
An error occurred (InvalidAccessKeyId) when calling the ListObjectsV2 operation: The AWS Access Key Id you provided does not exist in our records.
AWS Access Key ID: (I put the EC2 Key pair name)
AWS Secret Access Key ID: (I put the key pair)
As Anon Coward says, an EC2 key pair is totally separate from an AWS API access key / secret.
Go to IAM for your IAM user and generate a new IAM access key, then rerun aws configure and paste in the values it gives you. The access key will look like AKIA..... and the secret will be a bunch of random-looking characters.
I am using KMS to encrypt/decrypt data (S3 objects and string values). The data I encrypted is a file saved in an S3 bucket, plus some string values saved in a database.
As an example, I use the below command to encrypt a string value.
aws kms encrypt --key-id 59c41ce0-153b-487c-821b-7c1d994fca0c --plaintext QTEyMzQtMTIzNDU2WFk=
The key I created is a single-region key. It is a customer managed key with external origin, and I have imported the key material into KMS. Now I need to deploy my application in another region, which means I need to decrypt the existing data from the other region.
The problem I have is that AWS doesn't support converting a single-region key to a multi-region key. That means I have to re-create a new multi-region key. I own the key material, and I expect I can import the same key material into the new multi-region key, then use this key to decrypt the existing data which was encrypted by the single-region key.
But I got this error when I try to decrypt: An error occurred (IncorrectKeyException) when calling the Decrypt operation: The key ID in the request does not identify a CMK that can perform this operation.
It seems there is other data used by KMS to encrypt the data besides the key material. Is there a way to replicate the key with the same material? I expect to be able to re-create the KMS key with the same material to decrypt the data.
As a disaster recovery measure, is it possible to import an external KMS key to decrypt data encrypted by a previous key?
In the AWS documentation it says the following:
Can't decrypt with any other KMS key
When you encrypt data under a KMS key, the ciphertext is permanently
associated with the KMS key and its key material. It cannot be
decrypted with any other KMS key, including a different KMS key with the same key material.
This is a security feature of KMS keys.
https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
I did some testing where I imported an externally generated key and then re-imported it into KMS (generating a second key with a second ID). Data encrypted by the first key could not be decrypted by the second key (even having the same key material).
But, can any AWS customer back up keys for post-malicious/accidental KMS key deletion recovery?
I'm using PuTTYgen to create the three required ppk files: Certificate, CertificateChain and private key. After that I convert the three ppk files to pem files.
Then, using the tutorial on AWS, I write the following lines in the EC2 terminal:
$ aws iam upload-server-certificate --server-certificate-name ExampleCertificate \
    --certificate-body file://Certificate.pem \
    --certificate-chain file://CertificateChain.pem \
    --private-key file://PrivateKey.pem
Then I receive the error:
An error occurred (MalformedCertificate) when calling the UploadServerCertificate operation: Certificate body is invalid. The body must not contain a private key.
I've tried to use different keys. I'm not really sure what to do. I thought I followed the steps correctly. I'm at a loss here.
If you are after uploading a key pair for an EC2 server, the process I use is:
Log into the AWS Console and create a new key pair, server-default.
Save the private key somewhere safe like a password repo.
Open PuTTYgen, open the private key, hit the Save public key option and save it somewhere useful like /temp/server_pub.pem.
Run the AWS CLI to upload the public key for the key pair:
aws ec2 import-key-pair --region us-east-1 --key-name server-default --public-key-material file:///temp/server_pub.pem
I am trying to connect to an S3 bucket from the EC2 instance. Logging into the EC2 instance uses a private key generated from the pem file. Ideally I should have been able to access the S3 bucket from there directly without passing an access key and secret. But when I try to connect it is asking for the above 2 things rather than directly connecting and listing the contents.
The SSH key you generated from the pem file, and the AWS IAM account access key and secret key are two completely different things. The SSH key is used for initiating SSH connections with your EC2 server. The access key and secret key are from an AWS IAM account and are used for accessing the AWS API.
If you are trying to access S3 from your EC2 server, the preferred way is to assign an IAM role to the EC2 instance with the appropriate permissions, so that you don't have to deal with IAM key credentials.
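The instance-role approach recommended in that answer, written out as an added CloudFormation example (not code from the original thread): a role that EC2 may assume, scoped to read-only access on a single bucket, wrapped in an instance profile. The parameter name BucketName and the logical resource names are assumptions for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example: least-privilege instance role so an EC2 instance can
  list and read one S3 bucket without any stored access key / secret.

Parameters:
  BucketName:
    Type: String
    Description: Placeholder; replace with the bucket the instance must read.

Resources:
  S3ReadRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only the EC2 service may assume this role, so the
      # credentials are only ever handed out via the instance metadata service.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: ReadOnlyOneBucket
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # ListBucket applies to the bucket ARN itself ...
              - Effect: Allow
                Action: s3:ListBucket
                Resource: !Sub "arn:aws:s3:::${BucketName}"
              # ... while GetObject applies to the objects inside it.
              - Effect: Allow
                Action: s3:GetObject
                Resource: !Sub "arn:aws:s3:::${BucketName}/*"

  # EC2 attaches roles through an instance profile, not the role directly.
  S3ReadInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref S3ReadRole

Outputs:
  InstanceProfileName:
    Description: Attach this profile to the instance (launch template or console).
    Value: !Ref S3ReadInstanceProfile
```

Once the profile is attached, the AWS CLI on the instance picks up temporary credentials from the instance metadata service automatically, so aws s3 ls works with no aws configure step and no long-lived key on disk.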