CMKs are the primary resources in AWS KMS. A CMK can directly encrypt and decrypt up to 4 kilobytes (4096 bytes) of data. Most commonly, however, you use a CMK to generate, encrypt, and decrypt the data keys that you then use outside of AWS KMS to encrypt your data (envelope encryption), so the CMK itself never leaves KMS.
In this section we will create a CMK whose key material is generated by AWS KMS; later we will create a CMK with our own imported key material.
To create our first CMK we will use the AWS CLI on the instance rather than the AWS console, because the CLI gives a clearer view of each step of the process. Once you understand it, creating CMKs from the console will be a breeze.
1. Configure the AWS CLI on the instance:
aws configure
2. When prompted for the default region name, enter the region ID of the area you are working in, for example:
us-east-1
and press Enter. Leave the other prompts at their defaults; on an instance that has an IAM role attached you do not enter access keys, the CLI obtains credentials from the role.
3. Create the CMK. With no other options this creates a symmetric CMK whose key material is generated by AWS KMS:
aws kms create-key
4. Check the CMK we created.
Key aliases are very useful. They are easier to remember than key IDs or ARNs when operating with keys. Most importantly, when we rotate keys manually, as we will see later in this section, we do not have to update our code with the new key ID or ARN: if the code calls the CMK by its alias, we only repoint the alias at the newly generated CMK, and the amount of change in our code is minimized. A few caveats: alias names must start with alias/ (alias/aws/ is reserved for AWS managed keys) and are unique per account and region; the alias only selects the key for operations that take a KeyId, such as Encrypt and GenerateDataKey, while Decrypt of a symmetric ciphertext locates the CMK from metadata stored in the ciphertext itself, so the previous CMK must stay enabled for as long as data encrypted under it has to remain readable. Automatic key rotation in KMS, by contrast, keeps the same key ID and needs no alias change.
5. Create the alias, using either the key ID or the ARN of your CMK:
aws kms create-alias --alias-name alias/FirstCMK --target-key-id '<key ID of your CMK>'
6. Check the Alias
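The whole walkthrough above (create a CMK, check it, create alias/FirstCMK, check the alias) plus the manual rotation that the alias exists for, as an added shell example that is not code from the original workshop. The region us-east-1 and the alias name come from the page; the description strings, the function names and the offline stub (KMS_DEMO_OFFLINE=1, which answers the CLI calls with constructed sample values so the flow can be exercised without an account) are this example's own assumptions. Run it with `sh kms_walkthrough.sh run` on the instance with the AWS CLI v2 configured.

```shell
#!/bin/sh
# Added example, not code from the original workshop. Assumptions: region
# us-east-1 and alias/FirstCMK are taken from the page; the description
# strings, function names and the offline stub are this example's own.
# Needs the AWS CLI v2 and credentials (or an instance role) unless
# KMS_DEMO_OFFLINE=1, in which case constructed values are returned.
set -eu

REGION="${AWS_REGION_ID:-us-east-1}"

# Print the value that follows flag $1 in the remaining arguments (stub helper).
arg_after() {
    want="$1"; shift
    while [ $# -gt 1 ]; do
        if [ "$1" = "$want" ]; then printf '%s\n' "$2"; return 0; fi
        shift
    done
    return 1
}

# Every KMS call goes through here. Online it is plain "aws"; offline it
# answers with constructed sample values (key IDs are derived from the
# description so the demo is deterministic; real key IDs are UUIDs).
awscli() {
    if [ "${KMS_DEMO_OFFLINE:-0}" != "1" ]; then
        aws "$@"
        return
    fi
    case "$2" in
        create-key)   arg_after --description "$@" | tr ' ' '-' ;;
        describe-key) echo "Enabled" ;;
        create-alias|update-alias)
                      STUB_ALIAS_TARGET=$(arg_after --target-key-id "$@") ;;
        list-aliases) echo "${STUB_ALIAS_TARGET:-}" ;;
        *)            echo "stub: unsupported call $2" >&2; return 1 ;;
    esac
}

# Step 3: create a symmetric CMK with KMS-generated key material (the
# default Origin, AWS_KMS) and print only its key ID.
create_cmk() {
    awscli kms create-key --region "$REGION" --description "$1" \
        --query 'KeyMetadata.KeyId' --output text
}

# Step 4: check the CMK. Prints its state; "Enabled" is what we want.
check_cmk() {
    awscli kms describe-key --region "$REGION" --key-id "$1" \
        --query 'KeyMetadata.KeyState' --output text
}

# Alias names must start with "alias/"; "alias/aws/" is reserved for AWS managed keys.
alias_name_ok() {
    case "$1" in
        alias/aws/*) return 1 ;;
        alias/?*)    return 0 ;;
        *)           return 1 ;;
    esac
}

# Step 5: point the alias at the CMK; --target-key-id accepts a key ID or an ARN.
create_cmk_alias() {
    alias_name_ok "$1" || { echo "invalid alias name: $1" >&2; return 1; }
    awscli kms create-alias --region "$REGION" --alias-name "$1" --target-key-id "$2"
}

# Step 6: check the alias by resolving it to the key ID it targets.
alias_target() {
    awscli kms list-aliases --region "$REGION" \
        --query "Aliases[?AliasName=='$1'].TargetKeyId" --output text
}

# Manual rotation: create a fresh CMK and repoint the alias at it. Code that
# encrypts via the alias picks up the new key unchanged; the old CMK is left
# enabled so ciphertext produced under it can still be decrypted.
rotate_cmk_alias() {
    new_key=$(create_cmk "$2")
    awscli kms update-alias --region "$REGION" --alias-name "$1" --target-key-id "$new_key"
    printf '%s\n' "$new_key"
}

# The whole procedure; prints the key ID the alias resolves to at the end.
walkthrough() {
    first=$(create_cmk "First CMK")
    [ "$(check_cmk "$first")" = "Enabled" ] || { echo "CMK $first is not enabled" >&2; return 1; }
    create_cmk_alias alias/FirstCMK "$first"
    [ "$(alias_target alias/FirstCMK)" = "$first" ] || { echo "alias does not resolve" >&2; return 1; }
    rotate_cmk_alias alias/FirstCMK "First CMK, rotated" >/dev/null
    alias_target alias/FirstCMK
}

if [ "${1:-}" = "run" ]; then
    walkthrough
fi
```

The `--query`/`--output text` pair is how the CLI hands a single value (key ID, key state, alias target) to the shell without JSON parsing; the alias check goes through list-aliases because an alias cannot be described directly. Note that the rotation step deliberately leaves the previous CMK enabled rather than scheduling it for deletion.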