Create CMK

CMKs are the primary resources in AWS KMS. You can use a CMK to encrypt and decrypt up to 4 kilobytes (4096 bytes) of data. However, most commonly, you will use CMKs to generate, encrypt, and decrypt the data keys that you use outside of AWS KMS to encrypt your data.

In this section we will create a CMK with key material coming from AWS KMS, and later we will generate a CMK with your own key material.

Create CMK

In order to create our first CMK, we will use the AWS CLI in the instance. We will use it instead of the AWS console because it gives you deeper insight into and understanding of the process. Once you understand it, creating CMKs from the console will be a breeze.

  1. Connect to the instance we created.
  2. Set the Region for the AWS CLI.
  • Execute the command
aws configure
  • In the AWS Access Key ID section, don’t type anything, press Enter
  • In the AWS Secret Access Key section, don’t type anything, press Enter
  • In the Default region name section, enter us-east-1 (the region ID of the area you are working in), press Enter
  • In the Default output format section, don’t type anything, press Enter
  3. To create the CMK, execute the command:
aws kms create-key

  4. Check the CMK we created.

  • Go to the Key Management Service console.
  • Click Customer managed keys.
  • Check and note the Key ID of the CMK we created.

    Key aliases are very useful. They are easier to remember when operating with keys. Most importantly, when rotating keys, as we will see later in this section, we will not have to update our code with the new Key IDs or ARN references. By calling CMKs through their alias in our code, and updating the alias to point to the newly generated key, the amount of change in our code is minimized.

  5. To create the alias whose value is FirstCMK, execute the command:
aws kms create-alias --alias-name alias/FirstCMK --target-key-id '<key ID of your CMK>'

  6. Check the alias.
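The steps above, gathered into one script as an added example (not the workshop's own code): it creates the key, reads the KeyId from the JSON that `aws kms create-key` prints, attaches the alias, and goes one step further by checking that `describe-key` resolves the alias to the same key. It assumes the AWS CLI is configured for us-east-1 as in step 2 and that the instance role has kms:CreateKey, kms:CreateAlias and kms:DescribeKey; the sample JSON at the bottom is constructed (fake account and key ID) so the parsing can be exercised offline.

```sh
#!/bin/sh
# Added example, not part of the workshop. Assumes: AWS CLI configured for
# us-east-1; permissions kms:CreateKey, kms:CreateAlias, kms:DescribeKey.

# Extract "KeyId" from the KeyMetadata JSON without depending on jq. A key ID
# is a 36-character UUID, so the pattern is deliberately strict: an ARN or an
# alias name in that field does not match and the function prints nothing.
extract_key_id() {
  printf '%s' "$1" | tr -d '\n' |
    sed -n 's/.*"KeyId"[[:space:]]*:[[:space:]]*"\([0-9a-f-]\{36\}\)".*/\1/p'
}

# Create the CMK, attach alias/<name> (default FirstCMK), then confirm that
# describe-key resolves the alias to the same KeyId. Prints the KeyId on
# success and returns non-zero on any failure, so a caller can stop early.
create_cmk_with_alias() {
  alias_name=${1:-FirstCMK}
  out=$(aws kms create-key --description "Workshop CMK" --region us-east-1) || return 1
  key_id=$(extract_key_id "$out")
  [ -n "$key_id" ] || { echo "could not parse KeyId from create-key output" >&2; return 1; }
  aws kms create-alias --alias-name "alias/$alias_name" --target-key-id "$key_id" || return 1
  # Step 6 from the CLI: the alias must point at the key we just created.
  resolved=$(aws kms describe-key --key-id "alias/$alias_name" \
               --query KeyMetadata.KeyId --output text) || return 1
  [ "$resolved" = "$key_id" ] || { echo "alias/$alias_name does not resolve to $key_id" >&2; return 1; }
  echo "$key_id"
}

# Constructed sample of create-key output (fake account and key ID) for
# offline checks of extract_key_id; a real key is not needed to run this.
SAMPLE_CREATE_KEY_OUTPUT='{
    "KeyMetadata": {
        "AWSAccountId": "111122223333",
        "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "Arn": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "KeyState": "Enabled"
    }
}'
```

Run `create_cmk_with_alias FirstCMK` on the instance to perform steps 3, 5 and 6 in one go; the KeyId it prints is the one you would otherwise copy from the console in step 4.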