Adding Encryption to the Web App

Adding Encryption to the Web App

The S3 bucket with its corresponding files is well protected under Bucket Policies and IAM policies. Currently, the role we have set in the working instance, has read and write access to the S3 bucket. However, for some reason, other instances or users may need read access to the bucket. It might be desirable that we encrypt the files with the CMK we have created importing our key material, to add protection for our files in bucket.

We need to use the appropriate API to upload the files using Server Side Encryption “(SSE)” with AWS KMS and the CMK we created. The API as stated in the Amazon S3 documentation, has this structure:

s3.put_object(Bucket=BUCKET,
              Key='encrypt-key',
              Body=b'foobar',
              ServerSideEncryption='aws:kms',
              # Optional: SSEKMSKeyId
              SSEKMSKeyId=keyid)

We could very easily modify the code in our App to include the Server Side Encryption (SSE). However, it is more clear if we download a version of the WebApp with the changes already implemented in the code, and hence that provides Server Side Encryption using one of our CMKs.\

  1. Execute the below command to download fixed Web App
sudo wget https://raw.githubusercontent.com/aws-samples/aws-kms-workshop/master/WebAppEncSSE.py

Add Encryption

  1. Execute the command aws kms list-aliases
  • Save TargetKeyID of the CMK whose alias is ImportedCMK Add Encryption
  1. Execute the below command to run fixed Web App
sudo python WebAppEncSSE.py 80
  • Type TargetKeyID we save in step 2 Add Encryption
  1. Do to Web App by Public IP http://54.221.111.102 Add Encryption
  2. Reupload file SampleFile-KMS.txt we have created in section 5.1.
  • Click Browse, Select file SampleFile-KMS.txt
  • Click upload Add Encryption
  1. Check file SampleFile-KMS.txt. We see the encrypted file
  1. To see the detail of file SampleFile-KMS.txt Click SampleFile-KMS.txt Add Encryption
  2. In the detail information of file SampleFile-KMS.txt
  • In the Server-side encryption settings section, we will see the file was encrypted by AWS KMS with KMS Key ID of the CMK in ARN Add Encryption

    From the file browser Web App, you can download and display the file we have upload and encrypted. Remember that when using Server Side Encryption with KMS, you don´t need to provide any additional information for getting the object; S3 is able to know how to decrypt the object from the metadata.