By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
For AWS Solutions Architect – Associate (SAA-C03) and Real-World Production
You’re a cloud engineer at a fintech startup. Your team just migrated a monolithic app to AWS, and compliance requires all customer data to be encrypted at rest and in transit. Your CISO drops a bombshell: "We need FIPS 140-2 Level 3 compliance for our payment processing keys—no exceptions."
This is where AWS KMS (Key Management Service) and CloudHSM (Hardware Security Module) come in. KMS is your Swiss Army knife for encryption—cheap, scalable, and integrated with 100+ AWS services. CloudHSM is your Fort Knox: a dedicated, single-tenant appliance for ultra-sensitive keys (think PCI-DSS, HIPAA, or government workloads).
Why this matters in production:- If you ignore encryption, you risk data breaches (average cost: $4.45M per incident—IBM 2023).- If you misconfigure KMS, your app crashes when keys rotate, or you pay $1/10,000 API calls for unnecessary requests.- If you use CloudHSM wrong, you’ll burn $1,200/month on an idle HSM or fail an audit because you didn’t enforce quorum authentication.
Real-world scenario:You inherit a legacy app where developers hardcoded a plaintext encryption key in GitHub. You need to: 1. Replace it with KMS envelope encryption (cheap, scalable).2. Migrate the most sensitive keys to CloudHSM (compliance).3. Automate key rotation without breaking the app.
This guide gives you the exact steps to do this—no fluff.
aws --version
secret.txt
# Create a CMK with a key policy allowing your IAM user to use it aws kms create-key \ --description "My CMK for envelope encryption" \ --key-usage ENCRYPT_DECRYPT \ --origin AWS_KMS \ --bypass-policy-lockout-safety-check # Store the Key ID (e.g., "1234abcd-12ab-34cd-56ef-1234567890ab") KEY_ID=$(aws kms create-key --query KeyMetadata.KeyId --output text) # Attach a key policy (replace ACCOUNT_ID and USER_ARN) cat > key-policy.json <<EOF { "Version": "2012-10-17", "Id": "key-policy", "Statement": [ { "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::ACCOUNT_ID:root" }, "Action": "kms:*", "Resource": "*" }, { "Sid": "Allow use of the key", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::ACCOUNT_ID:user/YOUR_USERNAME" }, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": "*" } ] } EOF aws kms put-key-policy \ --key-id $KEY_ID \ --policy-name default \ --policy file://key-policy.json
Verify:
aws kms describe-key --key-id $KEY_ID
Expected output: "KeyState": "Enabled"
"KeyState": "Enabled"
# Generate a 256-bit data key (returns plaintext + encrypted versions) aws kms generate-data-key \ --key-id $KEY_ID \ --key-spec AES_256 \ --query '[Plaintext, CiphertextBlob]' \ --output text > data-key.txt # Split into plaintext (for encryption) and encrypted (to store) PLAINTEXT_KEY=$(head -n 1 data-key.txt | base64 --decode) ENCRYPTED_KEY=$(tail -n 1 data-key.txt)
⚠️ Security Warning:- Never log $PLAINTEXT_KEY (e.g., echo $PLAINTEXT_KEY).- Store $ENCRYPTED_KEY securely (e.g., in S3 with KMS encryption).
$PLAINTEXT_KEY
echo $PLAINTEXT_KEY
$ENCRYPTED_KEY
# Encrypt secret.txt with the plaintext data key openssl enc -aes-256-cbc -salt -in secret.txt -out secret.enc -pass pass:$PLAINTEXT_KEY # Store the encrypted data key alongside the encrypted file echo $ENCRYPTED_KEY | base64 --decode > secret-key.enc
ls -l secret.*
Expected output:
-rw-r--r-- 1 user user 48 May 10 12:00 secret.enc # Encrypted file -rw-r--r-- 1 user user 256 May 10 12:00 secret-key.enc # Encrypted data key
# Decrypt the data key with KMS DECRYPTED_KEY=$(aws kms decrypt \ --ciphertext-blob fileb://secret-key.enc \ --query Plaintext \ --output text | base64 --decode) # Decrypt the file openssl enc -aes-256-cbc -d -in secret.enc -out secret-decrypted.txt -pass pass:$DECRYPTED_KEY
cat secret-decrypted.txt
Expected output: Original content of secret.txt.
json { "Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab" }
bash aws kms enable-key-rotation --key-id $KEY_ID
bash aws kms tag-resource --key-id $KEY_ID --tags TagKey=Environment,TagValue=Production
alias/my-app-key
bash aws kms create-alias --alias-name alias/my-app-key --target-key-id $KEY_ID
KMS:KeyUsage
KMS:ThrottledRequests
GenerateDataKey
Decrypt
AccessDeniedException
Plaintext
"You need to encrypt a 10GB file in S3. What’s the most cost-effective way?"
KMS vs. CloudHSM:
"Your app requires FIPS 140-2 Level 3 compliance. Which service should you use?"
Key Rotation:
"You enabled automatic key rotation for a CMK. What happens to existing encrypted data?"
Key Policies:
kms:Decrypt
AccessDenied
Challenge:You’re encrypting a file with KMS envelope encryption. Your app crashes when decrypting because the data key was lost. How do you recover?
Solution:1. Store the encrypted data key (CiphertextBlob) alongside the encrypted file.2. Use kms:Decrypt to recover the plaintext data key when needed.
CiphertextBlob
Why it works:- The encrypted data key is safe to store (it’s useless without KMS).- KMS can always decrypt the data key if the IAM user has kms:Decrypt permission.
# Create a CMK aws kms create-key --description "My CMK" # Generate a data key (256-bit) aws kms generate-data-key --key-id $KEY_ID --key-spec AES_256 # Encrypt a file with a data key (OpenSSL) openssl enc -aes-256-cbc -salt -in file.txt -out file.enc -pass pass:$PLAINTEXT_KEY # Decrypt a data key with KMS aws kms decrypt --ciphertext-blob fileb://secret-key.enc # Enable key rotation aws kms enable-key-rotation --key-id $KEY_ID # Create an alias aws kms create-alias --alias-name alias/my-key --target-key-id $KEY_ID
# Initialize a CloudHSM cluster aws cloudhsmv2 initialize-cluster --cluster-id $CLUSTER_ID --signed-cert file://cert.pem # Install the CloudHSM client on EC2 sudo yum install -y cloudhsm-client # List HSMs in a cluster aws cloudhsmv2 describe-clusters --filters clusterIds=$CLUSTER_ID
enable-key-rotation
modify-cluster
Final Tip:Bookmark this guide. When you’re debugging a KMS:AccessDenied error at 2 AM, you’ll thank yourself. ?
KMS:AccessDenied
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.