Questions tagged [amazon-kms]

AWS Key Management Service (KMS) is an encryption and key management service scaled for the cloud. KMS keys and functionality are used by other AWS services, and you can use them to protect data in your own applications that use AWS.

704 questions
329 votes, 13 answers

boto3 client NoRegionError: You must specify a region error only sometimes

I have a boto3 client: boto3.client('kms'). But it happens on new machines; they open and close dynamically. if endpoint is None: if region_name is None: # Raise a more specific error message that will give #…
WebQube
81 votes, 3 answers

How to use Async and Await with AWS SDK Javascript

I am working with the AWS SDK using the KMS library. I would like to use async and await instead of callbacks. import AWS, { KMS } from "aws-sdk"; this.kms = new AWS.KMS(); const key = await this.kms.generateDataKey(); However, this does not work,…
Kay
53 votes, 3 answers

What is Sid attribute use for in key policies?

Here is the documentation: Sid – (Optional) The Sid is a statement identifier, an arbitrary string you can use to identify the statement. Does it mean that the Sid parameter is just a description?
Cherry
35 votes, 5 answers

Minimal KMS permissions to copy a database snapshot

I am trying to set up minimal permissions for doing aws rds copy-db-snapshot with a KMS encryption key: $ aws rds copy-db-snapshot --source-db-snapshot-identifier rds-backup-share- mysql --target-db-snapshot-identifier…
svenwltr
32 votes, 4 answers

The ciphertext refers to a customer master key that does not exist,

I have a lambda which accesses S3. Before, this lambda program worked well. But recently I changed the KMS key of S3 or some other security group setting (the lambda source code doesn't change), and now there comes an error. I guess this lambda and S3 are not on…
whitebear
29 votes, 5 answers

Attempting to decrypt ciphertext within a Lambda function using KMS results in timeout

When decrypting ciphertext from the command line using the AWS CLI, the ciphertext gets decrypted without issues: $ aws kms decrypt --ciphertext-blob fileb://encrypted-secrets --output text --query Plaintext --region us-east-1 | base64 --decode >…
20 votes, 1 answer

Does AWS RDS encryption with KMS affect performance?

Amazon states that Encryption and decryption are handled transparently so you don’t have to modify your application to access your data My application (Rails, MySQL, Elasticsearch) builds a lot of graphics and therefore queries a lot of data.…
borisano
19 votes, 4 answers

How can I call Amazon's AWS kms decrypt function without using a binary file?

I have code that retrieves a string that was encrypted using Amazon's aws kms encrypt function. I would like to call aws kms decrypt to get back the unencrypted value, but I would like to do this without writing the string to a binary file. All…
Bert Cushman
17 votes, 4 answers

The new key policy will not allow you to update the key policy in the future

The title says it all. I am getting this error whenever I try to create a KMS key via an AWS CloudFormation template. I am creating the template as an IAM user with administrative permissions, and I want the key to be manageable by any IAM user in…
Rabadash8820
15 votes, 3 answers

How exactly does encryption key rotation work?

How exactly does encryption key rotation work? I understand it's a very good practice to continuously rotate your encryption keys for security purposes, but rotating a key would require too much work. Case: Let's just say I have a database storing…
12 votes, 1 answer

AWS IAM policy: Multiple Actions and Multiple Resources

It is a question on AWS IAM policy: multiple Actions with multiple Resources (presumably not related). I have a parameter 'myparam' encrypted with 'mykey', and I have a policy as below with separate blocks, one for the param and one for the key; it works. { { …
Krishna
12 votes, 3 answers

What is the purpose of kms:GenerateDataKey in AWS?

I'm writing a serverless function on AWS Lambda. On certain instances I need to use kms:GenerateDataKey* permissions. What exactly is the purpose of this? I checked the AWS documentation but it is too cryptic. Can someone give a practical example…
tmp dev
12 votes, 2 answers

How do I access the current user in a cloudformation template?

I want to create a KMS key using CloudFormation. I want to be able to provide the user executing the CloudFormation YAML file (I'll call them "cloudformation-runner") administrative access to the key they create. I can set up the IAM policy to…
Aishwar
12 votes, 1 answer

Message "Did not have IAM permissions to process tags on AWS::KMS::Key resource" When Creating KMS Key Using Cloudformation

While creating a new KMS key using CloudFormation I see this message in the "Status Reason" column: Did not have IAM permissions to process tags on AWS::KMS::Key resource. The CloudFormation stack seems to be created correctly, but I was wondering…
Nic
12 votes, 2 answers

How do I get AWS cross-account KMS keys to work?

I'm trying to set up cross-account access to allow for an external account to use my KMS key to decrypt data from an S3 bucket. I have the key, policies, roles set up with what I believe is the correct grants but I can't describe the key from the…
Ryan Fisher