AWS Security Series: Key Management Service (KMS)
4.3 (71 ratings)
2,609 students enrolled

Learn the key components of KMS with hands-on labs.
Last updated 5/2018
This course includes
  • 2.5 hours on-demand video
  • 1 article
  • 1 downloadable resource
  • Full lifetime access
  • Access on mobile and TV
  • Certificate of Completion
What you'll learn
  • Students will gain a thorough understanding of Key Management Service (KMS) and its workings.
  • Prepare for AWS certification exams that demand in-depth knowledge of KMS.
  • Students will learn how to protect data at rest using KMS.
Requirements
  • Basic AWS knowledge is required
  • Basic knowledge of encryption/decryption

This course provides a complete hands-on introduction to AWS Key Management Service (KMS). We have a fast-paced style of delivery. The lectures and labs/demos are planned and edited to pack the most content into the shortest time. This is a must-take course to pass the AWS Security exam. Taught by an instructor who has successfully passed the AWS Security Specialty Exam.

This course includes labs/demos using the Management Console and the command line interface (CLI).

What the students are saying:

"The pace is good, the presenter speaks very clearly, and the information is presented in a very straightforward way - it is clear they thought a lot about how to present the information in the most clear and concise way."

"Very clear Awesome Pace"

"I really enjoyed the course. I picked up a thing or 2. I think the topic was covered well."

"Great explanation on basic fundamentals"

We will cover topics including:

- Customer Master Key creation with Imported Key Materials

- Generating and using data keys

- Using CMK to import data

- Key Rotation

- Key Access controls 

- AWS Managed vs Customer Managed Keys

- Key Lifecycle Management

Why take this course?

1) KMS is integral to encryption of data on AWS.

2) KMS is featured in several AWS exams and heavily featured in the AWS Security exam.

3) To get a good understanding of KMS so you can identify which of the solutions KMS provides best fits your needs.

4) You will get all the future updates we have on the course.

5) Get free Course Slides that you can use for study 

6) 30-day money-back guarantee. If you aren't satisfied, we will happily refund you.

7) The instructor is 5x AWS Certified, including the AWS Security Specialty cert, where KMS is heavily featured.

Who this course is for:
  • Anyone learning and using AWS
  • Anyone who needs to secure data on AWS using encryption keys they manage
  • Those preparing for the AWS Security Specialty Exam and other exams
Course content
26 lectures 02:27:48
+ KMS: Components, Terminologies and Cost
4 lectures 17:50
Components of KMS

KMS Pricing and cost
Demo: Customer Master Key Creation
+ KMS Access Control
8 lectures 58:09

IAM policy Evaluation Logic:


Access Control on KMS Lecture
LAB: Create KMS Access IAM Policy
LAB: Create IAM Users that can use the keys
LAB: Create a Customer Master Key with KMS Generated Key Material

Importing Key Material Reference:

LAB: Create a Customer Master Key with Imported Key Material

CLI Documentation Page with install links:

Install the AWS Command Line Interface (CLI)
LAB: Setup User Profiles on the Command Line Interface
LAB: KMS and Customer Master Key Access Control
+ Putting the Customer Master Key (CMK) to use
7 lectures 49:50
LAB: Encrypt data with Data Keys
LAB: Encrypt S3 buckets and objects using a KMS Customer Master Key
LAB: Encrypt S3 objects with CMK using the Command Line Interface (CLI)

I have added this access control lab in this section because we have to know a few commands for this lab, which we covered in this section.


  • Encrypt a plaintext with userB: aws kms encrypt --plaintext "hello" --key-id alias/myKMSgeneratedKey --profile userB
  • Encrypt a plaintext with userD: aws kms encrypt --plaintext "hello" --key-id alias/myKMSgeneratedKey --profile userD
  • Go to the CLI documentation and read the create-grant section. Aliases are not supported for this command. There are a few mandatory fields and some optional ones.
  • Command to create grant: aws kms create-grant --key-id arn:aws:kms:us-east-1:3700003135:key/2a3434343d9-8296-4ed4-bc5c-398e5c4cc449  --grantee-principal arn:aws:iam::3782223433135:user/userD --name "userD-grant" --operations "Encrypt"  --profile userB
  • Use the grant token to encrypt with userD. All you need to provide is the key ID and the grant token that was returned by the previous request.
  • Try generating Data Key with the grant token: aws kms generate-data-key --key-id arn:aws:kms:us-east-1:3784433135:key/2a82fad9-8296-4ed4-bc5c-398e5c4cc449 --grant-tokens Abcdefddsdsd --profile userD
  • Use a grant token to generate data keys for userD; userD should be able to generate data keys: aws kms generate-data-key --key-id arn:aws:kms:us-east-1:378423343435:key/2adssdsfad9-8296-4ed4-bc5c-398sdsdc449 --grant-tokens xxxxxxxx --number-of-bytes 256 --profile userD
  • List all the grants: aws kms list-grants --key-id arn:aws:kms:us-east-1:378423433135:key/2a82fad9-8296-4ed4-bc5c-398e5c4cc449 --profile userB
  • Revoke grant to stop userD from using it: aws kms revoke-grant --key-id arn:aws:kms:us-east-1:378423433135:key/2a82fad9-8296-4ed4-bc5c-398e5c4cc449 --grant-id b2f1a9178327deceac90c9e5525adf7d2a79ce6aa6382a0c32fc148c379f90a3 --profile userB
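
An added example, not part of the course material: a Python check over `aws kms list-grants` output that shows which operations each grant covers (the Encrypt-only grant above does not, on its own, cover generate-data-key) and which grants are candidates for revoke-grant. The JSON is constructed; the account ID, key ID, grant IDs and userE are placeholders, and only grants are modelled, not key policy or IAM policy.

```python
import json

# Constructed sample shaped like `aws kms list-grants` output. The account ID,
# key ID, grant IDs and userE are placeholders, not values from the lab.
KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
USER_D = "arn:aws:iam::111122223333:user/userD"
USER_E = "arn:aws:iam::111122223333:user/userE"
SAMPLE = json.loads("""
{"Grants": [
  {"KeyId": "%s", "GrantId": "EXAMPLE-GRANT-ID-1", "Name": "userD-grant",
   "GranteePrincipal": "%s", "Operations": ["Encrypt"]},
  {"KeyId": "%s", "GrantId": "EXAMPLE-GRANT-ID-2", "Name": "leftover",
   "GranteePrincipal": "%s", "Operations": ["Decrypt", "CreateGrant"]}
]}""" % (KEY, USER_D, KEY, USER_E))


def grants_for(listing, principal):
    """Return the grants whose grantee is `principal`."""
    return [g for g in listing.get("Grants", [])
            if g.get("GranteePrincipal") == principal]


def grant_allows(listing, principal, operation):
    """True if any grant to `principal` lists `operation`.
    Only grants are considered; key policy and IAM policy are out of scope."""
    return any(operation in g.get("Operations", [])
               for g in grants_for(listing, principal))


def audit(listing, expected):
    """Compare each grant with `expected` ({principal: set of operations}).
    Returns (grant_id, principal, unexpected_operations) for every grant that
    goes beyond what was intended."""
    findings = []
    for g in listing.get("Grants", []):
        principal = g.get("GranteePrincipal")
        extra = set(g.get("Operations", [])) - expected.get(principal, set())
        if extra:
            findings.append((g["GrantId"], principal, sorted(extra)))
    return findings


def revoke_command(key_id, grant_id, profile):
    """Build the lab's revoke-grant call for a flagged grant."""
    return ("aws kms revoke-grant --key-id {} --grant-id {} --profile {}"
            .format(key_id, grant_id, profile))
```

Feed `audit` the parsed output of the list-grants step with the operations you intended per principal; each finding's grant ID goes into `revoke_command`.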
Preview 10:54
LAB: Encrypt an EBS volume with your KMS Customer Master Key
LAB: Encrypt an unencrypted EBS volume
+ KMS Key Management: Disabling, Rotating and Deleting Keys
3 lectures 15:45
Key Management Lecture: Disable, Rotate and Delete CMKs
LAB: Disable a Customer Master Key (CMK)
LAB: Delete a Customer Master Key (CMK)
+ Course Summary
1 lecture 01:56

Check your knowledge of KMS with this set of questions. 

5 questions