The Basics is a ey anagement ervice that let you create Cryptographic keys that you can use to encrypt and decrypt data and also other keys. You can read more about it . AWS KMS K M S here Important points about Keys Please note that the customer master keys(CMK) generated can only be used to encrypt small amount of data like passwords, RSA key. You can use AWS KMS CMKs to generate, encrypt, and decrypt data keys. However, AWS KMS does not store, manage, or track your data keys, or perform cryptographic operations with data keys. You must use and manage data keys outside of AWS KMS. KMS API uses AWS KMS CMK in the encryption operations and they cannot accept more than 4 KB (4096 bytes) of data. To encrypt application data, use the server-side encryption features of an AWS service, or a client-side encryption library, such as the AWS Encryption SDK or the Amazon S3 encryption client. Scenario We want to create signup and login forms for a website. Passwords should be encrypted and stored in DynamoDB database. What do we need? KMS key to encrypt and decrypt data DynamoDB table to store password. Lambda functions & APIs to process Login and Sign up forms. Sign up/ Login forms in HTML. Lets Implement it as Serverless Application Model (SAM)! Lets first create the Key that we will use to encrypt and decrypt password. KmsKey: Type: AWS::KMS::Key Properties: Description: CMK for encrypting and decrypting KeyPolicy: Version: '2012-10-17' Id: key-default-1 Statement: - Sid: Enable IAM User Permissions Effect: Allow Principal: AWS: !Sub arn:aws:iam::${AWS::AccountId}:root Action: kms:* Resource: '*' - Sid: Allow administration of the key Effect: Allow Principal: AWS: !Sub arn:aws:iam::${AWS::AccountId}:user/${KeyAdmin} Action: - kms: Create* - kms: Describe* - kms: Enable* - kms: List* - kms: Put* - kms: Update* - kms: Revoke* - kms: Disable* - kms: Get* - kms: Delete* - kms: ScheduleKeyDeletion - kms: CancelKeyDeletion Resource: '*' - Sid: Allow use of the key Effect: Allow Principal: AWS: !Sub arn:aws:iam::${AWS::AccountId}:user/${KeyUser} Action: - kms: DescribeKey - kms: Encrypt - kms: Decrypt - kms: ReEncrypt* - kms: GenerateDataKey - kms: GenerateDataKeyWithoutPlaintext Resource: '*' The important thing in above snippet is the . KMS requires a Key Administrator and Key User. As a best practice your Key Administrator and Key User should be 2 separate user in your Organisation. We are allowing all permissions to the root users. KeyPolicy So if your key Administrator leaves the organisation, the root user will be able to delete this key. As you can see can manage the key but not use it and can only use the key. and are parameters in the SAM template. KeyAdmin KeyUser ${KeyAdmin} ${KeyUser} You would be asked to provide values for these parameters during SAM Deploy. Parameters: KeyAdmin: Type: String KeyUser: Type: String Next, we will create DynamoDB table. The partition key will be user id. This is enough. You can additional attributes as required. myDynamoDBTable: Type: AWS::DynamoDB::Table Properties: BillingMode: PAY_PER_REQUEST AttributeDefinitions: - AttributeName: "userid" AttributeType: "S" KeySchema: - AttributeName: "userid" KeyType: "HASH" Now, lets create the API and Lambda handler that will process the Signup and Login requests. ApiGatewaySignupApi: Type: AWS::Serverless::Api Properties: StageName: Prod Auth: UsagePlan: CreateUsagePlan: PER_API Description: Usage plan for this API Quota: Limit: 500 Period: MONTH Throttle: BurstLimit: 100 RateLimit: 50 SignupFunction: Type: AWS::Serverless::Function Properties: Environment: Variables: userTable: !Ref myDynamoDBTable keyid: !Ref KmsKey CodeUri: Lambda/ Handler: signup.lambda_handler Runtime: python3.8 Policies: - DynamoDBCrudPolicy: TableName: !Ref myDynamoDBTable - KMSEncryptPolicy: KeyId: !Ref KmsKey - KMSDecryptPolicy: KeyId: !Ref KmsKey Events: getCounter: Type: Api Properties: Path: /signup Method: POST RestApiId: !Ref ApiGatewaySignupApi ApiGatewayLoginApi: Type: AWS::Serverless::Api Properties: StageName: Prod Auth: UsagePlan: CreateUsagePlan: PER_API Description: Usage plan for this API Quota: Limit: 500 Period: MONTH Throttle: BurstLimit: 100 RateLimit: 50 LoginFunction: Type: AWS::Serverless::Function Properties: Environment: Variables: userTable: !Ref myDynamoDBTable keyid: !Ref KmsKey CodeUri: Lambda/ Handler: login.lambda_handler Runtime: python3.8 Policies: - DynamoDBCrudPolicy: TableName: !Ref myDynamoDBTable - KMSEncryptPolicy: KeyId: !Ref KmsKey - KMSDecryptPolicy: KeyId: !Ref KmsKey Events: getCounter: Type: Api Properties: Path: /login Method: POST RestApiId: !Ref ApiGatewayLoginApi Here, we are creating 2 Lambda handlers, one that handles signup and other handles the login. We are limiting the usage of API under property. This is to prevent abuse of our API. We are setting two environment variables, one for database table name and another for KMS key name. Auth We are not hard-coding the table/key names instead we let cloud formation to name it and we set it as environment variables with auto generated values. This will prevent name conflicts of resources and you can run multiple versions of your whole cloud environment. Then we set policy that allow Lambda to access DynamoDB and the key. You can find 'out of box' SAM policy templates . here With , we create the API Gateway resources. Events The final part of SAM template is Output section. Outputs: ApiGatewaySignupApi: Description: "API Gateway endpoint URL for Prod stage for Hello World function" Value: !Sub "https://${ApiGatewaySignupApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/signup/" SignupFunction: Description: "Sign Up Lambda Function ARN" Value: !GetAtt SignupFunction.Arn ApiGatewayLoginApi: Description: "API Gateway endpoint URL for Prod stage for Hello World function" Value: !Sub "https://${ApiGatewayLoginApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/login/" LoginFunction: Description: "Login Lambda Function ARN" Value: !GetAtt LoginFunction.Arn We output 2 important URLs in above section, and , We use these URLsin the frontend HTML form's attribute. See below: ApiGatewayLoginApi ApiGatewaySignupApi action Sign Up Username: Password: < > html < > head </ > head < > body < > h1 </ > h1 < = = = > form action "https://51v5ifsje1.execute-api.us-east-2.amazonaws.com/Prod/signup/" enctype "application/x-www-form-urlencoded" method "POST" < > label </ > label < = = = > input type "text" name "uname" id "uname" </ > input < > br < > br < > label </ > label < = = = > input type "password" name "password" id "password" </ > input < > br < > br < = > input type "submit" </ > input </ > form </ > body </ > html Login username: password: < > html < > head </ > head < > body < > h1 </ > h1 < = = = > form action "https://4ezqeugqlf.execute-api.us-east-2.amazonaws.com/Prod/login/" enctype "application/x-www-form-urlencoded" method "POST" < > label </ > label < = = = > input type "text" name "uname" id "uname" </ > input < > br < > br < > label </ > label < = = = > input type "password" name "password" id "password" </ > input < > br < > br < = > input type "submit" </ > submit </ > form </ > body </ > html In HTML, we are using encoding type as "enctype="application/x-www-form-urlencoded". With this type of encoding, the form data is sent in below format. username=doryfish&password=nemo The last piece in the puzzle is the Lambda handlers. Lets check it out. Python uses to access AWS. Boto3 json urllib.parse parse_qs urllib.parse boto3 logging os base64 log = logging.getLogger() log.setLevel(logging.INFO) log.info(event) log.info(event.get( )) qs = parse_qs(event.get( )) log.info(qs) uname = qs.get( )[ ] pwd = qs.get( )[ ] dynamodb = boto3.resource( ) table = dynamodb.Table(os.environ[ ]) log.info( +os.environ[ ]) key = os.environ[ ] client = boto3.client( ) response = client.encrypt( Plaintext=pwd, KeyId=key ) log.info(response[ ]) b64_pass = str(base64.b64encode(response[ ]), ) log.info(b64_pass) response = table.update_item( Key={ : uname }, AttributeUpdates={ : { : b64_pass, } } ) data = {} data[ ] = json_data = json.dumps(data) { : , : json_data } import from import import import import import import : def lambda_handler (event, context) "body" "body" "uname" 0 "password" 0 'dynamodb' 'userTable' 'key id:' 'keyid' 'keyid' 'kms' #Encrypt password 'CiphertextBlob' 'CiphertextBlob' 'utf-8' 'userid' 'password' 'Value' 'status' 'Signup Success' return 'statusCode' 200 'body' The first two statements are logging statements, this is useful in debugging and the log statements will be logged in CloudWatch logs. The module is used to read the form data from object. parse_qs event Data are returned as a dictionary. The dictionary keys are the unique query variable names and the values are lists of values for each name. Hence, in next 2 statements, we get the first value for each of type - uname and password. We retrieve the DynamoDB table using the table name from environment variable - . Environment variables in Lambda can be accessed using . userTable os.environ['key'] Now we got the username and password. Its time to encrypt the password and store it in DB. Password to encrypt is passed to attribute of the encrypt request and key id is retrieved from environment variable. Plaintext is the encrypted binary value in the response object. For example: CiphertextBlob '\x01\x02\x02\x00x\x9dN"\xa4\xf9\xfe\xb4\xc7&\x01\xdc\xb6J\xdf\xf1\xdc\xf2;)|7\x1b\'{8\xe6(\x80Q\xe5\x11\x8c\x010w"-\x11w\x10b\x9d\xd0w\xa7+\xd1\xa5\xc5\x00\x00\x00e0c\x06\t*\x86H\x86\xf7\r\x01\x07\x06\xa0V0T\x02\x01\x000O\x06\t*\x86H\x86\xf7\r\x01\x07\x010\x1e\x06\t`\x86H\x01e\x03\x04\x01.0\x11\x04\x0ca\xb4\xaa\x00\x10\xc0\xd1\xa6r\x07\xce\xc7\x02\x01\x10\x80"@\nL\xde<\x03s\xc6\xe0g\x80\xd4\x87\x8e\x1e\t\xa2\xac\x10\xfek\xb6\x1d\xf3\x87\x910\xabf\xd1d}x\xdb' Now we convert this binary value to ASCII text using str(base64.b64encode(response[ ]), ) 'CiphertextBlob' 'utf-8' and the end result we store it in database. AQICAHidTiKk+f xyYB LZK /Hc jspfDcbJ s iiAUeURjAEwdyItEXcQYp Qd cr aXFAAAAZTBjBgkqhki w BBwagVjBUAgEAME GCSqGSIb DQEHATAeBglghkgBZQMEAS wEQQMYbSqABDA aZyB HAgEQgCJACkzePA JoqwQ/mu HfOHkTCrZtFkfXjb 60 3 3 8 3 45 3 6 0 G9 0 8 3 4 0 87 NzxuBngNSHjh4 2 In Login Lambda handler, username and password is retrieved from the request like we did in Sign Up. json urllib.parse parse_qs urllib.parse boto3 secrets logging os base64 log = logging.getLogger() log.setLevel(logging.INFO) log.info(event.get( )) qs = parse_qs(event.get( )) uname = qs.get( )[ ] pwd = qs.get( )[ ] dynamodb = boto3.resource( ) table = dynamodb.Table(os.environ[ ]) response = table.get_item(Key={ : uname}) json_str = json.dumps( response[ ]) resp_dict = json.loads(json_str) dbpass = resp_dict.get( ) log.info( +os.environ[ ]) key = os.environ[ ] client = boto3.client( ) response = client.decrypt( CiphertextBlob=(base64.b64decode(dbpass)), KeyId=key ) log.info( ) decryptedPass = response[ ].decode( ) response = {} decryptedPass == pwd : response[ ] = { : , : json.dumps(response) } : response[ ] = { : , : json.dumps(response) } import from import import import import import import import : def lambda_handler (event, context) "body" "body" "uname" 0 "password" 0 'dynamodb' 'userTable' 'userid' 'Item' #using json.loads will turn your data into a python dictionary "password" #Decrypt password 'key id:' 'keyid' 'keyid' 'kms' "Decrypted value" 'Plaintext' 'UTF-8' if 'status' 'Login Success' return 'statusCode' 200 'body' else 'status' 'Login Failed' return 'statusCode' 200 'body' In decrypt request, the encrypted password string from database is converted into binary using and passed to the attribute. Decrypted password is returned as bytes in attribute of response. base64.b64decode(dbpass) CiphertextBlob Plaintext The password is encoded in UTF-8 to get the final decrypted password. The decrypted password is then compared with the password from the request and if it matches, response is sent back. 'Login Success' Phew! Finally, we are done coding.. Lets test it out. Lets do SAM build and Deploy. Stack creation complete! Testing Note that we are not deploying HTML forms as static site on S3 but we will locally open the forms in browser and hit the APIs. Add username/password, hit submit. Sign Up is Successful! Item in database. Password is encrypted Now, Login using the same username and password Login Success! Source Code: https://github.com/rajanpanchal/aws-kms-signup-login In next post, we will extend this example to use AWS STS! Previously published at https://rajanpanchal.net/aws-kms-solution/