creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-10 21:24:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
Anthropic-Cybersecurity-Skills/skills/implementing-envelope-encryption-with-aws-kms/references/api-reference.md
T
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal 
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

1.9 KiB
Raw Permalink Blame History

API Reference — Implementing Envelope Encryption with AWS KMS

Libraries Used

  • boto3: AWS SDK for KMS key management and data key generation
  • cryptography: AES-256-GCM for local data encryption with generated data keys

CLI Interface

python agent.py --region us-east-1 encrypt --input <file> --output <out> --key-id <kms_key>
python agent.py --region us-east-1 decrypt --input <encrypted> --output <out>
python agent.py --region us-east-1 list-keys
python agent.py --region us-east-1 audit --key-id <kms_key>

Core Functions

generate_data_key(kms_key_id, region)

Generates a data encryption key (DEK) using AWS KMS.

  • kms.generate_data_key(KeyId=key_id, KeySpec="AES_256")
  • Returns plaintext key (for local encryption) and encrypted key (for storage).

encrypt_data(plaintext_bytes, kms_key_id, region)

Performs envelope encryption: generates DEK via KMS, encrypts data locally with AES-256-GCM, stores encrypted DEK alongside ciphertext.

decrypt_data(envelope, region)

Decrypts envelope: calls kms.decrypt(CiphertextBlob=encrypted_key) to recover DEK, then decrypts data locally.

list_kms_keys(region)

Lists KMS keys with metadata using kms.list_keys() and kms.describe_key().

audit_key_policy(key_id, region)

Audits KMS key policy for overly permissive principals (Principal: "*").

  • kms.get_key_policy(KeyId=key_id, PolicyName="default")

boto3 KMS API Calls

Method Purpose
kms.generate_data_key(KeyId, KeySpec) Generate plaintext + encrypted DEK
kms.decrypt(CiphertextBlob) Decrypt encrypted DEK back to plaintext
kms.list_keys() List all KMS keys in the account
kms.describe_key(KeyId) Get key metadata (state, usage, origin)
kms.get_key_policy(KeyId, PolicyName) Get key resource policy JSON

Dependencies

pip install boto3>=1.28 cryptography>=41.0
Reference in New Issue View Git Blame Copy Permalink