Anthropic-Cybersecurity-Skills/skills/implementing-envelope-encryption-with-aws-kms/assets/template.md

Envelope Encryption with AWS KMS Template

Prerequisites Checklist

  • AWS account with KMS access
  • IAM policy allows kms:GenerateDataKey, kms:Decrypt, kms:ReEncrypt
  • KMS Customer Managed Key (CMK) created
  • CloudTrail logging enabled for KMS events
  • boto3 and cryptography Python libraries installed

IAM Policy Template

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:DescribeKey"
      ],
      "Resource": "arn:aws:kms:us-east-1:123456789012:key/your-key-id"
    }
  ]
}

KMS Key Policy Template

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowKeyAdministration",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/KeyAdmin"},
      "Action": [
        "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
        "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
        "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowKeyUsage",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/AppRole"},
      "Action": ["kms:Decrypt", "kms:GenerateDataKey", "kms:ReEncrypt*"],
      "Resource": "*"
    }
  ]
}

Quick Reference

import boto3
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
import os

kms = boto3.client('kms')
data = b'plaintext to protect'  # bytes to encrypt

# Encrypt: KMS returns a fresh data key in two forms; only the encrypted form is stored
resp = kms.generate_data_key(KeyId='alias/my-key', KeySpec='AES_256')
plaintext_key = resp['Plaintext']
encrypted_key = resp['CiphertextBlob']

nonce = os.urandom(12)  # 96-bit nonce, must be unique per encryption under this data key
ciphertext = AESGCM(plaintext_key).encrypt(nonce, data, None)
del plaintext_key  # drop the plaintext data key as soon as it is no longer needed
# Store: encrypted_key + nonce + ciphertext

# Decrypt: KMS unwraps the data key (kms:Decrypt), then AES-GCM verifies and decrypts locally
resp = kms.decrypt(CiphertextBlob=encrypted_key)
plaintext_key = resp['Plaintext']
data = AESGCM(plaintext_key).decrypt(nonce, ciphertext, None)
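The quick reference above leaves two things to the reader: how to package encrypted_key, nonce and ciphertext into one stored blob, and how to test the flow without AWS credentials. The following is an added example, not part of the original template or the skill's own code. It defines a simple blob format with a length prefix, binds the ciphertext to the wrapped key via AES-GCM associated data, passes an EncryptionContext to the KMS calls (both generate_data_key and decrypt accept it in boto3), and supplies a constructed LocalKmsStub that mimics the shape of boto3's KMS client so the code runs offline. The stub, the MAGIC header, the blob layout and the function names are all assumptions for illustration; in production the stub is replaced by boto3.client('kms').

```python
"""Envelope encryption helper with a boto3-shaped KMS interface (added example).

Any `kms` object exposing generate_data_key(KeyId=, KeySpec=, EncryptionContext=)
and decrypt(CiphertextBlob=, EncryptionContext=) returning dicts with
'Plaintext' / 'CiphertextBlob' works here; that is the shape boto3's KMS client returns.
LocalKmsStub is a constructed stand-in for offline use, not AWS code.
"""
import os
import struct
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

MAGIC = b"ENV1"  # assumed format marker: MAGIC | u16 wrapped-key length | wrapped key | 12-byte nonce | ciphertext


class LocalKmsStub:
    """Offline stand-in for boto3's KMS client: wraps data keys under an in-memory master key."""

    def __init__(self):
        self._master = AESGCM.generate_key(bit_length=256)

    @staticmethod
    def _aad(context):
        # Canonicalise the encryption context so it is bound to the wrapped key, as KMS does.
        return b"&".join(f"{k}={v}".encode() for k, v in sorted((context or {}).items()))

    def generate_data_key(self, KeyId, KeySpec="AES_256", EncryptionContext=None):
        if KeySpec != "AES_256":
            raise ValueError("stub only supports AES_256")
        key = AESGCM.generate_key(bit_length=256)
        nonce = os.urandom(12)
        blob = nonce + AESGCM(self._master).encrypt(nonce, key, self._aad(EncryptionContext))
        return {"Plaintext": key, "CiphertextBlob": blob, "KeyId": KeyId}

    def decrypt(self, CiphertextBlob, EncryptionContext=None):
        nonce, wrapped = CiphertextBlob[:12], CiphertextBlob[12:]
        key = AESGCM(self._master).decrypt(nonce, wrapped, self._aad(EncryptionContext))
        return {"Plaintext": key}


def envelope_encrypt(kms, key_id, data, context):
    """Return one self-describing blob: wrapped data key, nonce and ciphertext."""
    resp = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256", EncryptionContext=context)
    data_key, wrapped = resp["Plaintext"], resp["CiphertextBlob"]
    nonce = os.urandom(12)
    # The wrapped key is the associated data, so a blob assembled from another
    # record's wrapped key and this ciphertext fails authentication.
    ciphertext = AESGCM(data_key).encrypt(nonce, data, wrapped)
    del data_key  # Python cannot guarantee zeroisation, but release the reference promptly
    return MAGIC + struct.pack(">H", len(wrapped)) + wrapped + nonce + ciphertext


def envelope_decrypt(kms, blob, context):
    """Parse the blob, unwrap the data key through KMS, then verify and decrypt locally."""
    if blob[:4] != MAGIC or len(blob) < 6:
        raise ValueError("not an envelope blob")
    (wlen,) = struct.unpack(">H", blob[4:6])
    wrapped = blob[6:6 + wlen]
    nonce = blob[6 + wlen:18 + wlen]
    ciphertext = blob[18 + wlen:]
    if len(wrapped) != wlen or len(nonce) != 12:
        raise ValueError("truncated envelope blob")
    data_key = kms.decrypt(CiphertextBlob=wrapped, EncryptionContext=context)["Plaintext"]
    return AESGCM(data_key).decrypt(nonce, ciphertext, wrapped)


def self_check():
    """Round trip plus two failure modes (constructed sample data); returns booleans."""
    kms = LocalKmsStub()
    ctx = {"app": "billing", "purpose": "invoice-archive"}
    sample = b"invoice 4711: 19.99 EUR"
    blob = envelope_encrypt(kms, "alias/my-key", sample, ctx)
    roundtrip = envelope_decrypt(kms, blob, ctx) == sample

    # A flipped ciphertext byte must be rejected by the GCM tag.
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])
    try:
        envelope_decrypt(kms, tampered, ctx)
        tamper_detected = False
    except InvalidTag:
        tamper_detected = True

    # Decrypting under a different encryption context must fail at the KMS step.
    try:
        envelope_decrypt(kms, blob, {"app": "other"})
        context_enforced = False
    except InvalidTag:
        context_enforced = True

    return {"roundtrip": roundtrip, "tamper_detected": tamper_detected,
            "context_enforced": context_enforced}


if __name__ == "__main__":
    print(self_check())
```

To run against real KMS, pass boto3.client('kms') as kms and a key ARN or alias as key_id; the IAM and key policies above already grant the kms:GenerateDataKey and kms:Decrypt calls this code makes, and the EncryptionContext shows up in CloudTrail for each call.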

Cost Estimation

Operation           Price               Notes
KMS API requests    $0.03 per 10,000    GenerateDataKey, Decrypt
CMK storage         $1.00 per month     Per customer managed key
Key rotation        Free                Automatic annual rotation