creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-12 22:24:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/implementing-envelope-encryption-with-aws-kms/assets/template.md
T

91 lines
2.2 KiB
Markdown
Raw Blame History

# Envelope Encryption with AWS KMS Template
## Prerequisites Checklist
- [ ] AWS account with KMS access
- [ ] IAM policy allows kms:GenerateDataKey, kms:Decrypt, kms:ReEncrypt
- [ ] KMS Customer Managed Key (CMK) created
- [ ] CloudTrail logging enabled for KMS events
- [ ] boto3 and cryptography Python libraries installed
## IAM Policy Template
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:GenerateDataKey",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:DescribeKey"
],
"Resource": "arn:aws:kms:us-east-1:123456789012:key/your-key-id"
}
]
}
```
## KMS Key Policy Template
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowKeyAdministration",
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::123456789012:role/KeyAdmin"},
"Action": [
"kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
"kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
"kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "AllowKeyUsage",
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::123456789012:role/AppRole"},
"Action": ["kms:Decrypt", "kms:GenerateDataKey", "kms:ReEncrypt*"],
"Resource": "*"
}
]
}
```
## Quick Reference
```python
import boto3
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
import os
kms = boto3.client('kms')
# Encrypt
resp = kms.generate_data_key(KeyId='alias/my-key', KeySpec='AES_256')
plaintext_key = resp['Plaintext']
encrypted_key = resp['CiphertextBlob']
nonce = os.urandom(12)
ciphertext = AESGCM(plaintext_key).encrypt(nonce, data, None)
# Store: encrypted_key + nonce + ciphertext
# Decrypt
resp = kms.decrypt(CiphertextBlob=encrypted_key)
plaintext_key = resp['Plaintext']
data = AESGCM(plaintext_key).decrypt(nonce, ciphertext, None)
```
## Cost Estimation
| Operation | Price | Notes |
|-----------|-------|-------|
| KMS API requests | $0.03 per 10,000 | GenerateDataKey, Decrypt |
| CMK storage | $1.00 per month | Per customer managed key |
| Key rotation | Free | Automatic annual rotation |
Reference in New Issue View Git Blame Copy Permalink