vm broker ‐ kes ‐ aws
Log in to the AWS console at console.aws.amazon.com/console.
In the AWS console, create a new user:
Navigate to Identity and Access Management (IAM).
Navigate to Users > Create User, add a name, and click Next.
On the following "Set permissions" screen, click Create Policy.
On the next screen, click JSON and paste the following to create a custom AWS policy. Click Next, then click Create Policy. The policy grants only the Secrets Manager and KMS actions that KES needs to store, read, list and delete keys in its keystore:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1578498399136",
      "Action": [
        "secretsmanager:CreateSecret",
        "secretsmanager:DeleteSecret",
        "secretsmanager:GetSecretValue",
        "secretsmanager:ListSecrets"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "Stmt1578498562539",
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey",
        "kms:Encrypt"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```

Return to the Create User page and click Refresh Policies.
Select the kes-policy and click Next, then click Create User.
Navigate to IAM > Users > kes and click Create access key.
Choose the "Other" use case.
Note:

Access key | Secret access key
-- | --
AKIA3JZRSDVQRG57MTKY | rEsFFWO1MtGgGjcddSrsAdQOucuprlXlG1by+lC7
```sh
ssh -p 20070 ubuntu@1.2.3.4 -o "ServerAliveInterval=5" -o "ServerAliveCountMax=100000" -o "StrictHostKeyChecking=off"
```
```yaml
address: 0.0.0.0:9073 # Listen on all network interfaces on port 9073
admin:
  identity: disabled
tls:
  key: private.key # The KES server TLS private key
  cert: public.crt # The KES server TLS certificate
policy:
  minio:
    allow:
    - /v1/key/create/minio-key*
    - /v1/key/generate/minio-key*
    - /v1/key/decrypt/minio-key*
    - /v1/key/list/*
    - /v1/key/delete/*
    identities:
    - 83dbfcdba05cb3256eae72f5217ac4cbc6cf866f7a80927c1981901af6d9882c # Use the identity of your client.crt
keystore:
  aws:
    secretsmanager:
      endpoint: secretsmanager.us-east-1.amazonaws.com # Use the SecretsManager in your region.
      region: us-east-1 # Use your region
      credentials:
        accesskey: "AKIA3JZRSDVQRG57MTKY" # Your AWS Access Key
        secretkey: "rEsFFWO1MtGgGjcddSrsAdQOucuprlXlG1by+lC7" # Your AWS Secret Key
```
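To check what the `minio` policy above actually permits before deploying it, here is an added example (not KES code and not part of this wiki page) that evaluates the policy section against a client identity and an API path. It assumes KES matches `allow` patterns the way Go's `path.Match` does, where `*` matches any run of characters except `/`.

```python
import re

# Policy section of the KES config above, constructed inline as Python data.
KES_POLICY = {
    "minio": {
        "allow": [
            "/v1/key/create/minio-key*",
            "/v1/key/generate/minio-key*",
            "/v1/key/decrypt/minio-key*",
            "/v1/key/list/*",
            "/v1/key/delete/*",
        ],
        "identities": [
            "83dbfcdba05cb3256eae72f5217ac4cbc6cf866f7a80927c1981901af6d9882c",
        ],
    }
}


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a KES path pattern into an anchored regex.

    Assumption: '*' matches any run of characters except '/', like Go's
    path.Match, so '/v1/key/list/*' does not match a path with extra slashes.
    """
    body = "".join("[^/]*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.compile("^" + body + "$")


def policy_for_identity(policy: dict, identity: str):
    """Return (policy name, policy body) assigned to identity, or (None, None)."""
    for name, body in policy.items():
        if identity in body.get("identities", []):
            return name, body
    return None, None


def is_allowed(policy: dict, identity: str, path: str) -> bool:
    """True if the identity's policy has an allow pattern matching path.

    An identity that is not assigned to any policy gets nothing (deny by default).
    """
    _, body = policy_for_identity(policy, identity)
    if body is None:
        return False
    return any(pattern_to_regex(p).match(path) for p in body.get("allow", []))
```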


https://us-east-2.console.aws.amazon.com/cloudtrail