# Day 41: Securing Data with AWS KMS

Welcome to Day 41. Today we will learn how to secure data with AWS KMS.

### What is AWS KMS?

**AWS Key Management Service (KMS)** is a managed service that makes it easy for you to create and control the cryptographic keys used to protect your data. It provides a highly available, secure, and centralized hub for managing encryption across your entire AWS environment.

### Core Functions of AWS KMS

AWS KMS handles the "heavy lifting" of cryptography so you don't have to manage complex hardware or software.

* **Key Lifecycle Management:** You can create, rotate, disable, and delete keys.
    
* **Centralized Control:** Manage permissions for who can use or manage keys through IAM (Identity and Access Management) and Key Policies.
    
* **Auditability:** Every time a key is used, it is logged in **AWS CloudTrail**, allowing you to see exactly who used a key, when, and for what resource.
    
* **High Security:** Keys are protected by FIPS 140-2 validated **Hardware Security Modules (HSMs)**. Plaintext master keys never leave these modules.
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1767437459221/c6eba85f-f792-421b-94d1-d2d31335c2be.png)

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1767437545513/769d8dee-be92-41c9-af71-cb7f07267f26.png)

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1767437575205/eaa678ff-008e-42a8-8dad-cc5a4135439f.png)

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1767437715260/ee740a67-d01e-4b54-855a-0557c55b2b3d.png)

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1767437734385/51ae2aa7-1562-4763-918d-51aad8b028df.png)

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1767437776155/9c91340b-a619-4e44-82c1-13bd7de36bf5.png)

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1767437796968/36bbbce3-e22f-4124-bbc7-6ac0a3cce34f.png)

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1767437823256/ac9601f5-ff2b-452c-8814-12530085b40a.png)

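```bash
# Create the key and capture its ID for the next step
KEY_ID=$(aws kms create-key \
    --description "Nautilus datacenter-KMS-Key" \
    --query KeyMetadata.KeyId \
    --output text)

# Create the alias
aws kms create-alias --alias-name alias/datacenter-KMS-Key --target-key-id "$KEY_ID"

# Encrypt the file; the CLI returns base64 text, so decode it to store the binary ciphertext
aws kms encrypt \
    --key-id alias/datacenter-KMS-Key \
    --plaintext fileb:///root/SensitiveData.txt \
    --query CiphertextBlob \
    --output text | base64 --decode > /root/EncryptedData.bin

# Decrypt the file (for a symmetric key, KMS identifies the key from the ciphertext,
# so --key-id is optional; the returned plaintext is base64 text as well)
aws kms decrypt \
    --ciphertext-blob fileb:///root/EncryptedData.bin \
    --query Plaintext \
    --output text | base64 --decode > /root/DecryptedData.txt

# Compare results; no output means the two files are identical
diff /root/SensitiveData.txt /root/DecryptedData.txt
```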
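
Each `Encrypt` and `Decrypt` call in the lab is recorded in CloudTrail, which is what the Auditability point above relies on. The following added example (not part of the original lab) reads CloudTrail records and lists who used a given key, when, and with what result. The records, account ID, key ID, principals and IPs are constructed placeholders, and the function names are this example's own.

```python
import json

# Constructed sample (not from the lab): account ID, key ID, principals and IPs are placeholders.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
LAB_USER = "arn:aws:iam::111122223333:user/lab-admin"
OTHER = "arn:aws:sts::111122223333:assumed-role/unknown-app/session-1"

def _event(time, source, name, principal, ip, resource_type, arn, error=None):
    """Build one constructed record with the CloudTrail fields this example reads."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "sourceIPAddress": ip, "userIdentity": {"arn": principal},
           "resources": [{"type": resource_type, "ARN": arn}]}
    if error:
        rec["errorCode"] = error
    return rec

SAMPLE_LOG = json.dumps({"Records": [
    _event("2026-01-03T10:15:02Z", "kms.amazonaws.com", "Encrypt", LAB_USER,
           "203.0.113.10", "AWS::KMS::Key", KEY_ARN),
    _event("2026-01-03T10:16:40Z", "kms.amazonaws.com", "Decrypt", LAB_USER,
           "203.0.113.10", "AWS::KMS::Key", KEY_ARN),
    _event("2026-01-03T11:02:13Z", "kms.amazonaws.com", "Decrypt", OTHER,
           "198.51.100.7", "AWS::KMS::Key", KEY_ARN, error="AccessDenied"),
    _event("2026-01-03T11:05:00Z", "s3.amazonaws.com", "GetObject", LAB_USER,
           "203.0.113.10", "AWS::S3::Object", "arn:aws:s3:::example-bucket/file"),
]})

def kms_key_usage(log_text, key_arn):
    """Return who called which KMS operation on key_arn, and when."""
    rows = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue  # not a KMS API call
        keys = {r.get("ARN") for r in rec.get("resources") or []
                if r.get("type") == "AWS::KMS::Key"}
        if key_arn not in keys:
            continue  # call was made against a different key
        rows.append({"time": rec.get("eventTime"), "action": rec.get("eventName"),
                     "principal": (rec.get("userIdentity") or {}).get("arn", "unknown"),
                     "source_ip": rec.get("sourceIPAddress"),
                     "error": rec.get("errorCode")})
    return rows

def needs_review(rows, expected_principals):
    """Keep calls that were denied or made by a principal outside the expected set."""
    return [r for r in rows if r["error"] or r["principal"] not in expected_principals]
```

Calling `needs_review(kms_key_usage(SAMPLE_LOG, KEY_ARN), {LAB_USER})` returns only the denied `Decrypt` attempt from the unexpected role.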

Congratulations, you did it! It looks good. This lab was successfully completed without any errors. See you on Day 42. If you have any issues, please let me know and I will be happy to assist you. Stay tuned and let's learn together. If you find my article useful, please like and share it.
