A Busy Engineer’s Guide to the AWS Encryption SDK

In this workshop, you will add encryption and decryption features to a simple web application that sends form data over Amazon SQS.

First, you will set up a work environment for this workshop. Then you will start adding functionality to the application. This functionality will include basic changes to enable encrypting and decrypting arbitrary data; using KMS directly for encryption and decryption; and using the AWS Encryption SDK. We will also walk you through using features such as Encryption Context, encryption with multiple Master Keys, and Data Key Caching.

Getting started

For help setting up an environment to work through the exercises, see Environment Setup.

For some tips on how to debug your application if needed, see Debugging Tips.

When you are done experimenting, you can find instructions for cleaning up the application in Cleaning up.

List of exercises

Bonus Tasks

If you want more challenging tasks, try these ideas:

  • Downloading the AWS Encryption SDK CLI and using it to decrypt some of your messages.

  • Write your own Cryptographic Materials Manager (CMM) to transform the incoming request. For example, write one that adds a timestamp to the Encryption Context. Using the material introduced in Exercise 4, experiment with how the timestamp affects caching behavior and performance.

Source Code

The source code for the workshop and the documentation is available on GitHub.

License information

Copyright 2017-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.

Licensed under the Apache License, Version 2.0 (the “License”). You may not use this file except in compliance with the License. A copy of the License is located at


or in the “license” file accompanying this file. This file is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.