A Busy Engineer’s Guide to the AWS Encryption SDK
In this workshop, you will add encryption and decryption features to a simple web application that sends form data over Amazon SQS.
First, you will set up a work environment for this workshop. Then you will start adding functionality to the application. This functionality will include basic changes to enable encrypting and decrypting arbitrary data; using KMS directly for encryption and decryption; and using the AWS Encryption SDK. We will also walk you through using features such as Encryption Context, encryption with multiple Master Keys, and Data Key Caching.
Getting started
For help setting up an environment to work through the exercises, see Environment Setup.
For some tips on how to debug your application if needed, see Debugging Tips.
When you are done experimenting, you can find instructions for cleaning up the application in Cleaning up.
List of exercises
Exercise 1: Explore - Explore the example application and make your first change
Exercise 2: Introducing KMS - Add KMS encryption to the example application
Exercise 3: The AWS Encryption SDK - Add encryption using the AWS Encryption SDK
Exercise 4: Data Key Caching - Add caching to the example application
Exercise 5: Multiple Master Key Encryption - Using multiple Master Keys for encryption
Bonus Tasks
If you want more challenging tasks, try these ideas:
Download the AWS Encryption SDK CLI and use it to decrypt some of your messages.
Write your own Cryptographic Materials Manager (CMM) to transform the incoming request. For example, write one that adds a timestamp to the Encryption Context. Using the material introduced in Exercise 4, experiment with how the timestamp affects caching behavior and performance.
Source Code
The source code for the workshop and the documentation is available on GitHub.
License information
Copyright 2017-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the “License”). You may not use this file except in compliance with the License. A copy of the License is located at
https://aws.amazon.com/apache2.0/
or in the “license” file accompanying this file. This file is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.