AWS Security Basics - AWS KMS, Client/Server Side Encryption, CMK, Data Key, Real World Use | Demo

  • Published on 31 Jan 2025

Comments • 95

  • @SpaceeManJones
    @SpaceeManJones 5 years ago +8

    Awesome overview, thank you!

    • @cloudwithraj
      @cloudwithraj 5 years ago

      Ty SpaceeManJones for the kind words, I am so glad you found this video useful. Feel free to check out other videos in my channel when your time permits. Thanks again.

  • @Awachit1
    @Awachit1 4 years ago +1

    I don't understand why this channel is not in AWS mainstream learning channel suggestions.
    Thank you Raj, video was very helpful.

  • @nastusalmander
    @nastusalmander 2 months ago +1

    This video is very engaging and informative. Thank you!

    • @cloudwithraj
      @cloudwithraj several months ago

      Glad you enjoyed it!

  • @spyl42
    @spyl42 5 years ago +3

    Excellent Tutorial. Cleared away the mystery surrounding KMS. Also, enjoyed your delivery. Made it fun to watch/listen.

    • @cloudwithraj
      @cloudwithraj 5 years ago

      Very kind of you John. Really appreciate the positive feedback!

  • @kalyanchatterjee8003
    @kalyanchatterjee8003 4 years ago +3

    Best video on the subject. This cleared up a lot of confusion. Thank you!

  • @Amsterdam125
    @Amsterdam125 4 years ago +3

    Nicely done presentation with good energy, thank you. I appreciate the demo, which patiently went into proving how the encryption keys prevent access into encrypted files.

    • @cloudwithraj
      @cloudwithraj 4 years ago

      Thanks for the kind words! I am so happy you found this video useful. Stay safe and healthy.

  • @viveksharma5884
    @viveksharma5884 3 years ago

    @Raja - Great effort and witty as always...Please edit comment you can "delete" KMS Managed AWS key at 4:32. Best of luck.

  • @glennadams7047
    @glennadams7047 3 years ago

    The best video I've found on the subject. THANKS !!!

  • @aireddy
    @aireddy 3 years ago

    Raj, it is easy to understand KMS, great job!

  • @himanshugta1724
    @himanshugta1724 11 months ago

    thanks for the simple, yet crisp explanation!!

    • @cloudwithraj
      @cloudwithraj 11 months ago

      Glad it was helpful!

  • @NithyashreeCM
    @NithyashreeCM 7 months ago +1

    Nice Explanation...Thank you👍

  • @TheKaushal8686
    @TheKaushal8686 4 years ago

    To the point, and real-life applications. Thanks for the videos... Appreciate your efforts.

  • @shashikantdivekar7839
    @shashikantdivekar7839 3 years ago

    Quality video. Very useful. Thank you very much.

  • @gauravjand
    @gauravjand 5 years ago +5

    Awesome video. Really helped in clearing the KMS Mystery!!
    After watching this excellent video, I got a question in mind. When you applied KMS on a file, the user who was not having access (Bob) to the KMS key could not access the file. This could have been done by ACL properties as well, why did we use a KMS key? I thought KMS is actually used to encrypt the data and not to control the access. Would appreciate your response.

    • @cloudwithraj
      @cloudwithraj 5 years ago +6

      Appreciate the kind words Gaurav! Regarding ACL and KMS - ACL for VPC can be used for granular access using IP. However for enterprises, often one account/VPC is shared by multiple groups. In those cases, KMS is easier to segregate different apps. Also KMS gets integrated in IAM policy so you can do a lot of funky conditions there (based on prefix, wildcard etc.), ACLs are pretty strict and can't do different conditions like IAM policies. Lastly for ACLs, if the IP address changes you have to redo those, however for KMS you can use an alias and even if the key material rotates, the policy need not change. Apologies for the long answer, hope this helps clarify your doubt.

  • @tahasaleh4697
    @tahasaleh4697 4 years ago +1

    Great video! I really loved how you eased into KMS

  • @sujeetkumar.
    @sujeetkumar. 3 years ago

    Superb explanation

  • @satya4866
    @satya4866 4 years ago

    Nice video Raj... Pls do more .. you explain complicated stuff simply... Thank you

    • @cloudwithraj
      @cloudwithraj 4 years ago

      Thanks for the kind words, I will try my best. Thanks for watching

  • @regon1982ss
    @regon1982ss 4 years ago +2

    Thank you so much for the videos, they are really helping and motivating me in my SAA studies. Please keep on smashing it by sending awesome videos!! :)

    • @cloudwithraj
      @cloudwithraj 4 years ago

      Thanks Supriya for watching :). I am glad you found it helpful. I am making "How to Architect" video in next couple weeks which you will find helpful for SAA. Thanks again for kind words and support.

  • @sseerangan
    @sseerangan 4 years ago +1

    Nicely explained with demo. keep doing more videos please..

    • @cloudwithraj
      @cloudwithraj 4 years ago

      Thanks Sami for the kind words! Check out my channel for other videos when you have a moment. Thanks again!

  • @theycallmeken
    @theycallmeken 4 years ago

    Dude your energy is awesome! First video I seen from you, looking forward to the rest!!

    • @cloudwithraj
      @cloudwithraj 4 years ago

      I appreciate that! Thanks for watching!

  • @danchisholm1
    @danchisholm1 5 months ago

    thanks raj 🎉❤

  • @aadinathrakshe2852
    @aadinathrakshe2852 4 years ago

    Simply Excellent!
    I just would like to know in one case, if we have a bucket with images and video serving publicly and we do not want that someone should steal it quietly. Thanks

  • @saltdomeguy
    @saltdomeguy 3 years ago

    Good explanation

  • @RamKumar-tk2cb
    @RamKumar-tk2cb 3 years ago

    Love you man.... you have an awesome personality :)

  • @christianibiri
    @christianibiri 2 years ago

    Excellent, it is always good refresh these concepts :)

  • @jazzburnett9877
    @jazzburnett9877 4 years ago +1

    Thank You! An Overview well explained, Sir !

  • @nathanhan2089
    @nathanhan2089 a year ago

    thanks for demystifying KMS for me...

  • @James-mv9qx
    @James-mv9qx 4 years ago

    Good on ya mate, very clear and concise explanation, cheers

  • @hippo50410
    @hippo50410 4 years ago

    It's perfect :) Short, concise, useful

  • @youtubeDaddy525
    @youtubeDaddy525 4 years ago

    Great video ! Very clear and informative !

  • @lakshravi364
    @lakshravi364 4 years ago

    simple and good.

    • @cloudwithraj
      @cloudwithraj 4 years ago

      Glad you liked it, thanks for watching

  • @Abbyjuh
    @Abbyjuh 3 years ago

    Any videos for data in transit?

  • @saratvenkat2170
    @saratvenkat2170 3 years ago

    Hey, it's a nice video. Quick question, if AWS managed keys are used to encrypt files in S3, can I still control the access using IAM policies as I don't see the same option of "key users" in KMS. If that can be controlled in a different way, what is the advantage of using customer managed keys other than having control of key management? Thanks in advance.

  • @mikkid8271
    @mikkid8271 3 years ago

    How does S3 take care of the data keys? Where are the encrypted data keys for a file encrypted with that key stored? Can I see the data key for a specific file? Do you have any info about that? Thank you a lot!!!!

  • @ankeshgaikwad7936
    @ankeshgaikwad7936 4 years ago +2

    Hello sir,
    Your tutorials are very helpful, thank you so much. But I have a little bit of a different scenario.
    Scenario:
    I have an .mp4 file in an S3 bucket (private).
    I'm using Elastic Transcoder to convert that video to different resolutions, at the same time encrypting those files using SSE-KMS and storing them back to S3.
    Finally, to access private content I'm using CloudFront with Signed URL.
    Problem:
    How to decrypt those media files?
    If I do not encrypt files while transcoding, the whole scenario mentioned above is working properly.
    Thank you for giving time to read this.
    Hoping to hear from you soon.

  • @benedictsimpson6953
    @benedictsimpson6953 4 years ago

    very nice

  • @deepalisingh5660
    @deepalisingh5660 4 years ago

    Great work Sir

    • @cloudwithraj
      @cloudwithraj 4 years ago

      Thanks Deepali for the kind words.

  • @kareemsharawi4778
    @kareemsharawi4778 4 years ago

    Another awesome video!

    • @cloudwithraj
      @cloudwithraj 4 years ago +1

      Glad you enjoyed it! Thanks for watching!

  • @diegoramos27
    @diegoramos27 2 years ago

    Hi Sir, does KMS always use an HSM behind the scenes? If that is so, why is there AWS CloudHSM? Thanks

  • @MrDoublethumb
    @MrDoublethumb 4 years ago

    Super koo! session

    • @cloudwithraj
      @cloudwithraj 4 years ago

      Thanks T.K for the kind words!

  • @ravindrabhatt
    @ravindrabhatt 4 years ago

    Do you have some video for all encryption options in S3, S3 SSE vs S3 SSE-KMS and S3 API settings etc

  • @saluja1986
    @saluja1986 4 years ago

    Very nice. But I have some confusion. Where is the encryption and decryption? It was just restricting the rights on that particular file, which can be done by bucket policy as well or by other means. Please clarify this.

  • @bwhelan237
    @bwhelan237 3 years ago

    Thanks for the review

  • @rakeshms
    @rakeshms 4 years ago

    nicely explained.

  • @hebronspiritualmessages9382
    @hebronspiritualmessages9382 3 years ago

    We can achieve S3 file access control using bucket policies and ACLs, right.. 🤔

  • @1970mcgraw
    @1970mcgraw 4 years ago

    Excellent, thank you

    • @cloudwithraj
      @cloudwithraj 4 years ago +1

      Thanks Mike, glad to hear you found the video useful.

  • @rajeevsinha2632
    @rajeevsinha2632 5 years ago

    Good one sir, very informative... Thank you .

    • @cloudwithraj
      @cloudwithraj 5 years ago

      Ty Rajeev for your kind words! Have a great weekend.

  • @satyasantosh3143
    @satyasantosh3143 4 years ago

    Great Explanation!

  • @sanaasalam6473
    @sanaasalam6473 2 years ago

    I wanna do a project on CLIENT-SIDE CRYPTOGRAPHY BASED SECURITY FOR CLOUD COMPUTING SYSTEM. Using AWS for this is costly. Sir, in which cloud can I implement this one without much expense? Could you please suggest me an idea?

  • @Brand73
    @Brand73 5 years ago +3

    10:00

  • @kvishnuteja334
    @kvishnuteja334 3 years ago

    Hi Raj. Nice video. one quick question .. from the example the policy restriction itself is enough to allow / deny read/download of file. If the user is not permitted to read file he is of course is restricted to read contents of it at the first level. Then decrypting is something as next step is obviously not reached. Can you please shed light on point of encryption in this scenario?

  • @francisantony12
    @francisantony12 several months ago

    If the data (file) is encrypted by a data key, and the CMK is used to encrypt the data key, where is the data key stored? (Does KMS create a paired [inaccessible to the customers] data key whenever it creates a CMK?)

  • @viveksharma5884
    @viveksharma5884 4 years ago

    Rajdeep, buckets are private by default. How can bob see the bucket ?

  • @preetbenipal1034
    @preetbenipal1034 4 years ago

    thank you ...love you :)

  • @abnagb2514
    @abnagb2514 4 years ago

    it will be fun

  • @owenouzheng9537
    @owenouzheng9537 4 years ago +1

    Are u working at Amazon office at U.S? Which city?

    • @cloudwithraj
      @cloudwithraj 4 years ago

      Yes sir. Used to be in NYC office, now home office of course :)

  • @aiyubkhan8523
    @aiyubkhan8523 4 years ago +1

    Yes, I can access the KMS encrypted object via IAM permission. Then I click the open option and I can view my object.
    But here after 300 seconds it will expire???? Why? Please let me know.

  • @bigheartsmolpen
    @bigheartsmolpen 4 years ago

    I like your lipstick 🌸

  • @theinnoverse
    @theinnoverse 2 years ago

    I'm slightly confused here, I understood the encryption part, but doubt is when one user tried to access file from another account he wasn't able to do, I'm kinda confused because the same access permissions can be specified in bucket policies, can anyone help me out?

  • @pratikmbm1990
    @pratikmbm1990 4 years ago

    Using a CMK we can just encrypt data which is less than 4 KB in size. In my case I have tried to upload a 1 MB file using AWS:KMS onto S3, and was able to do so, how come? Internally is it using data keys to achieve the same?

  • @vara62
    @vara62 3 years ago

    demo starts at 7:24

  • @erickray777
    @erickray777 4 years ago

    Please update the title. There is no demonstration of client side encryption. Please provide a link if you have produced such. Thanks!

  • @amirkazemi2517
    @amirkazemi2517 3 years ago

    BAAAAAAACK!

  • @SogMosee
    @SogMosee 4 years ago

    Okay, so the keys don't actually encrypt the data, as in they don't ever modify the contents of the file, they just essentially stop people who don't have decrypt permissions for the key from opening the file.
    Or are the file contents actually encrypted into gibberish behind the scenes, but then once someone with the key tries to open the file, it decrypts the contents from gibberish into the original file content?

  • @mianadnanfakhar.6968
    @mianadnanfakhar.6968 3 years ago

    Sir, why are you being so awkward?

  • @AnkurPatelankur
    @AnkurPatelankur 5 years ago

    Another Kumar sanu

    • @cloudwithraj
      @cloudwithraj 5 years ago

      Only if I had melodic voice like Sanuda, I would bust into songs every video 😉

  • @Betelgeusewaitforit
    @Betelgeusewaitforit 3 years ago

    Dude just fall back to your native accent.. but great coverage of features.