A serverless password manager built with Amazon DynamoDB and AWS KMS
The problem is that we can't remember every password, so we frequently end up resetting them. We are constantly creating new accounts for the websites we use. We could store usernames and passwords in a text file, but the passwords still need to be kept secure, and when we need one urgently a lost or unreadable file is frustrating. Security is always a concern, yet we also need our passwords with us wherever we go. Online password managers are one option.
Therefore, let's get started on making our own password manager!
Okay, before we continue, I'd like to let you know that this project will be split into several blog posts, each describing a different aspect of it. I'll be utilising several AWS services together with the Serverless Framework. I'll also demonstrate how to fit serverless deployment into a CI/CD pipeline to create an end-to-end application.
In this post I'll discuss encryption, AWS KMS, and the DynamoDB Encryption Client.
In the next post I'll walk you through Amazon DynamoDB and my experience using it for data modelling.
In the last post I'll bring everything together and implement the entire project, from the code to the CI/CD deployment.
I am utilising the following services and tools:
Amazon DynamoDB stores my data.
The DynamoDB Encryption Client, a library that encrypts and signs table items on the client side before they are sent to DynamoDB.
boto3, the AWS SDK for Python, for communicating with AWS services.
AWS KMS manages my encryption keys.
Python is the programming language.
The Serverless Framework builds the APIs, creates the resources, and deploys them to the cloud.
First, a high-level overview of what we intend to do. We want an application that encrypts our data and stores it in the cloud. The data will be encrypted on the client side, before it leaves our code, protected by TLS while in transit, and encrypted again by DynamoDB while at rest.
First, let's install the DynamoDB Encryption Client and boto3. Both libraries require Python; if you don't already have it, download it from python.org. Run the following commands in a terminal:
$ pip install dynamodb-encryption-sdk
$ pip install boto3
Okay, the initial setup is complete. Before continuing, let's learn a little bit about encryption and AWS KMS.
What is encryption?
If I have to communicate sensitive information to someone, I could send it by email, but email on its own isn't safe: anyone who intercepts the message or breaks into a mailbox can read it. In these situations we encrypt the data. Encryption uses a cryptographic key to turn the readable plaintext into ciphertext, unintelligible text that reveals nothing about the original. Only someone who holds the right key can decrypt the ciphertext back into plaintext.
Why should we utilise AWS KMS, and what does it do?
KMS stands for Key Management Service. Any cryptographic use case quickly accumulates a large number of keys, and the safest place for them is a hardware security module (HSM): the key material stays inside tamper-resistant hardware and is used only at the moment a cryptographic operation runs, so it is never exposed to the application. You can either use AWS KMS or run your own on-premise key store, which involves considerable work, expense, and security considerations.
AWS KMS is a managed service that AWS offers out of the box. It does not just generate encryption keys; it manages their whole lifecycle: creation, access control, rotation, and deletion. It also offers more flexible options, such as creating a custom key store backed by your own HSMs or importing your own key material. Integration with other AWS services such as S3, EC2, and many more is built in.
Depending on the use case, AWS KMS lets you create symmetric or asymmetric keys. A symmetric key is a single key used for both encryption and decryption. An asymmetric key is a key pair consisting of a public key and a private key; the public key can be shared freely, while the private key never leaves KMS.
Creating Keys with AWS KMS
Okay, so we now understand what KMS is. Since we want to encrypt data, let's create a symmetric key. You need an AWS account to create a key, so set one up if you don't already have one.
KMS Pricing
The free tier includes 20,000 KMS requests (encrypt, decrypt, generate data key, and so on) per month. Each customer managed key you create costs $1 per month regardless of the free tier, and requests beyond the free 20,000 are billed per request at a rate that depends on the key type and operation. See KMS Pricing for further details.
Open AWS KMS in the AWS Management Console; you will be taken to the screen shown here. Click the button to create a key.
Keep the defaults shown. We'll use a symmetric key for the demonstration, which means a single key encrypts and decrypts our data. Under advanced options, make sure the key material origin is KMS, since we want KMS itself to generate and hold the key material.
Give your key an alias (a friendly name) and, optionally, a description.
The next step, defining the IAM users and roles that act as key administrators, is important. Key administrators can manage the key (enable, disable, rotate, edit its policy, schedule deletion), but the administrator statement does not by itself grant permission to encrypt or decrypt with it. In my setup, I added an IAM user named Tahir as the administrator.
After defining the administrators, you specify who is permitted to use the key, that is, to call Encrypt, Decrypt, ReEncrypt, GenerateDataKey, and DescribeKey on it. For demonstration purposes I chose the same user, tahir. In a deployed application the key user should be the Lambda function's execution role rather than a human IAM user, so that only the service that actually needs the key can use it.
Once these steps are complete, the generated key policy, which spells out every principal and the actions each is allowed, is displayed. You can accept it as is or review and edit it to fit your needs. Note that the default policy also gives the account's root principal full access to the key, which is what allows IAM policies in the account to grant further permissions. I'm leaving it as is in this instance.
Hurray! Your key is created and ready to encrypt data. The key material never leaves KMS: it is stored encrypted inside the service and cannot be exported or retrieved from outside AWS, and every operation that uses it runs inside KMS.
How is client-side encryption implemented?
To keep things simple, I'll give a high-level explanation of the four components involved: the plaintext, the crypto config, the item encryptor, and the cryptographic materials provider. For a more detailed explanation, see the documentation here; for now this should be enough to get you started.
Plaintext: the item, or the attribute values within it, that you are storing in the DynamoDB table.
Item encryptor: the engine of the process, something like a blender. It takes the plaintext item, obtains keys from the cryptographic materials provider, applies the crypto config, and produces the encrypted and signed item; on the way back it verifies the signature and decrypts.
Cryptographic materials provider (CMP): the component that supplies the encryption and signing keys and the algorithms to use, and that decides how those keys are generated and protected. With the KMS-backed provider, each item gets its own data key requested from AWS KMS under our KMS key, so our KMS key itself never has to leave KMS. The item encryptor asks the CMP for these materials every time it encrypts or decrypts.
Crypto configuration: the "crypto config" in the image above. It carries the information that ties a ciphertext to its location: the table name and the primary key names and values, which together form the encryption context, plus the attribute actions that say, for each attribute, whether to encrypt and sign it, sign it only, or leave it alone. The primary key attributes must be sign-only, because DynamoDB needs them in the clear to find the item. Because the encryption context is bound into the data key and the signature, an encrypted item that is copied to another table or under another primary key, or whose attributes are tampered with, fails verification instead of decrypting.
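The following block is an added illustration, not the DynamoDB Encryption Client itself, showing how the four components above fit together and why the encryption context matters. It uses only the Python standard library: HMAC-SHA256 in counter mode stands in for the SDK's AES cipher, an HMAC tag stands in for its signature, `ToyMaterialsProvider` stands in for the KMS-backed provider (its master key is a local byte string rather than a key inside an HSM), and the `*salt*` / `*sig*` bookkeeping attribute names are my own, not the SDK's. The table name `passwords`, the `site` partition key and the sample item are constructed for the example.

```python
"""Toy model of the DynamoDB Encryption Client's moving parts, standard library
only. Added illustration, not the SDK: HMAC-SHA256 keystream instead of AES,
HMAC tag instead of the SDK's signature, a local master key instead of KMS.
Table name, partition key, attribute names and the sample item are constructed."""
import hashlib
import hmac
import json
import secrets

ENCRYPT_AND_SIGN = "ENCRYPT_AND_SIGN"
SIGN_ONLY = "SIGN_ONLY"
SALT_ATTR, SIG_ATTR = "*salt*", "*sig*"  # bookkeeping attributes (our names, not the SDK's)


class ToyMaterialsProvider:
    """Derives per-item encryption and signing keys from a master key, a random
    salt and the encryption context, so a different context yields different keys.
    In KMS the master key never leaves the HSM; here it is a plain bytes object."""

    def __init__(self, master_key: bytes):
        self._master_key = master_key

    def materials(self, encryption_context: dict, salt: bytes) -> tuple:
        info = json.dumps(encryption_context, sort_keys=True).encode()

        def derive(label: bytes) -> bytes:
            return hmac.new(self._master_key, label + salt + info, hashlib.sha256).digest()

        return derive(b"enc"), derive(b"sig")


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt by XOR with an HMAC-SHA256 keystream (a PRF in counter mode)."""
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), 32)):
        pad = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], pad))
    return bytes(out)


class ToyItemEncryptor:
    """Applies the crypto config to an item: encrypts ENCRYPT_AND_SIGN attributes,
    leaves SIGN_ONLY ones readable, and signs everything plus the encryption context."""

    def __init__(self, provider, table_name: str, partition_key: str,
                 attribute_actions: dict, default_action: str = ENCRYPT_AND_SIGN):
        self.provider = provider
        self.table_name = table_name
        self.partition_key = partition_key
        self.actions = dict(attribute_actions)
        self.actions[partition_key] = SIGN_ONLY  # DynamoDB must see the key in the clear
        self.default = default_action

    def _context(self, item: dict) -> dict:
        # Encryption context: where the item lives. Bound into the keys and the signature.
        return {"table": self.table_name, "pk_name": self.partition_key,
                "pk_value": item[self.partition_key]}

    def _action(self, name: str) -> str:
        return self.actions.get(name, self.default)

    @staticmethod
    def _sign(sig_key: bytes, ctx: dict, material: dict) -> str:
        body = {k: v for k, v in material.items() if k != SIG_ATTR}
        payload = json.dumps({"ctx": ctx, "item": body}, sort_keys=True).encode()
        return hmac.new(sig_key, payload, hashlib.sha256).hexdigest()

    def encrypt_item(self, item: dict) -> dict:
        ctx = self._context(item)
        salt = secrets.token_bytes(16)
        enc_key, sig_key = self.provider.materials(ctx, salt)
        stored = {}
        for name, value in item.items():
            if self._action(name) == ENCRYPT_AND_SIGN:
                # Attribute name as nonce: unique per attribute, and enc_key is unique per item.
                stored[name] = _keystream_xor(enc_key, name.encode(), json.dumps(value).encode()).hex()
            else:
                stored[name] = value
        stored[SALT_ATTR] = salt.hex()
        stored[SIG_ATTR] = self._sign(sig_key, ctx, stored)
        return stored

    def decrypt_item(self, stored: dict) -> dict:
        ctx = self._context(stored)  # recomputed from where the item is *now*
        enc_key, sig_key = self.provider.materials(ctx, bytes.fromhex(stored[SALT_ATTR]))
        if not hmac.compare_digest(self._sign(sig_key, ctx, stored), stored[SIG_ATTR]):
            raise ValueError("signature check failed: item tampered with or moved")
        item = {}
        for name, value in stored.items():
            if name in (SALT_ATTR, SIG_ATTR):
                continue
            if self._action(name) == ENCRYPT_AND_SIGN:
                item[name] = json.loads(_keystream_xor(enc_key, name.encode(), bytes.fromhex(value)))
            else:
                item[name] = value
        return item


def build_encryptor(master_key: bytes) -> ToyItemEncryptor:
    """Crypto config for the password table: site (partition key) and username are
    signed but readable so we can look items up; the password is encrypted and signed."""
    return ToyItemEncryptor(ToyMaterialsProvider(master_key), table_name="passwords",
                            partition_key="site", attribute_actions={"username": SIGN_ONLY})


def decrypts(encryptor: ToyItemEncryptor, stored: dict) -> bool:
    """True if the stored item verifies and decrypts, False if the signature check fails."""
    try:
        encryptor.decrypt_item(stored)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    enc = build_encryptor(secrets.token_bytes(32))
    item = {"site": "example.com", "username": "alice", "password": "correct horse battery staple"}
    stored = enc.encrypt_item(item)                        # constructed sample item
    print("stored:", stored)                               # password is hex ciphertext, username readable
    print("round trip ok:", enc.decrypt_item(stored) == item)
    moved = dict(stored, site="attacker.example")          # copied under another partition key
    print("moved item decrypts:", decrypts(enc, moved))    # False
    forged = dict(stored, username="mallory")              # sign-only attribute edited in the table
    print("forged item decrypts:", decrypts(enc, forged))  # False
```

The two failing cases are the point of the encryption context: an attacker with write access to the table (or a copy of it) cannot move a ciphertext under a different key, swap the username on a signed item, or decrypt anything without the master key, because the keys are derived from, and the signature covers, the item's location and contents.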
Conclusion
I want to start by saying thank you for taking the time to read this blog.
Creating small applications like this one is not only useful in its own right; it is also a great way to learn about AWS cloud services and how to utilise them, just as building this one quickly taught us about client-side encryption and encryption keys with AWS KMS.