Forem: Rishi

Complete Guide to AWS KMS: Encryption, Key Management & Serverless Projects

Rishi — Mon, 07 Jul 2025 05:51:56 +0000

AWS Key Management Service (KMS) is used to create, manage, and audit cryptographic keys. In this hands-on course, we'll break down core KMS concepts and implement two mini projects to bring theory into practice.

Prerequisites

To follow the mini-projects confidently, you should know how to build a basic serverless CRUD app:

Course Structure – What Will You Learn? 🌿

Encryption Fundamentals
What is encryption, and types of encryption?
KMS Key Types
KMS keys are categorized based on structure (symmetric/asymmetric) and ownership (AWS-owned, AWS-managed, customer-managed).
Envelope Encryption
What is envelope encryption, and why is it essential for scalable secure storage?
How is envelope encryption used with AWS customer-managed symmetric keys?
KMS Access Control & Service Integration
How KMS integrates with AWS services like S3, Lambda, and Secrets Manager.

How to control access using IAM policies, key policy, and grants.
Key Rotation & Auditing
Mini Projects
- 🔐Password Manager – Encrypt and store credentials in DynamoDB using KMS
- 🔑JWT Auth Server – Use KMS asymmetric keys to sign and verify JWTs

Chatlings🐾 AI Moderated Serverless Chat App For Kids!🌿

Rishi — Tue, 01 Jul 2025 14:33:41 +0000

Chatlings 🐾 is a serverless, real-time chat platform designed for children aged 8–14. It ensures content safety using AI moderation and a delightful, kid-friendly design.

Just like ducklings 🦆 follow their guide while learning to explore the world, Chatlings helps young users explore digital conversations safely and responsibly.

✨ Key Features

💬 Real-time Group Chat
Users can create or join public or private groups. Seamless text and image messages using WebSocket and serverless architecture.

🧠 Smart Moderation with AI
All text messages are moderated by Amazon Bedrock's Nova model for abuse and toxic language. Using AWS Rekognition, uploaded images are scanned for safety, instantly blocking unsafe or adult content.

🤖 AskBot The Friendly Chat Assistant
Got a question or stuck on something? Just tag @askbot in your group chat. AskBot uses the latest AWS Nova model to help kids solve doubts safely and quickly.

Chatlings🐾 Architecture

Chatlings is a serverless app built using:-

AWS Lambda, DynamoDB, S3, Bedrock, Rekognition and API Gateway for backend.
Cognito userpool and Lambda authorizer for authentication.
React, Zustand and other frontend tools for delightful interface.

The application is exposed using CloudFront CDN. The default CDN behaviour points to the React frontend. React app redirects the user to the Cognito login page, and after successful OAuth2.0 login flow, getSignedCookies API call happens to get CloudFront signed cookies. These cookies are used to access images handled by “/media*” behaviour.

After that app loads and websocket connection ($connect) is established. ACCESS_TOKEN verification is done in the same step with the help of Lambda authorizer. Then, depending on user interaction, action messages are sent to the Websockets API gateway, and processing happens.

1. Create/Join Group action
When any user creates a group, the lambda function is triggered, and group metadata is stored in DynamoDB. On join group action, groupCode is verified and records are created.

2. Text Message Moderation
When user sends message using sendMessage action, first of all, lambda verifies if user belongs to the group. After that, message is stored in DynamoDB and user receives immediate feedback.

Then DynamoDB stream triggers another lambda that looks for new INSERT message operations and uses Bedrock Nova model to moderate the message. If the message is toxic, content is removed from DynamoDB. The same lambda function notifies all active connections (that are part of this group) about this message.

3. Image Message Moderation
User triggers generateS3PreSignedURL action and uploads image file to S3. File upload to S3 triggers the imageAnalyzer Lambda function that uses Rekognition to verify image content. If the image is not suitable for kids, it is deleted immediately and only flag is stored in DynamoDB. Else, image URL is stored in DynamoDB.

INSERT operation in DynamoDB table again triggers messageAnalyzer lambda, but it sends notification only for image files.

4. CloudFront Signed Cookies
Access to image files is restricted with the help of CloudFront signed cookies that were created just after successful login.

5. AskBot AI Assistant
When user mentions @askbot in the message, the askbot route is triggered, which calls Nova model to answer the question. Both user’s query and model’s response are stored in DynamoDB table. Again, the INSERT operation triggers moderation followed by notification of both messages.

6. DynamoDB Single Table Design
All data is stored in a single DynamoDB table that is designed keeping access pattern in mind instead of the structure of the data. Table schema is as follows:-

Conclusion
Chatlings🐾 helps kids interact with friends while staying protected by cutting-edge AI moderation. All of this is powered by a fully serverless, event-driven architecture built on AWS.

GitHub:- https://github.com/TrickSumo/Chatlings

Thanks for reading, hope you enjoyed, Thanks 🌿

Creating Fruit Tetris🍎Using Amazon Q Developer CLI

Rishi — Sat, 14 Jun 2025 09:21:58 +0000

This weekend I'm having fun with Amazon Q CLI. Using Q CLI, created this game called Fruit Tetris (one of first ever games that I played eons ago on a flip-flop mobile probably running on Symbian Java).

It took me more time to install CLI itself than to create this awesome 2D game. Before we dive into the instructions, let's play the game. Use the up/down/arrow key to control, move and rotate the blocks.

Installing Amazon Q CLI

There are already great tutorials available for Linux and Windows, so I will not reiterate here. Make sure "Virtualization" is enabled in your computer (that is something you can look for in the boot menu settings) and just follow the instructions, it is easy peasy 🫛

How To Create The Game

Once Q CLI is installed and login is done, run "q chat" command (restart the terminal if "q" command is not recognized).

Give instructions for your favorite game that you want to create and it will be ready within minutes! Reiterate, add, and improve after that🚀

Here are the instructions that I gave:-

I want to create a Tetris game where blocks are fruits, and when 3 fruits are accumulated, they are destroyed.
Each block should be made of the same fruits. Also, blocks should be destroyed only when 6 fruits are the same.
There is some bug... fruits are disappearing even if 6 are not touching each other. Even if the overall count is 6, fruits are being destroyed.
Is it possible to support controls for Android?

You should also try it out, it is fun😃

Spring Pokédex - Explore! Identify! Appreciate!

Rishi — Fri, 06 Jun 2025 14:24:07 +0000

Spring is the season of nature’s greenery, blooming flowers, and buzzing insects. There are millions and trillions of species of flora and fauna. Often, we come across something mesmerizing but don’t know what it is!

To solve this mystery, Spring Pokédex comes to the rescue. This blog post dives into how the Spring Pokédex works and the architecture behind it.

UX Workflow - A Magical Experience 🌿

Ashley, a budding AWS engineer, went to the park on a beautiful spring day. While strolling around, she noticed a reddish-pink flower with a unique, shooting fragrance. She had never seen this flower and wondered what is the name of this species. Suddenly, she recalled that her friend Brock had once mentioned that an app named Spring Pokédex is handy in these situations.

She quickly opened the application, created an account, and logged in without any issues. Thanks to AWS Cognito for handling user management.

After that, she clicked on the “Scan Now” button and took a photo of the plant. The image started uploading and a notification confirmed the successful upload. A short while later, a notification popped up: “Creature Identified!”. Ashley screamed with joy! As she tapped the notification, the screen displayed 🌸Frangipani (Plumeria).

Behind the scenes, the image was securely uploaded using S3-Presigned URLs, and a real-time notification system (powered by Momento Topics) awaited the results.

She clicked on the “Share” button and a unique shareable link was generated (powered by Momento Cache) which she quickly sent to Brock.

Later that day, after reaching home, Ashley thought “What if other users could access the images she uploaded? 🤔”. Curious, she opened her laptop and tried to access the image she uploaded but this time as another user. To her surprise, it did not work, access was denied!
Why? Because access to files has been protected using CloudFront signed cookies.

Ashley was seriously impressed. Her curiosity sparked, and she wanted to dive deeper into the architecture behind the application. She wondered if any documentation was available online — and luckily, there was.

Spring Pokédex Architecture: High-Lvl Overview 🔮

Let’s see what really powers the magic of Spring Pokédex🪄

Bit Scary, isn’t it? Well, let us break it down into small workflows.

1. CloudFront CDN And Its Behaviours

The application is delivered through AWS CloudFront distribution. And it has 3 behaviors pointing to 3 different origins.

The first behaviour matches “/api*” in the URL and points to the AWS API gateway (protected by Cognito authorizer).

The second behaviour looks for the path pattern “/images” and points to the “images” folder of the application bucket. This behaviour restricts view access using signedCookies and signedURLs.

If none of the above behaviour match, the default behaviour serves the React application from the “dist” folder of the S3 bucket (using origin access identity OAI).

2. What Happens When App Loads?

If the user is not authenticated, redirection happens to Cognito managed login. After successful authentication, the user is redirected to the callback URL of the application with authorization_code that is used to request ACCESS_TOKEN (as part of the oAuth2.0 protocol).

After that, a request to “/api/getSignedCookies” is made to get CloudFront signed cookies for “/images/cognitoUserId/*” folder of S3, ie. users can access images uploaded by them only.

Also, a request is made to “/api/getDisposableToken” endpoint to get the Momento disposable token. Lambda function with valid Momento credentials sits behind the API and acts as a disposable token vending machine.

Momento token contains view-only scopes for Momento Topic named “pubsub-cache:cogintoUserId” and cache named “shared-cache”. Frontend uses the Momento disposable token to subscribe to the topic.

3. Discover Nature - One Scan At A Time!

The user clicks on the “Scan Now” button and selects (captures using the camera) an image to upload. Frontend makes a request to “/api/getSignedURL” endpoint to get signedURL and upload the image. Once the image is uploaded, frontend reflects the status as “Processing” and waits for a status update message on the Momento topic.

The image is uploaded to AWS S3 as “/images/cognito-user-id/image.png” and triggers the SpringScanner AWS Lambda function. The Lambda function generates a CloudFront signed URL for the image and calls OpenAI API using it.

On success, lambda stores data in the DynamoDB table and also publishes a success message to the Momento topic. On failure or crash of lambda function, the event goes to SQS queue (Dead-Letter Queue) and triggers DLQ handler lambda function that publishes failure message to the topic.

Frontend listens for these messages and shows details to the user in realtime. Mometo topic helps to achieve this without having any websockets connection.

4. Check History Or Share Your Discovery

At the time of the scan, data is stored in a DynamoDB table where userId is the partition key and S3ObjectKey is the sort key. History of scans for a user can be fetched by querying dynamo table using userId (/scanHistory endpoint).

When the user decides to share the scan with someone, api call to “/shareScan” endpoint is made. Using the userId from lambda event and scanId received as part of API payload, a DynamoDB call retrieves the scan details.

Since image access is allowed only for the original uploader, the imageUrl can’t be shared directly. To solve this, a CloudFront signed URL is generated with a validity of 24 hours.

This signed URL and the scan details are stored in a Momento cache with a unique identifier. That identifier becomes part of the shareable URL. Both the cache entry and the signed URL have a TTL of 24 hours, so the shared scan remains accessible to others for one day only.

5. Rate Limiting The Scans

Momento cache is also used to limit how many scan operations a user can perform in a single day.

For each user, a cache key like “userid-date-today” is created, and its value is incremented with every image upload (this logic is integrated into the getSignedURL Lambda function).

Once the max threshold is reached, the API returns a 429 Too Many Requests, and the frontend blocks further uploads.

6. Securing The Secrets

The Lambda functions use sensitive credentials like the Momento API key, OpenAI API key, and the CloudFront private key. These secrets should never be stored directly in code.

One option is to store them in Lambda environment variables and encrypt them using a KMS customer-managed key for additional security. But a more secure and flexible approach is to store secrets in AWS SSM Parameter Store or AWS Secrets Manager.

To simplify secret access in Lambda, middy middleware is used. Middy helps to inject secrets from SSM or Secrets Manager into function’s context.

🐼 Final Thoughts
Ashley closed her laptop with a smile. What started as a simple curiosity in the park turned into a deep dive into modern serverless event-driven architecture.

GitHub:- https://github.com/TrickSumo/Spring-Pokedex

Thanks for reading, and I hope you enjoyed Spring Pokédex project 🌱

AWS Serverless CRUD App Tutorial Using Lambda, API Gateway, DynamoDB, Cognito and Cloudfront CDN

Rishi — Tue, 08 Apr 2025 14:40:16 +0000

In this tutorial, we will use AWS services to create a serverless application for a coffee shop. The user (coffee shop owner in this case) can authenticate using AWS Cognito and manage inventory (perform CRUD operations).

Github Repo: https://github.com/TrickSumo/AWS-CRUD-Serverless

Architecture Overview

We will use DynamoDB to store data and lambda functions (with lambda layer) to process API gateway requests. API gateway will be secured by Cognito and exposed with the help of Cloudfront CDN. React frontend will also be configured with Cognito UserPool and hosted on S3 and Cloudfront.

Optionally, Cloudflare and AWS Certificate Manager can be used to add a custom domain to Cloudront distribution.

Step 1 – Create DynamoDB Table

Head over to the AWS console and navigate to the DynamoDB section. Then create a new table with table name as “CoffeeShop” and partiton key as “coffeeId”.

Create a new item (coffee) in the table and fill attributes like coffeeId, name, price, and availability. It will be helpful to test connectivity to DynamoDB.

{
"coffeeId": "c123",
"name": "new cold coffee",
"price": 456,
"available": true
}

Step 2 – Create IAM Role For Lambda Function

Create a new IAM role with permissions to create CloudWatch logs and CRUD access to the “CoffeeShop” DynamoDB table. Let us call this IAM role as “CoffeeShopRole” and its a generic role for all our lambda functions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "dynamodb:PutItem",
                "dynamodb:DeleteItem",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:UpdateItem"
            ],
            "Resource": "arn:aws:dynamodb::<DYNAMODB_TABLE_NAME>"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}

Step 3: Create Lambda Layer And Lambda Functions

First, create a Node.js Lambda layer that includes the DynamoDB library and common utility functions. It will help us avoid redundant installations of the same dependencies across multiple Lambdas.

mkdir nodejs
cd nodejs
npm init
npm i @aws-sdk/client-dynamodb @aws-sdk/lib-dynamodb
touch utils.mjs

Now create a utils.mjs file to keep the code for DynamoDB client initialization and createResponse function.

import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
import {
    DynamoDBDocumentClient,
    ScanCommand,
    GetCommand,
    PutCommand,
    UpdateCommand,
    DeleteCommand
} from "@aws-sdk/lib-dynamodb";

const client = new DynamoDBClient({});
const docClient = DynamoDBDocumentClient.from(client);

const createResponse = (statusCode, body) => {
    return {
        statusCode,
        headers: { "Content-Type": "application/json" },
        body: JSON.stringify(body),
    };
};

export {
    docClient,
    createResponse,
    ScanCommand,
    GetCommand,
    PutCommand,
    UpdateCommand,
    DeleteCommand
};

Then, create a zip of the content and upload it in a new lambda layer. According to convention, the folder where we keep all these dependencies must be named “nodejs”. Apart from that, the name of the zip file and lambda layer can be anything.

In our case, let us create zip named “layer.zip” and upload it to the Lambda layer named “Dynamo-Layer”

cd ..
zip -r layer.zip nodejs

Now create four lambda functions and attach this layer (Dynamo-Layer) and IAM Role (CoffeeShopRole) to them.

// getCoffee Function

import { docClient, GetCommand, ScanCommand, createResponse } from '/opt/nodejs/utils.mjs'; // Import from Layer

const tableName = process.env.tableName || "CoffeeShop";

export const getCoffee = async (event) => {
    const { pathParameters } = event;
    const { id } = pathParameters || {};

    try {
        let command;
        if (id) {
            command = new GetCommand({
                TableName: tableName,
                Key: {
                    "coffeeId": id,
                },
            });
        }
        else {
            command = new ScanCommand({
                TableName: tableName,
            });
        }
        const response = await docClient.send(command);
        return createResponse(200, response);
    }
    catch (err) {
        console.error("Error fetching data from DynamoDB:", err);
        return createResponse(500, { error: err.message });
    }

}

// createCoffee Function

import { docClient, PutCommand, createResponse } from '/opt/nodejs/utils.mjs'; // Import from Layer

const tableName = process.env.tableName || "CoffeeShop";

export const createCoffee = async (event) => {
    const { body } = event;
    const { coffeeId, name, price, available } = JSON.parse(body || "{}");

    console.log("valuies", coffeeId, name, price, available);


    if (!coffeeId || !name || !price || available === undefined) {
        return createResponse(409, { error: "Missing required attributes for the item: coffeeId, name, price, or available." });
    }

    const command = new PutCommand({
        TableName: tableName,
        Item: {
            coffeeId,
            name,
            price,
            available
        },
        ConditionExpression: "attribute_not_exists(coffeeId)",
    });

    try {
        const response = await docClient.send(command);
        return createResponse(201, { message: "Item Created Successfully!", response });
    }
    catch (err) {
        if (err.message === "The conditional request failed")
            return createResponse(409, { error: "Item already exists!" });
        else
            return createResponse(500, {
                error: "Internal Server Error!",
                message: err.message,
            });
    }

}

// updateCoffee Function

import { docClient, UpdateCommand, createResponse } from '/opt/nodejs/utils.mjs'; // Import from Layer

const tableName = process.env.tableName || "CoffeeShop";

export const updateCoffee = async (event) => {
    const { pathParameters, body } = event;

    const coffeeId = pathParameters?.id;
    if (!coffeeId)
        return createResponse(400, { error: "Missing coffeeId" });

    const { name, price, available } = JSON.parse(body || "{}");
    if (!name && !price && available === undefined)
        return createResponse(400, { error: "Nothing to update!" })

    let updateExpression = `SET  ${name ? "#name = :name, " : ""}${price ? "price = :price, " : ""}${available ? "available = :available, " : ""}`.slice(0, -2);

    try {

        const command = new UpdateCommand({
            TableName: tableName,
            Key: {
                coffeeId,
            },
            UpdateExpression: updateExpression,
            ...(name && {
                ExpressionAttributeNames: {
                    "#name": "name", // name is a reserved keyword in DynamoDB
                },
            }),
            ExpressionAttributeValues: {
                ...(name && { ":name": name }),
                ...(price && { ":price": price }),
                ...(available && { ":available": available }),
            },
            ReturnValues: "ALL_NEW", // returns updated value as response
            ConditionExpression: "attribute_exists(coffeeId)", // ensures the item exists before updating
        });

        const response = await docClient.send(command);
        console.log(response);
        return response;

    }
    catch (err) {
        if (err.message === "The conditional request failed")
            return createResponse(404, { error: "Item does not exists!" });
        return createResponse(500, {
            error: "Internal Server Error!",
            message: err.message,
        });
    }
}

// deleteCoffee Function

import { docClient, DeleteCommand, createResponse } from '/opt/nodejs/utils.mjs'; // Import from Layer

const tableName = process.env.tableName || "CoffeeShop";

export const deleteCoffee = async (event) => {
    const { pathParameters } = event;
    const coffeeId = pathParameters?.id;
    if (!coffeeId)
        return createResponse(400, { error: "Missing coffeeId" });

    try {
        const command = new DeleteCommand({
            TableName: tableName,
            Key: {
                coffeeId,
            },
            ReturnValues: "ALL_OLD", // returns deleted value as response
            ConditionExpression: "attribute_exists(coffeeId)", // ensures the item exists before deleting
        });

        const response = await docClient.send(command);
        return createResponse(200, { message: "Item Deleted Successfully!", response });
    }
    catch (err) {
        if (err.message === "The conditional request failed")
            return createResponse(404, { error: "Item does not exists!" });
        return createResponse(500, {
            error: "Internal Server Error!",
            message: err.message,
        });
    }
}

Step 4: Create API Gateway To Expose Lambda Functions

Create an HTTP API Gateway and add five routes pointing to the above lambda functions.

GET /coffee -> getCoffee lambda function
GET /coffee/{id} -> getCoffee lambda function
POST /coffee -> createCoffee lambda function
PUT /coffee/{id} -> updateCoffee lambda function
DELETE /coffee/{id} -> deleteCoffee lambda function

At this point, you should be able to use all APIs using Postman or Thunderclient.

Step 5: Create Cognito UserPool And API Gateway Authorizer

Create a cognito UserPool with a public client (SPA App) and use it as a JWT authorizer for API gateway for all the routes.

Step 6: Setup React Application And Upload Build To S3 Bucket

Create a new React app and configure it with Cognito. You can copy files from here: https://github.com/TrickSumo/AWS-CRUD-Serverless/tree/main/FrontendWithAuth

Create a new S3 bucket, build the React app, and upload the “dist” folder to the S3 bucket.

Step 7: Create Cloudfront Distribution With Behaviors For S3 And API Gateway

Create a new Cloudfront distribution with S3 as the origin and use OAC to access the private bucket (make sure to update bucket policy).

Create another origin pointing to API gateway and create a new behaviour to redirect “/coffee*” routes to this new origin.

Step 8: Attach Custom Domain Name To CDN (Optional)

Edit CDN settings to add an alternate domain name. Use AWS Certificate Manager to issue an SSL certificate (to verify domain ownership, CNAME record method can be used).

Create a new CNAME record from the domain name control panel to point to the Cloudfront distribution URL.

Done 🥳

Step 9: Clean Up All Resources

Now it’s time to clear all resources. Delete CDN, DynamoDB, API Gateway, Lambdas (with Layer), IAM Role, ACM certificate, and Cognito UserPool.

Hope you enjoyed the tutorial! Thanks 🙂

AWS KMS Deep Dive - The Mystery Of Envelope Encryption

Rishi — Sun, 23 Mar 2025 15:45:00 +0000

AWS Key Management Service (KMS) allows you to create/manage encryption keys that are used to encrypt/decrypt and sign/verify data. AWS internally uses KMS across many services for encryption, so even if you’re not familiar with it, there’s a high chance you’ve already used it while working with other services (like while creating an S3 bucket!).

In this post, we will explore how KMS uses envelope encryption, understand different KMS key types, and finally do hands-on with KMS using AWS CLI commands.

Let’s start with the story of Pandora to get a gist of envelope encryption.

Pandora And The Envelope Encryption

The story goes like this, Zeus (king of Olympus) gave Pandora a box and asked her to never open it at any cost. But curious Pandora got curious and opened it anyway.

Zeus could have given Pandora a locked box with a key and asked to not open it. In this scenario, Pandora might lose the key. Or she might open the locked box and claim she doesn’t know who did it.

Zeus can also try to lock the box using his own key and give only the box to Pandora. In this case, Zeus would be responsible for keeping the key safe. Also, someone might steal the key from Zeus and open the box.

To solve these problems, Zeus could have used envelope encryption. First, he locks the box using a unique key. Then, instead of giving her the raw key, he encrypts it using his lightning bolt weapon⚡(his strongest secret). Now, he gives Pandora both the locked box and the encrypted key. This ensures:

Pandora can’t open the box without Zeus’ help (Zeus must decrypt the key first to unlock the box).
If Pandora loses the key, no one else can use it.
To unlock the box, Pandora must call Zeus to decrypt the key. Later, she can’t deny granting access by claiming she doesn’t know who opened the box.

Envelope Encryption

The above story is an example of envelope encryption, where the key used to encrypt the message (Pandora’s box of hope in our story) is encrypted itself (often using a more secret key ⚡). Then both the encrypted object (box) and encrypted key are stored together.

It is called envelope encryption because the key used for locking the box is wrapped (enveloped/encrypted) by a super-secure master key. Then both locked object and encrypted key are packed into a single structure (thus forming an envelope).

The purpose of encrypting a key with another key (multiple layers of keys) is to provide centralized key management and auditing while ensuring that the primary key is never exposed in an unencrypted form. Check out the article on FreeCodeCamp on how envelope encryption helps to manage encryption at scale.

KMS Key Types

Based on ownership, KMS offers three key types –

AWS Owned Keys (free) =>These keys provide default encryption for most of the services. You might have seen the SSE-S3 option while creating an S3 bucket. Everything is handled in the background and these keys are not visible anywhere. No visibility on audit trails or key rotation.
AWS Managed Keys (free) => These keys are also to be used by AWS services only (aws/s3 or aws/rds). However, customers can see key policies and CloudTrail events for AWS-managed keys. Everything else is managed by AWS.
Customer Managed Keys ($1/month) => You (customer) own this key and can view audit trails and rotate on demand (Careful! Each key rotation adds $1/month to the bill since all versions are retained). If you want to call KMS API to create a key and use it in your applications, this is the type that you need.

Based on cryptographic structure, a key can be symmetric or asymmetric. For the rest of the tutorial, we will focus on customer-managed symmetric KMS keys.

Envelope Encryption In Action – KMS Workflow

Fair warning before we proceed forward, you are going to encounter a lot of keys. Be prepared!

Step1: Key Creation

When a customer-managed KMS key is created, AWS uses HSM (hardware security module) hardware to create HSM Backing Key (HBK⚡). Since it’s not possible to keep HBK in memory of HSM forever, it must be exported to durable storage. But HBK cannot leave the HSM unencrypted. So, HBK is encrypted using HSM-managed domain keys to generate an EKT (Exported Key Token) and stored in a database. Then our newly created KMS key points to this EKT.

Yes, a KMS key (also called customer master key CMK) does not contain actual key material. Instead, it acts as a pointer to the EKT (which is an encrypted version of the HBK itself)!

Step2: Envelope Encryption

When the user (or services like S3) requests a data key (also called Data Encryption Key but we will call it data key because the term DEK is needed for another key – I promised too many keys ☺️) from KMS to encrypt an object, it also tells which KMS key to use (either by specifying key id or key alias). As we know, the KMS key serves as a pointer to the EKT. So EKT is taken to HSM and converted back to HBK (HSM Backing Key ⚡). After that, HBK is combined with Nonce (random number) to create a Derived Encryption Key (DEK).

Inside the HSM, a data key is also generated (also called Customer Data Key CDK or Data Encryption Key). This key will be used to lock the box (encrypt the object). Then the data key is encrypted using DEK (derived encryption key) and both the plaintext data key and encrypted data key are sent to the user (or service). For now, DEK will be discarded by HSM. Remember, the DEK encrypts the data key, which in turn encrypts the object.

Now user can encrypt a file/object using the plaintext data key and immediately discard it. Then store the encrypted file and encrypted data key together.

Step3: Envelope Decryption?

In storage, we have an encrypted object and encrypted data key. To decrypt the object, we again need the plaintext data key but we deleted it just after encrypting the file/object (even S3 would also have done the same).

To get the plaintext data key, we send the encrypted data key to KMS as part of the decrypt API. AWS HSM extracts the KMS key ID/alias and nonce from the encrypted data key. From the KMS key, EKT is traced and HBK is calculated.

With HBK and nonce, the system regenerates the DEK (which was originally used to encrypt the data key). Then DEK is used to decrypt the data key and the plaintext data key is returned to the user.

Finally, the plaintext data key can be utilized to decrypt the encrypted file/object.

KMS Hands-On Using AWS CLI – Less Than 4KB File Size

For files smaller than 4KB, no need to request a data key. Just call encrypt/decrypt API and KMS will take care of all other things internally.

Create a symmetric KMS customer-managed key with Alias “learn”. Make sure to have encrypt and decrypt privileges for your AWS user.
Open AWS CLI (top right in console), and create a file named myFile.txt.
Call KMS encrypt command
aws kms encrypt --key-id alias/learn --plaintext fileb://myFile.txt --output text --query CiphertextBlob --region ap-south-1 | base64 -d > myFile.encrypted
Now you should be able to see a new encrypted file myFile.encrypted.
To decrypt the file, use the KMS decrypt command
aws kms decrypt --ciphertext-blob fileb://myFile.encrypted --output text --query Plaintext --region ap-south-1 | base64 -d
In CLI, you should be able to see the original text of myFile.txt.

KMS Hands-On Using AWS CLI – More Than 4KB File Size

For files bigger than 4KB, we can call GenerateDataKey API to get the data key and encrypted data key.

Get data key
aws kms generate-data-key --key-id alias/learn --key-spec AES_256 > data_key.json
Store both data keys
jq -r '.Plaintext' data_key.json | base64 --decode > data_key_plaintext jq -r '.CiphertextBlob' data_key.json | base64 -d > data_key_encrypted
Encrypt the “test.txt” file and delete the plaintext data key
openssl enc -aes-256-cbc -pbkdf2 -salt -in test.txt -out test.encrypted -pass file:data_key_plaintext && rm data_key_plaintext
For decrypting the file, decrypt the encrypted data key
aws kms decrypt --ciphertext-blob fileb://data_key_encrypted --output text --query Plaintext --region ap-south-1 | base64 --decode > data_key_plaintext
Then decrypt the locked file
openssl enc -d -aes-256-cbc -pbkdf2 -salt -in test.encrypted -out test.decrypted.txt -pass file:data_key_plaintext

KMS Use Cases – Project Ideas

Here are a few ideas to play with KMS:-

Password manager using KMS and DynamoDB.
JWT-based authentication – KMS can be used to sign and verify JWTs.
Use KMS to implement passkeys using FIDO2.0.

Share your ideas in the comments!

Conclusion – KMS is Not Scary Anymore!

Hope this tutorial helped you to understand the ins and outs of AWS KMS. Let me know your feedback and thoughts. Thanks 🙂

AWS Cognito Course For Beginners

Rishi — Fri, 14 Mar 2025 15:30:00 +0000

AWS Cognito is a robust tool for implementing an authentication and authorization layer on your application. In this course, we will understand Cognito offerings (User Pool and Identity Pool), different ways to use Cognito with your application (OAuth2.0 and SDK), and at the end will use our learnings to create a secure file sharing application (ShareMyFiles).

Prerequisites

Basic understanding of JavaScript, React, and NodeJS.
Familiarity with core AWS services (S3, IAM, API Gateway) will be helpful.

Course Structure

AWS Cognito introduction
- What is AWS Cognito?
- Difference between User Pool, ID Pool, and IAM
User Pool overview
- Users, Groups, MFA, Passkey & Managed Login
0Auth2.0 workflow with User Pool (Managed Login)
- 0Auth2.0 introduction, grant types, PKCE security, JWT authentication
- Public and Private OAuth2.0 clients
- User Pool with React (single page application), traditional backend and fullstack application
- Third-party (Google) login support
User Pool APIs and SDK (custom login page)
Secure AWS API Gateway using Cognito User Pool (JWT Authorizer)
Identity Pool
- Introduction
- Integration with User Pool and Google social login
- Role based access control
- APIs and SDK
ShareMyFiles (Build a Secure File Sharing App with AWS Cognito & S3)

Github repo containing code and curl commands:- Cognito Course

Hope people find it insightful. If there are any doubts, please let me know in the comments!

Thanks ☺️

What is So Special About Microsoft’s Majorana 1 Quantum Processor

Rishi — Sun, 09 Mar 2025 09:30:00 +0000

Recently, Microsoft announced Majorana 1 quantum processor that uses topological conductor to create quantum computers that can scale to a million qubits. In this post, we will decode why there is so much hype around Majorana 1 and understand how it works using simple analogies.

Quantum computers utilize phenomena of quantum mechanics (ie, superposition, entanglement, and interference) for performing certain kinds of operations much faster than classical computers. However, we still do not have a working quantum computer (that can run Doom 😁) because of something called noise.

What is Noise?

Like classical computers have bits, quantum equivalents are qubits. And these qubits utilize superposition (yes, yes, that both 0 and 1 at the same time thingy) to operate.

But these qubits are generally very small subatomic particles (like an electron) and are susceptible to disturbances. Quantum state gets lost because of minute events like temperature change, electromagnetic interference, or even vibrations. Anything that affects the state of a qubit (and thus ultimately causes calculation error) is called Noise.

No matter how much we shield our qubits, noise causes problems. And the time for which a quantum state can be maintained is measured as the Decoherence Time. So all quantum manufacturers work hard to increase this decoherence time.

What Are Majorana Quasiparticles?

Quasiparticles are not real fundamental particles but interactions of fundamental particles (emergent effects arising from the collective behavior of actual particles). And that interaction itself behaves as a particle and is hence called quasi-particle. It’s like an electron hole pair where if an electron moves from the valence band, leaving behind a void/space (or hole). This hole acts as a positively charged quasiparticle.

Majorana quasiparticles are those particles that are antimatter of their own (and they exist in pairs). If they touch each other, then destroy each other. However, when spatially separated, they can store quantum information in a way that resists noise.

These Majorana quasiparticle pairs are analogous to mini water whirlpools. Like both vortices rotate in opposite directions and can destroy each other, they are also linked internally.

Check out above video from “Physics Girl” where she demonstrates formation of such vortices in a swimming pool.

What is a Topological Conductor?

Similar to how conventional computation started with an Abacus, followed by vacuum tubes, electromagnetic relays, and transistors. Quantum computers are also on a hardware evolution journey. There are many modalities of quantum hardware like Google/IBM’s superconducting qubits, D-Wave’s trapped ion qubits, PsiQuantum’s photonic qubits. But all of them suffer from noise or information loss to some extent.

To fix this noise issue, topological conductors use Majorana quasiparticles to distribute the quantum state across the surface. Now even if some noise enters the system, it is less likely to cause errors because the quantum information is spread out across a topological structure rather than being localized in a single particle.

Check out “Dr. Ben Miles” video on Topological Quantum Chips for an in-depth understanding.

Quantum Future is Exciting!

However, some critics say that Microsoft still has not successfully created topological conductors that can scale. But even if there is some progress going on, that is good news.

Also, Amazon announced they are working on Ocelot quantum processors that use cat qubits🐈

Overall, Majorana 1 is a good candidate to take us out of the NISQ (Noisy intermediate-scale quantum) era.