Agent skill

implementing-envelope-encryption-with-aws-kms

Envelope encryption is a strategy where data is encrypted with a data encryption key (DEK), and the DEK itself is encrypted with a master key (KEK) managed by AWS KMS. This approach allows encrypting

View SKILL.md on GitHub Repository
Stars 0
Forks 0

Install this agent skill to your Project

npx add-skill https://github.com/autohandai/community-skills/tree/main/implementing-envelope-encryption-with-aws-kms

SKILL.md

Implementing Envelope Encryption with AWS KMS

Overview

Envelope encryption is a strategy where data is encrypted with a data encryption key (DEK), and the DEK itself is encrypted with a master key (KEK) managed by AWS KMS. This approach allows encrypting large volumes of data locally while keeping the master key secure in a hardware security module (HSM) managed by AWS. This skill covers implementing envelope encryption using AWS KMS GenerateDataKey API.

Objectives

  • Understand the envelope encryption pattern and its advantages
  • Generate data encryption keys using AWS KMS GenerateDataKey
  • Encrypt/decrypt data locally using DEKs
  • Store encrypted DEK alongside ciphertext
  • Implement key caching to reduce KMS API calls
  • Handle key rotation with automatic re-encryption
  • Implement multi-region encryption for disaster recovery

Key Concepts

Envelope Encryption Flow

  1. Call kms:GenerateDataKey to get plaintext DEK + encrypted DEK
  2. Use plaintext DEK to encrypt data locally (AES-256-GCM)
  3. Store encrypted DEK alongside ciphertext
  4. Discard plaintext DEK from memory
  5. For decryption: call kms:Decrypt on encrypted DEK, then decrypt data

Advantages Over Direct KMS Encryption

Aspect Direct KMS Envelope Encryption
Max data size 4 KB Unlimited
Latency Network round-trip per operation Local encryption
Cost $0.03/10,000 requests Fewer KMS requests
Offline Not possible Yes (with cached DEKs)

KMS Key Types

  • AWS Managed: AWS creates and manages (aws/s3, aws/ebs)
  • Customer Managed: You create and manage policies
  • Custom Key Store: Backed by CloudHSM cluster

Security Considerations

  • Never store plaintext DEK; only keep encrypted DEK
  • Use key policies to restrict who can call GenerateDataKey and Decrypt
  • Enable AWS CloudTrail logging for all KMS API calls
  • Implement key rotation (automatic annual rotation for CMKs)
  • Use encryption context for authenticated encryption metadata
  • Handle KMS throttling with exponential backoff

Validation Criteria

  • GenerateDataKey returns plaintext and encrypted DEK
  • Data encrypts correctly with plaintext DEK using AES-256-GCM
  • Encrypted DEK can be decrypted via KMS Decrypt API
  • Decrypted DEK recovers the original data
  • Plaintext DEK is wiped from memory after use
  • Encryption context is validated during decryption
  • Key rotation re-encrypts DEKs with new master key

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

autohandai/community-skills

mapping-mitre-attack-techniques

Maps observed adversary behaviors, security alerts, and detection rules to MITRE ATT&CK techniques and sub-techniques to quantify detection coverage and guide control prioritization. Use when building an ATT&CK-based coverage heatmap, tagging SIEM alerts with technique IDs, aligning security controls to adversary playbooks, or reporting threat exposure to executives. Activates for requests involving ATT&CK Navigator, Sigma rules, MITRE D3FEND, or coverage gap analysis.

0 0
Explore
autohandai/community-skills

hunting-for-spearphishing-indicators

Hunt for spearphishing campaign indicators across email logs, endpoint telemetry, and network data to detect targeted email attacks.

0 0
Explore
autohandai/community-skills

analyzing-malicious-url-with-urlscan

URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat

0 0
Explore
autohandai/community-skills

implementing-zero-standing-privilege-with-cyberark

Deploy CyberArk Secure Cloud Access to eliminate standing privileges in hybrid and multi-cloud environments using just-in-time access with time, entitlement, and approval controls.

0 0
Explore
autohandai/community-skills

implementing-pam-for-database-access

Deploy privileged access management for database systems including Oracle, SQL Server, PostgreSQL, and MySQL. Covers session proxy configuration, credential vaulting, query auditing, dynamic credentia

0 0
Explore
autohandai/community-skills

detecting-t1003-credential-dumping-with-edr

Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation.

0 0
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results