This is the fourth part in a series of articles that describe Using AWS KMS to Encrypt Values in CloudFormation Stacks.

Please note that by following the instructions in this article, you will incur charges related to the AWS Key Management Service. See the KMS pricing page for additional details, but each master key in KMS results in a $1.00/month charge to your AWS account.

In order to encrypt our sensitive information, we’re going to need an encryption key. You could roll and maintain your own keys, sure . . . but that introduces a lot of maintenance baggage, which is exactly what we’re trying to avoid in the first place. Enter AWS Key Management Service (KMS).

We’ll use KMS to create our encryption key. This is an extremely straight forward process that existing documentation and videos cover very well so I am not going to spend very much time on it here other than to say that when you get to the point of assigning users (not administrators) to your key, it is essential that you add the Lambda role that we created earlier.

Head over to the IAM console, and use the “Encryption Keys” item at the bottom of the menu on the left of the page to get started. Once your key is created, make a note of the key ID because we’ll need it in the final step (which is coming right up!).

Technically our Lambda function’s role only requires permissions to encrypt so if you feel like you need to remove decryption permissions by manually editing the key’s policy then that option is available. Have fun.

I also recommend the following video from AWS as a quick primer on KMS.

We’re done here, and with all the required pieces in place we can finally get down to the business at hand.