원클릭으로 Manus에서 모든 스킬 실행

implementing-envelope-encryption-with-aws-kms

Envelope encryption is a strategy where data is encrypted with a data encryption key (DEK), and the DEK itself is encrypted with a master key (KEK) managed by AWS KMS. This approach allows encrypting

Manus에서 실행

스타15,980

포크1,946

업데이트2026년 6월 1일 10:13

출처

mukul975

mukul975/Anthropic-Cybersecurity-Skills

GitHub 저장소 열기 Creator 저장소 보기

설치 명령

다운로드

Manus에서 실행

유용한 대상SOC

정보 보안 분석가컴퓨터 및 수학직15-1212L4

파일 탐색기

8 개 파일

SKILL.md

readonly

name	implementing-envelope-encryption-with-aws-kms
description	Envelope encryption is a strategy where data is encrypted with a data encryption key (DEK), and the DEK itself is encrypted with a master key (KEK) managed by AWS KMS. This approach allows encrypting
domain	cybersecurity
subdomain	cryptography
tags	["cryptography","encryption","aws","kms","envelope-encryption","key-management"]
version	1.0
author	mahipal
license	Apache-2.0
nist_csf	["PR.DS-01","PR.DS-02","PR.DS-10"]
mitre_attack	["T1600","T1573","T1553","T1078.004","T1530"]

Implementing Envelope Encryption with AWS KMS

Overview

Envelope encryption is a strategy where data is encrypted with a data encryption key (DEK), and the DEK itself is encrypted with a master key (KEK) managed by AWS KMS. This approach allows encrypting large volumes of data locally while keeping the master key secure in a hardware security module (HSM) managed by AWS. This skill covers implementing envelope encryption using AWS KMS GenerateDataKey API.

When to Use

When deploying or configuring implementing envelope encryption with aws kms capabilities in your environment
When establishing security controls aligned to compliance requirements
When building or improving security architecture for this domain
When conducting security assessments that require this implementation

Prerequisites

Familiarity with cryptography concepts and tools
Access to a test or lab environment for safe execution
Python 3.8+ with required dependencies installed
Appropriate authorization for any testing activities

Objectives

Understand the envelope encryption pattern and its advantages
Generate data encryption keys using AWS KMS GenerateDataKey
Encrypt/decrypt data locally using DEKs
Store encrypted DEK alongside ciphertext
Implement key caching to reduce KMS API calls
Handle key rotation with automatic re-encryption
Implement multi-region encryption for disaster recovery

Key Concepts

Envelope Encryption Flow

Call kms:GenerateDataKey to get plaintext DEK + encrypted DEK
Use plaintext DEK to encrypt data locally (AES-256-GCM)
Store encrypted DEK alongside ciphertext
Discard plaintext DEK from memory
For decryption: call kms:Decrypt on encrypted DEK, then decrypt data

Advantages Over Direct KMS Encryption

Aspect	Direct KMS	Envelope Encryption
Max data size	4 KB	Unlimited
Latency	Network round-trip per operation	Local encryption
Cost	$0.03/10,000 requests	Fewer KMS requests
Offline	Not possible	Yes (with cached DEKs)

KMS Key Types

AWS Managed: AWS creates and manages (aws/s3, aws/ebs)
Customer Managed: You create and manage policies
Custom Key Store: Backed by CloudHSM cluster

Security Considerations

Never store plaintext DEK; only keep encrypted DEK
Use key policies to restrict who can call GenerateDataKey and Decrypt
Enable AWS CloudTrail logging for all KMS API calls
Implement key rotation (automatic annual rotation for CMKs)
Use encryption context for authenticated encryption metadata
Handle KMS throttling with exponential backoff

Validation Criteria

GenerateDataKey returns plaintext and encrypted DEK
Data encrypts correctly with plaintext DEK using AES-256-GCM
Encrypted DEK can be decrypted via KMS Decrypt API
Decrypted DEK recovers the original data
Plaintext DEK is wiped from memory after use
Encryption context is validated during decryption
Key rotation re-encrypts DEKs with new master key

이 저장소의 다른 Skills

같은 저장소

acquiring-disk-image-with-dd-and-dcfldd

mukul975/Anthropic-Cybersecurity-Skills

Create forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.

2026-06-0116.0k

analyzing-active-directory-acl-abuse

mukul975/Anthropic-Cybersecurity-Skills

Detect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths

2026-06-0116.0k

analyzing-android-malware-with-apktool

mukul975/Anthropic-Cybersecurity-Skills

Perform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.

2026-06-0116.0k

analyzing-api-gateway-access-logs

mukul975/Anthropic-Cybersecurity-Skills

Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect BOLA/IDOR attacks, rate limit bypass, credential scanning, and injection attempts. Uses pandas for statistical analysis of request patterns and anomaly detection. Use when investigating API abuse or building API-specific threat detection rules.

2026-06-0116.0k

analyzing-apt-group-with-mitre-navigator

mukul975/Anthropic-Cybersecurity-Skills

Analyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense.

2026-06-0116.0k

analyzing-azure-activity-logs-for-threats

mukul975/Anthropic-Cybersecurity-Skills

Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to detect suspicious administrative operations, impossible travel, privilege escalation, and resource modifications. Builds KQL queries for threat hunting in Azure environments. Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.

2026-06-0116.0k

name	implementing-envelope-encryption-with-aws-kms
description	Envelope encryption is a strategy where data is encrypted with a data encryption key (DEK), and the DEK itself is encrypted with a master key (KEK) managed by AWS KMS. This approach allows encrypting
domain	cybersecurity
subdomain	cryptography
tags	["cryptography","encryption","aws","kms","envelope-encryption","key-management"]
version	1.0
author	mahipal
license	Apache-2.0
nist_csf	["PR.DS-01","PR.DS-02","PR.DS-10"]
mitre_attack	["T1600","T1573","T1553","T1078.004","T1530"]

Implementing Envelope Encryption with AWS KMS

Overview

When to Use

When deploying or configuring implementing envelope encryption with aws kms capabilities in your environment
When establishing security controls aligned to compliance requirements
When building or improving security architecture for this domain
When conducting security assessments that require this implementation

Prerequisites

Familiarity with cryptography concepts and tools
Access to a test or lab environment for safe execution
Python 3.8+ with required dependencies installed
Appropriate authorization for any testing activities

Objectives

Understand the envelope encryption pattern and its advantages
Generate data encryption keys using AWS KMS GenerateDataKey
Encrypt/decrypt data locally using DEKs
Store encrypted DEK alongside ciphertext
Implement key caching to reduce KMS API calls
Handle key rotation with automatic re-encryption
Implement multi-region encryption for disaster recovery

Key Concepts

Envelope Encryption Flow

Call kms:GenerateDataKey to get plaintext DEK + encrypted DEK
Use plaintext DEK to encrypt data locally (AES-256-GCM)
Store encrypted DEK alongside ciphertext
Discard plaintext DEK from memory
For decryption: call kms:Decrypt on encrypted DEK, then decrypt data

Advantages Over Direct KMS Encryption

Aspect	Direct KMS	Envelope Encryption
Max data size	4 KB	Unlimited
Latency	Network round-trip per operation	Local encryption
Cost	$0.03/10,000 requests	Fewer KMS requests
Offline	Not possible	Yes (with cached DEKs)

KMS Key Types

AWS Managed: AWS creates and manages (aws/s3, aws/ebs)
Customer Managed: You create and manage policies
Custom Key Store: Backed by CloudHSM cluster

Security Considerations

Never store plaintext DEK; only keep encrypted DEK
Use key policies to restrict who can call GenerateDataKey and Decrypt
Enable AWS CloudTrail logging for all KMS API calls
Implement key rotation (automatic annual rotation for CMKs)
Use encryption context for authenticated encryption metadata
Handle KMS throttling with exponential backoff

Validation Criteria

GenerateDataKey returns plaintext and encrypted DEK
Data encrypts correctly with plaintext DEK using AES-256-GCM
Encrypted DEK can be decrypted via KMS Decrypt API
Decrypted DEK recovers the original data
Plaintext DEK is wiped from memory after use
Encryption context is validated during decryption
Key rotation re-encrypts DEKs with new master key