AWS Crypto Training

Upcoming Training Date: May 22nd - May 24th, 2023


The AWS Crypto Training (KMS, CloudHSM, ACM Private CA) course is recommended for anyone using, managing, deploying or designing key management solutions, secure cryptographic storage, PKI and encryption within AWS Cloud infrastructure.



About Course

This course demonstrates how to use AWS Cloud crypto services effectively to stay secure in the AWS Cloud. It focuses on data security best practices per AWS and industry standards for enhancing the security of cloud data and complementing cloud data governance.

The course highlights the security features of AWS cryptographic and PKI services, including AWS ACM Private CA, AWS KMS, AWS CloudHSM, and data encryption methods. You will also learn how to leverage AWS services and tools for automation using third-party tools such as Terraform, for continuous monitoring and logging, and for responding to security incidents.

Class Audience




Course Contents

Day 1

Module 01

  • Introduction to Cryptography
  • Symmetric Encryption and Asymmetric Encryption
  • Hash Functions and Digital Signatures
  • Security design principles and Shared responsibility model in AWS
  • DevOps integration of Terraform with AWS
  • Introduction to PKI environment – On-Premises, Cloud, and Hybrid
  • Introduction to AWS Crypto Services and tools (KMS, CloudHSM, and ACM Private CA)

Module 02: Deep dive into AWS KMS

  • Prerequisites and custom-built application integration
  • Data protection and industry compliance standards (FIPS, SOC, PCI, HIPAA, etc.)
  • Functionality, architecture and design considerations for Key Management as a Service in AWS
  • Understanding the Client-side and Server-side encryption techniques
  • Understanding Customer Managed Keys, AWS Managed Keys, and Key Rotation Policies
    • Lab 01: Creation of AWS Managed CMKs and Customer Managed CMKs in AWS environment
  • Understanding Symmetric and Asymmetric keys
    • Lab 02: Creation of Symmetric and Asymmetric Customer Managed Key (CMK)
  • Understanding the concept of BYOK (Bring Your Own Key), and integration of KMS with HSM
  • Management of keys (AWS Managed CMKs and Customer Managed CMKs) as per FIPS 140-2 Level 2/Level 3 compliance
    • Lab 03: Integration of Customer Managed Key with FIPS 140-2 Level 3 compliant HSM
  • Authentication and access control through the combination of key policies, IAM policies, and grants

AWS KMS use cases

  • Lab 04: Encryption of S3 buckets using CMK
  • Lab 05: Integration of AWS S3 bucket encryption with CMK using CloudHSM as a key storage
  • Lab 06: Integration of Amazon EBS (Elastic Block Store) with CMK
  • Lab 07: Digital Signing and verification of contents using CMK-Asymmetric feature
  • Troubleshooting for CloudTrail logs, S3 permissions and HSM audit logs

Day 2

Module 03: Deep dive into AWS CloudHSM

  • Prerequisites and multi-service integration
  • Data protection, FIPS, and PCI-DSS compliance
  • Software vs. hardware-based HSMs
  • Various CloudHSM models
  • Functionality, architecture and design considerations for HSM as a Service in AWS
  • Application integration with HSMs using software libraries
  • CloudHSM prerequisite environment
    • Lab 01: Setting up the prerequisites for the CloudHSM environment
  • CloudHSM Cluster provisioning and management
    • Lab 02: Deploying CloudHSM cluster in Multi-AZ environment
  • Install CloudHSM client Software
    • Lab 03: Installing CloudHSM client Software on Windows and Linux
  • Provisioning HSMs (Hardware Security Modules) in the Cluster
    • Lab 04: Deploying HSMs in the CloudHSM cluster
  • Hands-on exercises with the CloudHSM management and key management command-line tools
    • Lab 05: Activating the CloudHSM cluster with the CloudHSM management CLI tool and performing crypto key operations with the key management CLI tool

CloudHSM use cases

  • Lab 06: Protecting the private key of a Windows CA server with the AWS CloudHSM service
  • Lab 07: Bring your own key (BYOK) use case with CloudHSM
  • Troubleshooting for CloudHSM client logs, CloudTrail logs and HSM audit logs

Day 3

Module 04: Deep dive into AWS PKI Service (ACM Private CA)

AWS ACM Private CA

  • Prerequisites and multi-service integration
  • Cloud security and data protection
  • Certificate verification and certificate chaining
  • Simple Storage Service (S3) as a CRL service provider
  • Various cloud PKI models in AWS
  • Key factors in developing a CP/CPS document to architect the PKI infrastructure, including certificates and their attributes
  • Key considerations for outlining the key ceremony document for the Root CA
  • Functionality, architecture and design considerations for PKI as a Service

ACM-PCA use case:

  • Lab 01: Hands-on deployment of a two-tier PKI architecture in the AWS environment
  • Troubleshooting of CloudTrail logs, Windows CA Server logs, S3 permissions

Certificate of Completion

Every student who attends and completes the full training, scoring 70% in the AWS exam, will receive a certificate of completion. The certificate allows the student to qualify for ISC2 continuing education credits toward annual CPE commitments.