diff --git a/10-kms/Practice-10.1/PlaintextFile b/10-kms/Practice-10.1/PlaintextFile
new file mode 100644
index 00000000..6675f302
--- /dev/null
+++ b/10-kms/Practice-10.1/PlaintextFile
@@ -0,0 +1 @@
+This is my secret file
\ No newline at end of file
diff --git a/10-kms/Practice-10.1/cmk_key.yml b/10-kms/Practice-10.1/cmk_key.yml
new file mode 100644
index 00000000..704bbc4c
--- /dev/null
+++ b/10-kms/Practice-10.1/cmk_key.yml
@@ -0,0 +1,55 @@
+Description: AWS CMK Key
+
+Resources:
+ myKey:
+ Type: 'AWS::KMS::Key'
+ Properties:
+ Description: A symmetric encryption KMS key
+ EnableKeyRotation: true
+ PendingWindowInDays: 20
+ KeyPolicy:
+ Version: 2012-10-17
+ Id: key-default-1
+ Statement:
+ - Sid: Enable IAM User Permissions
+ Effect: Allow
+ Principal:
+ AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
+ Action: 'kms:*'
+ Resource: '*'
+ - Sid: Allow administration of the key
+ Effect: Allow
+ Principal:
+ AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/desmond.ndambi.labs"
+ Action:
+ - 'kms:Create*'
+ - 'kms:Describe*'
+ - 'kms:Enable*'
+ - 'kms:List*'
+ - 'kms:Put*'
+ - 'kms:Update*'
+ - 'kms:Revoke*'
+ - 'kms:Disable*'
+ - 'kms:Get*'
+ - 'kms:Delete*'
+ - 'kms:ScheduleKeyDeletion'
+ - 'kms:CancelKeyDeletion'
+ Resource: '*'
+ - Sid: Allow use of the key
+ Effect: Allow
+ Principal:
+ AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/desmond.ndambi.labs"
+ Action:
+ - 'kms:DescribeKey'
+ - 'kms:Encrypt'
+ - 'kms:Decrypt'
+ - 'kms:ReEncrypt*'
+ - 'kms:GenerateDataKey'
+ - 'kms:GenerateDataKeyWithoutPlaintext'
+ Resource: '*'
+
+ myAlias:
+ Type: 'AWS::KMS::Alias'
+ Properties:
+ AliasName: alias/ndambi
+ TargetKeyId: !Ref myKey
diff --git a/10-kms/Practice-10.1/encryptedFile b/10-kms/Practice-10.1/encryptedFile
new file mode 100644
index 00000000..4630c9e4
Binary files /dev/null and b/10-kms/Practice-10.1/encryptedFile differ
diff --git a/10-kms/Practice-10.1/file.txt b/10-kms/Practice-10.1/file.txt
new file mode 100644
index 00000000..6675f302
--- /dev/null
+++ b/10-kms/Practice-10.1/file.txt
@@ -0,0 +1 @@
+This is my secret file
\ No newline at end of file
diff --git a/10-kms/Practice-10.1/scripts b/10-kms/Practice-10.1/scripts
new file mode 100644
index 00000000..f624bfba
--- /dev/null
+++ b/10-kms/Practice-10.1/scripts
@@ -0,0 +1,14 @@
+aws kms encrypt \
+ --key-id fbc58ad0-2bac-40fe-96ee-5ebd24d2f006 \
+ --plaintext fileb://file.txt \
+ --output text \
+ --query CiphertextBlob | base64 \
+ --decode > encryptedFile
+
+aws kms decrypt \
+ --ciphertext-blob fileb://encryptedFile \
+ --key-id fbc58ad0-2bac-40fe-96ee-5ebd24d2f006 \
+ --output text \
+ --query Plaintext | base64 \
+ --decode > PlaintextFile
+
diff --git a/10-kms/Practice-10.2/NewFile.txt b/10-kms/Practice-10.2/NewFile.txt
new file mode 100644
index 00000000..158a0601
--- /dev/null
+++ b/10-kms/Practice-10.2/NewFile.txt
@@ -0,0 +1 @@
+Test Client-Side encryption
diff --git a/10-kms/Practice-10.2/go.mod b/10-kms/Practice-10.2/go.mod
new file mode 100644
index 00000000..d6845094
--- /dev/null
+++ b/10-kms/Practice-10.2/go.mod
@@ -0,0 +1,10 @@
+module kms
+
+go 1.19
+
+require (
+ github.com/aws/aws-sdk-go v1.44.103 // indirect
+ github.com/aws/aws-sdk-go-v2 v1.16.16 // indirect
+ github.com/aws/smithy-go v1.13.3 // indirect
+ github.com/jmespath/go-jmespath v0.4.0 // indirect
+)
diff --git a/10-kms/Practice-10.2/go.sum b/10-kms/Practice-10.2/go.sum
new file mode 100644
index 00000000..70c1397e
--- /dev/null
+++ b/10-kms/Practice-10.2/go.sum
@@ -0,0 +1,22 @@
+github.com/aws/aws-sdk-go v1.44.103 h1:tbhBHKgiZSIUkG8FcHy3wYKpPVvp65Wn7ZiX0B8phpY=
+github.com/aws/aws-sdk-go v1.44.103/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
+github.com/aws/aws-sdk-go-v2 v1.16.16 h1:M1fj4FE2lB4NzRb9Y0xdWsn2P0+2UHVxwKyOa4YJNjk=
+github.com/aws/aws-sdk-go-v2 v1.16.16/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUYOqTerZPaF9k=
+github.com/aws/smithy-go v1.13.3 h1:l7LYxGuzK6/K+NzJ2mC+VvLUbae0sL3bXU//04MkmnA=
+github.com/aws/smithy-go v1.13.3/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
+github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
+github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
diff --git a/10-kms/Practice-10.2/s3_client_side_download.go b/10-kms/Practice-10.2/s3_client_side_download.go
new file mode 100644
index 00000000..096e6e33
--- /dev/null
+++ b/10-kms/Practice-10.2/s3_client_side_download.go
@@ -0,0 +1,55 @@
+package main
+
+import (
+ "fmt"
+ "io/ioutil"
+ "log"
+
+ "github.com/aws/aws-sdk-go/aws"
+ "github.com/aws/aws-sdk-go/aws/session"
+ "github.com/aws/aws-sdk-go/service/s3"
+ "github.com/aws/aws-sdk-go/service/s3/s3crypto"
+ "os"
+)
+
+var (
+ bucket = "kms-bucket-ndambi"
+ key = "clientside.txt"
+)
+
+func main() {
+ sess := session.New(&aws.Config{
+ Region: aws.String("us-east-1"),})
+
+ client := s3crypto.NewDecryptionClient(sess)
+
+ input := &s3.GetObjectInput{
+ Bucket: &bucket,
+ Key: &key,
+ }
+
+ result, err := client.GetObject(input)
+ // Aside from the S3 errors, here is a list of decryption client errors:
+ // * InvalidWrapAlgorithmError - returned on an unsupported Wrap algorithm
+ // * InvalidCEKAlgorithmError - returned on an unsupported CEK algorithm
+ // * V1NotSupportedError - the SDK doesn’t support v1 because security is an issue for AES ECB
+ // These errors don’t necessarily mean there’s something wrong. They just tell us we couldn't decrypt some data.
+ // Users can choose to log this and then continue decrypting the data that they can, or simply return the error.
+ if err != nil {
+ log.Fatal(err)
+ }
+
+ // Let's read the whole body from the response
+ b, err := ioutil.ReadAll(result.Body)
+ if err != nil {
+ log.Fatal(err)
+ }
+ //fmt.Println(string(b))
+
+ file, err := os.Create("NewFile.txt")
+ if err != nil {
+ fmt.Println(err)
+ return
+ }
+ fmt.Fprintf(file, "%v\n", string(b))
+}
diff --git a/10-kms/Practice-10.2/s3_client_side_upload.go b/10-kms/Practice-10.2/s3_client_side_upload.go
new file mode 100644
index 00000000..7f885b6b
--- /dev/null
+++ b/10-kms/Practice-10.2/s3_client_side_upload.go
@@ -0,0 +1,55 @@
+/*
+Licensed under the MIT-0 license https://github.com/aws/mit-0
+*/
+package main
+
+import (
+ "log"
+ "strings"
+
+ "github.com/aws/aws-sdk-go/aws"
+ "github.com/aws/aws-sdk-go/aws/credentials"
+ "github.com/aws/aws-sdk-go/aws/session"
+ "github.com/aws/aws-sdk-go/service/kms"
+ "github.com/aws/aws-sdk-go/service/s3"
+ "github.com/aws/aws-sdk-go/service/s3/s3crypto"
+)
+
+var (
+ cmkId = "fbc58ad0-2bac-40fe-96ee-5ebd24d2f006"
+ bucket = "kms-bucket-ndambi"
+ key = "clientside.txt"
+)
+
+func main() {
+ sess, err := session.NewSession(&aws.Config{
+ Region: aws.String("us-east-1"),
+ Credentials: credentials.NewSharedCredentials("", "default"),
+ })
+ // This is our key wrap handler, used to generate cipher keys and IVs for
+ // our cipher builder. Using an IV allows more “spontaneous” encryption.
+ // The IV makes it more difficult for hackers to use dictionary attacks.
+ // The key wrap handler behaves as the master key. Without it, you can’t
+ // encrypt or decrypt the data.
+ keywrap := s3crypto.NewKMSKeyGenerator(kms.New(sess), cmkId)
+ // This is our content cipher builder, used to instantiate new ciphers
+ // that enable us to encrypt or decrypt the payload.
+ builder := s3crypto.AESGCMContentCipherBuilder(keywrap)
+ // Let's create our crypto client!
+ client := s3crypto.NewEncryptionClient(sess, builder)
+
+ input := &s3.PutObjectInput{
+ Bucket: &bucket,
+ Key: &key,
+ Body: strings.NewReader("Test Client-Side encryption"),
+ }
+
+ _, err = client.PutObject(input)
+ // What to expect as errors? You can expect any sort of S3 errors, http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html.
+ // The s3crypto client can also return some errors:
+ // * MissingCMKIDError - when using AWS KMS, the user must specify their key's ARN
+ if err != nil {
+ log.Fatal(err)
+ }
+}
+