The key ARN is: arn:aws:kms:us-west-2:123456789012:key/12345678-abcd-abcd-abcd-123456789012. The key Id is: 2345678-abcd-abcd-abcd-1234 

--------------------------------------------------------------------------------
Welcome to the AWS Key Management SDK Getting Started scenario.
This program demonstrates how to interact with AWS Key Management using the AWS SDK for Java (v2).
The AWS Key Management Service (KMS) is a secure and highly available service that allows you to create
and manage AWS KMS keys and control their use across a wide range of AWS services and applications.
KMS provides a centralized and unified approach to managing encryption keys, making it easier to meet your
data protection and regulatory compliance requirements.

This Getting Started scenario creates two key types. A symmetric encryption key is used to encrypt and decrypt data,
and an asymmetric key used to digitally sign data.
Let's get started...


Press <ENTER> to continue:
Continuing with the program...

--------------------------------------------------------------------------------
1. Create a symmetric KMS key
First, we will create a symmetric KMS key that is used to encrypt and decrypt data by invoking createKey().

Press <ENTER> to continue:
Continuing with the program...

Created a customer key with ARN arn:aws:kms:us-west-2:123456789012:key/11223344-aaaa-bbbb-cccc-111222233344

Press <ENTER> to continue:
Continuing with the program...

--------------------------------------------------------------------------------
2. Enable a KMS key

By default when you create an AWS key, it is enabled. The code checks to
determine if the key is enabled. If it is not enabled, the code enables it.

Press <ENTER> to continue:
Continuing with the program...

The key is enabled.

Press <ENTER> to continue:
Continuing with the program...

--------------------------------------------------------------------------------
3. Encrypt data using the symmetric KMS key
One of the main uses of symmetric keys is to encrypt and decrypt data.
Next, you encrypt the string 'Hello, AWS KMS!' with the SYMMETRIC_DEFAULT encryption algorithm.


Press <ENTER> to continue:
Continuing with the program...

The encryption algorithm is SYMMETRIC_DEFAULT

Press <ENTER> to continue:
Continuing with the program...

--------------------------------------------------------------------------------
4. Create an alias
Enter an alias name for the key. The name should be prefixed with 'alias/'.
For example, 'alias/myFirstKey'.


alias/dev-encryption-key was successfully created.

Press <ENTER> to continue:
Continuing with the program...

--------------------------------------------------------------------------------
5. List all of your aliases.

Press <ENTER> to continue:
Continuing with the program...

The alias name is: alias/Scott
The alias name is: alias/alias/myAlias
The alias name is: alias/alias/s3-kms-key
The alias name is: alias/aws/cloud9
The alias name is: alias/aws/connect
The alias name is: alias/aws/dynamodb
The alias name is: alias/aws/ebs
The alias name is: alias/aws/elasticfilesystem
The alias name is: alias/aws/es
The alias name is: alias/aws/glue
The alias name is: alias/aws/kendra
The alias name is: alias/aws/kinesisvideo
The alias name is: alias/aws/lex
The alias name is: alias/aws/rds
The alias name is: alias/aws/redshift

Press <ENTER> to continue:
Continuing with the program...

--------------------------------------------------------------------------------
6. Enable automatic rotation of the KMS key
By default, when you enable automatic rotation of a KMS key,
KMS rotates the key material of the KMS key one year (approximately 365 days) from the enable date and every year
thereafter.

Press <ENTER> to continue:
Continuing with the program...

You have enabled key rotation for key 11223344-aaaa-bbbb-cccc-111222233344

Press <ENTER> to continue:
Continuing with the program...

--------------------------------------------------------------------------------
7. Create a grant.

A grant is a policy instrument that allows Amazon Web Services principals to use KMS keys.
It also can allow them to view a KMS key (DescribeKey) and create and manage grants.
When authorizing access to a KMS key, grants are considered along with key policies and IAM policies.

Press <ENTER> to continue:
Continuing with the program...

The grant id is 1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef

Press <ENTER> to continue:
Continuing with the program...

--------------------------------------------------------------------------------
8. List grants for the KMS key.

Press <ENTER> to continue:
Continuing with the program...

The grant Id is: 8f1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef

Press <ENTER> to continue:
Continuing with the program...

--------------------------------------------------------------------------------
9. Revoke the grant.

Press <ENTER> to continue:
Continuing with the program...

1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef was successfully revoked!

Press <ENTER> to continue:
Continuing with the program...

--------------------------------------------------------------------------------
10. Decrypt the data.
Lets decrypt the data that was encrypted in an early step.
We'll use the same key to decrypt the string that we encrypted earlier in the program.


Press <ENTER> to continue:
Continuing with the program...

Decrypted text is: Hello, AWS KMS!

Press <ENTER> to continue:
Continuing with the program...

--------------------------------------------------------------------------------
10. Create a key policy.
A key policy is a resource policy for an KMS key. Key policies are the primary way to control
access to KMS keys. Every KMS key must have exactly one key policy. The statements in the key policy
determine who has permission to use the KMS key and how they can use it.
You can also use IAM policies and grants to control access to the KMS key, but every KMS key
must have a key policy.

We will set a key policy.
    "Version": "2012-10-17",
    "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::0000000000:root"},
    "Action": "kms:*",
    "Resource": "*"
    }]


Press <ENTER> to continue:
Continuing with the program...

Policy Name: default
The Key already has a policy.

Press <ENTER> to continue:
Continuing with the program...

--------------------------------------------------------------------------------
11. Get the key policy.
Lets get the key policy to make sure it exists. 

Press <ENTER> to continue:
Continuing with the program...

The response is {
  "Version" : "2012-10-17",
  "Id" : "key-default-1",
  "Statement" : [ {
    "Sid" : "Enable IAM User Permissions",
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : "arn:aws:iam::123456789012:root"
    },
    "Action" : "kms:*",
    "Resource" : "*"
  } ]
}

Press <ENTER> to continue:
Continuing with the program...

--------------------------------------------------------------------------------
12. Sign your data with the asymmetric KMS key.
 Signing your data with an AWS key can provide several benefits that make it an attractive option
 for your data signing needs. By using an AWS KMS key, you can leverage the
 security controls and compliance features provided by AWS,
 which can help you meet various regulatory requirements and enhance the overall security posture
 of your organization.


Press <ENTER> to continue:
Continuing with the program...

Created KMS key with ID: 12345678-abcd-abcd-abcd-123456789012
Signature verification result: true

Press <ENTER> to continue:
Continuing with the program...

--------------------------------------------------------------------------------
13. Tag your symmetric KMS Key.
By using tags, you can improve the overall management, security, and governance of your
KMS keys, making it easier to organize, track, and control access to your encrypted data within
your AWS environment


Press <ENTER> to continue:
Continuing with the program...

Tagged KMS key with key-value pair

Press <ENTER> to continue:
Continuing with the program...

--------------------------------------------------------------------------------
14. Schedule the deletion of the KMS key.
By default, KMS applies a waiting period of 30 days,
but you can specify a waiting period of 7-30 days. When this operation is successful,
the key state of the KMS key changes to PendingDeletion and the key can't be used in any
cryptographic operations. It remains in this state for the duration of the waiting period.

Deleting a KMS key is a destructive and potentially dangerous operation. When a KMS key is deleted,
all data that was encrypted under the KMS key is unrecoverable. 

Would you like to delete the Key Management resources? (y/n)
y
You selected to delete the AWS KMS resources.

Press <ENTER> to continue:
Continuing with the program...

The key will be deleted in 7 days.
--------------------------------------------------------------------------------
This concludes the AWS Key Management SDK Getting Started scenario
--------------------------------------------------------------------------------