KMS

KMS - Key Management Service

Enumeration:

aws kms list-aliases --region <AWS_REGION>
aws kms list-aliases --region <AWS_REGION> --profile <PROFILE_NAME>

If we find a secret encrypted via the KMS service, we can base64-decode it, save the resulting binary data to a file, and decrypt that blob file using the KMS service.

Decrypt:

aws kms decrypt --profile <PROFILE_NAME> --ciphertext-blob fileb://<PATH_TO_FILE> --query Plaintext --output text --region <AWS_REGION>
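
The two steps above as one script. This is an added example, not part of the original notes: `save_blob` and `kms_decrypt_blob` are hypothetical helper names, and it assumes the AWS CLI plus a `base64` that accepts `-d`. The CLI returns `Plaintext` base64-encoded, so the second helper decodes it.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from the original page).

# save_blob <base64-ciphertext> <out-file>
# Strips whitespace and line breaks (common when the value is copied out of
# JSON or an environment variable), decodes it, and refuses to leave an
# empty or invalid blob on disk.
save_blob() {
  b64=$(printf '%s' "$1" | tr -d '[:space:]')
  out=$2
  if ! printf '%s' "$b64" | base64 -d > "$out" 2>/dev/null || [ ! -s "$out" ]; then
    rm -f "$out"
    echo "save_blob: input is not valid base64" >&2
    return 1
  fi
  chmod 600 "$out"
}

# kms_decrypt_blob <blob-file> <region> [profile]
# fileb:// makes the CLI read the file as raw bytes. No --key-id is passed,
# as in the command above: for symmetric keys KMS reads the key from the
# ciphertext metadata. Plaintext comes back base64-encoded, so decode it.
kms_decrypt_blob() {
  blob=$1
  region=$2
  profile=${3:-}
  set -- kms decrypt --ciphertext-blob "fileb://$blob" \
    --query Plaintext --output text --region "$region"
  if [ -n "$profile" ]; then
    set -- "$@" --profile "$profile"
  fi
  plaintext_b64=$(aws "$@") || return 1
  printf '%s' "$plaintext_b64" | base64 -d
}

# Usage (placeholders as in the commands above):
#   save_blob "<BASE64_CIPHERTEXT>" ./blob.bin
#   kms_decrypt_blob ./blob.bin <AWS_REGION> <PROFILE_NAME>
```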