In this section, we will present the steps for creating KMS keys:

1. From the IAM dashboard navigation pane, click on Encryption Keys and then on the Get Started Now button to create a new master encryption key:

2. Select US West (Oregon) from the Region drop-down list:

3. In this step, we create an alias:
   • Alias (required): The alias is a display name that is used to easily identify the key. The alias must be between 1 and 32 characters long. An alias must not begin with aws as those are reserved by Amazon Web Services to represent AWS-managed keys.
   • Description: The description can be up to 256 characters long and should tell users what the key will be used to encrypt.
   • Click on Next Step, which will configure the users who administer the key:

4. Next, we specify a tag:

5. Next, we select the IAM role to define the administrative permissions. In this step, you associate the users/roles who have administration rights to this key. The administration rights are for enabling or disabling a key, the rotation of keys, and adding users/roles who can use the key. In our example, IAM group admin users is selected. Click on Next Step, which will configure the users who can use the key to encrypt and decrypt the data:

6. Next, we define the key usage permissions. We assign usage rights to the IAM users/roles. Usage rights in this context means to encrypt and decrypt data using this key. Click on Next Step to review the key policy:

7. We review the policy and click on the Finish button to complete the process. You can now review the policy before creating it. Click on Finish to create the new master key:

8. You should see the following success message: