Certified Security - Specialty


Import Key Material (SHA1 vs SHA256)

Any reason you show using RSAES_OAEP_SHA_1 vs. the AWS-recommended RSAES_OAEP_SHA_256, which would be more secure? Reference: https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf (pg. 19). Also, are you using the oldest supported version of OpenSSL?

4 Answers

The RSAES_OAEP_SHA_1 encryption algorithm works best with this example. Before running the example, make sure that you used RSAES_OAEP_SHA_1 for the wrapping algorithm in Step 2. If necessary, repeat the step to download and import the public key and token.

https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-encrypt-key-material.html
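The point raised in the question and in the doc excerpt above is that the OAEP hash OpenSSL uses when wrapping must be the same one declared to KMS as the wrapping algorithm. The script below is an added example (not the course's commands and not AWS-provided code) that wraps 256-bit key material with RSAES_OAEP_SHA_1 and with RSAES_OAEP_SHA_256, and shows that a blob wrapped under one hash does not unwrap under the other. A locally generated RSA-2048 key pair stands in for the wrapping key KMS would return; in the real import flow only the public half (`WrappingPublicKey.bin`) is available and KMS performs the unwrap. File names follow the AWS walkthrough; the `rsa_oaep_md`/`rsa_mgf1_md` options assume an OpenSSL build that supports them.

```shell
#!/bin/sh
# Added example: wrap KMS import key material with RSA-OAEP using OpenSSL,
# once with SHA-1 and once with SHA-256, and verify the round trip locally.
# A local RSA-2048 key pair stands in for the KMS wrapping key (assumption).
set -eu

# Prerequisite check: everything below is OpenSSL.
command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping" >&2; exit 0; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the KMS wrapping key. The DER public half plays the role of
# WrappingPublicKey.bin from GetParametersForImport; the private half exists
# only so the wrapped blob can be checked here (KMS keeps the real one).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/wrapping_private.pem" 2>/dev/null
openssl pkey -in "$WORK/wrapping_private.pem" -pubout -outform DER \
    -out "$WORK/WrappingPublicKey.bin"

# KMS requires exactly 256 bits (32 bytes) of symmetric key material.
openssl rand -out "$WORK/PlaintextKeyMaterial.bin" 32

# wrap_key_material <sha1|sha256>
# Produces EncryptedKeyMaterial.<md>.bin, i.e. RSAES_OAEP_SHA_1 or
# RSAES_OAEP_SHA_256. The OAEP label hash and the MGF1 hash are set to the
# same digest, which is what the KMS wrapping algorithms specify.
wrap_key_material() {
    md="$1"
    openssl pkeyutl -encrypt \
        -in "$WORK/PlaintextKeyMaterial.bin" \
        -out "$WORK/EncryptedKeyMaterial.$md.bin" \
        -inkey "$WORK/WrappingPublicKey.bin" -keyform DER -pubin \
        -pkeyopt rsa_padding_mode:oaep \
        -pkeyopt "rsa_oaep_md:$md" \
        -pkeyopt "rsa_mgf1_md:$md"
}

# unwrap_matches <sha1|sha256>
# Local verification only: decrypt with the matching OAEP digest and confirm
# the original key material comes back byte for byte.
unwrap_matches() {
    md="$1"
    openssl pkeyutl -decrypt \
        -in "$WORK/EncryptedKeyMaterial.$md.bin" \
        -out "$WORK/Recovered.$md.bin" \
        -inkey "$WORK/wrapping_private.pem" \
        -pkeyopt rsa_padding_mode:oaep \
        -pkeyopt "rsa_oaep_md:$md" \
        -pkeyopt "rsa_mgf1_md:$md"
    cmp -s "$WORK/PlaintextKeyMaterial.bin" "$WORK/Recovered.$md.bin"
}

# mismatch_rejected
# Shows why the doc insists the algorithm chosen in Step 2 matches OpenSSL's:
# a blob wrapped with SHA-256 must fail OAEP decoding when the unwrapping
# side expects SHA-1. Returns 0 when the mismatch is rejected as expected.
mismatch_rejected() {
    wrap_key_material sha256
    if openssl pkeyutl -decrypt \
        -in "$WORK/EncryptedKeyMaterial.sha256.bin" \
        -out "$WORK/Recovered.mismatch.bin" \
        -inkey "$WORK/wrapping_private.pem" \
        -pkeyopt rsa_padding_mode:oaep \
        -pkeyopt rsa_oaep_md:sha1 \
        -pkeyopt rsa_mgf1_md:sha1 2>/dev/null; then
        return 1    # decrypting under the wrong digest should not succeed
    fi
    return 0
}

# wrapped_size <sha1|sha256>: size of the wrapped blob in bytes (RSA modulus
# size, so 256 for RSA-2048 regardless of the OAEP digest).
wrapped_size() {
    wc -c < "$WORK/EncryptedKeyMaterial.$1.bin" | tr -d ' '
}

# Demo run.
wrap_key_material sha256
unwrap_matches sha256 && echo "RSAES_OAEP_SHA_256: wrap/unwrap round trip OK"
wrap_key_material sha1
unwrap_matches sha1 && echo "RSAES_OAEP_SHA_1: wrap/unwrap round trip OK"
mismatch_rejected && echo "SHA-256-wrapped blob rejected when unwrapped as SHA-1: algorithms must match"
```

Switching the course's procedure to the recommended algorithm is therefore a matter of choosing RSAES_OAEP_SHA_256 in the import parameters and passing `sha256` to both `rsa_oaep_md` and `rsa_mgf1_md`; everything else in the flow, including the 32-byte key material requirement, stays the same.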

I must say that I also find this a bit perplexing, especially given this is a security course. Digging deeper into the documentation, AWS does not recommend using SHA1 in production and even explicitly states "The key material you import must be a 256-bit symmetric encryption key." The walk-through states to use SHA1 if you are using OpenSSL to generate the materials for a POC, as OpenSSL is often buggy and poorly implements cryptography.

The bad part is that even though the course name is AWS Security Specialty – 2020, this video seems to use a concept that is at least 2 years old. Maybe it's time to upload a new video for this example in KMS part 3?
