Passwords, Secrets, Keys Flashcards
What does KMS integrate with?
AWS services such as S3, EBS, RDS
What is a CMK?
Customer Master Key
- contains key material used to encrypt and decrypt data
What is an HSM?
Hardware Security Module
- a physical device that safeguards digital keys
3 ways to generate a CMK
1) AWS creates it for you (AWS managed)
2) Import your own key
3) Have the key generated and used in an AWS CloudHSM cluster
Key Rotations*
- AWS can automatically rotate keys once a year
- only for keys that AWS generated
KMS policies
Policies are documents that describe who has access
- key policies - a resource-based policy giving access (required)
Ways to control key permissions*
1) use the key policy
2) use IAM policies in combination with the key policy
3) Use grants with key policies; this allows users to delegate their access to others.
Cloud HSM
you rent this physical dedicated device from AWS
KMS vs Cloud HSM
KMS: shared tenancy, automatic key rotation, automatic key generation
Cloud HSM: dedicated HSM hardware, full control of users, groups, keys, etc. No automatic key rotation*
Secrets Manager
a service that securely stores, encrypts and rotates database credentials and other credentials
KMS vs Secrets Manager
KMS = encryption keys
Secrets Manager = passwords, credentials (or other key value pair secrets)
How does Secrets Manager ensure encryption in transit and at rest?
using KMS to encrypt your secrets
How do you reduce risk of passwords being compromised in API calls?
Make an API call to Secrets Manager to retrieve the credentials
Parameter Store
a capability of AWS Systems Manager that provides secure, hierarchical storage for configuration data management and secrets management
- Free
Parameter Store Limits
- 10,000 parameters (max)
- no key rotation