Passwords, Secrets, Keys

Question 1

What does KMS integrate with?

Answer 1

AWS Services such as S3, EBS, RDS

Question 2

What is a CMK?

Answer 2

Customer Master Key

- contains key material used to encrypt and decrypt data

Question 3

What is a HSM?

Answer 3

Hardware Security Module

- a physical device that safeguards digital keys

Question 4

3 ways to generate a CMK

Answer 4

1) AWS creates it for you (AWS managed)
2) Import your own key
3) have key generated and used in an AWS CloudHSM Cluster

Question 5

Key Rotations*

Answer 5

• AWS can automatically rotate keys once a year

- only for keys that AWS generated

Question 6

KMS policies

Answer 6

polices are documents that describe who has access

- key policies - a resource-based policy giving access (required)

Question 7

Ways to control key permissions*

Answer 7

1) use the key policy
2) use IAM policies in combination with the key policy
3) use grants with key policies. this allows users to delegate their access to others.

Question 8

Cloud HSM

Answer 8

you rent this physical dedicated device from AWS

Question 9

KMS vs Cloud HSM

Answer 9

KMS: shared tenancy, automatic key rotation, automatic key generation
Cloud HSM: dedicated HSM hardware, full control of users, groups, keys, etc. No automatic key rotation*

Question 10

Secrets Manager

Answer 10

a service that securely stores, encrypts and rotates database credentials and other credentials

Question 11

KMS vs Secrets Manager

Answer 11

KMS = encryption keys

Secrets Manager = passwords, credentials (or other key value pair secrets)

Question 12

How does Secrets Manager ensure encryption at transit and at rest?

Answer 12

using KMS to encrypt your secrets

Question 13

How do you reduce risk of passwords being compromised in API calls?

Answer 13

API calls Secrets Manager to get the credentials

Question 14

Parameter Store

Answer 14

a capability of AWS Systems Manager that provides secure, hierarchical storage for configuration data management and secrets management
- Free

Question 15

Parameter Store Limits

Answer 15

• 10,000 parameters (max)

- no key rotation

Question 16

Secrets Manager vs Parameter Store

Answer 16

Secrets Manager

• costs more
• automatically rotate secrets
• generate random secrets

Parameter store

• store unencrypted or encrypted
• Free

Question 17

AWS Certificate Manager

Answer 17

• Allows you to create, manage and deploy public and private SSL certificates for use with other AWS services
• integrates with other AWS services: ELB, CloudFront, API Gateway*
• Benefits: cost = free
• automated renewals and rotation
• easy to set up