AWS Secrets Manager

  • Store secrets/credentials and automatically rotate them

    • Ex: database credentials are encrypted and periodically rotated

  • Integration for Amazon RDS, Amazon Redshift, and Amazon DocumentDB

AWS SSM Parameter Store

  • Can store secrets (SecureString), but there is NO automatic rotation; you or your application must rotate them if needed.

AWS KMS keys

  • Multi-tenant Key Management Service

  • Region-specific

  • Symmetric: a single key is used for both encryption and decryption

  • Asymmetric: two keys, a public key and a private key, are used for encryption and decryption

  • Envelope Encryption:

    • Encrypt the plaintext data with a data key, then encrypt the data key under another key

    • In notation: master_key(data_key(plaintext)), or

    • master_key(data_key(data_key(plaintext))) and so on, when data keys are themselves wrapped by further data keys

    • The top-level plaintext key-encryption key is known as the master key

    • KMS protects this plaintext master key for you; in KMS it is called a customer master key (KMS CMK)

  • Request quotas

    • 5,500 to 30,000 requests per second

    • ThrottlingException: returned when you exceed the allotted quota

      • Lower your request rate, or

      • Retry with exponential backoff

  • CloudTrail: can be used to track the use of KMS CMKs

CloudHSM

  • Dedicated, single-tenant HSM

  • You get a hardware security module (HSM) appliance in which to store your encryption keys

  • FIPS 140-2 compliant

  • Integrates with applications through the PKCS#11, Java JCE, or Microsoft CNG interfaces

  • High-performance in-VPC cryptographic acceleration (bulk crypto)

Amazon GuardDuty

  • Threat detection: continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads

AWS Shield

  • Protects against DDoS attacks

AWS WAF

  • Protects against SQL injection and cross-site scripting (XSS)