AWS Secrets Manager
Store secrets/credentials and automatically rotate them
Ex: database credentials are encrypted and periodically rotated
Integration for Amazon RDS, Amazon Redshift, and Amazon DocumentDB
AWS SSM Parameter
Can store secrets (SecureString) but has NO automatic rotation; you or your application must rotate them if needed.
AWS KMS keys
Multi-tenant Key Management Service
Region Specific
Symmetric: a single key for both encryption and decryption
Asymmetric: two keys, a public and a private key, for encryption and decryption
Envelope Encryption:
Encrypting plaintext data with a data key, and then encrypting the data key under another key
master_key( data_key[ plaintext ] ) or
master_key{ data_key( data_key[ plaintext ] ) } and so on: each key can in turn be wrapped under a higher key
The top-level plaintext key-encryption key is known as the master key
KMS keeps and protects this master key for you; in KMS it is called a customer master key (KMS CMK)
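Envelope encryption as described above, as an added example (not AWS's or KMS's code): the master key is a local 32-byte stand-in for a KMS CMK, AES-GCM is assumed for both layers, and with real KMS the wrap and unwrap steps would be the GenerateDataKey and Decrypt API calls. Only the wrapped data key is stored beside the ciphertext; the plaintext data key is never persisted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// gcm builds an AES-GCM AEAD; key must be 16, 24 or 32 bytes.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// seal encrypts pt under key; a fresh random nonce is prepended to the output.
func seal(key, pt []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil { return nil, err }
	return aead.Seal(nonce, nonce, pt, nil), nil
}

// open reverses seal; GCM's tag check rejects a wrong key or tampered data.
func open(key, sealed []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil { return nil, err }
	n := aead.NonceSize()
	if len(sealed) < n { return nil, errors.New("ciphertext too short") }
	return aead.Open(nil, sealed[:n], sealed[n:], nil)
}

// EnvelopeEncrypt = master_key{ data_key[plaintext] }: a fresh 256-bit data key encrypts
// the data, then is wrapped under the master key (GenerateDataKey's job with real KMS).
func EnvelopeEncrypt(masterKey, pt []byte) (wrapped, ct []byte, err error) {
	dataKey := make([]byte, 32) // local stand-in for the plaintext data key KMS returns
	if _, err = rand.Read(dataKey); err != nil { return nil, nil, err }
	if ct, err = seal(dataKey, pt); err != nil { return nil, nil, err }
	wrapped, err = seal(masterKey, dataKey) // store this copy, never dataKey itself
	return wrapped, ct, err
}

// EnvelopeDecrypt unwraps the data key (KMS Decrypt with real KMS), then decrypts locally.
func EnvelopeDecrypt(masterKey, wrapped, ct []byte) ([]byte, error) {
	dataKey, err := open(masterKey, wrapped)
	if err != nil { return nil, err }
	return open(dataKey, ct)
}
```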
Request quotas
5,500 to 30,000 requests per second, depending on the region
ThrottlingException: returned when you exceed the allotted quota
Mitigation: lower your request rate
Retry with exponential backoff
CloudTrail: can be used to track KMS CMK usage (KMS API calls are logged)
CloudHSM
Dedicated, single-tenant HSM
A hardware security module (HSM) appliance that stores your encryption keys
FIPS 140-2 compliance
Integration with applications using PKCS#11, Java JCE, or Microsoft CNG interfaces.
High-performance in-VPC cryptographic acceleration (bulk crypto)
Amazon GuardDuty
Threat detection: continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads
AWS Shield
Protection against DDoS attacks
AWS WAF
Protects web applications from SQL injection and cross-site scripting