AWS Secrets Manager

• Store secrets/credentials and automatically rotate them

  • Ex: database credentials are encrypted and periodically rotated

• Integration for Amazon RDS, Amazon Redshift, and Amazon DocumentDB

AWS SSM Parameter

• Can store secrets (SecureString) but NO automatic rotation, you/application have to rotate if needed.

AWS KMS keys

• Multi-tenant Key Management Service

• Region Specific

• Symmetric : single key for both encryption and decryption

• Asymmetric: 2keys , Public and Private keys for Encryption and Decryption

• Envelope Encryption:

  • Encrypting plaintext data with a data key, and then encrypting the data key under another key

  • master_key( data_key[Plaintext]) or

  • master_key{ data_key (data_key [Plaintext] ) } and so on

  • This top-level plaintext key encryption key is known as the master key

  • KMS helps you to encrypt this master key (plain text) and it’s called customer master keys KMS CMKs

• Request quotas

  • 5,500 to 30000 per sec

  • ThrottlingException : When you exceed the allotted quotas

    • you could lower your request rate

    • Retry with exponential backoff

• CloudTrail: Can be used to track KMS CMK’s

CloudHSM

• Dedicated Single-tenant HSM

• You need hardware security module (HSM) appliance to store your encrypted keys

• FIPS 140-2 compliance

• Integration with applications using PKCS#11, Java JCE, or Microsoft CNG interfaces.

• High-performance in-VPC cryptographic acceleration (bulk crypto)

Amazon Guard​Duty

• Threat detection, continuously monitors for malicious activity and unauthorized behavior and protect your AWS accounts and workloads

AWS Shield

• Avoid DDoS Attacks

AWS WAF

Protect from SQL injection , Cross-site scripting