Key Management Service (KMS)
→ Regional, secure key management
→ Managed customer master keys (CMKs)
→ Encrypt and decrypt data up to 4 KB in size directly
→ Integrated with AWS services
→ Pay per API call
→ Audit with CloudTrail
→ For FIPS 140-2 Level 3, use CloudHSM
→ Three types of CMK
- Customer Managed
- AWS managed CMK
- AWS Owned CMK
→ Symmetric vs Asymmetric CMK
CloudHSM
→ Dedicated hardware security module
→ FIPS 140-2 Level 3
→ Manage your own keys
→ Single tenant, dedicated hardware and multi-AZ cluster
→ Runs within your VPC
→ Supports PKCS#11
→ Java Cryptography Extension (JCE)
→ Microsoft CNG (Cryptography API: Next Generation)
→ Keep your keys safe: they are irretrievable if lost
Systems Manager Parameter Store
→ Securely manage credentials
→ Securely manage configurations
→ Serverless storage of configuration and secrets
→ Store parameters in hierarchies up to 15 levels deep
Secrets Manager
→ Securely rotate and audit secrets
→ Similar to Systems Manager Parameter Store, but it comes at a cost
→ Automatically rotates secrets
→ Applies the new key/password in RDS for you
→ Generates random secrets
→ Can be shared across AWS accounts
AWS Shield
→ Protects against DDoS
→ AWS Shield Standard
- Automatically enabled
- SYN/UDP floods
- Reflection attacks
- Protects layers 3 and 4
- Free of cost
→ AWS Shield Advanced
- $3000
- 24x7 access to the DDoS Response Team (DRT)
- Enhanced protection
Web Application Firewall (WAF)
→ Monitors HTTP/HTTPS requests to CloudFront, ALB and API Gateway
→ Configure filtering rules
→ Protects against SQL injection
→ Blocked traffic returns 403 Forbidden
→ Allow all requests
→ Block all requests
→ Count the requests
→ Monitor request properties and block requests accordingly
→ AWS Firewall Manager centrally configures firewall rules: WAF rules, AWS Shield Advanced protections, and security groups for EC2 instances and ENIs
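An added example (not part of the original notes) showing how the allow/block/count actions above fit together in one web ACL, in the JSON shape accepted by `aws wafv2 create-web-acl --cli-input-json`: the default action allows, the AWS managed SQL injection rule group runs in count mode so matches are only logged while rules are tuned, and one custom rule blocks (the client receives 403 Forbidden). The ACL, rule and metric names and the matched User-Agent substring are constructed for illustration.

```json
{
  "Name": "example-web-acl",
  "Scope": "REGIONAL",
  "DefaultAction": { "Allow": {} },
  "Rules": [
    {
      "Name": "sqli-managed-count",
      "Priority": 0,
      "Statement": {
        "ManagedRuleGroupStatement": {
          "VendorName": "AWS",
          "Name": "AWSManagedRulesSQLiRuleSet"
        }
      },
      "OverrideAction": { "Count": {} },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "sqliManagedCount"
      }
    },
    {
      "Name": "block-example-scanner-ua",
      "Priority": 1,
      "Statement": {
        "ByteMatchStatement": {
          "FieldToMatch": { "SingleHeader": { "Name": "user-agent" } },
          "SearchString": "example-scanner",
          "PositionalConstraint": "CONTAINS",
          "TextTransformations": [ { "Priority": 0, "Type": "LOWERCASE" } ]
        }
      },
      "Action": { "Block": {} },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "blockExampleScannerUa"
      }
    }
  ],
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "exampleWebAcl"
  }
}
```

Once the count metrics show no false positives, switching `"OverrideAction": { "Count": {} }` to `{ "None": {} }` makes the managed group's own block actions take effect; the web ACL is then associated with the ALB, API Gateway stage or CloudFront distribution (`Scope` must be `CLOUDFRONT` for the latter).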