- Key Management Service (KMS)
  - Regional secure key management and encryption and decryption
  - Manages customer master keys (CMKs)
  - Encrypts and decrypts data up to 4 KB in size
  - Audit capability using CloudTrail – logs delivered to S3
  - FIPS 140-2 Level 2 service
    - Level 3 is CloudHSM
  - Types of CMK
    - AWS Managed CMK – Free; used by default if you pick encryption in most AWS services. Only that service can use them directly.
    - Customer Managed CMK – Allows key rotation; controlled via key policies and can be enabled/disabled.
    - AWS Owned CMK – Used by AWS on a shared basis across many accounts; you typically won't see these.
  - Symmetric vs Asymmetric CMKs
    - Symmetric – The same key is used for encryption and decryption, based on the AES-256 standard. May also be used to import your own key material.
    - Asymmetric – Mathematically related public/private key pair based on the RSA and elliptic-curve cryptography (ECC) algorithms.
- CloudHSM – Provides a tamper-resistant environment for managing keys
  - Dedicated HSM
  - FIPS 140-2 Level 3
  - Manage your own keys (single tenant, multi-AZ cluster, within a VPC)
  - No access to the AWS-managed component
  - Industry-standard APIs – no AWS APIs
  - Keep your keys safe – irretrievable if lost
- Systems Manager Parameter Store – Securely manages configuration and secrets within AWS. It's an essential tool for caching and distributing secrets securely to AWS resources.
  - Secure serverless storage for configuration and secrets
  - Values can be stored encrypted (KMS) or in plain text
  - Separates data from source control
  - Stores parameters in hierarchies
  - Tracks versions
- Secrets Manager – A service that helps you rotate, manage, and retrieve various kinds of secrets such as database credentials and API keys. Using Secrets Manager you can secure, audit, and manage secrets used to access resources in AWS, on third-party services, and on-premises.
  - Automatically rotates secrets
  - Generates random secrets
- AWS Shield
  - AWS Shield Standard
    - Automatically enabled for all customers at no cost
    - Protects against common layer 3 and 4 attacks
      - SYN/UDP floods
      - Reflection attacks
  - AWS Shield Advanced
    - $3,000/month, per organization
    - Enhanced protection for EC2, ELB, CloudFront, Global Accelerator, and Route 53
    - 24/7 access to the DDoS Response Team (DRT)
- Web Application Firewall (WAF) – A web application firewall that lets you monitor HTTP(S) requests to CloudFront, ALB, or API Gateway
  - Control access to content
  - Configure filtering rules to allow/deny traffic
    - Allow all requests, except the ones you specify
    - Block all requests, except the ones you specify
    - Count the requests that match the properties you specify
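As an added example (not from the original notes), a WAFv2 web ACL in the "allow all requests, except the ones you specify" mode: the default action allows, a rate-based rule blocks IPs exceeding the limit, and a SQL-injection match rule runs in Count mode so hits can be reviewed in CloudWatch before switching it to Block. The ACL name, metric names and limit are placeholders; `Scope` is `REGIONAL` for an ALB or API Gateway and would be `CLOUDFRONT` for a distribution.

```json
{
  "Name": "example-web-acl",
  "Scope": "REGIONAL",
  "DefaultAction": { "Allow": {} },
  "Rules": [
    {
      "Name": "block-high-request-rate-per-ip",
      "Priority": 0,
      "Statement": {
        "RateBasedStatement": { "Limit": 1000, "AggregateKeyType": "IP" }
      },
      "Action": { "Block": {} },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "block-high-request-rate-per-ip"
      }
    },
    {
      "Name": "count-sqli-in-request-body",
      "Priority": 1,
      "Statement": {
        "SqliMatchStatement": {
          "FieldToMatch": { "Body": {} },
          "TextTransformations": [ { "Priority": 0, "Type": "URL_DECODE" } ]
        }
      },
      "Action": { "Count": {} },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "count-sqli-in-request-body"
      }
    }
  ],
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "example-web-acl"
  }
}
```

The opposite "block all requests, except the ones you specify" mode is the same document with `"DefaultAction": { "Block": {} }` and rules whose `Action` is `Allow`.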
- AWS Firewall Manager – Allows you to centrally configure and manage firewall rules across an AWS Organization