VISI

Data Security Controls

AWS KMS (Key Management Service) — managed encryption keys. Integrated with most AWS services.

Key types:

  • AWS Owned Keys — free, AWS fully manages (SSE-S3, SSE-SQS, SSE-DDB default)
  • AWS Managed Keys — free, per service (aws/rds, aws/ebs). Auto-rotated every 1 year.
  • Customer Managed Keys — $1/month. You control rotation and policies. Must enable auto-rotation.
  • Symmetric (AES-256) — single key for encrypt/decrypt. Most services use this.
  • Asymmetric (RSA/ECC) — public/private key pair. Use for encryption outside AWS or signing.

KMS Key Policies — control access to KMS keys (like S3 bucket policies). Default policy gives root user complete access to the key.

KMS Multi-Region Keys — same key ID/material in multiple regions. Encrypt in one region, decrypt in another without re-encryption. Use for Global DynamoDB tables, Global Aurora, global client-side encryption.

Envelope Encryption — KMS generates a Data Encryption Key (DEK). You encrypt data with the DEK, then KMS encrypts the DEK. This is how KMS works with large amounts of data.

CloudHSM — dedicated hardware security module. You manage keys entirely (AWS has no access). FIPS 140-2 Level 3. Single-tenant. Multi-AZ for HA. Good for Oracle TDE, SSL acceleration, strict compliance.

KMS vs CloudHSM: KMS = multi-tenant, AWS manages hardware. CloudHSM = single-tenant, you manage keys.

AWS Secrets Manager — stores secrets (DB passwords, API keys). Auto-rotates secrets using Lambda. Integrates with RDS, Aurora. Encrypted with KMS. Can replicate secrets across regions. More expensive than SSM Parameter Store but purpose-built for secrets with rotation.

SSM Parameter Store — free tier available. No auto-rotation (you manage). Good for config values and non-sensitive parameters. Supports versioning. Can store secrets encrypted with KMS (SecureString). Hierarchical organization.

Parameter Store vs Secrets Manager:

  • Need auto-rotation → Secrets Manager
  • Need tight RDS integration → Secrets Manager
  • Simple config or cost-sensitive → Parameter Store

AWS Certificate Manager (ACM) — provision and auto-renew TLS certificates. Free for public certs. Integrates with ALB, CloudFront, API Gateway. Cannot use with EC2 directly. For edge-optimized API Gateway, cert must be in us-east-1.

S3 Encryption:

  • SSE-S3 — AWS manages keys. AES-256. Default for new buckets. Header: x-amz-server-side-encryption: AES256.
  • SSE-KMS — KMS manages keys. You get CloudTrail audit + user control. Header: x-amz-server-side-encryption: aws:kms. Throttling risk at high volume (KMS API limits).
  • SSE-C — customer provides key in every request header. HTTPS required. AWS does NOT store the key.
  • Client-side — you encrypt before upload, decrypt after download.

Bucket Policies evaluated before Default Encryption setting.

S3 Object Lock (requires versioning):

  • S3 Object Lock: Compliance mode — no one (not even root) can delete/modify. Retention period can't be shortened.
  • Governance mode — most users can't modify; some with special permissions can.
  • Legal Hold — protects indefinitely, no retention period. Can be toggled with s3:PutObjectLegalHold.

S3 Glacier Vault Lock — WORM (Write Once Read Many). Lock a vault policy permanently. For compliance/retention.

S3 MFA Delete — requires MFA to permanently delete object versions or suspend versioning. Only bucket owner (root) can enable/disable.

S3 Pre-Signed URLs — generate URLs granting temporary access for GET or PUT. The URL holder inherits the permissions of the user who generated it. Expires in 1 min to 12 hours (Console) or up to 7 days (CLI).

S3 CORS — required when a web browser makes cross-origin requests to an S3 bucket. Configure CORS on the destination bucket. Exam hot topic.


References

Quiz

A few quick questions based on this unit. Mark it complete when you are done.

Question 1 / 3

What is Symmetric (AES-256)?