Im new to AWS HSM (but worked with many others)
is it possible to load 3DES key to the AWS Cloud HSM?
I saw you can generate but is it possible if already have my key
thanks
Related
https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
According to the above document in order to use encryption configuration, we need to edit the kube-apiserver.yaml file. But in GCP, Azure or AWS we cannot view this the api-server as it is managed by the cloud provider. How can we use encryption configuration in this case? Has anyone managed to use encryption configuration to encrypt secrets in GCP,Azure and AWS?
Google Secret Manager(GSM)is GCP’s flagship service for storing, rotation and retrieving secrets. A secret in GSM could be stored in encrypted form. It supports IAM for authentication and fine grained access controls
Azure Key Vault FlexVolume and for aws Amazon Elastic Container Service for Kubernetes (EKS) are the other tools that can be used
I have a general question for the rds feature within aws credentials manager. When I get the secret, it looks like this:
Does this mean that these credentials directly will work or is the password encrypted? Like if I wanted to sign into my database with a connection what credentials do I use and do these credentials auto rotate with the cycling feature?
I assume you mean the RDSDataClient to access a database such as a Serverless Amazon Aurora instance.
To successfully connect to the database using the RdsDataClient object, you must setup an AWS Secrets Manager secret that is used for authentication. For information, see Rotate Amazon RDS database credentials automatically with AWS Secrets Manager.
To see an AWS tutorial that shows this concept and the corresponding code, see this example that uses the AWS SDK for Kotlin. You will need these values to make a successful connection:
private val secretArnVal = "<Enter the secret manager ARN>"
private val resourceArnVal = "<Enter the database ARN>" ;
See the full example here:
Creating the Serverless Amazon Aurora item tracker application using the Kotlin RdsDataClient API
I just tested this again (been a while since it was developed), and it works perfectly.
We will port this example to use other supported programming languages too - like AWS SDK for Java.
UPDATE
You only need to use Secret Manager when using the RDSDataClient. As mentioned in that tutorial, the RdsDataClient object is only supported for an Aurora Serverless DB cluster or an Aurora PostgreSQL. If you are using MySQL RDS, you cannot use the the RdsDataClient object. You would use a supported JDBC API.
Given already deployed AWS resources that use the default AWS managed keys, is it possible to change the default encryption key from AWS managed to a Customer Managed Key (CMK)?
Resources in question:
EFS
FSx
Thanks!
I don't think you can change it, at least the API documentation don't have this options.
EFS:
https://docs.aws.amazon.com/efs/latest/ug/API_UpdateFileSystem.html
FSx:
https://docs.aws.amazon.com/fsx/latest/APIReference/API_UpdateFileSystem.html
I am trying to understand the key management services in AWS (Amazon Web Services) and I can see that Amazon recommends more AWS Key Management Service (KMS) over Cloud Hardware Security Module (Cloud HSM). But I am having a hard time finding the key differences between the two, KMS vs Cloud-HSM.
Can someone please list a few key differences or a comparison of the two technologies?
Feature
AWS Cloud HSM
AWS KMS
Tenancy
Single-Tenant
Multi-Tenant
High Availability: How to achieve?
Create multiple HSMs (manually) over different AZs
Managed (automatically) by AWS
Scaling/Performance Responsibility
Your responsibility
AWS
Key access: Who controls it?
You
You+AWS
Keys: How to use?
Customer code + Safenet APIs
AWS Management Console
Keys: Where to use?
AWS & Your Network (VPN)
AWS
AWS Services Integration
A small set of services (Redshift, Oracle RDS etc.)
Most services fully integrated
Access & Authentication Policy
Quorom based K of N
AWS IAM Policy
Price
$$
$
FIPS 140-2 Compliance
Level 3
Level 2 overall (Level 3 in some areas)
Source: AWS official documentation + multiple courses I took for the AWS exams + practical experience.
Developers describe AWS CloudHSM as "Dedicated Hardware Security Module (HSM) appliances within the AWS cloud". The AWS CloudHSM service allows you to protect your encryption keys within HSMs designed and validated to government standards for secure key management. You can securely generate, store, and manage the cryptographic keys used for data encryption such that they are accessible only by you. AWS CloudHSM helps you comply with strict key management requirements without sacrificing application performance.
On the other hand, AWS Key Management Service is detailed as "Easily create and control the encryption keys used to encrypt your data".
AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data, and uses Hardware Security Modules (HSMs) to protect the security of your keys. AWS Key Management Service is integrated with other AWS services including Amazon EBS, Amazon S3, and Amazon Redshift. AWS Key Management Service is also integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.
AWS CloudHSM and AWS Key Management Service can be categorized as "Data Security Services" tools.
Some of the features offered by AWS CloudHSM are:
1]Protect and store your cryptographic keys with industry standard, tamper-resistant HSM appliances. No one but you has access to your keys (including Amazon administrators who manage and maintain the appliance).
2]Use your most sensitive and regulated data on Amazon EC2 without giving applications direct access to your data's encryption keys.
3]Store and access data reliably from your applications that demand highly available and durable key storage and cryptographic operations.
On the other hand, AWS Key Management Service provides the following key features:
1]Centralized Key Management
2]Integrated with AWS services
3]Encryption for all your applications
The AWS KMS custom key store feature combines the controls provided by AWS CloudHSM with the integration and ease of use of AWS KMS
Q: Why would I need to use a custom key store?
Since you control your AWS CloudHSM cluster, you have the option to manage the lifecycle of your CMKs independently of AWS KMS
From official documentation, it seems that KMS is a basic feature, and you can get a senior feature by expanding with CloudHSM.
I'll do some data import form the third-party. They required me to provide a PGP public key with which they encrypt data. I don't want to generate key pairs on my machine so I'm looking at hosted solution and wondering if we can use AWS KMS (we already use AWS services as infra).
Is it possible to use KMS for that? If not what would be good way to achieve this on AWS?