What are the differences between AWS Cloud HSM and KMS? - amazon-web-services

I am trying to understand the key management services in AWS (Amazon Web Services) and I can see that Amazon recommends more AWS Key Management Service (KMS) over Cloud Hardware Security Module (Cloud HSM). But I am having a hard time finding the key differences between the two, KMS vs Cloud-HSM.
Can someone please list a few key differences or a comparison of the two technologies?

Feature
AWS Cloud HSM
AWS KMS
Tenancy
Single-Tenant
Multi-Tenant
High Availability: How to achieve?
Create multiple HSMs (manually) over different AZs
Managed (automatically) by AWS
Scaling/Performance Responsibility
Your responsibility
AWS
Key access: Who controls it?
You
You+AWS
Keys: How to use?
Customer code + Safenet APIs
AWS Management Console
Keys: Where to use?
AWS & Your Network (VPN)
AWS
AWS Services Integration
A small set of services (Redshift, Oracle RDS etc.)
Most services fully integrated
Access & Authentication Policy
Quorom based K of N
AWS IAM Policy
Price
$$
$
FIPS 140-2 Compliance
Level 3
Level 2 overall (Level 3 in some areas)
Source: AWS official documentation + multiple courses I took for the AWS exams + practical experience.

Developers describe AWS CloudHSM as "Dedicated Hardware Security Module (HSM) appliances within the AWS cloud". The AWS CloudHSM service allows you to protect your encryption keys within HSMs designed and validated to government standards for secure key management. You can securely generate, store, and manage the cryptographic keys used for data encryption such that they are accessible only by you. AWS CloudHSM helps you comply with strict key management requirements without sacrificing application performance.
On the other hand, AWS Key Management Service is detailed as "Easily create and control the encryption keys used to encrypt your data".
AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data, and uses Hardware Security Modules (HSMs) to protect the security of your keys. AWS Key Management Service is integrated with other AWS services including Amazon EBS, Amazon S3, and Amazon Redshift. AWS Key Management Service is also integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.
AWS CloudHSM and AWS Key Management Service can be categorized as "Data Security Services" tools.
Some of the features offered by AWS CloudHSM are:
1]Protect and store your cryptographic keys with industry standard, tamper-resistant HSM appliances. No one but you has access to your keys (including Amazon administrators who manage and maintain the appliance).
2]Use your most sensitive and regulated data on Amazon EC2 without giving applications direct access to your data's encryption keys.
3]Store and access data reliably from your applications that demand highly available and durable key storage and cryptographic operations.
On the other hand, AWS Key Management Service provides the following key features:
1]Centralized Key Management
2]Integrated with AWS services
3]Encryption for all your applications

The AWS KMS custom key store feature combines the controls provided by AWS CloudHSM with the integration and ease of use of AWS KMS
Q: Why would I need to use a custom key store?
Since you control your AWS CloudHSM cluster, you have the option to manage the lifecycle of your CMKs independently of AWS KMS
From official documentation, it seems that KMS is a basic feature, and you can get a senior feature by expanding with CloudHSM.

Related

Kubernetes Encryption Configuration

https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
According to the above document in order to use encryption configuration, we need to edit the kube-apiserver.yaml file. But in GCP, Azure or AWS we cannot view this the api-server as it is managed by the cloud provider. How can we use encryption configuration in this case? Has anyone managed to use encryption configuration to encrypt secrets in GCP,Azure and AWS?
Google Secret Manager(GSM)is GCP’s flagship service for storing, rotation and retrieving secrets. A secret in GSM could be stored in encrypted form. It supports IAM for authentication and fine grained access controls
Azure Key Vault FlexVolume and for aws Amazon Elastic Container Service for Kubernetes (EKS) are the other tools that can be used

How to store AWS Access Key and Secret Key in .Net Core API Securely

How in a work environment with different AWS environments say for example develop, staging and production is it best to store the AWS Access Key and Secret Key other than in the appsettings.json files in .Net Core? I know there is Secret Manager but not sure if that is the best way to store these two values. Looking for someone that may have done this specifically for production and how they handled this within their organization. Thanks for any information.
I believe that your application is running outside of AWS and that it needs to make API calls to AWS services, for example SQS. To make those API calls, your application needs AWS credentials.
Here are approaches for authenticating external applications in a machine-to-machine scenario. In your case, your client seems to need to be able to make arbitrary AWS service requests and that means using AWS signature v4 requests, signed using AWS credentials, which are ideally temporary, rotated credentials from STS rather than persistent credentials (such as IAM user credentials).
Typically, you would configure your application with a base set of IAM credentials that allow the application to assume an IAM role. That role itself, rather than the base credentials, would then give your application the permissions it needs to make SQS API calls etc.
The issue you face is how to securely store the base set of credentials. This is a problem that on-premise applications have had since day one, well before the cloud era, and there are various solutions, depending on the technology you're using.
Typically these credentials would be encrypted, not committed to code repos, and populated on the relevant, locked down application servers in some secure fashion. Some potentially useful resources:
Encrypting sections of a configuration file for an ASP.NET application
Use AWS Secrets Manager to store & read passwords in .Net Core apps
Securely store and retrieve sensitive info in .NET Core apps with Azure Key Vault
AWS Secret Manager securely stores your secrets until you retrieve them at runtime. If your going to be running your ASP.NET Core app in AWS, then AWS Secrets Manager is a great option, as it allows you to finely control the permissions associated with the AWS IAM roles running your apps.
Here are some faqs which were given from the AWS for secrets-manager service and which will clear your doubts also.
Here is the article which you can refer to for implementing secure secrets storage for .net core with AWS Secret Manager

Prove to my customers that their data in AWS is encrypted

I am about to launch a webapp based on subscription. FYI, the web application manages health care data, and my customers are concerned about the security of data in the cloud.
Is there any certificate, or any official information I can give to my customers on the behalf of AWS proving that the data in any storage used by my application will be encrypted?
THANK YOU
From What is AWS Artifact?:
AWS Artifact provides on-demand downloads of AWS security and compliance documents, such as AWS ISO certifications, Payment Card Industry (PCI), and Service Organization Control (SOC) reports. You can submit the security and compliance documents (also known as audit artifacts) to your auditors or regulators to demonstrate the security and compliance of the AWS infrastructure and services that you use. You can also use these documents as guidelines to evaluate your own cloud architecture and assess the effectiveness of your company's internal controls. AWS Artifact provides documents about AWS only. AWS customers are responsible for developing or obtaining documents that demonstrate the security and compliance of their companies.
It explains what AWS does. However, you would also need to prove that you are using the cloud correctly, such as verifying user's identities and not making buckets public.
NO, there is no such a document, you need to apply and obtain this certificate.
AWS is complaint, for there part Security of the cloud, and you are responsible for the Security in the cloud. AWS Artifact is a repository.
AWS Config is the tool you will use to monitor the configuration of
your stack, can repair configurations also.
AWS Cloudwach will monitor the performance, brings you alerts and evoke Lambda
AWS Cloud Trail will monitor the API calls.
AWS Macy to check your buckets for Personal Identifiable information.
Then you are the one who enable encryption and choose the Key management and rotation, AWS KMS.
Just to mention few services to be aware of. Best regards.

Can AWS Lambda do Cross Account Activity?

Can we use AWS Lambda for cross account activity. For example, I want to store a Parameter in SSM Parameter store in multiple AWS Accounts. Imagine I have a Master AWS Account which has access to all other AWS Accounts. Now can I write a python script for storing the parameter and make use of AWS LAMBDA to perform this.
Yes Definitely. AWS services are by default explicitly denied access from anywhere. Thats where AWS IAM (Identity & Access Management) came into the picture.
Delegate Access Across AWS Accounts Using IAM Roles
Let say you have a master account that has a services needed by multiple accounts. The first thing you will do is provision the resource from that master account and then by doing so you are applying right policies that will give an access to the other accounts.
Lastly, some other services are protected by layers of protection such as NACL's for network layer protection and Security Groups for application layer protection. For this services that are protected by layers mentioned, you simply just need to check if these layers accepts and send traffic from the application ports that you're are using.
e.g. EC2 Security Group - Ingress Rule: 80, 443 0.0.0./0
Imagine I have a Master AWS Account which has access to all other AWS Accounts.
This is usually setup by AWS Organizations. It helps with management and governance of all your accounts in a unified way.
System manager, which include Parameter store has special provisions for working with AWS Organizations:
You can synchronize operations data across all AWS accounts in your organization by using Organizations and Systems Manager Explorer.
The generall cross-account concepts have been addressed by other answer.

AWS RDS - HIPAA compliant?

I'm planning to have Oracle on AWS.
Is Oracle RDS HIPAA compliant? How can I make it HIPAA compliant?
The answer just recently changed. RDS is now HIPAA compliant, per their documentation/FAQ:
What Services Can I Use in My AWS Account if I Have a BAA with AWS?
Customers may use any AWS service in an account designated as a HIPAA account, but they should only process, store and transmit PHI in the HIPAA-eligible services defined in the BAA. There are nine HIPAA-eligible services today, including Amazon DynamoDB, Amazon EBS, Amazon EC2, Amazon Elastic MapReduce (EMR), Amazon Elastic Load Balancer (ELB), Amazon Glacier, Amazon Relational Database Service (RDS) [MySQL and Oracle engines], Amazon Redshift, and Amazon S3.
Source
#Dang
There is no AWS offical documentation that says RDS can be made HIPAA compliant. Instead EC2, S3 and EBS are known services. The way to get HIPAA compliant for your AWS services follow this:
Customers must identify to AWS each account to be covered by the BAA
as a 'HIPAA Account'.
Customers may process, store or transmit PHI only on EC2, S3 and EBS.
Customers must use Dedicated instances for PHI data -
http://aws.amazon.com/dedicated-instances/
Customers must use VPC
Customers must encrypt all PHI in accordance with certain minimum
encryption standards
Customers may use any AWS service in their 'HIPAA Account' for data
that is not PHI
So, to get a BAA agreement from AWS you'll need dedicated instances running in a VPC, not the "classic" EC2. (Pricing for dedicated instances has come down a lot since the very beginning.)
I cannot comment about RDS for sure. What I know RDS can be made quite secure, using SSL over port 443.
What I suggest that If you are an authorized AWS customer, speak to AWS customer care executive as they are the best to validate my answer.
Thanks
Quoting the whitepaper released by Amazon Web Services on December 2015 (link mentioned below )
Amazon RDS for Oracle and Amazon RDS for Mysql are available for use under HIPAA standards once you sign an Business associate agreement and your account is designated as an "HIPAA account"
Link to the white paper - https://d0.awsstatic.com/whitepapers/compliance/AWS_HIPAA_Compliance_Whitepaper.pdf
Amazon RDS is an AWS HIPAA-Eligible Service meaning that it can be used with
In order to be HIPAA compliant in AWS, your team must do the following:
Sign a Business Associates Agreement (BAA) with AWS. This agreement outlines the HIPAA security responsibilities shared between the cloud provider and the cloud customer
Adopt appropriate administrative policies and procedures
Implement all necessary security configuration for individual cloud services, such as RDS, EC2, and S3. Security standards include configuring safeguards around encryption, backup and disaster recovery, and access control.
You can take a look at this guide to utilizing Amazon RDS in a HIPAA compliant manner.