Key Management Service (KMS)
S3 Encryption Mechanisms
AWS Secrets Manager
Managing Public and Private SSL/TLS Certificates using AWS Certificate Manager
The course is part of this learning path
This section of the Solution Architect Associate learning path introduces you to the core encryption concepts and services relevant to the SAA-C03 exam. We overview the AWS encryption options and how to select and apply AWS encryption services to meet relevant situations and scenarios.
Want more? Try a lab playground or do a Lab Challenge!
- Learn the fundamentals of Amazon's Key Management Service (KMS), including permissions, key policies, and key management
- Learn how the AWS Secrets Manager is used to implement security best practices by protecting secrets such as database credentials and API keys
- Learn the fundamentals of CloudHSM, how it's implemented, and how to use it as a Custom Key Store in KMS
- Learn how to implement server-side and client-side encryption
We've now gone through the key encryption services that could make an appearance on the exam. So now I just want to take a look at some of the differences between these services and features to make sure you can comfortably answer any questions that appear relating to this topic. Now, encryption isn't always the favorite topic in the exam for people, but once you have grasped the essentials, you will find that the rest will soon fall into place.
So let's focus on the KMS service first, which is by far the most common encryption service that's mentioned. And you'll see more questions on KMS than CloudHSM that's for sure. So starting with KMS, the Key Management Service. From the name alone, it should be clear that this is used for some sort of encryption. Now, the Key Management Service is a managed service used to store and generate encryption keys that can be used by other AWS services and applications to encrypt your data.
Now, you've probably heard me mention a number of times through this entire learning path, about how KMS is integrated in one way or another for offering a way to encrypt data or logs. For example, KMS can be used with EBS for encrypting its volumes, or it can be used with RDS databases for encryption, or it can be used in conjunction with CloudTrail to encrypt log files. And again, where it's used a lot is with S3. And you'll probably see something about S3 and encryption on the exam.
Now, it's important to understand that the KMS service is for encryption at rest. So if a question relates to encryption in-transit, then you'll need to use a supporting service that uses SSL or similar to perform that in-transit encryption. Now the main key type in KMS is the CMK, the Customer Master Key. Now the CMK can either be AWS managed or customer managed, either way, it remains in the KMS service at all times, but it can be used to generate data encryption keys and these data encryption keys can leave the KMS service to help you encrypt other data. So key policies are used to define who can use and access a particular key within KMS, and every key must have a key policy. Now, the policies themselves define which users can administer the key and which can use the key for encryption.
Now, quickly I just want to highlight the other encryption option service that we covered, and that was the CloudHSM service. So this encryption service offers a physical single tenant, tamper-resistant hardware appliance that is used to protect and safeguard cryptographic material and encryption keys. Now, sometimes this is required to meet certain stringent compliance requirements as it gives you more control around your keys and the key data than that of KMS. You can also combine KMS and CloudHSM by creating a custom key store in KMS and this is then backed by CloudHSM. So if you need to use KMS, but require the security and compliance of maintaining your own key material outside of KMS, then you can create a custom key store, which would be backed by your CloudHSM cluster.
Okay, the last part of the encryption summary I want to talk about is S3 encryption. This will more than likely come up in the exam, so it's a good idea to understand what options are available. Be sure to understand that S3 offers both server-side and client-side encryption options. So server-side encryption options include the default encryption with S3, which is SSE-S3, whereby S3 manages the encryption keys for you. You simply just need to tell S3 you want your object encrypted and S3 will handle everything else. However, if you want to encrypt your data with a specific CMK, you can use SSE-KMS. And as we know, this is the Key Management Service. So you can create your own CMK in KMS and then use this key to encrypt your object data.
Now, the last service-side encryption option allows you to supply your own encryption key that sits outside of KMS using the SSE-C option. So the client-side encryption options include CSE-KMS. Here you can use an AWS SDK to request data encryption keys from KMS to allow the end client to perform the encryption before the object is uploaded to S3 and you also have a client-side encryption option using customer managed keys too, with CSE-C. Now, the main encryption options that you're most likely to see in the exam, include SSE-S3 and SSE-KMS.
Okay, you've made it through the last part of this section. Congratulations, that's another one down. So just remember that KMS is integrated into many different AWS services to provide a secure method of creating and managing encryption keys to protect your data, whereas CloudHSM enables you to easily generate and use your own encryption keys with greater control over the underlying key material. And S3 encryption options to focus on include, SSE-S3 and SSE-KMS, but it would serve you well to have an understanding of all the options available to you.
Okay, when you're ready, on to the next section.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.