KMS
- Manages keys for all services
- KMS can encrypt up to 4 KB of data directly. For data larger than 4 KB, use envelope encryption
- Keys
  - Symmetric (AES-256)
    - Single key
    - Required for envelope encryption
  - Asymmetric (RSA key pairs)
    - Two keys, public and private
    - For encryption outside of AWS by users who can't call the KMS API
- Copying snapshots across accounts requires a KMS key policy that grants the other account access to the key
- KMS can be configured to rotate CMKs (keys) automatically every year
- KMS API calls can return a ThrottlingException. Use exponential backoff to back off and retry
  - Data key caching reduces the number of GenerateDataKey calls and so avoids the throttling
- Can encrypt CloudWatch Logs
  - Associating a KMS key with a log group must be done through the CLI. It is not possible through the Console
Envelope Encryption
- For data > 4 KB
- Uses the KMS GenerateDataKey API
- Encryption and decryption happen client-side. KMS only provides the keys
- Data key caching lets a data key be re-used across many objects
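The following is an added example (not part of these notes and not AWS SDK code) that walks through the envelope-encryption flow above and, at the same time, the two KMS points from the previous section: retrying a ThrottlingException with exponential backoff, and data key caching to cut GenerateDataKey calls. Everything in it is constructed: FakeKMS stands in for the KMS API and enforces a small per-second call budget, Clock replaces wall time so the backoff sleeps are simulated, and a SHA-256/HMAC stream cipher is a toy stand-in for AES-GCM so the script needs only the standard library.

```python
"""Envelope encryption against a simulated KMS, with exponential backoff on
ThrottlingException and data-key caching.  Constructed for illustration, not AWS SDK
code: FakeKMS stands in for the KMS API, Clock for wall time, and a SHA-256/HMAC toy
cipher for AES-GCM, so only the standard library is needed."""
import hashlib
import hmac
import os
import random
RNG = random.Random(0)   # seeded so the jitter, and hence the demo, is reproducible

class ThrottlingException(Exception):
    """Stand-in for the ThrottlingException botocore raises when KMS rate-limits."""

class Clock:             # constructed clock: time advances only through fake_sleep()
    t = 0.0
def fake_sleep(seconds):
    Clock.t += seconds

def keystream(key, nonce, n):   # toy keystream, SHA-256 in counter mode: illustration only
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def toy_encrypt(key, plaintext):
    """Toy encrypt-then-MAC standing in for AES-GCM: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def toy_decrypt(key, blob):
    """Check the tag before using the ciphertext; fail closed on any mismatch."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))

class FakeKMS:
    """Constructed stand-in for KMS: one CMK plus a budget of API calls per 1 s window."""
    def __init__(self, max_calls_per_window=5):
        self._cmk = os.urandom(32)        # the master key never leaves "KMS"
        self._max = max_calls_per_window
        self._window_start, self._window_calls = Clock.t, 0
        self.calls = 0                    # every API call, successful or throttled
    def _charge(self):
        if Clock.t - self._window_start >= 1.0:   # new window: reset the budget
            self._window_start, self._window_calls = Clock.t, 0
        self._window_calls, self.calls = self._window_calls + 1, self.calls + 1
        if self._window_calls > self._max:
            raise ThrottlingException("Rate exceeded")
    def generate_data_key(self):
        """GenerateDataKey: (plaintext data key, the same key wrapped under the CMK)."""
        self._charge()
        plaintext = os.urandom(32)
        return plaintext, toy_encrypt(self._cmk, plaintext)
    def decrypt(self, wrapped):
        """Decrypt: unwrap a data key; only KMS can, since only it holds the CMK."""
        self._charge()
        return toy_decrypt(self._cmk, wrapped)

def with_backoff(fn, max_attempts=8, base=0.25, cap=4.0):
    """Retry fn() on ThrottlingException with capped exponential backoff plus jitter."""
    for attempt in range(max_attempts):
        try:
            return fn()
        except ThrottlingException:
            if attempt == max_attempts - 1:
                raise                     # out of retries: surface the error
            delay = min(cap, base * 2 ** attempt)
            fake_sleep(delay / 2 + RNG.random() * delay / 2)   # "equal jitter"

class DataKeyCache:
    """Reuse one data key for up to max_uses messages before fetching a fresh one."""
    def __init__(self, kms, max_uses=100):
        self.kms, self.max_uses, self._entry, self._uses = kms, max_uses, None, 0
    def get(self):
        if self._entry is None or self._uses >= self.max_uses:
            # only here does a GenerateDataKey call (and its CloudTrail event) happen
            self._entry, self._uses = with_backoff(self.kms.generate_data_key), 0
        self._uses += 1
        return self._entry

def envelope_encrypt(cache, plaintext):
    """Client side: encrypt locally and ship the wrapped data key with the ciphertext."""
    data_key, wrapped = cache.get()
    return {"wrapped_key": wrapped, "ciphertext": toy_encrypt(data_key, plaintext)}

def envelope_decrypt(kms, envelope):
    """Client side: have KMS unwrap the data key, then decrypt locally."""
    data_key = with_backoff(lambda: kms.decrypt(envelope["wrapped_key"]))
    return toy_decrypt(data_key, envelope["ciphertext"])

def demo(n_messages=50):
    """Encrypt n_messages 8 KB payloads with and without caching; return KMS call counts."""
    payload, stats = os.urandom(8 * 1024), {}   # 8 KB: above the 4 KB direct-Encrypt limit
    for label, max_uses in (("uncached_calls", 1), ("cached_calls", n_messages)):
        kms = FakeKMS()
        cache = DataKeyCache(kms, max_uses=max_uses)
        envelopes = [envelope_encrypt(cache, payload) for _ in range(n_messages)]
        stats[label] = kms.calls
    stats["roundtrip_ok"] = envelope_decrypt(kms, envelopes[-1]) == payload
    return stats
```

Running `demo()` shows the shape of the problem and the fix: with a fresh data key per object, 50 objects cost more than 50 KMS calls because the budget is exhausted every few objects and each retry is another billed (and CloudTrail-logged) request, while with caching the same 50 objects cost a single GenerateDataKey call. The plaintext never reaches "KMS"; only the wrapped data key does, which is exactly the property the notes describe. The cache bounds how long a single data key is exposed in memory by counting uses; a production cache (such as the one in the AWS Encryption SDK) also bounds it by age and bytes encrypted.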
S3 Encryption
- Four methods
  - SSE-S3: server-side encryption with keys fully managed by AWS
  - SSE-KMS: server-side encryption with keys managed in KMS
    - Uses the GenerateDataKey and Decrypt APIs because objects are larger than 4 KB
    - Both a KMS key policy and an IAM policy are needed to grant access to the key
    - S3 calls count against the KMS request limits, which can lead to KMS throttling
    - If throttled, use exponential backoff or ask AWS to raise the limits
  - SSE-C: server-side encryption with customer-provided keys
  - Client-side encryption
- S3 Bucket Keys reduce the calls made to KMS by 99%
  - A bucket key is created from the KMS key, and that bucket key is then used for encryption
  - Lower cost and fewer CloudTrail log entries
SSM – Systems Manager Parameter Store
- Stores configuration and secrets
- Parameters can be plaintext or encrypted
- Two tiers: Standard (free, up to 10k parameters) and Advanced (up to 100k parameters)
Secrets Manager
- Stores secrets
- Can generate secrets and rotate them automatically
- Secrets Manager vs. SSM Parameter Store
  - Secrets Manager can rotate secrets
  - Secrets Manager is more expensive
  - With Secrets Manager, integration with KMS is mandatory
CloudHSM
- The AWS CloudHSM service helps you meet regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) instances within the AWS cloud.