Security

Key Management Service (KMS)

• Managed Key : free (aws/service-name)

• Customer Managed Key : $1/month

• Key Policy can be defined to define who can access the key

• The key can be selected as multi-region. The replicas will be created, they have the same id , key material. The content can be encrypted in 1 region and decrypted in another region. Each key is managed independently

SSM Parameter Store

• Storage for configuration

• Optional encryption by using KMS

• Allow to assign TTL to force update or delete of sensitive data if using advanced parameter

• Version tracking of configuration

Secret Manager

• For storing secret

• Force rotation of secret every X day and auto generation

• encrypted using KMS

• Mostly meant for RDS integration

• Replicate secrets across different regions

Certificate Manager

• Deploy TLS certificate to provide HTTPS

• Automatic certificate renewal

• Support public and private certificate, but free of charge for public certificate

• Option to generate certificate outside of ACM and import it

• ACM send daily expiration event starting 45 days prior to expiration

Web Application Firewall (WAF)

• Layer 7 Firewall, mostly deploy on application load balancer, cloud front, api gateway, ....

• Web Access Control List (Web ACL) rules can be defined to restrict ip, http header, rate limit

• Firewall Manager can be used to manage the rule for accounts of an organization

AWS Shield

• Prevent from DDoS Attack

GuardDuty

• Using machine learning algo to discover the threat

• The date includes cloud trail event logs, DNS logs, ....

Inspector

• Evaluate the security of EC2, Container Images and lambda functions

Macie

• Using algo to identify the sensitive data