Cyber Intelligence
Security and Compliance · 30% of exam

L7. Data Protection: KMS, CloudHSM, and Secrets Manager


Data protection is 30% of the Cloud Practitioner exam. This lesson covers AWS KMS, CloudHSM, AWS Certificate Manager, and Secrets Manager for encrypting data and managing credentials.

Encryption at Rest and In Transit

Encryption at rest: data encrypted when stored on disk or in a database. AWS services encrypt data at rest using AWS KMS keys. Encryption in transit: data encrypted while moving between systems. Implemented via TLS/SSL (HTTPS). AWS Certificate Manager (ACM) manages TLS certificates for free.

AWS Key Management Service (KMS)

KMS is a managed service for creating and controlling encryption keys used across AWS services. Key types:

  • AWS-managed keys: created and managed by AWS for specific services (e.g., "aws/s3"); free, 1-year rotation
  • Customer-managed keys (CMKs): created by you; you control rotation, policies, and deletion; $1/month per key
  • AWS-owned keys: used by AWS internally; no visibility or control

KMS integration: S3, EBS, RDS, Redshift, Secrets Manager, and most AWS storage services natively integrate with KMS. Key policies: control which IAM entities can use or manage a KMS key.
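The key-policy point above is easiest to see with a concrete policy. The following is an added example, not material from the lesson or from AWS: it builds a key policy for a customer-managed key that separates key administrators (who manage the key's lifecycle but cannot decrypt with it) from the application role that uses it, and adds an explicit Deny on scheduling deletion as a guardrail. The account id 111122223333 and the role names are placeholders, and the small evaluator is a simplified model of IAM logic (explicit Deny wins, then any Allow, else implicit deny) that ignores conditions, grants and IAM identity policies.

```python
"""Key policy for a customer-managed KMS key that separates key administration
from key use, plus a simplified evaluator that shows what each principal may do.
Added example: account id 111122223333 and the role names are placeholders, and
the evaluator ignores conditions, grants and IAM identity policies."""
import fnmatch
import json

ACCOUNT = "111122223333"  # placeholder account id, not a real account
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT}:role/KeyAdministrators"  # hypothetical role
APP_ROLE = f"arn:aws:iam::{ACCOUNT}:role/OrdersServiceRole"    # hypothetical role

KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            # Standard root statement: lets IAM policies in the account grant
            # access and keeps the key manageable if the roles below are deleted.
            "Sid": "EnableIAMUserPermissions",
            "Effect": "Allow",
            "Principal": {"AWS": ROOT},
            "Action": "kms:*",
            "Resource": "*",
        },
        {
            # Administrators manage the key's lifecycle and policy but get no
            # cryptographic permissions, so they cannot read protected data.
            "Sid": "AllowKeyAdministration",
            "Effect": "Allow",
            "Principal": {"AWS": ADMIN_ROLE},
            "Action": [
                "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                "kms:Get*", "kms:Delete*", "kms:TagResource", "kms:UntagResource",
            ],
            "Resource": "*",
        },
        {
            # The application can use the key but cannot change who else can.
            "Sid": "AllowUseOfTheKey",
            "Effect": "Allow",
            "Principal": {"AWS": APP_ROLE},
            "Action": [
                "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey",
            ],
            "Resource": "*",
        },
        {
            # Guardrail: nobody, root included, can schedule deletion until this
            # statement is removed; an explicit Deny always beats an Allow.
            "Sid": "DenyKeyDeletion",
            "Effect": "Deny",
            "Principal": {"AWS": "*"},
            "Action": "kms:ScheduleKeyDeletion",
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(statement, principal_arn):
    principals = _as_list(statement["Principal"]["AWS"])
    return "*" in principals or principal_arn in principals


def _action_matches(statement, action):
    # IAM action names are matched case-insensitively and support '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement["Action"]))


def is_allowed(policy, principal_arn, action):
    """Simplified IAM logic: an explicit Deny wins, otherwise any matching Allow
    grants access, otherwise the request is implicitly denied."""
    allowed = False
    for statement in policy["Statement"]:
        if not (_principal_matches(statement, principal_arn)
                and _action_matches(statement, action)):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def permissions_matrix(policy, principals, actions):
    """Which principal may perform which action, as nested dicts."""
    return {p: {a: is_allowed(policy, p, a) for a in actions} for p in principals}


def key_policy_json():
    """The policy as the JSON document you would pass to PutKeyPolicy."""
    return json.dumps(KEY_POLICY, indent=2)


if __name__ == "__main__":
    actions = ["kms:Decrypt", "kms:PutKeyPolicy", "kms:ScheduleKeyDeletion"]
    matrix = permissions_matrix(KEY_POLICY, [ROOT, ADMIN_ROLE, APP_ROLE], actions)
    for principal, results in matrix.items():
        print(principal.rsplit(":", 1)[-1], results)
```

Running the block prints the matrix: the application role can decrypt but not change the policy, the administrators can change the policy but not decrypt, and nobody can schedule deletion while the Deny statement is in place. That separation is the practical reason key policies exist alongside IAM policies: the data owner decides who may use the key independently of who may manage it.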

AWS CloudHSM

CloudHSM provides dedicated Hardware Security Modules in the cloud. Unlike KMS (shared multi-tenant), CloudHSM gives you exclusive access to dedicated HSM hardware. Use CloudHSM when: regulatory requirements mandate customer-controlled cryptographic operations (FIPS 140-2 Level 3), or you need to bring your own key material and manage it entirely.

AWS Secrets Manager

Secrets Manager stores, rotates, and retrieves secrets such as database passwords, API keys, and OAuth tokens. Key features:

  • Automatic secret rotation (native support for RDS, Redshift, DocumentDB)
  • Audit access to secrets via CloudTrail
  • Integration with IAM for access control

Compared with AWS Systems Manager Parameter Store: Parameter Store stores configuration values and can also store secrets; Secrets Manager adds automatic rotation and is purpose-built for credentials.
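The value of runtime retrieval and rotation becomes clear when you see how an application consumes a rotated secret. The following is an added example, not code from the lesson or from AWS: it fetches a database credential through the GetSecretValue call, caches the parsed value for a short TTL so a rotated password is picked up without a round trip on every request, and assembles a connection URL from it. The secret name, the offline stand-in client and the secret contents are constructed; the field names (username, password, engine, host, port, dbname) follow the JSON template Secrets Manager uses for RDS rotation. The `make_default_client` helper assumes boto3 is installed where it is called.

```python
"""Retrieve a database credential from AWS Secrets Manager at runtime, with a
short-lived cache so a rotated password is picked up automatically.
Added example: the secret name, the fake client used to run offline and the
RDS-style secret contents are constructed; the JSON field names follow the
template Secrets Manager uses for RDS rotation."""
import json
import time
from urllib.parse import quote


def make_default_client(region_name="us-east-1"):
    """Real client for use on AWS; imported lazily so the example runs without boto3."""
    import boto3  # assumption: boto3 is installed where this is used
    return boto3.client("secretsmanager", region_name=region_name)


def parse_secret_value(response):
    """GetSecretValue returns SecretString for text secrets or SecretBinary (bytes)
    for binary ones. Structured secrets are JSON documents; plain strings are
    returned unchanged."""
    if "SecretString" in response:
        raw = response["SecretString"]
        try:
            return json.loads(raw)
        except ValueError:
            return raw
    return response["SecretBinary"]


class SecretCache:
    """Caches parsed secrets for ttl_seconds. Keep the TTL well below the rotation
    interval; on an authentication failure call get(..., force_refresh=True)."""

    def __init__(self, client, ttl_seconds=300, clock=time.monotonic):
        self._client = client
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries = {}  # secret_id -> (expires_at, value)

    def get(self, secret_id, force_refresh=False):
        now = self._clock()
        entry = self._entries.get(secret_id)
        if entry is not None and not force_refresh and now < entry[0]:
            return entry[1]
        # Only the secret's name or ARN lives in code or config; the value never does.
        response = self._client.get_secret_value(SecretId=secret_id)
        value = parse_secret_value(response)
        self._entries[secret_id] = (now + self._ttl, value)
        return value


def build_dsn(secret):
    """Assemble a connection URL from an RDS-style secret document."""
    return "{engine}://{user}:{pw}@{host}:{port}/{db}".format(
        engine=secret["engine"], user=quote(secret["username"], safe=""),
        pw=quote(secret["password"], safe=""), host=secret["host"],
        port=secret["port"], db=secret["dbname"])


class FakeSecretsManagerClient:
    """Offline stand-in for boto3.client("secretsmanager"). Simulates a rotation by
    returning a new password and version on every call after the first."""

    def __init__(self):
        self.calls = 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        secret = {  # constructed secret in the RDS rotation template shape
            "engine": "postgres", "host": "orders-db.example.internal", "port": 5432,
            "dbname": "orders", "username": "app_user",
            "password": "initial-Passw0rd" if self.calls == 1 else "rotated-Passw0rd",
        }
        return {"Name": SecretId, "VersionId": f"version-{self.calls}",
                "SecretString": json.dumps(secret)}


def demo():
    """Shows the cache serving the repeat lookup, then picking up the rotated value
    once the TTL expires. Returns (passwords seen, backend calls made)."""
    now = [0.0]
    client = FakeSecretsManagerClient()
    cache = SecretCache(client, ttl_seconds=60, clock=lambda: now[0])
    first = cache.get("prod/orders/db")["password"]
    second = cache.get("prod/orders/db")["password"]  # served from cache
    now[0] = 61.0                                      # TTL expired
    third = cache.get("prod/orders/db")["password"]   # refetched after rotation
    return [first, second, third], client.calls


if __name__ == "__main__":
    seen, calls = demo()
    print(seen, calls)
```

With a real client the same code path runs unchanged; only `make_default_client()` replaces the fake. The cache TTL is the knob that trades Secrets Manager API calls against how quickly a rotation is observed, and access to the secret is still governed by IAM and recorded in CloudTrail as the lesson describes.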

AWS Certificate Manager (ACM)

ACM provisions, manages, and deploys SSL/TLS certificates for AWS services. Public certificates from ACM are free. Works with: Elastic Load Balancers, CloudFront, API Gateway, and other AWS services.

Service                   Purpose
AWS KMS                   Manage encryption keys at scale
AWS CloudHSM              Dedicated HSM for regulatory compliance
AWS Secrets Manager       Store and rotate credentials securely
AWS Certificate Manager   Free TLS/SSL certificates for AWS services

Exam tip: KMS = multi-tenant managed key service. CloudHSM = dedicated hardware, you control the keys. Secrets Manager = credential storage with automatic rotation.

Exam Focus Points

  • Encryption at rest protects stored data; encryption in transit uses TLS to protect data moving between systems
  • KMS manages encryption keys; AWS-managed keys are free; customer-managed keys cost $1/month
  • CloudHSM provides dedicated HSM hardware for FIPS 140-2 Level 3 compliance requirements
  • Secrets Manager stores and automatically rotates database passwords and API keys
  • AWS Certificate Manager provides free public TLS certificates for use with AWS services

Knowledge Check

1. A financial institution must store encryption keys in a dedicated hardware device that they exclusively control, meeting FIPS 140-2 Level 3 requirements. Which AWS service should they use?

2. Which AWS service automatically rotates database passwords on a configured schedule and integrates natively with Amazon RDS?
