L7. Data Protection: KMS, CloudHSM, and Secrets Manager
Data protection falls under the Security and Compliance domain, which is 30% of the Cloud Practitioner (CLF-C02) exam. This lesson covers AWS KMS, CloudHSM, AWS Certificate Manager, and Secrets Manager: the services that hold encryption keys, issue TLS certificates, and manage credentials.
Encryption at Rest and In Transit
Encryption at rest: data encrypted when stored on disk or in a database. AWS storage and database services (S3, EBS, RDS, DynamoDB, and others) encrypt data at rest with keys held in AWS KMS, so "who can use the key" is controlled separately from "who can reach the bucket or table". Encryption in transit: data encrypted while moving between systems, implemented with TLS (the successor to SSL), as in HTTPS. AWS Certificate Manager (ACM) issues and renews public TLS certificates at no charge.
AWS Key Management Service (KMS)
KMS is a managed service for creating and controlling encryption keys used across AWS services. Key types:
- AWS managed keys: created and managed by AWS on your behalf for a specific service (alias of the form "aws/s3"); no monthly key charge; rotated automatically every year; you can see them and their use in CloudTrail, but cannot change their key policy or rotation
- Customer managed keys: created by you; you own the key policy, IAM grants, optional automatic rotation (off by default) and scheduled deletion (a 7 to 30 day waiting period before the key is destroyed); $1/month per key, prorated, plus API request charges. Older material calls these CMKs (customer master keys); AWS now just says "KMS key"
- AWS owned keys: a pool of keys AWS services use across many customer accounts; no visibility, control, or charge
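The mechanism behind all three key types is envelope encryption: the KMS key never encrypts your data directly, it only wraps a per-object data key, and rotation adds a new backing key version without re-encrypting anything already stored. The following is an added example that models that behaviour; it is not AWS code and does not call boto3. `FakeKms`, `encrypt_record` and `decrypt_record` are hypothetical names, and the AEAD is a stand-in built from HMAC-SHA256 (CTR keystream plus encrypt-then-MAC tag) so it runs with the standard library only, where real KMS uses AES-256-GCM inside HSMs.

```python
import hashlib
import hmac
import json
import secrets
import struct


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream from HMAC-SHA256 (toy stand-in for AES-GCM)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag; aad is authenticated, not encrypted."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed (wrong key or encryption context)")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class FakeKms:
    """Hypothetical stand-in for one customer managed KMS key. The key ID never
    changes; rotation appends a new backing key version and keeps the old ones,
    which is why ciphertexts wrapped before rotation still decrypt."""

    def __init__(self, key_id: str) -> None:
        self.key_id = key_id
        self._backing = [secrets.token_bytes(32)]  # index == key version; never leaves "KMS"

    @property
    def current_version(self) -> int:
        return len(self._backing) - 1

    def rotate(self) -> None:
        self._backing.append(secrets.token_bytes(32))

    @staticmethod
    def _aad(context: dict) -> bytes:
        # The encryption context is authenticated data, not a secret: it binds the
        # wrapped key to its intended use and must match exactly on decrypt.
        return json.dumps(context, sort_keys=True).encode()

    def generate_data_key(self, context: dict) -> tuple[bytes, bytes]:
        """Like GenerateDataKey: plaintext data key for use now, plus a wrapped copy to store."""
        data_key = secrets.token_bytes(32)
        v = self.current_version
        wrapped = struct.pack(">I", v) + aead_encrypt(self._backing[v], data_key, self._aad(context))
        return data_key, wrapped

    def decrypt(self, wrapped: bytes, context: dict) -> bytes:
        """Like Decrypt: unwrap with whichever backing version produced the blob."""
        v = struct.unpack(">I", wrapped[:4])[0]
        return aead_decrypt(self._backing[v], wrapped[4:], self._aad(context))


def encrypt_record(kms: FakeKms, plaintext: bytes, context: dict) -> dict:
    """Envelope encryption: the KMS key only wraps a 32-byte data key; the data key
    encrypts the payload locally and is not stored anywhere in plaintext."""
    data_key, wrapped = kms.generate_data_key(context)
    return {
        "key_id": kms.key_id,
        "key_version": kms.current_version,
        "wrapped_key": wrapped,
        "ciphertext": aead_encrypt(data_key, plaintext),
    }


def decrypt_record(kms: FakeKms, record: dict, context: dict) -> bytes:
    data_key = kms.decrypt(record["wrapped_key"], context)
    return aead_decrypt(data_key, record["ciphertext"])


if __name__ == "__main__":
    kms = FakeKms("alias/orders")
    ctx = {"service": "orders", "table": "payments"}   # constructed sample context
    before = encrypt_record(kms, b"card token 4242", ctx)
    kms.rotate()                                       # new version for new data keys only
    after = encrypt_record(kms, b"card token 5353", ctx)
    print(decrypt_record(kms, before, ctx), before["key_version"], after["key_version"])
    try:
        decrypt_record(kms, before, {"service": "other"})
    except ValueError as exc:
        print("context mismatch rejected:", exc)
```

Two things the model makes visible that the bullet list does not: rotating a KMS key does not touch existing ciphertexts (the old backing version stays available, so there is no re-encryption job to run), and a wrong encryption context fails authentication in the same way a wrong key does, which is what makes the context useful as a cheap authorization check and a CloudTrail audit field.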
AWS CloudHSM
CloudHSM provides dedicated, single-tenant Hardware Security Modules in your VPC, validated to FIPS 140-2 Level 3. Unlike KMS, where AWS operates a shared, multi-tenant HSM fleet and enforces the key policy, CloudHSM gives you exclusive control: you create the HSM users and keys, AWS cannot access the key material, and applications reach the cluster through standard interfaces (PKCS#11, JCE, OpenSSL). Use CloudHSM when regulations require customer-controlled cryptographic operations at FIPS 140-2 Level 3, or when you want KMS keys backed by hardware you control (a KMS custom key store). Note that KMS can already import your own key material, so "bring your own key" alone does not require CloudHSM; what CloudHSM adds is exclusive control of the hardware that holds it. The trade-off is operational: you run the cluster (at least two HSMs in different Availability Zones for availability), its backups, and the application integration, and you pay per HSM-hour rather than per key.
AWS Secrets Manager
Secrets Manager stores, rotates, and retrieves secrets such as database passwords, API keys, and OAuth tokens. Key features:
- Automatic rotation on a schedule: managed rotation for Amazon RDS, Redshift, and DocumentDB credentials; for any other secret you supply a Lambda rotation function
- Audit: every retrieval and rotation event is recorded in CloudTrail
- Access control: IAM identity policies and secret resource policies decide who can read or rotate which secret; secret values are encrypted at rest with a KMS key
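Rotation works by moving staging labels between secret versions: the new credential is created under AWSPENDING, tested against the database, and only then promoted to AWSCURRENT, with the old version keeping AWSPREVIOUS for rollback. The following is an added example that walks through the four steps a rotation Lambda function implements (createSecret, setSecret, testSecret, finishSecret) together with the client-side pattern of caching the secret and refreshing on an authentication failure. It is not AWS code: `FakeSecretsManager`, `FakeDatabase`, `rotate_secret` and `CachingClient` are hypothetical in-memory stand-ins, and the method names only mirror the real API.

```python
import secrets
import string
import uuid


class FakeSecretsManager:
    """In-memory stand-in for one secret with versions and staging labels."""

    def __init__(self, initial_value: str) -> None:
        self.versions: dict[str, dict] = {}
        self.put_secret_value(initial_value, "AWSCURRENT")

    def put_secret_value(self, value: str, stage: str) -> str:
        version_id = str(uuid.uuid4())
        self.versions[version_id] = {"value": value, "stages": {stage}}
        return version_id

    def get_secret_value(self, stage: str = "AWSCURRENT") -> tuple[str, str]:
        for version_id, v in self.versions.items():
            if stage in v["stages"]:
                return version_id, v["value"]
        raise KeyError(f"no version carries stage {stage}")

    def update_version_stage(self, stage: str, move_to: str) -> None:
        """Mirrors UpdateSecretVersionStage: a label lives on exactly one version."""
        for v in self.versions.values():
            v["stages"].discard(stage)
        self.versions[move_to]["stages"].add(stage)


class FakeDatabase:
    """Stand-in for the database whose user password is being rotated."""

    def __init__(self, user: str, password: str) -> None:
        self._creds = {user: password}

    def set_password(self, user: str, password: str) -> None:
        self._creds[user] = password

    def login(self, user: str, password: str) -> bool:
        return self._creds.get(user) == password


def new_password(length: int = 32) -> str:
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotate_secret(sm: FakeSecretsManager, db: FakeDatabase, user: str) -> str:
    """The four rotation steps, in the order the rotation function is invoked."""
    # 1. createSecret: candidate credential stored under AWSPENDING; AWSCURRENT untouched
    pending_id = sm.put_secret_value(new_password(), "AWSPENDING")
    _, pending_pw = sm.get_secret_value("AWSPENDING")
    # 2. setSecret: apply the candidate to the database
    db.set_password(user, pending_pw)
    # 3. testSecret: prove it works before any reader is pointed at it
    if not db.login(user, pending_pw):
        raise RuntimeError("rotation aborted: candidate credential rejected")
    # 4. finishSecret: promote; the outgoing version keeps AWSPREVIOUS for rollback
    current_id, _ = sm.get_secret_value("AWSCURRENT")
    sm.update_version_stage("AWSPREVIOUS", move_to=current_id)
    sm.update_version_stage("AWSCURRENT", move_to=pending_id)
    sm.versions[pending_id]["stages"].discard("AWSPENDING")
    return pending_id


class CachingClient:
    """Application side: cache the secret, refresh once on an auth failure."""

    def __init__(self, sm: FakeSecretsManager, db: FakeDatabase, user: str) -> None:
        self._sm, self._db, self._user = sm, db, user
        self._cached = None

    def connect(self) -> str:
        if self._cached is None:
            _, self._cached = self._sm.get_secret_value("AWSCURRENT")
        if self._db.login(self._user, self._cached):
            return "ok"
        # Cached value went stale because a rotation finished: re-fetch and retry once.
        _, self._cached = self._sm.get_secret_value("AWSCURRENT")
        if self._db.login(self._user, self._cached):
            return "ok-after-refresh"
        raise RuntimeError("login failed even with the freshly fetched secret")


if __name__ == "__main__":
    sm = FakeSecretsManager("initial-pw")            # constructed sample secret
    db = FakeDatabase("app", "initial-pw")
    client = CachingClient(sm, db, "app")
    print(client.connect())                          # ok
    rotate_secret(sm, db, "app")
    print(client.connect())                          # ok-after-refresh
    print(sm.get_secret_value("AWSPREVIOUS")[1])     # initial-pw, kept for rollback
```

The client-side refresh matters because this is the single-user rotation strategy: between steps 2 and 4 the database has already accepted the new password, so anything holding the old one fails until it re-reads AWSCURRENT. The alternating-users strategy (two database users, rotated in turn, so one valid credential always exists) avoids that window at the cost of a second user.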
AWS Certificate Manager (ACM)
ACM provisions, manages, and automatically renews TLS certificates for use with AWS services. Public certificates from ACM are free; internal certificates issued through AWS Private CA are priced separately. ACM deploys certificates to integrated services, including Elastic Load Balancing, CloudFront, and API Gateway, and renewal is automatic only while the certificate is attached to one of them. One practical caveat: a certificate used by CloudFront must be requested in the us-east-1 Region.
| Service | Purpose |
|---|---|
| AWS KMS | Manage encryption keys at scale |
| AWS CloudHSM | Dedicated HSM for regulatory compliance |
| AWS Secrets Manager | Store and rotate credentials securely |
| AWS Certificate Manager | Free TLS/SSL certificates for AWS services |
- ✓ Encryption at rest protects stored data; encryption in transit uses TLS to protect data moving between systems
- ✓ KMS manages encryption keys; AWS managed keys have no monthly charge; customer managed keys cost $1/month per key
- ✓ CloudHSM provides dedicated, single-tenant HSM hardware for FIPS 140-2 Level 3 compliance requirements
- ✓ Secrets Manager stores and automatically rotates database passwords and API keys
- ✓ AWS Certificate Manager provides free public TLS certificates for use with AWS services
1. A financial institution must store encryption keys in a dedicated hardware device that they exclusively control, meeting FIPS 140-2 Level 3 requirements. Which AWS service should they use?
2. Which AWS service automatically rotates database passwords on a configured schedule and integrates natively with Amazon RDS?