- Specifically designed for storing and rotating secrets.
- Shares functionality with Parameter Store.
- Designed specifically for Secrets like passwords and API Keys.
- Usable via Consoles, CLI, APIs or SDKs.
- Supports automatic rotation of secrets using Lambdas.
- Directly integrates with some AWS products like RDS.
- Secrets are encrypted at rest.
- Secrets are integrated with IAM roles.
- Secrets are encrypted using KMS.
- AWS Sheild provides protection against DDoS attacks.
- AWS shield standard comes free with Route53 and CloudFront.
- Protections against Layer 3 and Layer 4 DDoS attacks.
- Shield Advanced- $3000 per month.
- Shield Advanced protects EC2, ELB, CloudFront, Global Accelerator and R53.
- Shield Advanced gives access to DDoS response team and financial assistsnce.
- It's a Layer 7(HTTP/S) firewall.
- WAF protects against complex Layer 7 attacks/exploits.
- SQL Injections, Cross-Site scripting, Geolocation Blocks, Rate awareness.
- Main entity provided by WAF is Web Access control (WEBACL), integrated with ALB, API Gateway and CloudFront.
- Web ACL has rules and they are evaluated when traffic arrives.
- Both WAF and Shield filter traffic on perimiter (CloudFront, R53, ALB, API Gateway) bfore they reach to our infrastcuture.
- They can be used together in supported product.
- Sheild protects us with DDoS and Layer 3/4 attacks (Probably IP & Packet level attacks).
- WAF protects us with Layer 7 attacks and exploits and access can be controlled using WEBACL.
- It's an appliance which creates, manages and secure Cryptographic materials or keys.
- Almost as same as KMS.
- KMS is aws managed service, isolated for you but basic infrastructure is shared between tenants.
- Behind the scene KMS use HSM = Hardware Security Module.
- HSM are industry standard pieces of hardware which are designed to manage keys and perform cryptographic operations.
- CloudHSM is true single tenant HSM.
- Could HSM is provisioned by HSM but as the customers, we have to manage them ourselves.
- AWS can't access Cloud HSM, they may access KMS if required. That means if we lose HSM, it's gone forever. We can reprovision a new HSM but the old one is completely gone.
- Cloud HSM is fully FIPS 140-3 Level 3, while KMS is generally Level 2, and only some part is Level 3.
- KMS can be accessed with AWS apis and can be fully integrted with AWS services.
- CloudHSM can not be accessed with AWS Apis. For Access and Integration we need to use industry standard Apis like PKS#11, Java Cryptography Extensions (JKE) or Microsoft CryptoNG(CNG) libraries.
- KMS can use Cloud HSM as custom key store.
- They are deployed to AWS Managed CloudHSM VPC.
- We have no visibility of this VPC.
- HSM is by default is not HA device.
- For HA we need to have a cluster with atleast two HSM devices one each per AZ within VPC.
- HSM configured in a cluster replicate keys, policies and configuration by default.
- HSM runs in AWS managed VPC and Interfaces are added to our VPC.
- CloudHSM Client needs to be installed in every instance to access or use HSM functionality.
- Cloud HSM does not have native integration..
- Cloud HSM can offload SSL/TLS processing of webservers.
- Cloud HSM can enable Transparent Data Encryption (TDE) for oracle databases.
- Cloud HSM can protect private keys for issuing Certificate Authority (CA).