# AWS Certified Solutions Architect - Associate (Security)
###### tags: `AWS`
### Reducing security threats
- Using NACL
  - Stateless, subnet-level filter on Layer 3/4 fields (source/destination IP, protocol, port); rules are evaluated lowest number first, the first match wins, and an implicit `*` rule denies everything else
  - Security groups can only **allow**, so blocking a known-bad IP needs a NACL **DENY** rule numbered **below** the broad ALLOW rules (a DENY placed after the ALLOW never fires)

> Notes: NACLs operate at Layer 4 (with a Layer 3 address match). Because they are stateless, return traffic to the client's ephemeral ports (1024-65535) must be allowed explicitly in the opposite direction.
- Using NACL + ALB
  - Behind an ALB the instances see the ALB's private IP as the source (the client IP is only in `X-Forwarded-For`), so block attacker IPs with the NACL on the **ALB's public subnets**, not at the instances
  - Keep the instances in private subnets whose security group only admits traffic from the ALB's security group, so the ALB cannot be bypassed

- Using Web Application Firewall (WAF)
  - Inspects HTTP(S) requests: IP sets, rate-based rules (throttle a source that exceeds a request count over a 5-minute window), SQL injection / XSS match conditions, geo-match, AWS managed rule groups

> Note: WAF operates at Layer 7 and attaches as a web ACL to an ALB, API Gateway, CloudFront or AppSync.
- Using WAF + CloudFront
  - With CloudFront in front, the ALB sees CloudFront's IP ranges, so IP blocking belongs in the web ACL attached to the **distribution** (or CloudFront geo restriction) and is enforced at the edge
  - Restrict the origin so only CloudFront can reach it, e.g. a secret custom origin header that a rule on the ALB's own web ACL requires

### Key Management Service (KMS)
- **Regional** service for secure key management, encryption and decryption (a key stays in the Region it was created in unless it is a multi-Region key)
- Manages **customer master keys** (CMKs), now called **KMS keys** in the AWS documentation
- Ideal for S3 objects, DB passwords and API keys stored in Systems Manager Parameter Store
- Encrypt and decrypt data up to **4KB** in size per API call; anything larger is encrypted locally with a **data key** that KMS generates and wraps (envelope encryption)
- Integrated with most AWS services
- Pay per API call
- Audit capability using CloudTrail - every key use is logged, logs delivered to S3
- **FIPS 140-2 Level 2** (the figure the exam expects; since 2023 the KMS HSMs are validated at **Level 3**)
- Level 3 is CloudHSM
#### Types of CMKs
- AWS Managed CMK
  - No monthly key charge (API calls are still billed); created by a service on your behalf when you pick its default encryption option (alias `aws/<service>`). Only that service can use them and the key policy cannot be edited.
- Customer Managed CMK
  - Created and controlled by you through **key policies** (and grants); optional automatic **rotation** (yearly by default); can be enabled/disabled and scheduled for deletion (7-30 day waiting period).
- AWS Owned CMK
  - Owned by a service and shared across many accounts; you cannot see, audit or manage them.

#### Symmetric vs. Asymmetric CMKs
- Symmetric
  - **Same** key used for encryption and decryption
  - **AES-256**
  - Key material never leaves KMS unencrypted
  - Must call the KMS APIs to use
  - AWS services integrated with KMS use symmetric CMKs
  - Encrypt, decrypt, and re-encrypt data
  - Generate data keys, data key pairs, and random byte strings
  - **Import** your own key material
- Asymmetric
  - Mathematically related public/private key pair
  - **RSA** and **ECC**
  - **Private** key never leaves KMS unencrypted
  - Must call the KMS APIs to use the **private** key
  - **Download** the public key and use it outside AWS
  - Used outside AWS by users who can't call KMS APIs (encrypt with the public key, or verify a signature)
  - AWS services integrated with KMS **do not support** asymmetric CMKs
  - Sign messages and verify signatures (signing key pairs) or encrypt/decrypt (RSA encryption key pairs); a key pair's usage is fixed when it is created
> Default Policy
> - Grants the AWS account (root user) **full access** to the CMK (`kms:*`); this statement is what lets IAM policies in the account grant key permissions at all, so removing it can lock everyone out of the key
> 
> - When created in the console, also grants the chosen key administrators the management actions, and the chosen IAM users/roles (key users) the cryptographic actions: `kms:Encrypt`, `kms:Decrypt`, `kms:ReEncrypt*`, `kms:GenerateDataKey*`, `kms:DescribeKey`
> 
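Envelope encryption, the pattern that makes the 4 KB limit above irrelevant for real payloads, as an added Go example that is not part of these notes: a `localKMS` type stands in for AWS KMS (an assumption for running offline; real code calls `GenerateDataKey` and `Decrypt` through the AWS SDK). KMS only ever handles the 32-byte data key; the object is encrypted locally with AES-256-GCM, and the encryption context (here a constructed `aws:s3:arn` entry) is authenticated so that a mismatched context fails on `Decrypt`, which is how KMS behaves.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// localKMS is an offline stand-in for AWS KMS (an assumption of this demo, not the AWS SDK):
// the master key never leaves it; callers only get GenerateDataKey and Decrypt.
type localKMS struct{ master []byte }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // the OS CSPRNG failing is fatal
	}
	return b
}

// newGCM builds AES-256-GCM over a 32-byte key.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a malformed key length gets here
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// contextAAD canonicalises an encryption context the way KMS treats it: it is
// authenticated (AAD), not secret, and must match exactly on Decrypt.
func contextAAD(ctx map[string]string) []byte {
	keys := make([]string, 0, len(ctx))
	for k := range ctx {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	for _, k := range keys {
		fmt.Fprintf(&b, "%s=%s;", k, ctx[k])
	}
	return []byte(b.String())
}

// GenerateDataKey returns a fresh 256-bit data key in plaintext and wrapped under the
// master key (nonce || AES-GCM ciphertext), like the two fields of the KMS response.
func (k *localKMS) GenerateDataKey(ctx map[string]string) (plain, wrapped []byte) {
	plain = randomBytes(32)
	aead := newGCM(k.master)
	nonce := randomBytes(aead.NonceSize())
	return plain, append(nonce, aead.Seal(nil, nonce, plain, contextAAD(ctx))...)
}

// Decrypt unwraps a data key; a different encryption context fails authentication.
func (k *localKMS) Decrypt(wrapped []byte, ctx map[string]string) ([]byte, error) {
	aead := newGCM(k.master)
	if n := aead.NonceSize(); len(wrapped) >= n {
		return aead.Open(nil, wrapped[:n], wrapped[n:], contextAAD(ctx))
	}
	return nil, fmt.Errorf("wrapped key too short")
}

// Envelope is what gets stored next to (or inside) the object.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

// EncryptObject encrypts a payload of any size locally under a one-time data key;
// KMS only ever sees the 32-byte key, so the 4 KB API limit never applies to the data.
func EncryptObject(kms *localKMS, ctx map[string]string, plaintext []byte) *Envelope {
	dk, wrapped := kms.GenerateDataKey(ctx)
	defer zero(dk) // the plaintext data key lives only for this call
	aead := newGCM(dk)
	nonce := randomBytes(aead.NonceSize())
	return &Envelope{wrapped, nonce, aead.Seal(nil, nonce, plaintext, nil)}
}

// DecryptObject asks KMS for the data key back, then decrypts locally.
func DecryptObject(kms *localKMS, ctx map[string]string, e *Envelope) ([]byte, error) {
	dk, err := kms.Decrypt(e.WrappedKey, ctx)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	defer zero(dk)
	return newGCM(dk).Open(nil, e.Nonce, e.Ciphertext, nil)
}

func zero(b []byte) { for i := range b { b[i] = 0 } }

func main() {
	kms := &localKMS{master: randomBytes(32)}
	ctx := map[string]string{"aws:s3:arn": "arn:aws:s3:::example-bucket/report.csv"} // constructed
	env := EncryptObject(kms, ctx, bytes.Repeat([]byte("x"), 64*1024)) // far beyond the 4 KB limit
	got, err := DecryptObject(kms, ctx, env)
	fmt.Println("recovered:", err == nil && len(got) == 64*1024)
	_, err = DecryptObject(kms, map[string]string{"aws:s3:arn": "arn:aws:s3:::other-bucket/x"}, env)
	fmt.Println("wrong context rejected:", err != nil)
}
```

Two points carry over to real KMS: a CloudTrail entry is written for the `GenerateDataKey` and the `Decrypt` calls (not for the local AES work), and the encryption context shows up in that log entry, which is why S3 and other services put the object ARN in it.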
### CloudHSM
- **Dedicated** hardware security module (HSM)
- **FIPS 140-2 Level 3**
- Level 2 is KMS
- **Manage your own keys** (vs. KMS, where AWS runs the HSMs and the key lifecycle)
- Separation of duties: AWS provisions and maintains the appliance but has **no access** to your keys; you have **no access** to the AWS-managed appliance layer
- Runs within a VPC in your account
- Single tenant, dedicated hardware, multi-AZ cluster (at least two HSMs in different AZs for high availability)
- Industry-standard APIs - **no AWS APIs** for the cryptographic operations
  - **PKCS#11**
  - **Java Cryptography Extensions (JCE)**
  - **Microsoft Cryptography API: Next Generation (CNG)** and KSP
- Keep your keys safe - **irretrievable** if lost: AWS cannot recover them, so cluster backups are the only way to restore a cluster's keys

### Systems Manager Parameter Store
- Component of AWS Systems Manager (SSM)
- Secure **serverless** storage for configuration and secrets:
  - Passwords
  - DB connection strings
  - License codes
  - API keys
- Values can be stored encrypted as **SecureString** (KMS, with the `aws/ssm` AWS managed key or a customer managed key) or in plaintext (`String`, `StringList`)
- Separates data from source control
- Store parameters in **hierarchies** (paths such as `/prod/db/password`) and fetch a whole subtree with `GetParametersByPath`; IAM policies can scope access to a path prefix
- Track versions (a parameter keeps its version history; a specific version or label can be requested)
- Expire values such as passwords with **parameter policies** (advanced tier): `Expiration`, `ExpirationNotification`, `NoChangeNotification`
- No built-in rotation; use **Secrets Manager** when automatic rotation is required

