---
# System prepended metadata

title: AWS Certified Solutions Architect - Associate (Security)
tags: [AWS]

---

# AWS Certified Solutions Architect - Associate (Security) 

###### tags: `AWS`

### Reducing security threats
- Using NACL
![](https://i.imgur.com/jjOTCJF.png)
> Note: NACLs operate at Layer 4
- Using NACL + ALB
![](https://i.imgur.com/KTF1Ogb.png)
- Using Web Application Firewall (WAF)
![](https://i.imgur.com/9LaIudr.png)
> Note: WAF operates at Layer 7
- Using WAF + CloudFront
![](https://i.imgur.com/7HghYOW.png)

### Key Management Service (KMS)
- **Regional** service for secure key management and for encryption and decryption
- Manages **customer master keys** (CMKs)
- Ideal for S3 objects, DB passwords and API keys stored in Systems Manager Parameter Store
- Encrypt and decrypt data up to **4KB** in size
- Integrated with most AWS services
- Pay per API call
- Audit capability using CloudTrail - logs delivered to S3
- **FIPS 140-2 Level 2**
- Level 3 is CloudHSM


#### Types of CMKs
- AWS Managed CMK
Free; used by default if you pick encryption in most AWS services. Only that service can use them directly.
- Customer Managed CMK
Allows key **rotation**; controlled via key policies and can be enabled/disabled.
- AWS Owned CMK
Used by AWS on a shared basis across many accounts; you typically won't see these.

![](https://i.imgur.com/VfaUIPH.png)


#### Symmetric vs. Asymmetric CMKs
- Symmetric
    - **Same** key used for encryption and decryption
    - **AES-256**
    - Never leaves AWS unencrypted 
    - Must call the KMS APIs to use
    - AWS services integrated with KMS use symmetric CMKs
    - Encrypt, decrypt, and re-encrypt data
    - Generate data keys, data key pairs, and random byte strings
    - **Import** your own key material
- Asymmetric
    - Mathematically related public/private key pair
    - **RSA** and **ECC**
    - **Private** key never leaves AWS unencrypted
    - Must call the KMS APIs to use **private** key
    - **Download** the public key and use outside AWS
    - Used outside AWS by users who can't call KMS APIs
    - AWS services integrated with KMS **do not support** asymmetric CMKs
    - Sign messages and verify signatures

> Default Policy
> - Grant AWS account (root user) **full access** to the CMK
> ![](https://i.imgur.com/wXNglGi.png)
> - Grants IAM role access to crypto actions for encrypting and decrypting data
> ![](https://i.imgur.com/Szyakv3.png)
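As an added example (not taken from the page or from AWS's own console output), a customer managed CMK key policy in the shape of the two default statements described above: the first gives the account root full access so IAM policies in the account can govern the key, the second grants one IAM role the cryptographic actions. The account ID `111122223333` is a placeholder and `ExampleAppRole` is an assumed role name.

```json
{
  "Version": "2012-10-17",
  "Id": "key-default-1",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key for encryption and decryption",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/ExampleAppRole" },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
```

Note that the root statement is what lets IAM identity policies in the account grant access to the key; removing it without another administrative principal in the key policy can leave the key unmanageable.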

### CloudHSM
- **Dedicated** hardware security module (HSM)
- **FIPS 140-2 Level 3**
- Level 2 is KMS
- **Manage your own key** (vs. KMS)
- **NO access** to the AWS-managed component
- Runs within a VPC in your account
- Single tenant, dedicated hardware, multi-AZ cluster
- Industry-standard APIs - **no AWS APIs**
- **PKCS#11**
- **Java Cryptography Extensions (JCE)**
- **Microsoft CryptoNG (CNG)**
- Keep your keys safe - **irretrievable** if lost.

![](https://i.imgur.com/m9xdClQ.png)
 
### System Manager Parameter Store
- Component of AWS Systems Manager (SSM)
- Secure **serverless** storage for configuration and secrets:
    - Passwords
    - DB connection strings
    - License codes
    - API keys
- Values can be stored encrypted (KMS) or plaintext
- Separate data from source control
- Store parameters in **hierarchies**
- Track versions
- Set TTL to expire values such as passwords
![](https://i.imgur.com/Px2omaO.png)


![](https://i.imgur.com/HEAnVVr.png)
