AWS KMS/Cloud HSM

Able to manage the keys & policies (but you never “see” the real keys yourself)
To give access to KMS make sure the key policy allows use and IAM policy allows the API calls
Can only help in encrypting up to 4KB of data per call. If it’s ore use envelope encryption
Pay for API calls to KMS ($.03 / 10000 calls)
KMS has Encrypt and Decrypt API
In-place encryption: S3

Cloud HSM
Aws provides dedicated encryption hardware
You manage the keys entirely
FIPS 140-2 Level 3 compliance
Clusters are spread across multi-AZ
Supports symmetric & asymmetric encryption

Posted in: AWS

Leave a Reply

Your email address will not be published. Required fields are marked *