brandon/oam
1
0
Fork 0
mirror of https://gitea.com/mcereda/oam.git synced 2026-02-08 21:34:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore(secrets-management): expand a little

Browse Source
This commit is contained in:
Michele Cereda
2025-08-03 12:00:37 +02:00
parent d1c68655c8
commit 9ca7296180
4 changed files with 125 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

103
knowledge base/cloud computing/aws/kms.md Normal file
View File

@@ -0,0 +1,103 @@
# AWS Key Management Service
AWS' native encryption keys management service.
1. [TL;DR](#tldr)
1. [Aliases](#aliases)
1. [Further readings](#further-readings)
1. [Sources](#sources)
## TL;DR
Creates and controls encryption keys one can use to encrypt data.<br/>
Keys created with KMS are protected by FIPS 140-3 Security Level 3 validated HSMs.<br/>
They are created, managed, used, and deleted entirely **within** the managed service. They **never** leave KMS
unencrypted. To use or manage keys in KMS, one **must** interact with the service.
The service costs $0.03 to $12 per 10,000 API calls, depending on the action and type of key used.<br/>
Refer [Pricing].
Key policies are the **primary** way to control access to KMS keys.<br/>
Every KMS key must have **exactly one** key policy.<br/>
Statements in such policies determine **who** has permission to use KMS keys, and **how** they can use it. One _can_
configure **additional** [IAM] policies and grants for keys.<br/>
Key policies are Regional.
> [!important]
> IAM policies manage access to a KMS key **only** if the key policy **explicitly** allows it.<br/>
> Without permission from the key policy, IAM policies have no effect.<br/>
> The default key policy enables IAM policies.
**No** AWS principal, **including** the account root user and the key creator, has **any** permissions to a key until
a key policy, IAM policy, or grant **explicitly** allows, and never denies, access to it.
Keys created by customers are referred to as _customer managed keys_.<br/>
They are recommended when wanting **full control** over the lifecycle and usage of the keys.<br/>
Customer managed keys incur in both management and usage costs.
_AWS managed keys_ are keys that exists in an account, but can only be used in the context of an AWS service and only
in the same account. One **cannot** share resources encrypted under an AWS managed key with other accounts.<br/>
They do **not** allow managing anything about their lifecycle or permissions.<br/>
AWS managed keys do not have management costs, but incur in usage costs.<br/>
These keys use an alias in the form `aws/<service code>`, e.g. `aws/ebs`.
AWS managed keys are a legacy key type, and are no longer being created for new AWS services as of 2021. Instead,
services are now using _AWS owned keys_ to encrypt customer data by default.<br/>
AWS owned keys are stored in an AWS account managed by the related AWS service. Only the service's operators can manage
the keys' lifecycle and usage permissions.<br/>
By using AWS owned keys, AWS services can transparently encrypt data and allow for cross-account or cross-region sharing
of data.<br/>
Customers are **not** charged for the keys' existence **nor** their usage, but they cannot change their policies, audit
activities on these keys, nor delete them.
KMS can provide encryption keys for protecting data in other AWS services (e.g., [EBS], [RDS], [S3]).
AWS services that integrates with KMS only use _symmetric_ encryption keys to encrypt data.<br/>
These services do **not** support encryption with _asymmetric_ keys.
Asymmetric keys are related public key and private key pairs.<br/>
The **private** key is created in KMS and never leaves the service unencrypted. To use the private key, one **must**
interact with KMS.<br/>
One can use the **public** key by calling the AWS APIs, or download it and use it outside of KMS.
Use a **symmetric** encryption KMS key to encrypt the data one stores or manages in an AWS service.
## Aliases
Refer [Aliases in AWS KMS].
Each key is represented by its key ID, but can have one or more aliases associated.<br/>
Aliases allow using a human-friendly name to identify the key they are associated to in _some_ AWS operations.<br/>
They are **not** a property of a key, and actions on the alias do **not** affect the associated key. However, all
aliases associated with a key are deleted when that key is deleted.
> [!important]
> Specifying an alias as resource in an IAM policy will make the policy refer **to the alias**, not to the key it is
> associated with.
## Further readings
- [Secrets management]
### Sources
- [AWS Key Management Service]
<!--
Reference
═╬═Time══
-->
<!-- In-article sections -->
<!-- Knowledge base -->
[EBS]: ebs.md
[IAM]: iam.md
[RDS]: rds.md
[S3]: s3.md
[Secrets management]: ../../secrets%20management.md
<!-- Upstream -->
[AWS Key Management Service]: https://docs.aws.amazon.com/kms/latest/developerguide/overview.html
[Pricing]: https://aws.amazon.com/kms/pricing/
[Aliases in AWS KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html
<!-- Others -->

8
knowledge base/cloud computing/aws/secrets manager.md
View File

@@ -19,7 +19,7 @@ Critical secrets can be replicated cross-region.
Costs $0.40 per secret per month, plus $0.05 per 10,000 API calls.<br/>
Secrets that are marked for deletion are not paid for.
Secrets Manager uses keys from KMS to encrypt the secrets it manages.<br/>
Secrets Manager uses keys from [KMS] to encrypt the secrets it manages.<br/>
On first use, Secrets Manager creates the AWS-managed key `aws/secretsmanager` to encrypt the secrets given to it. There
is **no** cost for using this key.<br/>
When _automatic_ rotation is turned on for a secret, Secrets Manager uses a Lambda function to rotate it. The use of the
@@ -58,6 +58,10 @@ Managed secrets use a naming convention that includes the ID of the service mana
## Further readings
- [Secrets management]
- [KMS]
- [IAM]
### Sources
<!--
@@ -68,6 +72,8 @@ Managed secrets use a naming convention that includes the ID of the service mana
<!-- In-article sections -->
<!-- Knowledge base -->
[IAM]: iam.md
[KMS]: iam.md
[Secrets management]: ../../secrets%20management.md
<!-- Upstream -->
<!-- Others -->

3
knowledge base/jargon.md
View File

@@ -58,6 +58,7 @@
| FHS | [Filesystem Hierarchy Standard][fhs] | |
| FIFO | First In First Out | |
| FILO | First In Last Out | |
| FIPS | Federal Information Protection Standard | Security standard created by NIST to protect US government data |
| FISH | [Friendly Interactive SHell][fish] | |
| FQDN | Fully Qualified Domain Name | |
| FS | FileSystem | |
@@ -67,6 +68,7 @@
| GUI | Graphical User Interface | |
| HA | High Availability | Characteristic of a system which aims to ensure better or longer availability for its services |
| HPC | High Performance Computing | Collections of systems and tools used to achieve a greater processing capacity than the single unit |
| HSM | Hardware Security Module | Hardware cryptographic appliance designed to provide dedicated cryptographic functions |
| IaC | [Infrastructure as Code][iac] | |
| IC | Integrated Circuit | |
| IDP | Internal Developer Platform | |
@@ -91,6 +93,7 @@
| M2COTS | Mass Market COTS | Widely available COTS products |
| MR | Merge Request | Prevalently used in GitLab |
| NACL | Network ACL | |
| NIST | National Institute of Science and Technology | |
| OAM | [Open Application Model] | |
| OAM | Operations, Administration and Management | |
| ODBC | Open DataBase Connectivity | Open standard API used for accessing databases |

12
knowledge base/secrets management.md
View File

@@ -47,8 +47,18 @@ This is what _secrets orchestration platforms_ try to solve.
## Further readings
- [1Password Secrets Automation]
- [Akeyless]
- [AWS KMS]
- [AWS Secrets Manager]
- [Bitwarden Secrets Manager]
- [CyberArk Conjur]
- [Doppler]
- [HashiCorp Vault]
- [Infisical]
- [OpenBao]
- [Phase]
- [Pulumi ESC]
### Sources
@@ -61,6 +71,8 @@ This is what _secrets orchestration platforms_ try to solve.
<!-- In-article sections -->
<!-- Knowledge base -->
[AWS KMS]: cloud%20computing/aws/kms.md
[AWS Secrets Manager]: cloud%20computing/aws/secrets%20manager.md
[HashiCorp Vault]: hashicorp%20vault.md
[Infisical]: infisical.md
[Pulumi ESC]: pulumi.md#esc