From 9ca72961804fb9f704a49b89077642b9bd56f535 Mon Sep 17 00:00:00 2001 From: Michele Cereda Date: Sun, 3 Aug 2025 12:00:37 +0200 Subject: [PATCH] chore(secrets-management): expand a little --- knowledge base/cloud computing/aws/kms.md | 103 ++++++++++++++++++ .../cloud computing/aws/secrets manager.md | 8 +- knowledge base/jargon.md | 3 + knowledge base/secrets management.md | 12 ++ 4 files changed, 125 insertions(+), 1 deletion(-) create mode 100644 knowledge base/cloud computing/aws/kms.md diff --git a/knowledge base/cloud computing/aws/kms.md b/knowledge base/cloud computing/aws/kms.md new file mode 100644 index 0000000..ee30a97 --- /dev/null +++ b/knowledge base/cloud computing/aws/kms.md @@ -0,0 +1,103 @@ +# AWS Key Management Service + +AWS' native encryption keys management service. + +1. [TL;DR](#tldr) +1. [Aliases](#aliases) +1. [Further readings](#further-readings) + 1. [Sources](#sources) + +## TL;DR + +Creates and controls encryption keys one can use to encrypt data.
+Keys created with KMS are protected by FIPS 140-3 Security Level 3 validated HSMs.
+They are created, managed, used, and deleted entirely **within** the managed service. They **never** leave KMS +unencrypted. To use or manage keys in KMS, one **must** interact with the service. + +The service costs $0.03 to $12 per 10,000 API calls, depending on the action and type of key used.
+Refer [Pricing]. + +Key policies are the **primary** way to control access to KMS keys.
+Every KMS key must have **exactly one** key policy.
+Statements in such policies determine **who** has permission to use KMS keys, and **how** they can use it. One _can_ +configure **additional** [IAM] policies and grants for keys.
+Key policies are Regional. + +> [!important] +> IAM policies manage access to a KMS key **only** if the key policy **explicitly** allows it.
+> Without permission from the key policy, IAM policies have no effect.
+> The default key policy enables IAM policies. + +**No** AWS principal, **including** the account root user and the key creator, has **any** permissions to a key until +a key policy, IAM policy, or grant **explicitly** allows, and never denies, access to it. + +Keys created by customers are referred to as _customer managed keys_.
+They are recommended when wanting **full control** over the lifecycle and usage of the keys.
+Customer managed keys incur in both management and usage costs. + +_AWS managed keys_ are keys that exists in an account, but can only be used in the context of an AWS service and only +in the same account. One **cannot** share resources encrypted under an AWS managed key with other accounts.
+They do **not** allow managing anything about their lifecycle or permissions.
+AWS managed keys do not have management costs, but incur in usage costs.
+These keys use an alias in the form `aws/`, e.g. `aws/ebs`. + +AWS managed keys are a legacy key type, and are no longer being created for new AWS services as of 2021. Instead, +services are now using _AWS owned keys_ to encrypt customer data by default.
+AWS owned keys are stored in an AWS account managed by the related AWS service. Only the service's operators can manage +the keys' lifecycle and usage permissions.
+By using AWS owned keys, AWS services can transparently encrypt data and allow for cross-account or cross-region sharing +of data.
+Customers are **not** charged for the keys' existence **nor** their usage, but they cannot change their policies, audit +activities on these keys, nor delete them. + +KMS can provide encryption keys for protecting data in other AWS services (e.g., [EBS], [RDS], [S3]). +AWS services that integrates with KMS only use _symmetric_ encryption keys to encrypt data.
+These services do **not** support encryption with _asymmetric_ keys. + +Asymmetric keys are related public key and private key pairs.
+The **private** key is created in KMS and never leaves the service unencrypted. To use the private key, one **must** +interact with KMS.
+One can use the **public** key by calling the AWS APIs, or download it and use it outside of KMS. + +Use a **symmetric** encryption KMS key to encrypt the data one stores or manages in an AWS service. + +## Aliases + +Refer [Aliases in AWS KMS]. + +Each key is represented by its key ID, but can have one or more aliases associated.
+Aliases allow using a human-friendly name to identify the key they are associated to in _some_ AWS operations.
+They are **not** a property of a key, and actions on the alias do **not** affect the associated key. However, all +aliases associated with a key are deleted when that key is deleted. + +> [!important] +> Specifying an alias as resource in an IAM policy will make the policy refer **to the alias**, not to the key it is +> associated with. + +## Further readings + +- [Secrets management] + +### Sources + +- [AWS Key Management Service] + + + + + +[EBS]: ebs.md +[IAM]: iam.md +[RDS]: rds.md +[S3]: s3.md +[Secrets management]: ../../secrets%20management.md + + +[AWS Key Management Service]: https://docs.aws.amazon.com/kms/latest/developerguide/overview.html +[Pricing]: https://aws.amazon.com/kms/pricing/ +[Aliases in AWS KMS]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html + + diff --git a/knowledge base/cloud computing/aws/secrets manager.md b/knowledge base/cloud computing/aws/secrets manager.md index 7bc0687..4ea9f02 100644 --- a/knowledge base/cloud computing/aws/secrets manager.md +++ b/knowledge base/cloud computing/aws/secrets manager.md @@ -19,7 +19,7 @@ Critical secrets can be replicated cross-region. Costs $0.40 per secret per month, plus $0.05 per 10,000 API calls.
Secrets that are marked for deletion are not paid for. -Secrets Manager uses keys from KMS to encrypt the secrets it manages.
+Secrets Manager uses keys from [KMS] to encrypt the secrets it manages.
On first use, Secrets Manager creates the AWS-managed key `aws/secretsmanager` to encrypt the secrets given to it. There is **no** cost for using this key.
When _automatic_ rotation is turned on for a secret, Secrets Manager uses a Lambda function to rotate it. The use of the @@ -58,6 +58,10 @@ Managed secrets use a naming convention that includes the ID of the service mana ## Further readings +- [Secrets management] +- [KMS] +- [IAM] + ### Sources [IAM]: iam.md +[KMS]: iam.md +[Secrets management]: ../../secrets%20management.md diff --git a/knowledge base/jargon.md b/knowledge base/jargon.md index d114e9d..c5df59c 100644 --- a/knowledge base/jargon.md +++ b/knowledge base/jargon.md @@ -58,6 +58,7 @@ | FHS | [Filesystem Hierarchy Standard][fhs] | | | FIFO | First In First Out | | | FILO | First In Last Out | | +| FIPS | Federal Information Protection Standard | Security standard created by NIST to protect US government data | | FISH | [Friendly Interactive SHell][fish] | | | FQDN | Fully Qualified Domain Name | | | FS | FileSystem | | @@ -67,6 +68,7 @@ | GUI | Graphical User Interface | | | HA | High Availability | Characteristic of a system which aims to ensure better or longer availability for its services | | HPC | High Performance Computing | Collections of systems and tools used to achieve a greater processing capacity than the single unit | +| HSM | Hardware Security Module | Hardware cryptographic appliance designed to provide dedicated cryptographic functions | | IaC | [Infrastructure as Code][iac] | | | IC | Integrated Circuit | | | IDP | Internal Developer Platform | | @@ -91,6 +93,7 @@ | M2COTS | Mass Market COTS | Widely available COTS products | | MR | Merge Request | Prevalently used in GitLab | | NACL | Network ACL | | +| NIST | National Institute of Science and Technology | | | OAM | [Open Application Model] | | | OAM | Operations, Administration and Management | | | ODBC | Open DataBase Connectivity | Open standard API used for accessing databases | diff --git a/knowledge base/secrets management.md b/knowledge base/secrets management.md index 137e277..ac9bc2e 100644 
--- a/knowledge base/secrets management.md +++ b/knowledge base/secrets management.md @@ -47,8 +47,18 @@ This is what _secrets orchestration platforms_ try to solve. ## Further readings +- [1Password Secrets Automation] +- [Akeyless] +- [AWS KMS] +- [AWS Secrets Manager] +- [Bitwarden Secrets Manager] +- [CyberArk Conjur] +- [Doppler] - [HashiCorp Vault] - [Infisical] +- [OpenBao] +- [Phase] +- [Pulumi ESC] ### Sources @@ -61,6 +71,8 @@ This is what _secrets orchestration platforms_ try to solve. +[AWS KMS]: cloud%20computing/aws/kms.md +[AWS Secrets Manager]: cloud%20computing/aws/secrets%20manager.md [HashiCorp Vault]: hashicorp%20vault.md [Infisical]: infisical.md [Pulumi ESC]: pulumi.md#esc
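Review bot: several sentences in the new `kms.md` need a grammar pass before merging: "AWS' native encryption keys management service" should read "encryption key management service", "keys that exists in an account" should be "keys that exist", "AWS services that integrates with KMS" should be "integrate", and "incur in both management and usage costs" / "incur in usage costs" should drop the "in" ("incur both management and usage costs"). The two "Refer [Pricing]" / "Refer [Aliases in AWS KMS]" lines read better as "Refer to [...]". The technical content itself (key policies as the primary access control, IAM policies only effective when the key policy allows them, the distinction between customer managed, AWS managed and AWS owned keys, symmetric-only integration for AWS services) is consistent with the linked AWS Key Management Service documentation, so only wording changes are needed.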
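Review bot: in the second `secrets manager.md` hunk the new link definition `+[KMS]: iam.md` points at the wrong file; it should be `+[KMS]: kms.md`, the page this same patch creates at `knowledge base/cloud computing/aws/kms.md`. As written, every `[KMS]` reference added in this file (including the one in the first hunk, "Secrets Manager uses keys from [KMS]") resolves to the IAM page.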
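Review bot: the expansion in `+| FIPS | Federal Information Protection Standard |` is incorrect; FIPS stands for "Federal Information Processing Standards". The description column could also be made more precise, e.g. "Standards published by NIST for use by US federal agencies and their contractors", since FIPS covers more than data protection (the FIPS 140 series referenced from the new `kms.md` is the cryptographic module validation standard).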
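Review bot: the expansion in `+| NIST | National Institute of Science and Technology |` is incorrect; NIST is the "National Institute of Standards and Technology". Worth fixing in the same change as the FIPS entry, since the FIPS description references NIST by name.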
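Review bot: the "Further readings" hunk in `secrets management.md` adds nine new list entries (`[1Password Secrets Automation]`, `[Akeyless]`, `[AWS KMS]`, `[AWS Secrets Manager]`, `[Bitwarden Secrets Manager]`, `[CyberArk Conjur]`, `[Doppler]`, `[OpenBao]`, `[Phase]`), but the link-definition hunk that follows only adds definitions for `[AWS KMS]` and `[AWS Secrets Manager]`. Unless the other seven are already defined elsewhere in the file, they will render as literal bracketed text; please either add their definitions alongside `+[AWS KMS]: cloud%20computing/aws/kms.md` or trim the list to the entries that have a target.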