Encryption & Security

KMS Integration & Comprehensive Security Controls

Encryption Overview

AWS Secrets Manager provides comprehensive encryption capabilities using AWS KMS for encryption at rest and TLS for encryption in transit, ensuring your secrets are protected throughout their lifecycle.

At Rest: every secret value is encrypted with a KMS key before it is stored; the default is the AWS managed key aws/secretsmanager
In Transit: TLS 1.2 or later on every API call; FIPS endpoints are available where FIPS-validated TLS is required
Compliance: FIPS 140-2 Level 2 compliant

KMS Integration

AWS Managed Keys

Default encryption, no additional charges, managed by AWS

Customer Managed Keys

Full control over key policies and rotation schedules; also required for cross-account access to a secret, since the AWS managed key cannot be used by principals in another account

Key Rotation

KMS can rotate the key material automatically (annually by default); previous key material is retained so existing ciphertext still decrypts, and applications see no change. This is KMS key rotation, distinct from Secrets Manager secret rotation, which changes the credential itself via a Lambda function

Create Secret with Custom KMS Key

# Account ID and key ID are placeholders; the key must be a symmetric KMS key in the same region as the secret
aws secretsmanager create-secret \
  --name "prod/myapp/db" \
  --kms-key-id "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012" \
  --secret-string '{"username":"admin","password":"mypass"}'
# An inline value lands in shell history and process listings; for real secrets use --secret-string file://db.json

Security Standards

  • SOC 1, 2, and 3
  • ISO 27001
  • PCI DSS Level 1
  • FIPS 140-2 Level 2

Regulatory

  • HIPAA eligible
  • GDPR compliant
  • FedRAMP authorized
  • DoD SRG compliance

Audit & Monitoring

  • CloudTrail integration
  • CloudWatch metrics
  • AWS Config rules
  • SIEM integration

Data Residency

  • Regional data storage
  • Cross-region replication
  • Data sovereignty
  • Encryption key locality (a replica secret is encrypted with a KMS key in its own region, not the primary's key)

Key Management

  • Use customer-managed KMS keys
  • Enable automatic KMS key rotation (separate from secret rotation, which you also schedule)
  • Implement least privilege policies
  • Monitor key usage with CloudTrail

Network Security

  • Use VPC endpoints
  • Security group restrictions
  • Enable VPC Flow Logs
  • Endpoint policies for access
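The two best-practice lists above (customer-managed key with least-privilege policies, and VPC endpoint policies) can be made concrete in a pair of policy documents. The following is an added example, not code from the page or from AWS: it builds a KMS key policy that lets an application role use the key only through Secrets Manager and only for secrets under one name prefix (Secrets Manager passes the secret ARN as KMS encryption context, which is what the kms:EncryptionContext:SecretARN condition matches), builds a VPC endpoint policy scoped to the calling account, and runs a small lint over both plus a deliberately over-broad policy. The role names, account ID and secret prefix are assumed placeholders.

```python
"""Least-privilege KMS key policy and VPC endpoint policy for AWS Secrets Manager.

Added example, not from the page or from AWS. Role names, account ID and the
secret-name prefix are assumed placeholders; the ARNs follow the page's CLI example.
"""
import json

REGION = "us-east-1"
ACCOUNT_ID = "123456789012"                                  # placeholder, as in the page's example
SECRET_PREFIX = "prod/myapp/"                                # the page creates prod/myapp/db
APP_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/myapp-runtime"   # assumed role name
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/kms-admin"     # assumed role name


def key_policy(app_role=APP_ROLE, admin_role=ADMIN_ROLE, region=REGION, account=ACCOUNT_ID):
    """KMS key policy: one admin role manages the key, the app role uses it only via Secrets Manager.

    The account-root statement that the console adds by default is left out, so IAM
    policies alone cannot reach this key; only the principals named here can.
    """
    secret_arn_pattern = f"arn:aws:secretsmanager:{region}:{account}:secret:{SECRET_PREFIX}*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "KeyAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": admin_role},
                "Action": ["kms:DescribeKey", "kms:GetKeyPolicy", "kms:PutKeyPolicy",
                           "kms:EnableKeyRotation", "kms:EnableKey", "kms:DisableKey",
                           "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion", "kms:TagResource"],
                "Resource": "*",            # key policies always use "*" (the key itself)
            },
            {
                "Sid": "AppUseViaSecretsManagerOnly",
                "Effect": "Allow",
                "Principal": {"AWS": app_role},
                # GenerateDataKey is used when a secret is written, Decrypt when it is read
                "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
                "Resource": "*",
                "Condition": {
                    # calls must come from Secrets Manager in this region, not from the role directly
                    "StringEquals": {"kms:ViaService": f"secretsmanager.{region}.amazonaws.com"},
                    # and only for secrets under the prefix (Secrets Manager's encryption context)
                    "StringLike": {"kms:EncryptionContext:SecretARN": secret_arn_pattern},
                },
            },
        ],
    }


def endpoint_policy(region=REGION, account=ACCOUNT_ID):
    """VPC endpoint policy: read-only, this account's principals only, prod/ secrets only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ReadProdSecretsFromThisAccountOnly",
            "Effect": "Allow",
            "Principal": "*",   # endpoint policies use "*" and narrow it with conditions
            "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
            "Resource": f"arn:aws:secretsmanager:{region}:{account}:secret:{SECRET_PREFIX}*",
            "Condition": {"StringEquals": {"aws:PrincipalAccount": account}},
        }],
    }


# Constructed "before" policy for the lint: anyone may do anything with the key.
OVERLY_BROAD_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AnyoneCanUseKey", "Effect": "Allow",
                   "Principal": {"AWS": "*"}, "Action": "kms:*", "Resource": "*"}],
}

WILDCARD_ACTIONS = {"*", "kms:*", "secretsmanager:*"}
SCOPING_KEYS = {"aws:PrincipalAccount", "aws:PrincipalOrgID", "aws:PrincipalArn"}
KMS_USE_ACTIONS = {"kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint(policy):
    """Return findings for Allow statements that are broader than Secrets Manager needs."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = set(_as_list(st.get("Action", [])))
        cond_keys = {k for op in st.get("Condition", {}).values() for k in op}
        if actions & WILDCARD_ACTIONS:
            findings.append(f"{sid}: wildcard action {sorted(actions & WILDCARD_ACTIONS)}")
        if st.get("Principal") in ("*", {"AWS": "*"}) and not cond_keys & SCOPING_KEYS:
            findings.append(f"{sid}: open principal with no account/org scoping condition")
        if actions & KMS_USE_ACTIONS and "kms:ViaService" not in cond_keys:
            findings.append(f"{sid}: KMS data-key use not pinned to a service with kms:ViaService")
    return findings


if __name__ == "__main__":
    for name, pol in [("key policy", key_policy()), ("endpoint policy", endpoint_policy()),
                      ("broad policy", OVERLY_BROAD_KEY_POLICY)]:
        print(f"== {name}: {lint(pol) or 'no findings'}")
    print(json.dumps(key_policy(), indent=2))
```

Attach the key policy with `aws kms put-key-policy --policy-name default --policy file://key-policy.json` and the endpoint policy with `aws ec2 modify-vpc-endpoint --policy-document file://endpoint-policy.json`; the lint is intentionally strict about kms:ViaService because a Decrypt grant without it lets the role decrypt the stored ciphertext outside Secrets Manager.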

Monitoring

  • Enable CloudTrail for all operations
  • CloudWatch alarms for unusual activity
  • Regular security assessments
  • Automated compliance checking

Exam Strategy Tip

Remember: every secret is encrypted by default with the AWS managed key aws/secretsmanager at no extra charge. Customer managed keys provide additional control (your own key policy, rotation settings and CloudTrail key-usage visibility) but incur extra costs, and are required whenever a secret must be read from another account. VPC endpoints provide private connectivity to Secrets Manager, so instances in private subnets need no NAT or internet gateway to reach it.
