Encryption KMS CloudHSM Certificate Manager - Coggle Diagram
Encryption
KMS
CloudHSM
Certificate Manager
at Rest
encrypted where it is stored
in transit
encrypted as it flows across the network
KMS
store keys
manages keys
auditing keys
Tightly integrated into many AWS services
Lambda
S3
EBS
EFS
DynamoDB
SQS etc.
Audit use of keys via CloudTrail
Differs from Secrets Manager: KMS is for building encryption key management
Meets many compliance schemes (PCI DSS Level 1, FIPS 140-2 Level 2)
CloudHSM
Hardware device
must be located within a VPC
not natively integrated with many AWS Services
requires custom application code or scripts to use it
Acts as an issuing CA, enables TDE for Oracle databases, offloads SSL from web servers
classic vs. current
classic
upfront cost of $5000
HA only when you buy a second device
FIPS 140-2
current
Proprietary
No upfront costs
Clustered (HA included)
FIPS 140-3
CloudHSM
single tenant HSM
Customer-managed durability and availability
customer managed root of trust
FIPS 140-2
Broad third-party support
AWS KMS
HA by default
Durable
AWS manages root of trust
FIPS 140-2 & FIPS 140-3
Integrates well with AWS services
AWS Certificate Manager
Managed
public or private SSL/TLS certificates
Public certificates are free to use with AWS services
Can import third-party certificates for use on AWS
Supports wildcards
Managed certificate renewals
Can create a managed Private Certificate Authority as well for internal or proprietary apps, services or devices