KMS (default policy (reencrypt (Grants (short term basis), passes…
KMS
default policy
account is trusted
reencrypt
Grants
short term basis
passes reencrypted
allow to encrypt without decrypt
Multiaccount
<acc ID>:key/<key id>
permissions centered around CMK
trust between account and key
4kb
FIPS 140-2
CMK
AWS/managed
Envelope Encryption
protect encryption key
Master key stored
fast
large objects
CloudHSM
No HA
applications can be outside the VPC
on prem if you have to control hardware
single dedicated hardware
h
JCE
PKCS 11
CNG
Encryption SDK
works with 3rd party
limit API calls
Data Key Caching
S3
DEK
KMS at rest
EBS
DynamoDB
RDS
S3
every object in bucket encrypted with DK
ciphertext stored as metadata
EC2 instances
EBS volumes
Encryption same as EBS
encrypted table in region
uses service default in region
stored in table
table encrypted with own key
12 hours in plaintext
request after 5 minutes of inactivity
volume encrypted using data key
encrypted key stored with metadata
hypervisor decrypt
IO/snapshot/persisted data encrypted
ACM
x509
asymmetric
13 months
native integration with ELB/cloudfront/beanstalk
no cost with certs
integrates with route53
regional
KMS is used