Please enable JavaScript.

Coggle requires JavaScript to display documents.

AWS Security & Encryption, KMS - Coggle Diagram

- - - - Sym: AES-256 keys
      - Asym: RSA & ECC key pairs
        (use case: outside AWS)
  - - - define user, role can access KMS key
      - define who can admin they key
      - useful for cross-account access KMS key
        
        .ie copy snapshot: attach KMS key policy
        -> cross-account access
  - - - Envelope Encryption
        
        flow encrypt: GenerateDataKey API -> IAM perm -> plaintext data key -> final file (encrypted dek + encrypted file)
        
        flow decrypt: Decrypt API -> API perm -> plaintext key + final file
        
        SDK
        
        Feature: Data Key caching
        
        LocalCryptoMaterialsCache (max age, max bytes, max nr of msgs)
- - - - Use SDK cache
      - request increase quota
        through AWS support
      - exponentially backof
- - - - GetParameters
      - GetParametersByPath
    - - Standard (4kb) - free; 10k params
      - Advance (8kb) - 100k params - charge
        
        allow TL to param
        
        policy type
        
        Expiration
        
        ExpirationNotification
        
        NoChangeNotification
- - - - ManageMasterUserPassword: true
        Outputs/Secret/Value: !GetAtt MyCluster.MasterUserSecret.SecretArn
    - - Type:: AWS::SecretsManager::Secret -> Properties/GenerateSecretStrings
        Type:: ::DBInstance -> MasterUsername, MasterUserPassword