Which of the following services is managed by AWS and is used to manage encryption keys?

Manage single-tenant hardware security modules (HSMs) on AWS

Generate and use cryptographic keys on dedicated FIPS 140-2 Level 3 single-tenant HSM instances.

Deploy workloads with high reliability and low latency, and help meet regulatory compliance.

Pay by the hour, and back up and shut down HSMs when they are not needed.

Manage HSM capacity and control your costs by adding and removing HSMs from your cluster.

How it works

AWS CloudHSM helps you meet corporate, contractual, and regulatory compliance requirements for data security.


What is AWS CloudHSM?

AWS CloudHSM lets you manage and access your keys on FIPS-validated hardware, protected with customer-owned, single-tenant HSM instances that run in your own Virtual Private Cloud (VPC).


Use cases

Offload SSL processing for web servers

Confirm web service identities and establish secure HTTPS connections over the internet using SSL and TLS.


Protect private keys for an issuing CA

Secure and house your private keys, and sign certificate requests, so you can act securely as an issuing certificate authority (CA).


Activate TDE for Oracle databases

Store the transparent data encryption (TDE) encryption key for supported Oracle database servers.


How to get started

Start using AWS CloudHSM

Start generating and using your own encryption keys with ease on AWS.


AWS Secrets Manager is an AWS service that encrypts and stores your secrets, and transparently decrypts and returns them to you in plaintext. It's designed especially to store application secrets, such as login credentials, that change periodically and should not be hard-coded or stored in plaintext in the application. In place of hard-coded credentials or table lookups, your application calls Secrets Manager.

Secrets Manager also supports features that periodically rotate the secrets associated with commonly used databases. It always encrypts newly rotated secrets before they are stored.

Secrets Manager integrates with AWS Key Management Service (AWS KMS) to encrypt every version of every secret value with a unique data key that is protected by an AWS KMS key. This integration protects your secrets under encryption keys that never leave AWS KMS unencrypted. It also enables you to set custom permissions on the KMS key and audit the operations that generate, encrypt, and decrypt the data keys that protect your secrets.

For information about how Secrets Manager uses KMS keys to protect your secrets, see Encrypting and decrypting secrets in the AWS Secrets Manager User Guide.

AWS Key Management Service (AWS KMS) is an AWS service that makes it easy for you to create and control the encryption keys that are used to encrypt your data. The customer master keys (CMKs) that you create in AWS KMS are protected by FIPS 140-2 validated cryptographic modules. They never leave AWS KMS unencrypted. To use or manage your CMKs, you interact with AWS KMS.

Many AWS services are integrated with AWS KMS so they encrypt your data with CMKs in your AWS account. AWS KMS is also integrated with AWS CloudTrail to deliver detailed logs of all cryptographic operations that use your CMKs and management operations that change their configuration. This detailed logging helps you fulfill your auditing, regulatory and compliance requirements.

Why use AWS KMS?

AWS KMS protects the customer master keys that protect your data.

In the classic scenario, you encrypt your data using data key A. But you need to protect data key A, so you encrypt data key A by using data key B. Now data key B is vulnerable, so you encrypt it by using data key C, and so on. This encryption technique, which is called envelope encryption, always leaves one last encryption key unencrypted so you can decrypt your encryption keys and data. That last unencrypted (or plaintext) key is called a master key.


AWS KMS protects your master keys. The customer master keys (CMKs) that KMS supports are created, managed, used, and deleted entirely within KMS. They never leave the service unencrypted. To use or manage your CMKs, you call KMS.


Using and managing AWS KMS customer master keys

AWS KMS customer master keys (CMKs) are 256-bit Advanced Encryption Standard (AES) symmetric keys that are not exportable. They spend their entire lifecycle within AWS KMS.

You can also create asymmetric RSA or elliptic curve (ECC) CMKs backed by asymmetric key pairs. The public key in each asymmetric CMK is exportable, but the private key remains within AWS KMS.

You can create, view, and manage the AWS KMS customer master keys (CMKs) in your AWS account from the AWS Management Console and AWS KMS API operations. You have full control over your CMKs:

  • Establish policies that determine who can use and manage CMKs.

  • Enable and disable CMKs.

  • Rotate CMK key material.

  • Schedule deletion of CMKs when you are finished using them.

You can also use your CMKs in cryptographic operations. You can encrypt and decrypt small amounts of data directly under the CMK. But CMKs are typically used to generate, encrypt, decrypt, and reencrypt exportable data keys that protect your data outside of AWS KMS. You can also give other AWS services permission to use your CMKs on your behalf to encrypt the data that the service stores and manages for you.

More resources and information

You can read about AWS Key Management Service in the AWS Key Management Service Developer Guide and the AWS Key Management Service API Reference. If you have questions, read and post on the AWS KMS Discussion Forum.

If you are required to control and manage the hardware security modules that generate and store your encryption keys, learn about AWS CloudHSM.

If you need help using encryption keys to encrypt your data, such as the data keys that AWS KMS returns, learn about the AWS Encryption SDK.

Which of the following AWS services can be used to generate, use, and manage encryption keys on the AWS cloud?

AWS CloudHSM lets you manage and access your keys on FIPS-validated hardware, protected with customer-owned, single-tenant HSM instances that run in your own Virtual Private Cloud (VPC).

Which AWS service is involved with encryption?

AWS Encryption SDK provides a client-side encryption library for implementing encryption and decryption operations on all types of data.

Which AWS service or feature is used to manage the keys used to encrypt customer data?

AWS Key Management Service (KMS) gives you centralized control over the cryptographic keys used to protect your data. The service is integrated with other AWS services, making it easy to encrypt data you store in these services and to control access to the keys that decrypt it.

Which of the following are the keys supported by AWS Key Management Service?

AWS KMS does not store, manage, or track your data key pairs, or perform cryptographic operations with data key pairs. You must use and manage data key pairs outside of AWS KMS. AWS KMS supports the following types of data key pairs: RSA key pairs (RSA_2048, RSA_3072, and RSA_4096).