AWS Security Blog

Tracy Pierce

Author: Tracy Pierce

How to migrate a digital signing workload to AWS CloudHSM

Note from July 18, 2019: We added information about AWS Certificate Manager (ACM) Private Certificate Authority (CA) to the introduction. Is your on-premises Hardware Security Module (HSM) at end-of-life? Does continued maintenance of your on-premises hardware take a lot of time and cost a lot of money? You should consider migrating your workloads to AWS […]

Read More

How to BYOK (bring your own key) to AWS KMS for less than $15.00 a year using AWS CloudHSM

Note: BYOK is helpful for certain use cases, but I recommend that you familiarize yourself with KMS best practices before you adopt this approach. You can review best practices in the AWS Key Management Services Best Practices (.pdf) whitepaper. May 14, 2019: We’ve updated a sentence to clarify that this solution does not include instructions […]

Read More

How to migrate your EC2 Oracle Transparent Data Encryption (TDE) database encryption wallet to CloudHSM

In this post, I’ll show you how to migrate an encryption wallet for an Oracle database installed on Amazon EC2 from using an outside HSM to using AWS CloudHSM. Transparent Data Encryption (TDE) for Oracle is a common use case for Hardware Security Module (HSM) devices like AWS CloudHSM. Oracle TDE uses what is called […]

Read More

How to eliminate EC2 keypairs from password retrieval of provisioned Windows instances using Secrets Manager and CloudFormation

Update on April 26, 2019: We’ve adjusted a sentence to clarify that the scope of this post does not include automatic password rotation. In my previous post, I showed you how you can increase the durability of your applications and prepare for disaster recovery by using AWS Secrets Manager to replicate your secrets across AWS […]

Read More

How to automate replication of secrets in AWS Secrets Manager across AWS Regions

August 2, 2019: We updated the policy based on customer feedback. May 28, 2019: To correct a small bug, we’ve updated line 41 of the Python script provided below. Assume that you make snapshot copies or read-replicas of your RDS databases in a secondary or backup AWS Region as a best practice. By using AWS […]

Read More

How to clone an AWS CloudHSM cluster across regions

You can use AWS CloudHSM to generate, store, import, export, and manage your cryptographic keys. It also permits hash functions to compute message digests and hash-based message authentication codes (HMACs), as well as cryptographically sign data and verify signatures. To help ensure redundancy of data and simplification of the disaster recovery process, you’ll typically clone […]

Read More

How to Update AWS CloudHSM Devices and Client Instances to the Software and Firmware Versions Supported by AWS

Note from September 18, 2017: In this blog post, “AWS CloudHSM” refers to the product that’s now known as AWS CloudHSM Classic. As I explained in my previous Security Blog post, a hardware security module (HSM) is a hardware device designed with the security of your data and cryptographic key material in mind. It is […]

Read More

How to Remove Single Points of Failure by Using a High-Availability Partition Group in Your AWS CloudHSM Environment

A hardware security module (HSM) is a hardware device designed with the security of your data and cryptographic key material in mind. It is tamper-resistant hardware that prevents unauthorized users from attempting to pry open the device, plug any extra devices in to access data or keys such as subtokens, or damage the outside housing. […]

Read More

How to Use the REST API to Encrypt S3 Objects by Using AWS KMS

AWS Key Management Service (AWS KMS) allows you to use keys under your control to encrypt data at rest stored in Amazon S3. The two primary methods for implementing this encryption are server-side encryption (SSE) and client-side encryption (CSE). Each method offers multiple interfaces and API options to choose from. In this blog post, I […]

Read More

How to Set Up Uninterrupted, Federated User Access to AWS Using AD FS

Microsoft Active Directory Federation Services (AD FS) is a common identity provider that many AWS customers use to give federated users access to the AWS Management Console. AD FS uses multiple certificates to ensure secure communication between servers and to act as authentication mechanisms. One such mechanism is called the token-signing certificate. When the token-signing certificate expires, […]

Read More