AWS Security Blog

Category: Advanced (300)

Solution overview: migrate keys

How to migrate symmetric exportable keys from AWS CloudHSM Classic to AWS CloudHSM

In August 2017, we announced the “new” AWS CloudHSM service, which had a lot of improvements over AWS CloudHSM Classic (for clarity in this post I will refer to the services as New CloudHSM and CloudHSM Classic). These advantages in security, scalability, usability, and economy, included FIPS 140-2 Level 3 certification, fully managed high availability […]

Read More

How to use AWS Secrets Manager to securely store and rotate SSH key pairs

October 4, 2019: We’ve updated the estimated solution cost for accuracy. AWS Secrets Manager provides full lifecycle management for secrets within your environment. In this post, Maitreya and I will show you how to use Secrets Manager to store, deliver, and rotate SSH keypairs used for communication within compute clusters. Rotation of these keypairs is […]

Read More

How to add DNS filtering to your NAT instance with Squid

Note from September 4, 2019: We’ve updated this blog post, initially published on January 26, 2016. Major changes include: support of Amazon Linux 2, no longer having to compile Squid 3.5, and a high availability version of the solution across two availability zones. Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources […]

Read More

How to migrate a digital signing workload to AWS CloudHSM

Note from July 18, 2019: We added information about AWS Certificate Manager (ACM) Private Certificate Authority (CA) to the introduction. Is your on-premises Hardware Security Module (HSM) at end-of-life? Does continued maintenance of your on-premises hardware take a lot of time and cost a lot of money? You should consider migrating your workloads to AWS […]

Read More

How to set up an outbound VPC proxy with domain whitelisting and content filtering

Update on July 24, 2019: We’ve added a link to a GitHub repository that contains the stack content for this solution. Controlling outbound communication from your Amazon Virtual Private Cloud (Amazon VPC) to the internet is an important part of your overall preventive security controls. By limiting outbound traffic to certain trusted domains (called “whitelisting”) […]

Read More

How to securely provide database credentials to Lambda functions by using AWS Secrets Manager

As a solutions architect at AWS, I often assist customers in architecting and deploying business applications using APIs and microservices that rely on serverless services such as AWS Lambda and database services such as Amazon Relational Database Service (Amazon RDS). Customers can take advantage of these fully managed AWS services to unburden their teams from […]

Read More

How to use AWS Secrets Manager client-side caching in .NET

AWS Secrets Manager now has a client-side caching library for.NET that makes it easier to access secrets from .NET applications. This is in addition to client-side caching libraries for Java, JDBC, Python, and Go. These libraries help you improve availability, reduce latency, and reduce the cost of retrieving your secrets. Secrets Manager cache library does […]

Read More

Simplify DNS management in a multi-account environment with Route 53 Resolver

Note from June 5, 2019: We updated all of the figures in the post for clarity and added two paragraphs in the “Additional considerations and limitations” section. In a previous post, I showed you a solution to implement central DNS in a multi-account environment that simplified DNS management by reducing the number of servers and […]

Read More

How to decrypt ciphertexts in multiple regions with the AWS Encryption SDK in C

You’ve told us that you want to encrypt data once with AWS Key Management Service (AWS KMS) and decrypt that data with customer master keys (CMKs) that you specify, often with CMKs in different AWS Regions. Doing this saves you compute resources and helps you to enable secure and efficient high-availability schemes. The AWS Crypto […]

Read More

Create fine-grained session permissions using IAM managed policies

As a security best practice, AWS Identity and Access Management (IAM) recommends that you use temporary security credentials from AWS Security Token Service (STS) when you access your AWS resources. Temporary credentials are short-term credentials generated dynamically and provided to the user upon request. Today, one of the most widely used mechanisms for requesting temporary […]

Read More