AWS Security Blog

Category: Advanced (300)

How to migrate symmetric exportable keys from AWS CloudHSM Classic to AWS CloudHSM

In August 2017, we announced the “new” AWS CloudHSM service, which had a lot of improvements over AWS CloudHSM Classic (for clarity in this post I will refer to the services as New CloudHSM and CloudHSM Classic). These advantages in security, scalability, usability, and economy included FIPS 140-2 Level 3 certification, fully managed high availability […]

How to use AWS Secrets Manager to securely store and rotate SSH key pairs

October 4, 2019: We’ve updated the estimated solution cost for accuracy. AWS Secrets Manager provides full lifecycle management for secrets within your environment. In this post, Maitreya and I will show you how to use Secrets Manager to store, deliver, and rotate SSH keypairs used for communication within compute clusters. Rotation of these keypairs is […]

How to migrate a digital signing workload to AWS CloudHSM

Note from July 18, 2019: We added information about AWS Certificate Manager (ACM) Private Certificate Authority (CA) to the introduction. Is your on-premises Hardware Security Module (HSM) at end-of-life? Does continued maintenance of your on-premises hardware take a lot of time and cost a lot of money? You should consider migrating your workloads to AWS […]

How to set up an outbound VPC proxy with domain whitelisting and content filtering

November 16, 2020: We’ve updated the CloudFormation template and the launch stack URL used in this solution. July 24, 2019: We’ve added a link to a GitHub repository that contains the stack content for this solution. Controlling outbound communication from your Amazon Virtual Private Cloud (Amazon VPC) to the internet is an important part of […]

How to securely provide database credentials to Lambda functions by using AWS Secrets Manager

As a solutions architect at AWS, I often assist customers in architecting and deploying business applications using APIs and microservices that rely on serverless services such as AWS Lambda and database services such as Amazon Relational Database Service (Amazon RDS). Customers can take advantage of these fully managed AWS services to unburden their teams from […]

How to use AWS Secrets Manager client-side caching in .NET

December 5, 2019: We removed some information about ASP.NET projects that is no longer relevant. November 14, 2019: We updated the cache library code sample. AWS Secrets Manager now has a client-side caching library for .NET that makes it easier to access secrets from .NET applications. This is in addition to client-side caching libraries for […]

Simplify DNS management in a multi-account environment with Route 53 Resolver

April 15, 2021: In the section “Third use case,” we updated the diagram and steps for clarity. April 2, 2021: In the section “Step 1: Set up a centralized DNS account,” we updated step 4. June 5, 2019: We updated all of the figures in the post for clarity and added two paragraphs in the […]

How to decrypt ciphertexts in multiple regions with the AWS Encryption SDK in C

You’ve told us that you want to encrypt data once with AWS Key Management Service (AWS KMS) and decrypt that data with customer master keys (CMKs) that you specify, often with CMKs in different AWS Regions. Doing this saves you compute resources and helps you to enable secure and efficient high-availability schemes. The AWS Crypto […]

Create fine-grained session permissions using IAM managed policies

As a security best practice, AWS Identity and Access Management (IAM) recommends that you use temporary security credentials from AWS Security Token Service (STS) when you access your AWS resources. Temporary credentials are short-term credentials generated dynamically and provided to the user upon request. Today, one of the most widely used mechanisms for requesting temporary […]

Improve availability and latency of applications by using AWS Secrets Manager’s Python client-side caching library

Note from May 10, 2019: We’ve updated a code sample for accuracy. Today, AWS Secrets Manager introduced a client-side caching library for Python that improves the availability and latency of accessing and distributing credentials to your applications. It can also help you reduce the cost associated with retrieving secrets. In this post, I’ll walk you […]
