AWS KMS (Key Management Service) is a managed service for creating and managing cryptographic keys (formerly called CMKs, Customer Master Keys, now simply "KMS keys"); the key material of a KMS-generated key never leaves the FIPS 140-2 validated HSMs unencrypted, so a caller only ever gets ciphertext, plaintext or a signature back, never the key itself; it integrates with most AWS services (S3, EBS, RDS, DynamoDB encryption at rest), and every use of a key is recorded in CloudTrail, which is where you answer "who decrypted what, and when".
Envelope Encryption: the application calls GenerateDataKey, which returns a fresh Data Encryption Key (DEK) in two forms, plaintext and encrypted under the KMS key; the plaintext DEK encrypts the data locally (AES-GCM) and is then discarded from memory, while the encrypted DEK is stored alongside the ciphertext. To decrypt, send only the encrypted DEK to KMS Decrypt, receive the plaintext DEK, and decrypt the data locally. KMS never sees the bulk data, which cuts latency and per-request cost and also sidesteps the 4 KB plaintext limit of calling Encrypt directly. Pass an encryption context (key/value pairs) on both calls: KMS binds it to the encrypted DEK as additional authenticated data, a Decrypt with a different context fails, and the context shows up in the CloudTrail record. The AWS Encryption SDK implements exactly this pattern if you would rather not hand-roll it.
Key types:
- AWS managed keys (aws/s3, aws/rds, ...): no monthly charge for the key itself, API requests above the free tier are billed; created and rotated by AWS, you do not control the key policy, and they cannot be used from another account.
- Customer managed keys: $1/month per key plus $0.03 per 10,000 requests for symmetric keys (the first 20,000 requests per month are free); you own the key policy, grants, rotation schedule and deletion (a 7 to 30 day waiting period before the key material is destroyed), and can import your own key material (BYOK).
- Customer managed keys in a CloudHSM key store: the key material lives in your own CloudHSM cluster (custom key store), which you pay for and operate separately; this is for compliance requirements that demand a single-tenant HSM.
AWS Secrets Manager stores and manages secrets (database passwords, API keys, OAuth tokens) encrypted under a KMS key (the AWS managed aws/secretsmanager key by default, or a customer managed key); notable features: automatic rotation (a Lambda function you own, or managed rotation for supported services such as RDS, changes the credential on a schedule), versioning with the staging labels AWSCURRENT, AWSPENDING and AWSPREVIOUS, cross-account access through a resource policy, and an audit trail in CloudTrail. Pricing is $0.40 per secret per month plus $0.05 per 10,000 API calls.
- Use Secrets Manager when: secrets must rotate automatically, you need a record of who read which secret, or a secret is shared across accounts.
- Use Parameter Store (SSM) when: storing plain configuration, or secrets that never rotate, as SecureString parameters (also KMS-encrypted); Standard parameters are free (up to 4 KB), Advanced parameters cost extra (up to 8 KB, parameter policies such as expiry).
Never hardcode secrets in source or pass them as plaintext environment variables: they end up in git history, container images, task definitions, process listings and crash dumps. Have the workload fetch the secret at runtime through the SDK using its IAM role, cache it for a short TTL, and refetch on an authentication failure so that a rotation does not break it.
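The envelope flow above, as an added example that is not from the original notes or from AWS. The KMS calls sit behind a small KeyService interface so the real SDK (kms.GenerateDataKey / kms.Decrypt) can be dropped in; the fakeKMS type, the key alias "alias/app-data" and the sample record are constructed assumptions so the block runs offline. It also shows the encryption-context binding and the "plaintext DEK is never stored" rule that the paragraph describes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"sort"
)

// KeyService is the slice of KMS that envelope encryption needs (kms.GenerateDataKey
// and kms.Decrypt in the AWS SDK). fakeKMS below is an assumed stand-in for offline use.
type KeyService interface {
	GenerateDataKey(keyID string, ctx map[string]string) (plaintextDEK, encryptedDEK []byte, err error)
	Decrypt(encryptedDEK []byte, ctx map[string]string) ([]byte, error)
}

// fakeKMS keeps its "KMS key" in memory and never hands it out, like the HSM-backed service.
type fakeKMS struct{ master cipher.AEAD }

func newFakeKMS() *fakeKMS {
	key := make([]byte, 32)
	rand.Read(key) // crypto/rand.Read does not fail on supported platforms
	aead, _ := newGCM(key)
	return &fakeKMS{master: aead}
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// contextAAD serialises the encryption context canonically and binds it to the wrapped DEK
// as additional authenticated data, so a Decrypt with a different context fails, as in KMS.
func contextAAD(ctx map[string]string) []byte {
	keys := make([]string, 0, len(ctx))
	for k := range ctx {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var aad []byte
	for _, k := range keys {
		aad = append(aad, k+"="+ctx[k]+"\x00"...)
	}
	return aad
}

// seal returns nonce||ciphertext under a fresh random nonce; open reverses it.
func seal(aead cipher.AEAD, plaintext, aad []byte) []byte {
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	return aead.Seal(nonce, nonce, plaintext, aad)
}

func open(aead cipher.AEAD, blob, aad []byte) ([]byte, error) {
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, errors.New("ciphertext too short")
}

func (f *fakeKMS) GenerateDataKey(_ string, ctx map[string]string) ([]byte, []byte, error) {
	dek := make([]byte, 32)
	rand.Read(dek)
	return dek, seal(f.master, dek, contextAAD(ctx)), nil
}

func (f *fakeKMS) Decrypt(wrapped []byte, ctx map[string]string) ([]byte, error) {
	return open(f.master, wrapped, contextAAD(ctx))
}

// Envelope is what gets persisted: bulk ciphertext plus the DEK encrypted under the KMS key.
type Envelope struct {
	EncryptedDEK []byte
	Ciphertext   []byte
}

func EncryptEnvelope(ks KeyService, keyID string, ctx map[string]string, plaintext []byte) (*Envelope, error) {
	dek, wrapped, err := ks.GenerateDataKey(keyID, ctx)
	if err != nil {
		return nil, err
	}
	defer zero(dek) // scrub our copy of the plaintext DEK once the data is sealed; it is never stored
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{EncryptedDEK: wrapped, Ciphertext: seal(aead, plaintext, contextAAD(ctx))}, nil
}

func DecryptEnvelope(ks KeyService, ctx map[string]string, env *Envelope) ([]byte, error) {
	dek, err := ks.Decrypt(env.EncryptedDEK, ctx) // only the small wrapped DEK goes to KMS, never the data
	if err != nil {
		return nil, err
	}
	defer zero(dek)
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return open(aead, env.Ciphertext, contextAAD(ctx))
}

func zero(b []byte) { for i := range b { b[i] = 0 } }
```

Usage: `env, _ := EncryptEnvelope(ks, "alias/app-data", ctx, data)` then `DecryptEnvelope(ks, ctx, env)`; the same ctx map must be supplied on both sides, and a tampered Ciphertext or a mismatched context is rejected by the AEAD tag check rather than yielding garbage. Because the KMS round trip carries only the 60-byte wrapped DEK, encrypting a multi-gigabyte object costs one GenerateDataKey call.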
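The rotation and versioning behaviour described for Secrets Manager above, as an added example that is not from the original notes or from AWS. It runs the four-step protocol Secrets Manager drives a rotation Lambda through (createSecret, setSecret, testSecret, finishSecret, each keyed by the ClientRequestToken so retries are safe) against fakeSecrets and fakeDB, which are constructed in-memory stand-ins for the service and the database; the user name "app" and the initial password are likewise assumed.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Staging labels Secrets Manager attaches to secret versions.
const (
	Current  = "AWSCURRENT"
	Pending  = "AWSPENDING"
	Previous = "AWSPREVIOUS"
)

// fakeSecrets is an assumed in-memory stand-in for the Secrets Manager calls a rotation
// function makes (GetSecretValue, PutSecretValue, UpdateSecretVersionStage).
type fakeSecrets struct {
	versions map[string]string // versionId (the ClientRequestToken) -> secret value
	stages   map[string]string // staging label -> versionId
}

func newFakeSecrets(initial string) *fakeSecrets {
	return &fakeSecrets{
		versions: map[string]string{"v0": initial},
		stages:   map[string]string{Current: "v0"},
	}
}

// Get mirrors GetSecretValue(VersionStage=stage).
func (s *fakeSecrets) Get(stage string) (string, error) {
	id, ok := s.stages[stage]
	if !ok {
		return "", errors.New("no version carries stage " + stage)
	}
	return s.versions[id], nil
}

// Put mirrors PutSecretValue with a ClientRequestToken: a retried createSecret with the same
// token must not mint a second password, so an existing version id is left untouched.
func (s *fakeSecrets) Put(token, value, stage string) {
	if _, exists := s.versions[token]; exists {
		return
	}
	s.versions[token] = value
	s.stages[stage] = token
}

// Promote mirrors UpdateSecretVersionStage moving AWSCURRENT: the version it leaves becomes
// AWSPREVIOUS and the AWSPENDING label is cleared (simplification of the real service).
func (s *fakeSecrets) Promote(toID string) {
	s.stages[Previous] = s.stages[Current]
	s.stages[Current] = toID
	delete(s.stages, Pending)
}

// fakeDB is the constructed resource whose credential is being rotated.
type fakeDB struct{ passwords map[string]string }

func (d *fakeDB) Auth(user, pw string) bool { return d.passwords[user] == pw }

// Rotate runs one step of the protocol (event fields SecretId, ClientRequestToken, Step).
// Every step is idempotent, so a retried invocation does no harm.
func Rotate(sm *fakeSecrets, db *fakeDB, user, token, step string) error {
	switch step {
	case "createSecret": // generate the candidate credential and store it as AWSPENDING
		b := make([]byte, 24)
		rand.Read(b)
		sm.Put(token, hex.EncodeToString(b), Pending)
	case "setSecret": // push the pending credential to the database
		pw, err := sm.Get(Pending)
		if err != nil {
			return err
		}
		db.passwords[user] = pw
	case "testSecret": // prove the pending credential works before anyone depends on it
		pw, err := sm.Get(Pending)
		if err != nil {
			return err
		}
		if !db.Auth(user, pw) {
			return errors.New("database rejected the AWSPENDING credential")
		}
	case "finishSecret": // cut over: readers of AWSCURRENT now receive the new value
		if sm.stages[Current] != token {
			sm.Promote(token)
		}
	default:
		return fmt.Errorf("unknown rotation step %q", step)
	}
	return nil
}

// RunRotation drives the four steps in order, as Secrets Manager does on the schedule.
func RunRotation(sm *fakeSecrets, db *fakeDB, user, token string) error {
	for _, step := range []string{"createSecret", "setSecret", "testSecret", "finishSecret"} {
		if err := Rotate(sm, db, user, token, step); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	db := &fakeDB{passwords: map[string]string{"app": "old-password"}}
	sm := newFakeSecrets("old-password")
	if err := RunRotation(sm, db, "app", "v1"); err != nil {
		panic(err)
	}
	cur, _ := sm.Get(Current)
	prev, _ := sm.Get(Previous)
	fmt.Println("db accepts AWSCURRENT:", db.Auth("app", cur), "| AWSPREVIOUS:", prev)
}
```

The point for a consumer is the last step: nothing changes for code that reads AWSCURRENT at runtime until finishSecret, and a failure in testSecret leaves AWSCURRENT untouched, which is why a workload that fetches the secret by stage (rather than from a baked-in environment variable) survives rotation. Keeping AWSPREVIOUS around is what lets you roll back if the new credential turns out to be broken in production.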