
Chapter 11(2/4) – Security Services

AWS Directory Service

AWS Key Management Service (KMS)

AWS CloudHSM – a dedicated hardware device that stores the keys

AWS CloudTrail – records API call activity

AWS Directory Service

You can choose from three directory types:

  • AWS Directory Service for Microsoft Active Directory (Enterprise Edition), also referred to as Microsoft AD – a Microsoft AD running on AWS
  • Simple AD – AWS's own Active Directory-compatible directory service
  • AD Connector – a proxy for connecting an existing on-premises AD to AWS

AWS Directory Service for Microsoft Active Directory (Enterprise Edition)

  • A managed Microsoft Active Directory hosted on the AWS cloud
  • Easy to build trust relationships with your existing AD domains

Use case: 5000+ users, and trust relationships are needed between an AWS-hosted directory and on-premises directories

Simple AD

  • AWS Directory Service powered by Samba 4
  • Microsoft Active Directory-compatible
  • Cannot set up a trust relationship between Simple AD and other Active Directory domains

Use case: fewer than 5000 users and no need for the advanced MS AD features

AD Connector

  • A proxy service for connecting your on-premises Microsoft Active Directory to the AWS cloud
  • After setup, existing corporate credentials can be used to log on to AWS applications such as Amazon WorkSpaces and Amazon WorkDocs

Use case: you want to keep using your existing on-premises directory with AWS cloud services

AWS Key Management Service (KMS) and AWS CloudHSM

The two services AWS provides for managing your own symmetric or asymmetric cryptographic keys

AWS Key Management Service (AWS KMS)

  • A service that lets you create and control encryption keys
  • The keys can never be exported from the service

Customer Managed Keys (CMKs)

  • Used by KMS to encrypt and decrypt data
  • The fundamental resources that AWS KMS manages
  • CMKs can never leave KMS unencrypted
  • Data keys can leave KMS unencrypted

Data Keys

  • Used to encrypt large data objects within your own application, outside AWS KMS
  • When you call GenerateDataKey, KMS returns a plaintext copy of the data key and a ciphertext blob containing the same key encrypted under the specified CMK
  • Security best practice is to discard the plaintext key from memory as soon as it has been used

Envelope Encryption

  • KMS uses envelope encryption to protect data
  • KMS creates a data key, encrypts it under a CMK, and returns both the plaintext and the encrypted version of the key to you
  • You use the plaintext key to encrypt the data, then store the encrypted key alongside the encrypted data

Encryption Context

  • All KMS cryptographic operations accept an optional key/value map of additional contextual information called an encryption context
  • The context supplied to the decrypt operation must match the one used for the encrypt operation, or decryption will not succeed
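The data-key, envelope-encryption and encryption-context notes above, worked through as an added example (not code from the original notes or from AWS): the KMS side is a hypothetical in-process `mockCMK` that wraps data keys with AES-256-GCM and binds the encryption context as authenticated data, so a mismatched context fails exactly as the notes describe; all names are assumptions, and the real service would be reached through `kms:GenerateDataKey` and `kms:Decrypt` instead.

```go
package main

import ("crypto/aes"; "crypto/cipher"; "crypto/rand"; "encoding/json"; "errors")

// mockCMK is a hypothetical stand-in for a KMS CMK: the master key never leaves this struct.
type mockCMK struct{ master []byte }
// gcm builds AES-256-GCM for a 32-byte key; an error here is a programming bug.
func gcm(key []byte) cipher.AEAD {
	b, err := aes.NewCipher(key); if err != nil { panic(err) }
	g, err := cipher.NewGCM(b); if err != nil { panic(err) }
	return g
}
// seal encrypts plaintext and authenticates aad; the random 12-byte nonce is prepended.
func seal(key, plaintext, aad []byte) []byte {
	nonce := make([]byte, 12)
	if _, err := rand.Read(nonce); err != nil { panic(err) }
	return gcm(key).Seal(nonce, nonce, plaintext, aad)
}
// open reverses seal and fails if either the ciphertext or the aad was altered.
func open(key, sealed, aad []byte) ([]byte, error) {
	if len(sealed) < 12 { return nil, errors.New("ciphertext too short") }
	return gcm(key).Open(nil, sealed[:12], sealed[12:], aad)
}
// ctxAAD serialises the encryption context canonically (json.Marshal sorts map keys).
func ctxAAD(ctx map[string]string) []byte { b, _ := json.Marshal(ctx); return b }
// GenerateDataKey mirrors kms:GenerateDataKey: a fresh data key comes back in plaintext
// and wrapped under the CMK, with the encryption context bound as AAD.
func (c *mockCMK) GenerateDataKey(ctx map[string]string) (plain, wrapped []byte) {
	plain = make([]byte, 32)
	if _, err := rand.Read(plain); err != nil { panic(err) }
	return plain, seal(c.master, plain, ctxAAD(ctx))
}
// Decrypt mirrors kms:Decrypt: unwrapping fails unless the same context is supplied.
func (c *mockCMK) Decrypt(wrapped []byte, ctx map[string]string) ([]byte, error) {
	return open(c.master, wrapped, ctxAAD(ctx))
}
// EnvelopeEncrypt: get a data key, encrypt locally, keep only the wrapped key beside the data.
func EnvelopeEncrypt(cmk *mockCMK, data []byte, ctx map[string]string) (wrapped, ct []byte) {
	plain, wrapped := cmk.GenerateDataKey(ctx)
	ct = seal(plain, data, nil)
	for i := range plain { plain[i] = 0 } // best practice: drop the plaintext key once used
	return wrapped, ct
}
// EnvelopeDecrypt: unwrap the data key via the CMK, then decrypt locally.
func EnvelopeDecrypt(cmk *mockCMK, wrapped, ct []byte, ctx map[string]string) ([]byte, error) {
	plain, err := cmk.Decrypt(wrapped, ctx)
	if err != nil { return nil, err }
	return open(plain, ct, nil)
}
```

The application only ever persists `wrapped` and `ct`; the master key stays inside `mockCMK`, and the plaintext data key exists only for the duration of one encrypt or decrypt call.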

AWS CloudHSM

A hardware appliance that provides secure key storage and cryptographic operations

  • A dedicated HSM appliance in the AWS cloud
  • Helps meet corporate, contractual, and regulatory compliance requirements for data security
  • Designed to store cryptographic keys and use the key material without exposing it outside the cryptographic boundary of the appliance

AWS CloudTrail

  • Records the API call activity in your account
  • Each record includes the name of the API, the identity of the caller, the time of the call, the request parameters, and the response elements returned by the AWS service
  • Log files are delivered to an S3 bucket
  • Two types of trails – a trail that applies to all regions, or a trail that applies to one region
