https://tofl.github.io/docs/9-security-encryption-deep-dive/Recent content in Security & Encryption — Deep Dive on 🏠Hugoen-ushttps://tofl.github.io/docs/9-security-encryption-deep-dive/kms-deep-dive/Mon, 01 Jan 0001 00:00:00 +0000https://tofl.github.io/docs/9-security-encryption-deep-dive/kms-deep-dive/<h1 id="kms-key-management-service--deep-dive">KMS (Key Management Service) — Deep Dive<a class="anchor" href="#kms-key-management-service--deep-dive">#</a></h1> <p>AWS Key Management Service (KMS) is a managed service that lets you create, control, and use cryptographic keys to protect your data. Its core purpose is simple: rather than managing raw encryption keys yourself — which is error-prone and operationally burdensome — KMS centralises key management, enforces access control via IAM and key policies, and maintains an audit trail through CloudTrail. Every call to KMS is logged, which makes it the default choice for encryption across nearly every AWS service.</p>https://tofl.github.io/docs/9-security-encryption-deep-dive/secrets-manager-ssm-parameter-store/Mon, 01 Jan 0001 00:00:00 +0000https://tofl.github.io/docs/9-security-encryption-deep-dive/secrets-manager-ssm-parameter-store/<h2 id="secrets-manager--ssm-parameter-store">Secrets Manager &amp; SSM Parameter Store<a class="anchor" href="#secrets-manager--ssm-parameter-store">#</a></h2> <p>Applications constantly need access to sensitive configuration: database passwords, API keys, OAuth tokens, and feature flags. Hardcoding these into source code or environment variables is a well-known security risk. AWS provides two services to solve this: <strong>Secrets Manager</strong> for sensitive credentials that need lifecycle management (rotation, auditing, cross-account sharing), and <strong>SSM Parameter Store</strong> for general-purpose configuration storage, including secrets. Knowing which to reach for — and when — is a frequently tested decision on the DVA-C02 exam.</p>https://tofl.github.io/docs/9-security-encryption-deep-dive/acm-private-ca/Mon, 01 Jan 0001 00:00:00 +0000https://tofl.github.io/docs/9-security-encryption-deep-dive/acm-private-ca/<h2 id="acm--acm-private-ca">ACM / ACM Private CA<a class="anchor" href="#acm--acm-private-ca">#</a></h2> <p>TLS certificates are what enable HTTPS — they authenticate your server&rsquo;s identity and encrypt traffic between clients and your application. Without them, browsers display security warnings and connections are unencrypted. The problem they solve sounds simple, but managing certificates manually is error-prone: you have to generate them, validate domain ownership, deploy them to the right services, and renew them before they expire (typically every 13 months). A missed renewal causes an outage. <strong>AWS Certificate Manager (ACM)</strong> <a href="https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html">🔗</a> automates all of this — provisioning, validation, deployment, and renewal — at no cost for certificates used with supported AWS services.</p>https://tofl.github.io/docs/9-security-encryption-deep-dive/macie/Mon, 01 Jan 0001 00:00:00 +0000https://tofl.github.io/docs/9-security-encryption-deep-dive/macie/<h2 id="macie">Macie<a class="anchor" href="#macie">#</a></h2> <p>As applications grow, so does the amount of data they store in S3 — user uploads, logs, exports, backups. It becomes increasingly difficult to track whether any of that data contains sensitive information like names, email addresses, credit card numbers, or API keys. Amazon Macie exists to solve exactly this problem: it automatically scans S3 buckets using machine learning to detect sensitive and personally identifiable information (PII), and alerts you when it finds something — or when your bucket configurations expose data in risky ways.</p>