
AWS KMS vs Secrets Manager: Keys and Secrets in AWS

Published on September 21, 2023

Cloud security is as much about keeping secrets as it is about protecting data. In Amazon Web Services (AWS), however, the term secrets has a specific meaning: the credentials used to access and work with data. Encryption keys keep secrets too, but in a different way. They scramble data to keep people from reading it. In this article, we take a look at AWS KMS vs Secrets Manager and how to manage keys and secrets in AWS.

In cybersecurity, the “CIA triad” stands for confidentiality, integrity, and availability. The services we discuss in this article were developed to maintain confidentiality by keeping private information private. But of course, they differ in their methods.

AWS Key Management Service (KMS): A Quick Definition 

AWS Key Management Service (KMS) is an AWS service designed to create and manage cryptographic keys across applications and services throughout an AWS cloud environment.

Think of AWS KMS as a tool within AWS that is like a master key holder for all the secret codes used to keep your cloud data secure. It helps create and manage these codes to ensure they're used properly across different parts of your cloud setup. 

While we'll cover the basics here, you can learn more about AWS KMS on the AWS website in their guide on Encryption Cryptography Signing - AWS Key Management Service.

What Data Does AWS KMS Hide? 

AWS KMS centers around data encryption. The function of encryption is to take plaintext and scramble all the characters so that it becomes an unrecognizable ciphertext. The end effect is that even if a stranger were to get their hands on encrypted text, they wouldn’t be able to make heads or tails of it. Encryption hides data by making it unreadable. AWS KMS does this by storing the keys that would decipher the text. There would be no way to read the information without the proper key. You might even say that your data could be hidden in plain sight!

How Does AWS KMS Work?

Have you ever stayed in a vacation rental where you had to use a key code to open a key box so you could get to the physical key? AWS employs a kind of “key within a key” approach to protect data. Key management with KMS involves an encryption key hierarchy. A customer-managed key (CMK) encrypts data. The CMK is then encrypted by another key in the form of envelope encryption. 

AWS KMS uses an encryption method known as Advanced Encryption Standard with Galois/Counter Mode, or AES-256-GCM for short. KMS keys are stored in physical devices known as hardware security modules (HSMs). The design and implementation of these HSMs are compliant with FIPS 140-2, a standard established by the U.S. National Institute of Standards and Technology (NIST).

Along with the customer-managed keys (CMKs) that you create, there are also AWS-managed keys for services like S3 and EC2, as well as AWS-owned keys, which are not visible to users. Client-side encryption (CSE) means you encrypt data and manage your keys, while with server-side encryption (SSE), AWS handles all the encryption and key management for you. The entire AWS KMS solution is scalable and enables extremely high durability and availability for encryption keys in the AWS cloud. 
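As an added illustration (not code from the article or from AWS), here is the "key within a key" idea in the shape the KMS API uses: the KMS key stays inside KMS and only wraps a per-object data key, which does the actual AES-256-GCM work locally, so only the wrapped data key is stored next to the ciphertext. `FakeKms` is a constructed stand-in for the service, and the `cryptography` package is assumed to be installed.

```python
# Added example: envelope encryption with a constructed in-memory KMS stand-in.
# FakeKms mirrors the response shape of boto3's kms.generate_data_key() and
# kms.decrypt(); a real client would be boto3.client("kms").
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM


class FakeKms:
    """Stand-in for a KMS key: wraps and unwraps data keys, never exports itself."""

    def __init__(self, key_id: str):
        self.key_id = key_id
        self._master = AESGCM.generate_key(bit_length=256)  # never leaves "KMS"

    def generate_data_key(self, KeyId: str, KeySpec: str = "AES_256") -> dict:
        if KeyId != self.key_id:
            raise ValueError("NotFoundException: unknown key id")
        plaintext = AESGCM.generate_key(bit_length=256)  # the per-object data key
        nonce = os.urandom(12)
        wrapped = nonce + AESGCM(self._master).encrypt(nonce, plaintext, KeyId.encode())
        return {"Plaintext": plaintext, "CiphertextBlob": wrapped, "KeyId": KeyId}

    def decrypt(self, CiphertextBlob: bytes, KeyId: str) -> dict:
        nonce, body = CiphertextBlob[:12], CiphertextBlob[12:]
        return {"Plaintext": AESGCM(self._master).decrypt(nonce, body, KeyId.encode())}


def envelope_encrypt(kms, key_id: str, data: bytes) -> dict:
    """Encrypt data under a fresh data key; keep only the wrapped data key."""
    dk = kms.generate_data_key(KeyId=key_id)
    nonce = os.urandom(12)
    ciphertext = AESGCM(dk["Plaintext"]).encrypt(nonce, data, None)
    # The plaintext data key is dropped here; only KMS can recover it later.
    return {"key_id": key_id, "wrapped_data_key": dk["CiphertextBlob"],
            "nonce": nonce, "ciphertext": ciphertext}


def envelope_decrypt(kms, envelope: dict) -> bytes:
    """Ask KMS to unwrap the data key, then decrypt the payload locally."""
    dk = kms.decrypt(CiphertextBlob=envelope["wrapped_data_key"],
                     KeyId=envelope["key_id"])
    return AESGCM(dk["Plaintext"]).decrypt(envelope["nonce"], envelope["ciphertext"], None)


if __name__ == "__main__":
    kms = FakeKms("alias/demo-key")  # constructed key alias
    env = envelope_encrypt(kms, "alias/demo-key", b"customer record 42")
    print(envelope_decrypt(kms, env))
```

A second `FakeKms` instance, standing in for a different KMS key, cannot unwrap the data key, which is why the KMS key policy rather than the ciphertext is what controls who can read the data.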

How is AWS KMS Used?

AWS KMS protects your data at rest. It handles encryption and decryption of data and enables the signing and verification of digital signatures. You can do both symmetric and asymmetric encryption with KMS, and you can use AWS CloudTrail to track and audit the access of keys in your AWS account.

Think you might want to go further down the AWS security track? Check out this article from CBT Nuggets: Is the AWS Security Worth It? | CBT Nuggets

AWS Secrets Manager: A Quick Definition

AWS Secrets Manager is an AWS service that retrieves and rotates application credentials, database credentials, OAuth tokens, API keys, and other secrets throughout their life cycles. Essentially, AWS Secrets Manager is like a trusted assistant that keeps track of passwords, keys, and other important data used by your apps. It not only gets this information when you need it, but it also changes it regularly to improve overall security. 

What Data Does AWS Secrets Manager Hide?

Like KMS, AWS Secrets Manager hides important information from the general public and deals with confidentiality. The main difference between AWS KMS and Secrets Manager is what they are hiding. KMS hides encryption keys, while Secrets Manager hides credentials. 

Think of how you enter a corporate building. You might have an electronic key card (a key) that provides access to certain doors. But you also carry or wear a picture ID (credentials) that shows you are allowed to be in the building. KMS vs Secrets Manager is a matter of keys vs credentials. 

Secrets Manager can store many kinds of credentials. Any information that gives you access to AWS services might be considered a secret. We’re discussing confidential information such as usernames and passwords, tokens, or application programming interface (API) keys. Secrets Manager makes storing and retrieving these secrets possible so that a running application doesn't leave confidential credentials in plaintext for hackers to capture. 

Learn more about this from the CBT Nuggets team on How to Share a Secret (Key) on AWS | CBT Nuggets.

How Does AWS Secrets Manager Work?

AWS Secrets Manager allows your applications to authenticate to other services without hardcoding credentials in plaintext. Secrets Manager can also use KMS to encrypt the secrets it stores. A Lambda trigger enables your application to retrieve credentials from Secrets Manager for authentication and authorization purposes. The output of your data processing can then be offloaded to a database, such as RDS, Redshift, or DocumentDB.
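An added example (not the article's or AWS's own code) of the retrieval side: the application asks Secrets Manager for a JSON secret at run time and validates that it carries the fields it needs, instead of shipping a username and password in the source. `get_secret_value` is the real boto3 call; `FakeSecretsClient`, the secret name `prod/app/db` and the field names are constructed for the demo.

```python
# Added example: fetch database credentials from Secrets Manager at run time.
import json


class FakeSecretsClient:
    """Constructed stand-in returning the same shape as boto3's get_secret_value."""

    def __init__(self, secrets: dict):
        self._secrets = secrets

    def get_secret_value(self, SecretId: str) -> dict:
        if SecretId not in self._secrets:
            raise KeyError(f"ResourceNotFoundException: {SecretId}")
        return {"Name": SecretId, "SecretString": json.dumps(self._secrets[SecretId])}


def load_db_credentials(client, secret_id: str,
                        required=("username", "password", "host")) -> dict:
    """Fetch a JSON secret and return only the fields the application needs.

    Raises ValueError when the secret is not a JSON string or lacks a field,
    so a half-rotated or mistyped secret fails loudly at startup.
    """
    resp = client.get_secret_value(SecretId=secret_id)
    if "SecretString" not in resp:  # SecretBinary secrets are out of scope here
        raise ValueError(f"{secret_id}: secret is not a string secret")
    try:
        data = json.loads(resp["SecretString"])
    except json.JSONDecodeError as exc:
        raise ValueError(f"{secret_id}: SecretString is not JSON") from exc
    missing = [f for f in required if f not in data]
    if missing:
        raise ValueError(f"{secret_id}: missing fields {missing}")
    return {f: data[f] for f in required}


if __name__ == "__main__":
    import boto3  # real client path; needs AWS credentials and network access
    creds = load_db_credentials(boto3.client("secretsmanager"), "prod/app/db")
    print({k: ("***" if k == "password" else v) for k, v in creds.items()})
```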

Notice also that AWS CloudTrail and AWS CloudWatch can track and audit any retrieval and use of your secrets. This enables you to get real-time notifications when credentials are accessed, or to perform a forensic audit after a possible security breach.
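The auditing point made here and in the KMS section above (CloudTrail records both key use and secret retrieval), as an added example that is not part of the original article: a small review pass over CloudTrail records that flags denied calls and principals outside an allowlist. The four records and the allowlist are constructed; the field names (`eventSource`, `eventName`, `userIdentity.arn`, `errorCode`, `sourceIPAddress`, `requestParameters`) are the real CloudTrail ones.

```python
# Added example: triage CloudTrail events for KMS and Secrets Manager.
WATCHED = {  # calls that touch key material or secret values
    "kms.amazonaws.com": {"Decrypt", "GenerateDataKey", "ScheduleKeyDeletion"},
    "secretsmanager.amazonaws.com": {"GetSecretValue", "PutSecretValue", "DeleteSecret"},
}
# Assumption: the team maintains this list of principals expected to read secrets.
ALLOWED_PRINCIPALS = {"arn:aws:sts::123456789012:assumed-role/app-role/i-0abc"}

SAMPLE_RECORDS = [  # constructed CloudTrail events for the demo
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/app-role/i-0abc"},
     "sourceIPAddress": "10.0.1.5", "requestParameters": {"secretId": "prod/app/db"}},
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"secretId": "prod/app/db"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"keyId": "alias/prod-data"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "DescribeKey",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "sourceIPAddress": "198.51.100.7"},
]


def review_events(records, allowed=ALLOWED_PRINCIPALS):
    """Return (severity, reason, summary) tuples for every watched call."""
    findings = []
    for rec in records:
        name = rec.get("eventName")
        if name not in WATCHED.get(rec.get("eventSource"), ()):
            continue  # metadata-only calls such as DescribeKey are not interesting here
        who = rec.get("userIdentity", {}).get("arn", "?")
        target = next(iter(rec.get("requestParameters", {}).values()), "?")
        summary = f"{name} on {target} by {who} from {rec.get('sourceIPAddress')}"
        if rec.get("errorCode"):
            # A denied Decrypt/GetSecretValue is a probe worth a look even though it failed.
            findings.append(("high", f"denied: {rec['errorCode']}", summary))
        elif who not in allowed:
            findings.append(("high", "principal not on allowlist", summary))
        else:
            findings.append(("info", "expected access", summary))
    return findings


if __name__ == "__main__":
    for severity, reason, summary in review_events(SAMPLE_RECORDS):
        print(f"[{severity}] {reason}: {summary}")
```

In practice the same logic would sit behind a CloudWatch Logs metric filter or an EventBridge rule on the CloudTrail stream so that the "high" findings page someone rather than wait for a periodic review.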

How is AWS Secrets Manager Used?

Along with secure storage of your secrets, Secrets Manager can perform automatic rotation of your credentials to meet compliance requirements. You can also replicate secrets in other regions as backup in case of a disaster. These extra measures add to the robust cloud security provided by AWS.

The use of AWS Secrets Manager is managed by AWS Identity and Access Management (IAM) accounts and policies. For example, you can limit access to only those database engineers or software developers who need it. 

A Word about AWS SSM Parameter Store

We could easily have added AWS Systems Manager Parameter Store into the mix as a third AWS service for comparison in this article. But rather than giving it a full treatment, suffice it to say that SSM Parameter Store is similar to Secrets Manager but with a wider use case, and it’s part of Systems Manager. 

You can encrypt both secrets and parameters with KMS keys, and both services record data in a key/value fashion. SSM Parameter Store, the older of the two, holds a wider range of information, such as URLs and license keys, not just credentials. SSM Parameter Store integrates well with both KMS and Secrets Manager.

Choosing the Right Security Sidekick: AWS KMS vs Secrets Manager

Keeping secrets in AWS is important, and both AWS KMS and Secrets Manager can store confidential information. However, it’s important to understand that encryption keys are stored and managed separately from the storage and management of application credentials. Knowing the distinctions between these similar AWS services will help you understand your options in AWS cloud security. 

