- S3: SSE-S3 (AWS-managed keys; the default for new objects since January 2023), SSE-KMS (keys you control in KMS, so every use is logged in CloudTrail and can be restricted by key policy), SSE-C (customer-provided key sent with each request and never stored by AWS; uncommon).
- DynamoDB: encryption at rest is always on, with an AWS owned key by default; switch to an AWS managed or customer managed KMS key when compliance needs a key you can audit, restrict or rotate yourself.
- RDS: encryption is chosen at creation time and cannot be turned on for an existing unencrypted instance (snapshot, copy the snapshot encrypted, restore); the KMS key covers storage, automated backups, snapshots and read replicas.
TLS in transit for every public endpoint (API Gateway, ALB). VPC endpoints (gateway endpoints for S3 and DynamoDB, interface endpoints for most other services) give private connectivity to AWS APIs with no internet egress.
KMS keys (older material calls them customer master keys, CMKs): symmetric (the common case, used for all envelope encryption) vs asymmetric (RSA or ECC key pairs for signing and verification, RSA for encryption outside AWS).
Envelope encryption: GenerateDataKey returns a plaintext data key and the same key encrypted under the KMS key. Your app encrypts the payload locally with the plaintext key, stores the encrypted data key alongside the ciphertext, and discards the plaintext. Decrypting is one KMS Decrypt call to unwrap the data key, then local work. KMS is called once per object instead of once per 4 KB (the size limit on a direct Encrypt call), and the bulk data never crosses the wire to KMS.
Key policies are mandatory on KMS keys: every key has one and it is the primary access control. IAM policies only work for a key when its key policy allows them, which is what the default policy's statement granting kms:* to the account root principal does. When access is denied, check both documents; cross-account use needs the key policy to allow the other account and that account's IAM policies to allow the caller.
Grants and delegation: grants are temporary, programmatic permissions on a key (AWS services use them when encrypting on your behalf); cross-account access combines a key policy statement for the other account with IAM on that side. You only need to know they are options, not every API detail.
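The envelope pattern above, as an added example (not code from the original notes or the AWS SDK). `KeyWrapper` is a hypothetical interface standing in for the KMS `GenerateDataKey` and `Decrypt` calls, and `localKMS` is an offline stand-in backed by a local AES-256-GCM master key so the code runs without AWS credentials; `Encrypt` and `Decrypt` are the application side and do not change when the stand-in is swapped for a KMS client.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyWrapper is a hypothetical interface over the two KMS calls envelope
// encryption needs: GenerateDataKey (fresh plaintext data key plus the same key
// encrypted under the KMS key) and Decrypt (unwrap it). Put a KMS client behind
// it in production; localKMS below is the offline stand-in used here.
type KeyWrapper interface {
	GenerateDataKey() (plaintext, wrapped []byte, err error)
	Decrypt(wrapped []byte) ([]byte, error)
}

// Envelope is what gets stored: the wrapped data key travels with the ciphertext.
type Envelope struct{ WrappedKey, Ciphertext []byte }

// randBytes draws from crypto/rand; a failing CSPRNG is fatal, not recoverable.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext||tag with a fresh random nonce.
func seal(aead cipher.AEAD, plaintext []byte) []byte {
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// open splits off the nonce and authenticates before returning plaintext.
func open(aead cipher.AEAD, blob []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], nil)
}

// localKMS holds a master key that, like a KMS key, never leaves the "service".
type localKMS struct{ master cipher.AEAD }

func newLocalKMS() *localKMS {
	block, _ := aes.NewCipher(randBytes(32)) // 32-byte key: NewCipher cannot fail
	aead, _ := cipher.NewGCM(block)
	return &localKMS{master: aead}
}
func (k *localKMS) GenerateDataKey() ([]byte, []byte, error) {
	dk := randBytes(32) // AES-256 data key
	return dk, seal(k.master, dk), nil
}
func (k *localKMS) Decrypt(wrapped []byte) ([]byte, error) { return open(k.master, wrapped) }

// Encrypt makes one GenerateDataKey call per object, however large the payload.
// The plaintext data key goes out of scope on return; only the wrapped copy is kept.
func Encrypt(kms KeyWrapper, payload []byte) (Envelope, error) {
	dk, wrapped, err := kms.GenerateDataKey()
	if err != nil {
		return Envelope{}, err
	}
	aead, err := newGCM(dk)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: wrapped, Ciphertext: seal(aead, payload)}, nil
}

// Decrypt makes one KMS Decrypt call to unwrap the data key, then works locally.
func Decrypt(kms KeyWrapper, env Envelope) ([]byte, error) {
	dk, err := kms.Decrypt(env.WrappedKey)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(dk)
	if err != nil {
		return nil, err
	}
	return open(aead, env.Ciphertext)
}

func main() {
	kms := newLocalKMS()
	env, _ := Encrypt(kms, []byte("a large object body stands in here"))
	pt, err := Decrypt(kms, env)
	fmt.Printf("wrapped key %d B, ciphertext %d B, err=%v, plaintext=%q\n", len(env.WrappedKey), len(env.Ciphertext), err, pt)
}
```

The wrapped key is always 60 bytes (12-byte nonce, 32-byte key, 16-byte tag) whatever the payload size, which is the point: the object can be gigabytes and KMS still sees one small request. Because both layers are AEAD, a flipped bit in the ciphertext or a wrapped key from a different master key fails authentication instead of yielding garbage.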
| Aspect | Secrets Manager | Parameter Store |
|---|---|---|
| Rotation | Native scheduled rotation (managed rotation for RDS, Redshift and DocumentDB; a rotation Lambda for anything else) | None built in; custom Lambda on an EventBridge schedule |
| Cost | Per secret per month plus per API call | Standard tier free; Advanced tier charged per parameter and for higher API throughput |
| Use case | DB passwords, API keys, OAuth tokens | Config, feature flags, hierarchical paths; SecureString for secrets that do not need managed rotation |
Rough split: rotating database credentials → Secrets Manager. Non-secret config and paths → Parameter Store (String or StringList); SecureString parameters (KMS-encrypted) cover secrets that only need storage, not rotation.
- User Pools: authentication (sign-up, sign-in, MFA). A pool issues an ID token and an access token, both JWTs, whose claims (`cognito:groups`, `scope`) feed authorization decisions.
- API Gateway validates User Pool tokens at the edge: a Cognito authorizer on REST APIs, a JWT authorizer on HTTP APIs. Both check the signature against the pool's JWKS, the issuer and the expiry, and can require OAuth scopes on access tokens.
Fine-grained authorization stays in the app or a Lambda authorizer: read `scope` (access token) or `cognito:groups` from the validated claims and decide per route or per record. Never act on claims from a token whose signature has not been checked, and use the `token_use` claim to reject an access token where an ID token is expected.
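The validate-then-authorize step above, as an added example (not code from the original notes or from Cognito). `VerifyIDToken` does what a JWT authorizer does (RS256 signature, issuer, audience, `token_use`, expiry) and `InGroup` is the app-side decision on `cognito:groups`. `NewSigningKey` and `SignIDToken` are hypothetical stand-ins for the User Pool so a token exists to verify offline; in production the public key is fetched from the pool's JWKS URL and selected by the token's `kid` header, and the issuer and client ID used here are constructed values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims holds the User Pool claims an authorizer acts on. Cognito puts group
// membership in "cognito:groups" and the token kind ("id" or "access") in "token_use".
type Claims struct {
	Iss      string   `json:"iss"`
	Aud      string   `json:"aud"`
	Exp      int64    `json:"exp"`
	TokenUse string   `json:"token_use"`
	Groups   []string `json:"cognito:groups"`
}

var b64 = base64.RawURLEncoding // JWT segments are base64url without padding

// VerifyIDToken validates an RS256 ID token: signature, issuer, audience (the app
// client ID), token_use and expiry. In production the public key comes from the
// pool's JWKS document, chosen by the token's "kid" header; here it is passed in.
func VerifyIDToken(token string, pub *rsa.PublicKey, issuer, clientID string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	seg := make([][]byte, 3) // decoded header, payload, signature
	for i, p := range parts {
		var err error
		if seg[i], err = b64.DecodeString(p); err != nil {
			return nil, errors.New("bad base64url segment")
		}
	}
	// Pin the algorithm; never let the token choose it (blocks alg=none and HS256 key confusion).
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(seg[0], &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected alg")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], seg[2]) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if err := json.Unmarshal(seg[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != issuer:
		return nil, errors.New("wrong issuer")
	case c.Aud != clientID:
		return nil, errors.New("wrong audience")
	case c.TokenUse != "id": // an access token from the same pool is validly signed but is not an ID token
		return nil, errors.New("not an ID token")
	case now.Unix() >= c.Exp:
		return nil, errors.New("expired")
	}
	return &c, nil
}

// InGroup is the fine-grained check the app makes once the token is trusted.
func InGroup(c *Claims, group string) bool {
	for _, g := range c.Groups {
		if g == group {
			return true
		}
	}
	return false
}

// NewSigningKey and SignIDToken stand in for the User Pool so there is a token to
// verify offline; a real pool signs with keys published only as a JWKS.
func NewSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
func SignIDToken(priv *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": "example-kid"})
	body, _ := json.Marshal(c) // Claims has no unmarshalable fields
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signing))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signing + "." + b64.EncodeToString(sig), nil
}

func main() {
	priv, _ := NewSigningKey()
	iss := "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE" // constructed issuer
	tok, _ := SignIDToken(priv, Claims{Iss: iss, Aud: "app-client-id", TokenUse: "id",
		Exp: time.Now().Add(time.Hour).Unix(), Groups: []string{"admins"}})
	c, err := VerifyIDToken(tok, &priv.PublicKey, iss, "app-client-id", time.Now())
	fmt.Println(err, c != nil && InGroup(c, "admins"))
}
```

The order matters: the signature is checked before any claim is read, the algorithm is fixed by the verifier rather than taken from the header, and `aud` is compared with the app client ID so a token minted for another client of the same pool is refused. A group claim edited by the client changes the payload bytes and therefore fails the signature check.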
- WAF: web ACL rules attached to CloudFront, API Gateway or ALB: managed rule groups (SQLi, XSS), rate-based rules, geo match, IP sets and similar.
- Shield Standard: free, always-on protection against common L3/L4 DDoS attacks, most effective when traffic enters through CloudFront and Route 53.
- Shield Advanced: paid subscription; 24/7 access to the Shield Response Team (SRT, formerly DRT), DDoS cost protection, and WAF at no extra charge for protected resources.
- No secrets in Git: use Secrets Manager, Parameter Store SecureString, or the CI/CD system's secret store, and fetch at deploy or run time.
- Least privilege IAM; a separate execution role per Lambda function where practical, each scoped to the resources that function actually touches.
- Audit: CloudTrail logs API calls (who did what, when, from where); Config records resource configuration over time and evaluates it against rules (Associate-level awareness).