AWS prescriptive-guidance documentation change
Summary
Updated documentation links, corrected service name references to CloudHSM, added bold formatting to section headers, and fixed punctuation/grammar
Security assessment
Changes are editorial improvements (link updates, formatting, grammar) rather than security-related updates. No new security vulnerabilities addressed or security features documented. References to CloudHSM/KMS remain consistent with existing security documentation.
Diff
diff --git a/prescriptive-guidance/latest/strategy-data-at-rest-encryption/implementation.md b/prescriptive-guidance/latest/strategy-data-at-rest-encryption/implementation.md index 88994691f..b2459d0d7 100644 --- a//prescriptive-guidance/latest/strategy-data-at-rest-encryption/implementation.md +++ b//prescriptive-guidance/latest/strategy-data-at-rest-encryption/implementation.md @@ -5 +5 @@ -[Documentation](/index.html)[AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/)[Creating an enterprise encryption strategy for data at rest](welcome.html) +[Documentation](/index.html)[AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/)[Creating an enterprise encryption strategy for data at rest](introduction.html) @@ -15 +15 @@ AWS KMS is a managed service that helps you create and control the cryptographic -AWS CloudHSM is a cryptographic service for creating and maintaining _hardware security modules_ (HSMs) in your AWS environment. HSMs are computing devices that process cryptographic operations and provide secure storage for cryptographic keys. If your standards requires you to use FIPS 140-2 Level 3 validated hardware, or if your standards dictate use of industry-standard APIs, such as PKCS#11, Java Cryptography Extensions (JCE), and Microsoft CryptoNG (CNG), then you might consider using AWS CloudHSM. +CloudHSM is a cryptographic service for creating and maintaining _hardware security modules_ (HSMs) in your AWS environment. HSMs are computing devices that process cryptographic operations and provide secure storage for cryptographic keys. If your standards requires you to use FIPS 140-2 Level 3 validated hardware, or if your standards dictate use of industry-standard APIs, such as PKCS#11, Java Cryptography Extensions (JCE), and Microsoft CryptoNG (CNG), then you might consider using CloudHSM. @@ -17 +17 @@ AWS CloudHSM is a cryptographic service for creating and maintaining _hardware s -You can configure AWS CloudHSM as a custom key store for AWS KMS. This solution combines the convenience and service integration of AWS KMS with the added control and compliance benefits of using a AWS CloudHSM cluster in your AWS account. For more information, see [Custom key stores](https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) (AWS KMS documentation). +You can configure CloudHSM as a custom key store for AWS KMS. This solution combines the convenience and service integration of AWS KMS with the added control and compliance benefits of using a CloudHSM cluster in your AWS account. For more information, see [Custom key stores](https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) (AWS KMS documentation). @@ -25 +25 @@ AWS KMS offers different types of keys. Some are owned or managed by AWS, and ot - * AWS owned keys – AWS owns and manages these keys, and they are used in multiple AWS accounts. Some AWS services support AWS owned keys. You can use these keys for no charge. This key type relieves you from the cost and administrative overhead of managing the key lifecycle and access to it. For more information about this type of key, see [AWS owned keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk) (AWS KMS documentation). + * **AWS owned keys** – AWS owns and manages these keys, and they are used in multiple AWS accounts. Some AWS services support AWS owned keys. You can use these keys for no charge. This key type relieves you from the cost and administrative overhead of managing the key lifecycle and access to it. For more information about this type of key, see [AWS owned keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk) (AWS KMS documentation). @@ -27 +27 @@ AWS KMS offers different types of keys. Some are owned or managed by AWS, and ot - * AWS managed keys – If an AWS service is integrated with AWS KMS, it can create, manage, and use this type of keys on your behalf, in order to protect your resources in that service. These keys are created in your AWS account, and only AWS services can use them. There is no monthly fee for an AWS managed key. They can be subject to fees for use in excess of the free tier, but some AWS services cover these costs for you. You can use identity policies to control view and audit access for these keys, but AWS manages the key lifecycle. For more information about this type of key, see [AWS managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) (AWS KMS documentation). For a comprehensive list of the AWS services that integrate with AWS KMS, see [AWS service integration](https://aws.amazon.com/kms/features/#AWS_Service_Integration) (AWS marketing). + * **AWS managed keys** – If an AWS service is integrated with AWS KMS, it can create, manage, and use this type of keys on your behalf, in order to protect your resources in that service. These keys are created in your AWS account, and only AWS services can use them. There is no monthly fee for an AWS managed key. They can be subject to fees for use in excess of the free tier, but some AWS services cover these costs for you. You can use identity policies to control view and audit access for these keys, but AWS manages the key lifecycle. For more information about this type of key, see [AWS managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) (AWS KMS documentation). For a comprehensive list of the AWS services that integrate with AWS KMS, see [AWS service integration](https://aws.amazon.com/kms/features/#AWS_Service_Integration) (AWS marketing). @@ -29 +29 @@ AWS KMS offers different types of keys. Some are owned or managed by AWS, and ot - * Customer managed keys – You create, own, and manage this type of key, and you have full control over the key lifecycle. For segregation of duties, you can use both identity and resource-based policies to control access to the key. You can also set up automated [key rotation](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html). Customer managed keys incur a monthly fee, and if you exceed the free tier, they also incur a fee for use. For more information about this type of key, see [Customer managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) (AWS KMS documentation). + * **Customer managed keys** – You create, own, and manage this type of key, and you have full control over the key lifecycle. For segregation of duties, you can use both identity and resource-based policies to control access to the key. You can also set up automated [key rotation](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html). Customer managed keys incur a monthly fee, and if you exceed the free tier, they also incur a fee for use. For more information about this type of key, see [Customer managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) (AWS KMS documentation). @@ -40 +40 @@ Based upon the chosen encryption type in standards, you can use two types of KMS - * Symmetric – All of the AWS KMS key types support symmetric encryption. When encrypting customer managed keys, you can use a single-strength key for encryption and decryption with AES-256-GCM. + * **Symmetric** – All of the AWS KMS key types support symmetric encryption. When encrypting customer managed keys, you can use a single-strength key for encryption and decryption with AES-256-GCM. @@ -42 +42 @@ Based upon the chosen encryption type in standards, you can use two types of KMS - * Asymmetric – Customer managed keys support asymmetric encryption. You can choose between different key strengths and algorithms, based upon your intended use. Asymmetric keys can encrypt and decrypt with RSA and can sign and verify operations with RSA or ECC. Asymmetric key algorithms inherently provide separation of roles and simplify key management. When using asymmetric encryption with AWS KMS, some operations aren’t supported, such as rotating keys and importing external key material. + * **Asymmetric** – Customer managed keys support asymmetric encryption. You can choose between different key strengths and algorithms, based upon your intended use. Asymmetric keys can encrypt and decrypt with RSA and can sign and verify operations with RSA or ECC. Asymmetric key algorithms inherently provide separation of roles and simplify key management. When using asymmetric encryption with AWS KMS, some operations aren't supported, such as rotating keys and importing external key material. @@ -57 +57 @@ You use policies to manage access to AWS KMS resources. _Policies_ describe who -Key policies provide flexibility to store the encryption key in a central location or store it closer to the data, in a distributed manner. Consider the following AWS KMS features when you’re deciding where to store KMS keys in your AWS account: +Key policies provide flexibility to store the encryption key in a central location or store it closer to the data, in a distributed manner. Consider the following AWS KMS features when you're deciding where to store KMS keys in your AWS account: @@ -59 +59 @@ Key policies provide flexibility to store the encryption key in a central locati - * Single-Region infrastructure support – By default, KMS keys are Region-specific, and they never leave AWS KMS unencrypted. If your standards have strict requirements for controlling keys in a specific geographical location, explore using single-Region keys. + * **Single-Region infrastructure support** – By default, KMS keys are Region-specific, and they never leave AWS KMS unencrypted. If your standards have strict requirements for controlling keys in a specific geographical location, explore using single-Region keys. @@ -61 +61 @@ Key policies provide flexibility to store the encryption key in a central locati - * Multi-Region infrastructure support – AWS KMS also supports special-purpose key type called _multi-Region keys_. Storing data in multiple AWS Regions is a common configuration for disaster recovery. By using multi-Region keys, you can transfer data between Regions without re-encrypting it, and you can manage the data as if you had the same key in each Region. This functionality is highly useful if your standards require that your encryption infrastructure spans multiple Regions in an active-active configuration. For more information, see [Multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) (AWS KMS documentation). + * **Multi-Region** **infrastructure support** – AWS KMS also supports special-purpose key type called _multi-Region keys_. Storing data in multiple AWS Regions is a common configuration for disaster recovery. By using multi-Region keys, you can transfer data between Regions without re-encrypting it, and you can manage the data as if you had the same key in each Region. This functionality is highly useful if your standards require that your encryption infrastructure spans multiple Regions in an active-active configuration. For more information, see [Multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) (AWS KMS documentation). @@ -63 +63 @@ Key policies provide flexibility to store the encryption key in a central locati - * Centralized management – If your standards require that you store keys in a centralized location, you can use AWS KMS to store all of your encryption keys in a single AWS account. You use key policies to grant access to other applications, which can be in different accounts in the same Region. Centralized key management can reduce the administrative overhead of managing the key lifecycle and key access control. + * **Centralized management** – If your standards require that you store keys in a centralized location, you can use AWS KMS to store all of your encryption keys in a single AWS account. You use key policies to grant access to other applications, which can be in different accounts in the same Region. Centralized key management can reduce the administrative overhead of managing the key lifecycle and key access control. @@ -65 +65 @@ Key policies provide flexibility to store the encryption key in a central locati - * External key material – You can import externally generated key material into AWS KMS. Support for this functionality is available for single and multi-Region symmetric keys. Because the material of the symmetric key is generated externally, you are responsible for protecting the generated key materials. For more information, see [Imported key material](https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) (AWS KMS documentation). + * **External key material** – You can import externally generated key material into AWS KMS. Support for this functionality is available for single and multi-Region symmetric keys. Because the material of the symmetric key is generated externally, you are responsible for protecting the generated key materials. For more information, see [Imported key material](https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) (AWS KMS documentation).