AWS KMS vs CloudHSM vs Secrets Manager vs Parameter Store

  • AWS provides several services for managing encryption keys and secrets, each designed for different security requirements and use cases.
  • KMS is managed key management, CloudHSM is a dedicated hardware security module, Secrets Manager stores and rotates secrets, and Systems Manager Parameter Store holds configuration data and secrets.
  • The choice depends on compliance requirements (for example, a single-tenant FIPS 140-2 Level 3 HSM), how much control you need over key material, rotation requirements, and cost.

KMS vs CloudHSM vs Secrets Manager vs Parameter Store Comparison

| Feature | KMS | CloudHSM | Secrets Manager | Parameter Store |
|---|---|---|---|---|
| Purpose | Managed encryption key service | Dedicated HSM for key management | Secret storage with automatic rotation | Configuration and secret storage |
| Key control | AWS manages the HSMs, you manage the keys | You manage everything (single-tenant HSM) | Uses KMS for encryption | Uses KMS for encryption (SecureString) |
| FIPS 140-2 | Level 3 (since March 2023) | Level 3 | N/A (inherits from KMS) | N/A (inherits from KMS) |
| Multi-tenancy | Multi-tenant (shared infrastructure) | Single-tenant (dedicated hardware) | Multi-tenant | Multi-tenant |
| Automatic rotation | Yes (yearly for AWS managed keys; 90 to 2560 days, configurable, for customer managed keys) | Manual (you control rotation) | Yes (built in for RDS, Redshift, DocumentDB; Lambda function for anything else) | No built-in rotation |
| Cross-account | Yes (key policy + IAM) | No resource policy; access is network-level from the cluster's VPC or a peered VPC | Yes (resource policy) | Yes (AWS RAM sharing, Advanced tier only) |
| Cross-region | Multi-Region keys | Cluster is regional (backups can be copied to another Region) | Multi-Region secret replication | No native replication |
| Max size | 4 KB per direct Encrypt call (use data keys for larger payloads) | N/A (limited by the HSM's key capacity, not value size) | 64 KB per secret | 4 KB (Standard) / 8 KB (Advanced) |
| Pricing | $1/month per customer managed key + API calls | ~$1.50/hour per HSM (~$1,095/month) | $0.40/secret/month + API calls | Free (Standard) / $0.05/parameter/month (Advanced) |
| Versioning | Rotation creates new key material; older material is kept for decryption | Manual | Yes (staging labels AWSCURRENT, AWSPREVIOUS, AWSPENDING) | Yes (up to 100 versions) |
| Audit | CloudTrail | CloudTrail + HSM audit logs | CloudTrail | CloudTrail |
| AWS integration | 100+ services natively | Custom integration required (or indirectly via a KMS custom key store) | RDS, Redshift, DocumentDB, ECS, Lambda | ECS, Lambda, CloudFormation, CodeDeploy |
| Key types | Symmetric (AES-256), asymmetric (RSA, ECC), HMAC | Symmetric, asymmetric, HMAC through standard PKCS#11/JCE mechanisms | N/A (stores secrets, not keys) | N/A (stores values) |

AWS KMS (Key Management Service)

  • Fully managed encryption key service integrated with 100+ AWS services.
  • Three key categories: AWS owned keys (held in an AWS-owned account, not visible to you, no charge), AWS managed keys (aws/s3, aws/rds and similar, created in your account by a service and usable only through that service), and customer managed keys (you control the key policy, rotation, aliases and deletion).
  • Envelope encryption – GenerateDataKey returns a plaintext data key together with the same key wrapped under the KMS key; you encrypt locally and store only the wrapped copy next to the ciphertext. KMS never stores data keys, and a direct Encrypt call is limited to 4 KB of plaintext.
  • Encryption context – optional key/value pairs bound to a ciphertext as additional authenticated data; Decrypt must present the same context, and key policies can require specific values with the kms:EncryptionContext condition keys.
  • Multi-Region keys – a primary key and replicas that share the same key ID and key material, so ciphertext produced in one Region decrypts in another without re-encryption.
  • Key policies + IAM – the key policy is the primary access control; IAM policies only take effect where the key policy delegates to them. Grants give temporary, programmatic access and are how AWS services use your keys on your behalf.
  • Automatic key rotation – configurable from 90 to 2560 days for customer managed keys (yearly only before 2024); AWS managed keys rotate yearly. Not available for imported key material, asymmetric or HMAC keys, or keys in a custom key store.
  • External Key Store (XKS) – KMS keys whose material stays in an HSM outside AWS; KMS forwards data-key wrap and unwrap requests to your XKS proxy, so an outage on your side makes dependent data unavailable.
  • FIPS 140-2 Level 3 validated since March 2023.
  • Best for: Most encryption use cases – S3, EBS, RDS, DynamoDB, Lambda, and the other natively integrated services.
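Envelope encryption as described above, as an added example (not code from this page or from AWS): a Go program that wraps a per-object data key under a master key and binds an encryption context as AAD. The DataKeyProvider interface is an assumption standing in for the GenerateDataKey and Decrypt calls of the real KMS API; LocalKMS implements it in process so the program runs offline, and the key alias and context values are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// DataKeyProvider is the slice of the KMS API that envelope encryption needs: in
// production it is GenerateDataKey and Decrypt via the AWS SDK; LocalKMS is a stand-in.
type DataKeyProvider interface {
	GenerateDataKey(keyID string, ctx map[string]string) (plaintext, wrapped []byte, err error)
	Decrypt(wrapped []byte, ctx map[string]string) ([]byte, error)
}

// LocalKMS keeps a master key that never leaves it, like a KMS key in its HSM. It wraps
// data keys with AES-GCM and binds the encryption context as AAD, as KMS does.
type LocalKMS struct{ master []byte }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // only a wrong key length can fail here
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block)
	return aead
}

func (l *LocalKMS) GenerateDataKey(keyID string, ctx map[string]string) ([]byte, []byte, error) {
	dataKey := randomBytes(32) // AES-256 data key: handed out once, never stored
	aad, _ := json.Marshal(ctx) // json sorts map keys, so equal contexts give equal AAD
	nonce := randomBytes(12)
	return dataKey, newGCM(l.master).Seal(nonce, nonce, dataKey, aad), nil
}

func (l *LocalKMS) Decrypt(wrapped []byte, ctx map[string]string) ([]byte, error) {
	if len(wrapped) < 12 {
		return nil, fmt.Errorf("wrapped key too short")
	}
	aad, _ := json.Marshal(ctx)
	dataKey, err := newGCM(l.master).Open(nil, wrapped[:12], wrapped[12:], aad)
	if err != nil { // the real service reports this as InvalidCiphertextException
		return nil, fmt.Errorf("cannot unwrap data key: wrong key or encryption context")
	}
	return dataKey, nil
}

// Envelope is what is stored with the object: wrapped key plus local ciphertext.
type Envelope struct {
	WrappedKey []byte `json:"wrapped_key"`
	Nonce      []byte `json:"nonce"`
	Ciphertext []byte `json:"ciphertext"`
}

// EnvelopeEncrypt takes a fresh data key, encrypts locally (no 4 KB limit; the
// payload never reaches KMS) and zeroes the plaintext key once it is loaded.
func EnvelopeEncrypt(kms DataKeyProvider, keyID string, ctx map[string]string, plaintext []byte) ([]byte, error) {
	dataKey, wrapped, err := kms.GenerateDataKey(keyID, ctx)
	if err != nil {
		return nil, err
	}
	aead := newGCM(dataKey) // aes.NewCipher copies the key, so the slice can be wiped
	for i := range dataKey {
		dataKey[i] = 0
	}
	nonce := randomBytes(12)
	return json.Marshal(Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, nil)})
}

// EnvelopeDecrypt sends only the wrapped key to KMS. The caller supplies the context
// (say, derived from the object's path), so a blob moved elsewhere cannot be opened.
func EnvelopeDecrypt(kms DataKeyProvider, blob []byte, ctx map[string]string) ([]byte, error) {
	var env Envelope
	if err := json.Unmarshal(blob, &env); err != nil {
		return nil, err
	}
	dataKey, err := kms.Decrypt(env.WrappedKey, ctx)
	if err != nil {
		return nil, err
	}
	return newGCM(dataKey).Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	kms, ctx := &LocalKMS{master: randomBytes(32)}, map[string]string{"app": "billing", "object": "invoice-42"}
	blob, _ := EnvelopeEncrypt(kms, "alias/billing", ctx, make([]byte, 1<<20)) // 1 MiB payload
	_, err := EnvelopeDecrypt(kms, blob, map[string]string{"app": "billing", "object": "invoice-43"})
	fmt.Println("decrypt under another context:", err)
}
```

Two properties to take from this: the payload (1 MiB in main) never goes to the key service, only the short wrapped key does, which is why the 4 KB Encrypt limit does not matter; and a ciphertext presented under a different encryption context fails at the unwrap step, which is how you stop a blob lifted from one object being decrypted as another. In production, replace LocalKMS with the SDK client and pass the same context to both calls.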

AWS CloudHSM

  • Dedicated, single-tenant HSM instances in your VPC – you own and manage the keys and HSM users; AWS manages only the hardware, firmware and backups.
  • FIPS 140-2 Level 3 validated hardware – needed where a control requires a single-tenant, validated HSM.
  • Full key control – AWS has no access to your keys or HSM user credentials; if you lose the crypto officer credentials and all cluster backups, the keys are unrecoverable.
  • Client libraries for PKCS#11, JCE, CNG/KSP and an OpenSSL Dynamic Engine, for integrating custom applications.
  • Cluster-based – deploy HSMs across multiple AZs for HA; keys are synchronized across the cluster automatically and backed up, encrypted, to S3 in the same Region.
  • Custom key store for KMS – KMS keys whose key material lives in your CloudHSM cluster, giving single-tenant hardware plus native service integration (automatic rotation is not available for these keys).
  • SSL/TLS offloading – keep web server private keys inside the HSM.
  • Code signing, certificate authority – private-key operations that should never leave dedicated hardware.
  • Best for: Controls that demand a single-tenant HSM (for example PCI DSS or an internal policy interpreted that way), custom cryptographic operations, SSL/TLS offloading, running your own CA.

AWS Secrets Manager

  • Purpose-built for managing secrets (database credentials, API keys, tokens); values up to 64 KB.
  • Automatic rotation – built-in Lambda rotation functions for RDS (MySQL, PostgreSQL, Oracle, SQL Server, MariaDB, Aurora), Redshift and DocumentDB; your own Lambda for anything else, implementing the createSecret, setSecret, testSecret and finishSecret steps.
  • Multi-Region replication – replicate secrets across Regions for DR and multi-Region applications; a replica can be promoted to a standalone secret.
  • Versioning with staging labels – AWSCURRENT, AWSPREVIOUS, and AWSPENDING during rotation; clients that cache a credential should re-fetch (and can fall back to AWSPREVIOUS) when it stops working.
  • Resource-based policies – share secrets cross-account; the caller also needs kms:Decrypt on the customer managed KMS key that protects the secret.
  • Integration – ECS/Fargate (inject as environment variables), Lambda (Parameters and Secrets Lambda Extension), RDS Proxy.
  • Batch retrieval – BatchGetSecretValue retrieves up to 20 secrets in a single API call.
  • Best for: Database credentials that need automatic rotation, API keys, OAuth tokens, any secret requiring lifecycle management.
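The four-step rotation and the staging-label moves described above, as an added example (not code from this page, from AWS, or from the AWS-provided rotation functions): a Go program with an in-memory model of one secret's versions and labels, a constructed Database target, and a single Rotate function. The real service invokes the rotation Lambda once per step with Step and ClientRequestToken parameters; here the steps run in sequence inside one function, and the Database's reject flag is a constructed fault used to make testSecret fail.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Staging labels, named as Secrets Manager names them.
const (
	Current  = "AWSCURRENT"
	Previous = "AWSPREVIOUS"
	Pending  = "AWSPENDING"
)

// Secret is an in-memory model of one secret's versions and labels (a stand-in
// for the service). Invariants the service enforces: exactly one version holds
// AWSCURRENT, and a label is attached to at most one version at a time.
type Secret struct {
	versions map[string]string // version id -> value
	labels   map[string]string // label -> version id
}

func NewSecret(value string) *Secret {
	s := &Secret{versions: map[string]string{}, labels: map[string]string{}}
	s.PutSecretValue(value, Current)
	return s
}

func newID() string {
	b := make([]byte, 8)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// GetSecretValue resolves a staging label the way a client does (clients default to AWSCURRENT).
func (s *Secret) GetSecretValue(stage string) (string, error) {
	id, ok := s.labels[stage]
	if !ok {
		return "", fmt.Errorf("no version carries %s", stage)
	}
	return s.versions[id], nil
}

// PutSecretValue stores a new version and attaches the given label to it.
func (s *Secret) PutSecretValue(value, stage string) string {
	id := newID()
	s.versions[id] = value
	s.labels[stage] = id
	return id
}

// promote moves AWSCURRENT to the pending version. In the same call the service
// moves AWSPREVIOUS to the version that was current and drops AWSPENDING.
func (s *Secret) promote(pendingID string) {
	s.labels[Previous] = s.labels[Current]
	s.labels[Current] = pendingID
	delete(s.labels, Pending)
}

// Database stands in for the system whose credential is rotated.
type Database struct {
	password string
	reject   bool // constructed fault: makes testSecret fail
}

func (d *Database) SetPassword(pw string) { d.password = pw }
func (d *Database) Login(pw string) bool  { return !d.reject && pw == d.password }

// Rotate runs the four steps a rotation function implements. Only finishSecret
// moves AWSCURRENT, so a failure before it leaves readers on the old version, and
// the next attempt resumes from the retained AWSPENDING instead of minting another.
func Rotate(s *Secret, db *Database, newPassword string) error {
	// createSecret: reuse an AWSPENDING left by an earlier attempt, else stage a new one.
	candidate, err := s.GetSecretValue(Pending)
	if err != nil {
		candidate = newPassword
		s.PutSecretValue(candidate, Pending)
	}
	// setSecret: apply the pending credential to the target system.
	db.SetPassword(candidate)
	// testSecret: prove it works before anyone is pointed at it.
	if !db.Login(candidate) {
		return errors.New("testSecret failed; AWSCURRENT unchanged, AWSPENDING retained")
	}
	// finishSecret: flip the labels.
	s.promote(s.labels[Pending])
	return nil
}

func main() {
	s, db := NewSecret("pw-initial"), &Database{password: "pw-initial", reject: true}
	fmt.Println("attempt 1:", Rotate(s, db, "pw-"+newID()))
	db.reject = false
	fmt.Println("attempt 2:", Rotate(s, db, "pw-"+newID()))
	cur, _ := s.GetSecretValue(Current)
	prev, _ := s.GetSecretValue(Previous)
	fmt.Printf("current=%s previous=%s db-login=%v\n", cur, prev, db.Login(cur))
}
```

The point of the failed first attempt is the one that matters operationally: after a testSecret failure, AWSCURRENT still resolves to the old value, AWSPENDING is kept, and the retry promotes that pending version rather than the fresh password it was handed. In the single-user strategy modelled here, setSecret has already changed the database password by then, which is why cached clients need to re-fetch on an authentication error and why the alternating-users strategy exists.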

Systems Manager Parameter Store

  • Hierarchical configuration storage for both configuration data and secrets.
  • Two tiers: Standard (free, 4 KB values, 10,000 parameters per Region) and Advanced ($0.05 per parameter per month, 8 KB values, 100,000 parameters, parameter policies, higher throughput).
  • Parameter types: String, StringList, SecureString (encrypted with a KMS key; reading one with decryption needs both ssm:GetParameter and kms:Decrypt).
  • Hierarchy and tagging – organize parameters like /prod/db/password, /dev/api/key, fetch a subtree with GetParametersByPath, and scope IAM policies to a path prefix.
  • No built-in rotation – use EventBridge + Lambda for custom rotation.
  • Parameter policies (Advanced tier) – Expiration, ExpirationNotification and NoChangeNotification.
  • Public parameters – AWS publishes the latest AMI IDs (including ECS-optimized and EKS AMIs) under /aws/service/.
  • CloudFormation integration – dynamic references ({{resolve:ssm:...}} and {{resolve:ssm-secure:...}}) resolve parameters during stack operations.
  • Best for: Application configuration, feature flags, non-rotating secrets, AMI IDs, and cost-sensitive use cases where rotation isn’t needed.

When to Choose Which

  • Choose KMS – Encrypting data in AWS services (S3, EBS, RDS), envelope encryption, most standard encryption needs.
  • Choose CloudHSM – A control that requires a single-tenant FIPS 140-2 Level 3 HSM, custom cryptographic operations, SSL/TLS offloading, running your own CA.
  • Choose Secrets Manager – Database credentials needing automatic rotation, API keys with lifecycle management, cross-region secret replication.
  • Choose Parameter Store – Application configuration, feature flags, non-rotating secrets, cost-sensitive (free tier), hierarchical organization of config data.
  • Combine KMS + Secrets Manager – Secrets Manager always encrypts with KMS; use a customer managed key so that reading the secret also requires kms:Decrypt on that key, and because the default aws/secretsmanager key cannot be used for cross-account access.
  • Combine CloudHSM + KMS – Use CloudHSM as a custom key store backing KMS keys (single-tenant hardware plus native service integration).

AWS Certification Exam Practice Questions

  1. A company needs to store database credentials that automatically rotate every 30 days and are accessible from ECS tasks as environment variables. Which service is most appropriate?
    1. KMS with custom rotation
    2. Parameter Store SecureString
    3. Secrets Manager
    4. CloudHSM
  2. A financial institution must use dedicated hardware security modules (not shared) for key management to satisfy PCI-DSS Level 1 compliance. Which service meets this requirement?
    1. KMS with customer-managed keys
    2. CloudHSM
    3. KMS with external key store
    4. Secrets Manager with KMS
  3. A development team needs to store application configuration values (non-sensitive) and sensitive database passwords together in a hierarchical structure with minimal cost. Which approach is recommended?
    1. Secrets Manager for all values
    2. Parameter Store (String for config, SecureString for passwords)
    3. KMS encrypted S3 bucket
    4. DynamoDB with encryption
  4. An application needs encryption keys that work identically across 3 AWS regions for cross-region data encryption/decryption without re-encrypting. Which feature enables this?
    1. CloudHSM cluster replication
    2. Secrets Manager multi-region secrets
    3. KMS Multi-Region keys
    4. KMS key import in each region
  5. A company wants to use AWS KMS for service integrations but needs their keys to remain in their on-premises HSM that they fully control. Which KMS feature supports this?
    1. CloudHSM custom key store
    2. KMS imported key material
    3. KMS External Key Store (XKS)
    4. KMS with VPN connection
