
AWS Key Management Service - leef
https://aws.amazon.com/kms/
======
toyg
I put on my robe and tinfoil hat...

Managing all my keys on such a service would mean trusting Amazon will not
hand them over to NSA and friends (with or without NSL or sealed indictment).
Which I'm rather sceptical about, tbh, considering Amazon makes quite a lot of
business with governments of all sorts.

EDIT: to clarify, my comment was about keys that would otherwise not sit on,
or be used by, AWS images. If you make the effort to use such a tool, it makes
sense to store all your keys, not just stuff that would have ended up on AWS
anyway; and that's where the risk lies.

~~~
iancarroll
The keys are stored on SafeNet HSMs; you'd have to trust that they don't do
anything with them, but they can't exactly export them.

~~~
Terretta
_How does AWS KMS compare to AWS CloudHSM?_

AWS CloudHSM provides you with a dedicated hardware device installed in your
Amazon Virtual Private Cloud (VPC) that provides a FIPS 140-2 Level 2
validated single-tenant HSM to store and use your keys. You have total control
over your keys and the application software that uses them with CloudHSM.

AWS KMS allows you to control the encryption keys used by your applications
and supported AWS services in multiple regions around the world from a single
console. Centralized management of all your keys in AWS KMS lets you enforce
who can use your keys, when they get rotated, and who can manage them. AWS KMS
integration with AWS CloudTrail gives you the ability to audit the use of your
keys to support your regulatory and compliance activities.

------
iancarroll
This is actually a really cool feature - the CloudHSM offering is both (very)
expensive and not user friendly. This should help with big clients requiring
HSMs or the like.

So many cool services could be built with this if there's an open API.

Edit: Sadly, it seems there's no out-of-the-box ELB support... Would be great
for TLS termination.

~~~
bgentry
For ELB TLS termination, AWS already stores your TLS key securely in IAM,
probably using some of the same underlying technologies. What sort of
integration do you want between KMS and ELB?

~~~
iancarroll
Securely doesn't equate to what an HSM provides. I'd be doubtful if they are
(using them) right now...

If IAM gets compromised, an attacker can take the key and run, as opposed to
them only being able to use it while they have access to the HSM. Not saying
it's likely to happen.
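
The two points made above (the FAQ's centralized grant, rotation and CloudTrail audit controls, and the observation that an HSM-backed key can only be used, never taken) can be shown with a small simulation. This is an added example, not code from the thread or from AWS: a stand-in KMS object holds master keys it never returns, authorizes every call against a grant list and writes an audit entry, while the application keeps only wrapped data keys next to its ciphertext (envelope encryption). Everything in it is constructed: the MockKms class, the principal names, the HMAC-SHA256 counter-mode cipher standing in for AES-GCM, and the sample record.

```python
"""Envelope encryption against a non-exportable master key (constructed example)."""
import hashlib
import hmac
import os


class AccessDenied(PermissionError):
    """Raised when a principal is not in the key's grant list."""


# --- toy authenticated cipher: HMAC-SHA256 keystream + HMAC tag (stand-in for AES-GCM) ---
def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one 32-byte key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter mode: block i of the keystream is HMAC(key, nonce || i).
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range((len(data) + 31) // 32)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


def aead_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    body = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag  # encrypt-then-MAC layout: nonce || body || tag


def aead_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext failed authentication")
    return _keystream_xor(_subkey(key, b"enc"), nonce, body)


class MockKms:
    """Stand-in for the HSM-backed service (constructed): master keys are created,
    used and audited here, but no call ever returns master key bytes."""

    def __init__(self):
        self._masters = {}    # key_id -> master key bytes (never leave this object)
        self._grants = {}     # key_id -> set of principals allowed to use the key
        self.audit_log = []   # (principal, action, key_id, allowed): CloudTrail analogue

    def create_key(self, admin: str) -> str:
        key_id = "key-" + os.urandom(4).hex()
        self._masters[key_id] = os.urandom(32)
        self._grants[key_id] = {admin}
        return key_id

    def grant(self, key_id: str, principal: str) -> None:
        self._grants[key_id].add(principal)

    def revoke(self, key_id: str, principal: str) -> None:
        self._grants[key_id].discard(principal)

    def _authorize(self, principal: str, action: str, key_id: str) -> None:
        allowed = principal in self._grants.get(key_id, set())
        self.audit_log.append((principal, action, key_id, allowed))
        if not allowed:
            raise AccessDenied(f"{principal} may not {action} with {key_id}")

    def generate_data_key(self, principal: str, key_id: str):
        """Return (plaintext data key, the same key wrapped under the master key)."""
        self._authorize(principal, "GenerateDataKey", key_id)
        data_key = os.urandom(32)
        return data_key, aead_encrypt(self._masters[key_id], data_key)

    def decrypt_data_key(self, principal: str, key_id: str, wrapped: bytes) -> bytes:
        self._authorize(principal, "Decrypt", key_id)
        return aead_decrypt(self._masters[key_id], wrapped)


# --- application side: persists only ciphertext plus the wrapped data key ---
def encrypt_record(kms: MockKms, principal: str, key_id: str, plaintext: bytes) -> dict:
    data_key, wrapped = kms.generate_data_key(principal, key_id)
    ciphertext = aead_encrypt(data_key, plaintext)
    del data_key  # the plaintext data key is used once and not stored
    return {"key_id": key_id, "wrapped_key": wrapped, "ciphertext": ciphertext}


def decrypt_record(kms: MockKms, principal: str, record: dict) -> bytes:
    data_key = kms.decrypt_data_key(principal, record["key_id"], record["wrapped_key"])
    return aead_decrypt(data_key, record["ciphertext"])


def demo():
    """Round-trip a record, then show that revoking the grant stops decryption."""
    kms = MockKms()
    key_id = kms.create_key("admin")
    kms.grant(key_id, "app")
    record = encrypt_record(kms, "app", key_id, b"constructed sample: PAN 4111-xxxx")
    recovered = decrypt_record(kms, "app", record)
    # Whoever holds only the stored record (a leaked DB dump, say) has ciphertext
    # and a wrapped key; unwrapping needs a live, authorized call into the KMS.
    kms.revoke(key_id, "app")
    try:
        decrypt_record(kms, "app", record)
        revoked_ok = False
    except AccessDenied:
        revoked_ok = True
    return recovered, revoked_ok, kms.audit_log


if __name__ == "__main__":
    print(demo())
```

The stored record never contains a usable key, so an exfiltrated datastore is inert without continued access to the key service, and every use (including the denied one after `revoke`) lands in `audit_log`, which is where a detection rule on unexpected `Decrypt` calls would hook in.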

------
EGreg
Usually when I read "security" and "centralized" in the same sentence, I think
of an unsustainable model that will be disrupted in a few years.

------
neals
Lots of new Amazon services today?

~~~
martey
There is currently an AWS conference going on:
[https://reinvent.awsevents.com/](https://reinvent.awsevents.com/)

~~~
kaivi
A re:Invent banner has been all over AWS sites for half a year now; I can't
believe that this is it.

I was expecting Jeff standing up in a suit and talking to a live audience.
Instead, there is what appears to be a pre-recorded video stream of
advertisements on how AWS is great:

> _Think you're a good architect? These 12 tips will help you get around our
> global, fast and secure AWS infrastructure._

~~~
jeffbarr
Andy Jassy delivered the keynote earlier this morning to a capacity crowd. We
made 5 big announcements today and have more in store for tomorrow.

~~~
kaivi
Thanks, just figured out how huge this event actually is.

Any chance that VPC will support broadcast? The FAQ page is quite dry on
details.

------
lewaldman
Could anyone point me to what's wrong with nominal users and keys managed by
system automation (AKA Puppet/Chef/SaltStack)?

~~~
ermintrude
PCI compliance.

