AWS Key Management Service (AWS KMS) is a service that enables you to create and manage
encryption keys, and to control the use of encryption across a wide range of
AWS services and your applications. AWS KMS is a secure and resilient service
that uses hardware security modules (HSMs) that were validated under Federal
Information Processing Standards (FIPS) 140-2 (or are in the process of being
validated) to protect your keys. AWS KMS also integrates with AWS CloudTrail to
provide you with logs of all key usage to help meet your regulatory and
compliance needs.

Customer master keys (CMKs) are used to control access to data encryption keys that
encrypt and decrypt your data. You can create new keys when you want, and you
can manage who has access to these keys and who can use them. You can also
import keys from your own key management infrastructure into AWS KMS. AWS KMS
integrates with most AWS services, which means that you can use AWS KMS CMKs to
control the encryption of the data that you store in these services.

Amazon Cognito provides solutions to control access to AWS
resources from your application. You can define roles and map users to
different roles so your application can access only the resources that are
authorized for each user.

Amazon Cognito uses common identity management standards, such as Security Assertion Markup
Language (SAML) 2.0. SAML is an open standard for exchanging identity and
security information with applications and service providers. Applications and
service providers that support SAML enable you to sign in by using your
corporate directory credentials, such as your username and password from
Microsoft Active Directory. With SAML, you can use single sign-on (SSO) to sign
in to all of your SAML-enabled applications by using a single set of
credentials.

Amazon Cognito helps you meet multiple security and compliance requirements, including
requirements for highly regulated organizations such as healthcare companies
and merchants.

AWS Shield is a managed distributed denial of service
(DDoS) protection service that safeguards applications that run on AWS. It
provides always-on detection and automatic inline mitigations that minimize
application downtime and latency, so there is no need to engage AWS Support to benefit
from DDoS protection.

AWS Shield helps protect your website from all types of DDoS attacks, including
infrastructure-layer attacks (like User Datagram Protocol, or UDP, floods), state
exhaustion attacks (like TCP SYN floods), and application-layer attacks (like
HTTP GET or POST floods).