In the AWS cloud security system, data encryption, key management, and confidential information protection are the core links to ensure system security. AWS provides a variety of security services. Among them, AWS Key Management Service (KMS), AWS CloudHSM and AWS Secrets Manager are the three most commonly used ones. However, they are not functionally repetitive but are oriented towards different security requirements:
- AWS KMS: Managed key Management and encryption service, suitable for the vast majority of application scenarios. It is characterized by ease of use, low cost, and high integration with AWS services.
- AWS CloudHSM: Exclusive hardware security module service, providing the highest key autonomy and compliance guarantee, suitable for industries with extremely high security requirements (such as finance, government).
- AWS Secrets Manager: Focuses on the secure storage and automatic rotation of application confidential information (such as passwords, API keys, OAuth Tokens), reducing the risk of manual maintenance.
Understanding the working methods, advantages and disadvantages, and differences of these three is of great significance for making reasonable choices in architectural design.
What is AWS KMS?
AWS KMS is a fully managed key management service that enables users to securely generate, store and use encryption keys in the cloud, and can be seamlessly integrated with almost all AWS services such as S3, EBS, RDS, Lambda, etc. The KMS relies on a hardware security module (HSM) that complies with the FIPS 140-2 standard behind it to protect the encryption material of the key.
1. Key types of KMS
The Key in KMS is called KMS Key (formerly known as CMK), which is divided into three categories:
1.Customer managed keys
- Created and maintained by users, they have full control rights.
- You can customize key policies, set aliases and labels, enable or disable keys, and rotate them manually or automatically.
- It is suitable for scenarios that require refined permission control, such as SSE-KMS encrypted S3 buckets.
2.AWS managed keys
- Automatically created and managed by AWS, it is typically used in default encryption scenarios.
- The operation and maintenance cost is low, but the control authority is limited.
3.AWS owned keys (AWS Owned Keys)
- Not displayed in the user account, AWS uses it to encrypt some resources.
- Users do not need to manage, but they also cannot directly control.
2. Symmetric Keys vs. Asymmetric keys
- Symmetric key: The same key is used for both encryption and decryption. It is fast and suitable for most applications.
- Asymmetric keys: including public keys and private keys, they are suitable for scenarios such as cross-system encryption and digital signatures.
If the data needs to be encrypted and decrypted outside AWS, an asymmetric key might be more appropriate. Otherwise, in most cases, choosing symmetric keys is more efficient.
3. KMS cost
(Taking the 2025 standard as an example)
- Each key: 1 USD per month
- Regular request: 0.03 USD per 10,000 times
- Asymmetric key generation is more costly. For instance, RSA generation pairs are relatively expensive (over $10 per 10,000 times).
What is AWS Secret Manager?
Secrets Manager focuses on the management of application confidential information, such as database passwords, API keys, third-party service credentials, etc. It integrates with KMS to automatically encrypt the stored confidential information and decrypt it back when necessary.
1. Why is Secrets Manager needed?
The traditional approach is to directly write the password in the configuration file or code, which has two problems:
- The risk of password exposure is high. Once the code is leaked, the credentials will be stolen.
- Password rotation is complex and requires manual updates to multiple applications and configurations, making it very easy to miss any changes.
Secrets Manager addresses these pain points:
- Automatic rotation: Supports regular automatic password updates for databases such as RDS, Aurora, and Redshift.
- Centralized storage: All confidential information is centralized in secure storage and no longer scattered across the code.
- Version control: Manage the confidentiality of multiple versions through tags (such as AWSCURRENT, AWSPENDING) to achieve smooth switching.
2. Use the process example
- Create a Secret (such as the database connection password) and select the KMS Key used for encryption.
- Configure the automatic rotation strategy (for example, update every 30 days).
- When the application is running, it acquires the currently valid confidential information through the API instead of hard-coded passwords.
3. Secrets Manager cost
- Free trial for the first 30 days
- After that, each Secret: 0.4 USD per month
- API request: 0.05 USD per 10,000 requests
What is AWS CloudHSM?
CloudHSM is a service that provides a dedicated hardware security module, allowing you to obtain an HSM instance that belongs only to you on the AWS cloud, and you are the sole holder of the key, with no access from AWS.
1. Main features
It complies with the FIPS 140-2 Level 3 security standard and meets the compliance requirements of industries such as finance, healthcare, and government.
Supports standard encryption apis (PKCS#11, JCE, CNG), facilitating integration into existing systems.
Keys can be generated, imported and exported, and operations such as encryption and decryption, signature, HMAC and random number generation can be performed.
2. Differences from KMS
KMS: Fully managed, AWS manages infrastructure and high availability.
CloudHSM: You manage the HSM yourself, including key backup, recovery, high availability deployment, etc.
3. CloudHSM cost
(Take the Tokyo area as an example)
- 1.81 USD per hour
- One instance costs approximately 1,321 USD per month (excluding additional network/storage fees).
A comparison and summary of the three
| Feature | AWS KMS | AWS Secrets Manager | AWS CloudHSM |
|---|---|---|---|
| Core Functionality | Managed key management & encryption | Secret storage & rotation | Dedicated hardware security module |
| Fully Managed | Yes | Yes | No |
| AWS Integration Level | High | High | Medium |
| Control Level | Medium (partially configurable) | Medium | Highest (fully self-managed) |
| Common Use Cases | S3/EBS data encryption | Database passwords, API key management | Financial-grade encryption, digital signatures |
| Cost | Low | Medium | High |
| Compliance Level | High | High | Highest |
Selection suggestions
- For daily cloud-based data encryption, KMS is the top choice as it is simple, easy to use and cost-effective.
- Apply Credentials and Password Management → Use Secrets Manager to reduce the risk of manual maintenance.
- High security & compliance requirements → Choose CloudHSM to gain full key control.
In many practical architectures, the three are often used in combination:
Generate the top-level master key with CloudHSM → Import it into KMS for daily encryption → Manage application credentials through Secrets Manager.
This solution takes into account security, operation and maintenance efficiency, and cost control.