Topic — AWS SAA Foundational Knowledge Supplement
Exam scope — AWS SAA (Solutions Architect Associate)
Services covered — ACM, Secrets Manager, CloudHSM, Firewall Manager

These notes were written during SAA exam prep to fill in gaps on AWS services I was less familiar with — a quick reference for future review.

AWS Certificate Manager (ACM)

ACM is the "one-stop shop for SSL/TLS certificate issuance and management," keeping websites securely encrypted so the padlock icon appears in the browser address bar.

  • Fully automated management: Creation, storage, and renewal are all handled by ACM; public certificates auto-renew before expiration, preventing "Not Secure" warnings
  • Two certificate sources:
    • Request a free certificate directly from AWS and attach it to a Load Balancer or CloudFront
    • Import third-party certificates (GoDaddy, etc.) for centralized management
  • Coverage scope:
    • Single domain: www.example.com
    • Multiple specific domains: one certificate protecting both example.com and example.net
    • Wildcard: *.example.com protects unlimited subdomains with a single certificate
  • Enterprise private certificates: Combined with AWS Private CA, you can issue private certificates and export them for use in enterprise internal PKI environments

AWS Secrets Manager

Secrets Manager is a "cloud digital vault with automatic password rotation," allowing applications to dynamically retrieve credentials rather than hard-coding them in source code.

  • Eliminate hard-coded credentials: No real passwords appear in the code — only calls to the Secrets Manager API. Even if source code leaks, attackers only see a command that says "go retrieve the password from the vault"
  • Automatic rotation: Configure a schedule (e.g., every 30 days) to automatically rotate database passwords, reducing the attack window after a credential compromise
  • No redeployment needed: After rotation, the application requires no code changes and no redeployment — it automatically retrieves the latest credentials on the next execution
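The retrieval pattern these three points describe, as an added example (not AWS sample code): the application fetches the secret at runtime through a cached client wrapper, and if a database rejects the cached password because a scheduled rotation has happened, it refetches the current value once and retries instead of needing a redeploy. It assumes the secret is a JSON string with "username" and "password" keys and accepts any object exposing get_secret_value, so the stand-in client and database below are constructed for offline use in place of boto3.client("secretsmanager") and a real DB driver.

```python
import json
import time

class SecretCache:
    """Cache one Secrets Manager secret; refetch when the TTL lapses or when forced."""
    def __init__(self, client, secret_id, ttl_seconds=300, clock=time.monotonic):
        self.client, self.secret_id = client, secret_id   # client: boto3.client("secretsmanager")
        self.ttl, self.clock = ttl_seconds, clock
        self._value, self._fetched_at = None, None

    def get(self, force_refresh=False):
        # TTL expiry is what lets a rotated password be picked up without a redeploy.
        stale = self._fetched_at is None or self.clock() - self._fetched_at > self.ttl
        if force_refresh or stale:
            resp = self.client.get_secret_value(SecretId=self.secret_id)  # AWSCURRENT version
            self._value = json.loads(resp["SecretString"])
            self._fetched_at = self.clock()
        return self._value

def connect_with_retry(cache, connect):
    """connect(username, password) must raise PermissionError on a rejected password."""
    secret = cache.get()
    try:
        return connect(secret["username"], secret["password"])
    except PermissionError:
        # The password may have rotated since we cached it: refetch once, then retry.
        secret = cache.get(force_refresh=True)
        return connect(secret["username"], secret["password"])

# Constructed stand-ins so the example runs offline; not the real boto3 client or a real DB.
class FakeSecretsManager:
    password, calls = "pw-v1", 0
    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"SecretString": json.dumps({"username": "app", "password": self.password})}
class FakeDatabase:
    password = "pw-v1"
    def connect(self, username, password):
        if password != self.password:
            raise PermissionError("authentication failed")
        return f"session:{username}"

def demo():
    sm, db = FakeSecretsManager(), FakeDatabase()
    cache = SecretCache(sm, "prod/app/db")
    first = connect_with_retry(cache, db.connect)   # first call fetches the secret
    sm.password = db.password = "pw-v2"             # simulated scheduled rotation
    second = connect_with_retry(cache, db.connect)  # cached pw-v1 rejected, refetched, succeeds
    return first, second, sm.calls                  # ("session:app", "session:app", 2)
```

In production the TTL keeps API calls low while the retry path covers the window between a rotation and the next TTL expiry.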

AWS CloudHSM

CloudHSM is a dedicated physical hardware security module (HSM) hosted in AWS data centers — single-tenant, and inaccessible even to AWS employees.

  • Dedicated physical hardware: Single-tenant, physically isolated from other customers at the hardware level; AWS handles machine maintenance but control remains entirely with you
  • Military-grade certification: Supports FIPS 140-2 / 140-3 Level 3 certification, meeting the strictest regulatory requirements for industries like finance; can also switch to non-FIPS mode for special algorithms
  • Even AWS cannot see your keys: Data plane is end-to-end encrypted (E2E); AWS cannot read your keys. The trade-off is that IAM cannot be used to manage it — you must manage user accounts directly on the device
  • 100% key ownership: Freely generate, import, and export any symmetric or asymmetric keys without being limited by KMS algorithm constraints
  • Painless cloud migration: Full support for industry-standard APIs including PKCS #11, JCE, and CNG — existing on-premises HSM applications can connect with virtually no code changes

AWS Firewall Manager

Firewall Manager is the "central security command center" for multi-account enterprise environments — responsible for uniformly managing all firewall rules rather than being a new firewall itself.

  • Define once, deploy everywhere: Write security rules in Firewall Manager and they automatically propagate to all accounts and resources under AWS Organizations — centrally managing WAF, Shield Advanced (DDoS protection), and VPC Security Groups
  • Automated coverage:
    • New servers or websites automatically inherit protection rules — no manual intervention
    • New accounts joining the AWS Organization are automatically brought under the protection umbrella
  • Precise conditional application: Apply rules by resource type (e.g., only to all CloudFront distributions) or by tag (e.g., apply the strictest rules only where Environment = Production) for fine-grained control
  • Centralized monitoring: A unified dashboard displays DDoS attack status and non-compliant accounts across the entire organization — the full picture in a single view

Quick Review

Service            Positioning
ACM                Fully automated SSL/TLS certificate issuance, renewal, and centralized management
Secrets Manager    Centralized credential storage, dynamic access, automatic rotation
CloudHSM           Single-tenant physical encryption hardware; even AWS cannot access the keys
Firewall Manager   Centralized firewall rule management and automatic enforcement across multi-account environments