
I need to store user database credentials securely for an application to access.

I have considered:

- using AWS RDS with an encrypted PostgreSQL instance
- using the AWS key management system, backed by a hardware security module

Doesn't the KMS still create a single point of failure? If my application's keys to the KMS API are stolen, won't the thief be able to read all the passwords stored in the KMS (even if each user is using their own key)?

What is the recommended setup for something like this?

skunkwerk

2 Answers


The HSM only makes it so that you know there is only 1 copy of the key. Use of the key is a separate issue. You do get the peace of mind that someone hasn't copied the key and is using it somewhere else. If the HSM is safe, the key is safe.

returneax

You could use an HSM-backed Azure Key Vault with only a Service Principal that has permissions to the Key Vault via certificate, and set the permissions to Get only. That way, the only way for an attacker to access the key vault is via the same machine/resource that is using the certificate authentication to the Key Vault, and even then it needs the exact name of the secret you are looking for to get the value. Here is the Key Vault getting-started guide, which details what you need.

I work with Key Vault heavily so I'll be happy to provide additional details if needed.
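As an added example (not part of the original answer), the setup described above using the Az PowerShell module: a certificate-authenticated service principal, an access policy granting Get on secrets and nothing else, and the application-side retrieval. Vault name, resource group, application name, certificate path and tenant id are placeholders.

```powershell
# Added example: least-privilege Key Vault access for an application identity.
# All values below are placeholders, not real resources.
$VaultName = 'kv-example-placeholder'
$AppName   = 'db-credential-reader'
$CertPath  = 'C:\certs\db-credential-reader.cer'      # public certificate only
$TenantId  = '00000000-0000-0000-0000-000000000000'   # placeholder tenant id

# --- Operator side (run once, by someone with rights on the vault) ---

# 1. Register a service principal that authenticates with a certificate
#    rather than a client secret; only a host holding the private key can sign in.
$CertBytes = [System.IO.File]::ReadAllBytes($CertPath)
$CertValue = [System.Convert]::ToBase64String($CertBytes)
$Sp = New-AzADServicePrincipal -DisplayName $AppName -CertValue $CertValue

# 2. Grant that principal Get on secrets and nothing else. Without List, an
#    attacker on the app host still needs the exact secret name; without
#    Set/Delete it cannot alter or remove what is stored.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName `
    -ServicePrincipalName $Sp.AppId `
    -PermissionsToSecrets get

# The weak setting this replaces: a broad policy that lets anyone holding the
# application credential enumerate and rewrite every secret in the vault.
#   Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ServicePrincipalName $Sp.AppId `
#       -PermissionsToSecrets get,list,set,delete     # avoid for an app identity

# 3. Store the database credential (operator only; the app has no Set right).
$DbPassword = Read-Host -AsSecureString -Prompt 'Database password'
Set-AzKeyVaultSecret -VaultName $VaultName -Name 'app-db-password' -SecretValue $DbPassword

# --- Application side (on the host that holds the certificate's private key) ---
$Thumbprint = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath).Thumbprint
Connect-AzAccount -ServicePrincipal -TenantId $TenantId `
    -ApplicationId $Sp.AppId -CertificateThumbprint $Thumbprint

# The app must know the secret's exact name; it cannot list the vault.
$DbPasswordPlain = Get-AzKeyVaultSecret -VaultName $VaultName -Name 'app-db-password' -AsPlainText
```

Enable diagnostic logging on the vault so that every Get, including failed ones from an unexpected principal or host, is recorded and can be alerted on.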