I need to store user database credentials securely for an application to access.
I have considered:
- using AWS RDS with an encrypted PostgreSQL instance
- using the AWS key management system, backed by a hardware security module
Doesn't the KMS still create a single point of failure? If my application's keys to the KMS API are stolen, they will be able to read all the passwords stored in the KMS (even if each user is using their own key)?
What is the recommended setup for something like this?