Study Guide: Encryption at Rest and In Transit
Define encryption at rest and in transit
Encryption Fundamentals: At Rest and In Transit
This study guide focuses on the critical security concepts of protecting data both while it moves through a network and when it is stored on physical media, specifically within the AWS ecosystem.
Learning Objectives
- Define and distinguish between encryption at rest and encryption in transit.
- Identify the protocols used to secure data in transit (SSL/TLS).
- Evaluate the different server-side encryption (SSE) options for Amazon S3.
- Understand the required API headers for implementing various S3 encryption methods.
- Differentiate between AWS-managed keys and customer-provided keys.
Key Terms & Glossary
- Ciphertext: The result of encryption performed on plaintext using an algorithm and a key; it is unreadable without decryption.
- SSL/TLS (Secure Sockets Layer/Transport Layer Security): Cryptographic protocols designed to provide communications security over a computer network.
- AES-256: Advanced Encryption Standard with a 256-bit key; a symmetric-key algorithm used widely for data at rest.
- Symmetric Encryption: A type of encryption where the same key is used for both encryption and decryption.
- Server-Side Encryption (SSE): Encryption that occurs at the destination (the server) before the data is written to disk.
- KMS (Key Management Service): An AWS service that makes it easy for you to create and manage cryptographic keys.
The "Big Idea"
[!IMPORTANT] Encryption is the primary mechanism for ensuring Confidentiality in the CIA Triad (Confidentiality, Integrity, Availability). In AWS, encryption is a shared responsibility: AWS provides the tools and infrastructure (like KMS and SSL endpoints), while the developer must choose and configure the correct encryption level based on compliance and security requirements.
Formula / Concept Box
When performing PUT operations to S3, the following headers determine the encryption behavior:
| Encryption Type | Required Header Key | Required Header Value |
|---|---|---|
| SSE-S3 | x-amz-server-side-encryption | AES256 |
| SSE-KMS | x-amz-server-side-encryption | aws:kms |
| DSSE-KMS | x-amz-server-side-encryption | aws:kms:dsse |
| SSE-C | x-amz-server-side-encryption-customer-key (sent together with x-amz-server-side-encryption-customer-algorithm and x-amz-server-side-encryption-customer-key-MD5) | Base64-encoded 256-bit key |
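To make the header table concrete, here is an added example (written for this guide, not code from AWS or any SDK) that builds the request headers for each mode from a mode name. It uses only the Python standard library and does not contact S3; the SSE-C branch shows the detail the table compresses into one row: the key is base64-encoded into one header, its algorithm into a second, and an MD5 of the raw key into a third so the service can detect a corrupted key before using it. The function names `sse_headers` and `customer_key_headers_consistent` and the demo key are assumptions of this example.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional

# Request header names S3 recognises on a PUT Object request.
SSE_HEADER = "x-amz-server-side-encryption"
SSE_KMS_KEY_ID_HEADER = "x-amz-server-side-encryption-aws-kms-key-id"
SSEC_ALGORITHM_HEADER = "x-amz-server-side-encryption-customer-algorithm"
SSEC_KEY_HEADER = "x-amz-server-side-encryption-customer-key"
SSEC_KEY_MD5_HEADER = "x-amz-server-side-encryption-customer-key-MD5"


def sse_headers(mode: str,
                kms_key_id: Optional[str] = None,
                customer_key: Optional[bytes] = None) -> Dict[str, str]:
    """Build the headers that select one S3 server-side encryption mode.

    mode is one of "SSE-S3", "SSE-KMS", "DSSE-KMS" or "SSE-C" (names as used in the guide).
    """
    if mode == "SSE-S3":
        return {SSE_HEADER: "AES256"}
    if mode in ("SSE-KMS", "DSSE-KMS"):
        headers = {SSE_HEADER: "aws:kms" if mode == "SSE-KMS" else "aws:kms:dsse"}
        # The key id is optional: without it S3 uses the account's AWS-managed aws/s3 key.
        if kms_key_id:
            headers[SSE_KMS_KEY_ID_HEADER] = kms_key_id
        return headers
    if mode == "SSE-C":
        # SSE-C keys are AES-256 keys, so exactly 32 raw bytes; S3 rejects anything else.
        if customer_key is None or len(customer_key) != 32:
            raise ValueError("SSE-C requires a 256-bit (32-byte) customer key")
        return {
            SSEC_ALGORITHM_HEADER: "AES256",
            # The raw key travels base64-encoded in a header: with SSE-C the key itself
            # is "in transit", which is why the request must go over TLS.
            SSEC_KEY_HEADER: base64.b64encode(customer_key).decode("ascii"),
            # MD5 of the raw key lets the service detect a corrupted or truncated key.
            SSEC_KEY_MD5_HEADER: base64.b64encode(
                hashlib.md5(customer_key).digest()).decode("ascii"),
        }
    raise ValueError(f"unknown encryption mode: {mode}")


def customer_key_headers_consistent(headers: Dict[str, str]) -> bool:
    """Mirror the server-side sanity check on SSE-C headers: the key must decode to
    32 bytes and the MD5 header must match it. Returns False on any mismatch."""
    try:
        key = base64.b64decode(headers[SSEC_KEY_HEADER], validate=True)
        sent_md5 = base64.b64decode(headers[SSEC_KEY_MD5_HEADER], validate=True)
    except (KeyError, ValueError):  # missing header or malformed base64
        return False
    return len(key) == 32 and hmac.compare_digest(sent_md5, hashlib.md5(key).digest())


if __name__ == "__main__":
    demo_key = bytes(range(32))  # constructed key for illustration only; never use a fixed key
    for mode in ("SSE-S3", "SSE-KMS", "DSSE-KMS"):
        print(mode, sse_headers(mode))
    ssec = sse_headers("SSE-C", customer_key=demo_key)
    print("SSE-C", ssec, "consistent:", customer_key_headers_consistent(ssec))
```

When using an SDK such as boto3, the equivalent `put_object` parameters are `ServerSideEncryption`, `SSEKMSKeyId`, `SSECustomerAlgorithm` and `SSECustomerKey`; the SDK computes the key MD5 header for you, but the wire format is the one built above.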
Hierarchical Outline
- Encryption in Transit
- Protects data as it travels between client and server.
- Mechanism: SSL/TLS.
- Example: HTTPS requests to an S3 bucket endpoint.
- Encryption at Rest
- Protects data when it is stored on physical disks (HDD/SSD).
- Mechanism: AES-256 (standard).
- Amazon S3 Implementation Options:
- SSE-S3: Default, managed entirely by AWS.
- SSE-KMS: Managed via AWS KMS; provides audit logs and key rotation.
- DSSE-KMS: Dual-layer encryption for high-security compliance.
- SSE-C: Customer manages keys; AWS performs the encryption/decryption logic.
- Key Permissions for SSE-KMS
- User needs kms:GenerateDataKey to upload.
- User needs kms:Decrypt to download.
Visual Anchors
S3 Encryption Decision Flow
Visualization of Data States
Definition-Example Pairs
- SSE-S3 (Server-Side Encryption with Amazon S3 Managed Keys)
- Definition: AWS manages the encryption keys and handles the cryptographic processes automatically.
- Example: A standard backup bucket where you want basic security without managing keys manually. From Jan 5, 2023, this is the default for all new objects.
- SSE-KMS (Server-Side Encryption with AWS KMS Keys)
- Definition: Encryption using keys stored in AWS KMS, providing an audit trail of key usage via CloudTrail.
- Example: A financial application requiring strict compliance where every access to the data must be logged and keys must be rotated annually.
- SSE-C (Server-Side Encryption with Customer-Provided Keys)
- Definition: You provide the key in the API request; S3 uses it to encrypt/decrypt then immediately discards it from memory.
- Example: A highly regulated legal firm that must maintain physical possession of their cryptographic keys but wants to use S3 for storage.
Worked Examples
Example 1: Uploading an Object with SSE-S3 via CLI
To ensure an object is encrypted using the default SSE-S3 method, you include the server-side encryption flag.
Command:
```bash
aws s3 cp myfile.txt s3://my-secure-bucket/ --sse AES256
```
What's happening?
- The CLI sends the PUT request with the header x-amz-server-side-encryption: AES256.
- S3 receives the plaintext data over an SSL/TLS connection (Transit).
- S3 generates a unique data key, encrypts the file, and stores it on disk (Rest).
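The upload above relies on the client remembering to send the encryption header. As an added example (written for this guide, not AWS's own code or documentation), here is the bucket policy a defender would attach so that an upload to `my-secure-bucket` without the expected server-side encryption header, or any request not made over TLS, is refused, together with a simplified evaluator that shows which statement fires for a given request. The bucket name is the constructed one from the worked example; the function names and the evaluator are assumptions of this example, and the evaluator models only the three condition operators the policy uses, not IAM's full evaluation logic.

```python
import json
from typing import Dict, List

# Condition keys as IAM exposes them in the request context.
SSE_CONDITION_KEY = "s3:x-amz-server-side-encryption"
TLS_CONDITION_KEY = "aws:SecureTransport"


def encryption_enforcement_policy(bucket: str, sse_value: str = "aws:kms") -> dict:
    """Bucket policy with three explicit Deny statements:
    1. PutObject with no encryption header at all,
    2. PutObject whose header value is not the mandated one (default SSE-KMS),
    3. any request that did not arrive over TLS (encryption in transit)."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    objects_arn = f"{bucket_arn}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnencryptedPut",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects_arn,
                "Condition": {"Null": {SSE_CONDITION_KEY: "true"}},
            },
            {
                "Sid": "DenyWrongEncryption",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects_arn,
                "Condition": {"StringNotEquals": {SSE_CONDITION_KEY: sse_value}},
            },
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, objects_arn],
                "Condition": {"Bool": {TLS_CONDITION_KEY: "false"}},
            },
        ],
    }


def _condition_matches(condition: Dict[str, Dict[str, str]], ctx: Dict[str, str]) -> bool:
    """All operator/key pairs in a Condition block must match (IAM ANDs them).
    The Null statement covers the absent-header case explicitly, so this simplified
    evaluator treats StringNotEquals as matching only when the key is present."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "Null":
                if (actual is None) != (expected == "true"):
                    return False
            elif operator == "StringNotEquals":
                if actual is None or actual == expected:
                    return False
            elif operator == "Bool":
                if actual is None or actual != expected:
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True


def simulate_put(policy: dict, request_headers: Dict[str, str],
                 secure_transport: bool = True) -> str:
    """Return the Sid of the first Deny statement a PutObject request trips, or
    "ALLOW" if none does (assuming the principal is otherwise allowed by IAM)."""
    ctx = {TLS_CONDITION_KEY: "true" if secure_transport else "false"}
    sse = request_headers.get("x-amz-server-side-encryption")
    if sse is not None:
        ctx[SSE_CONDITION_KEY] = sse
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions: List[str] = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(a in ("s3:*", "s3:PutObject") for a in actions):
            continue
        if _condition_matches(stmt["Condition"], ctx):
            return stmt["Sid"]
    return "ALLOW"


if __name__ == "__main__":
    policy = encryption_enforcement_policy("my-secure-bucket")
    print(json.dumps(policy, indent=2))
    # Constructed requests: the worked example's SSE-S3 upload is refused by an SSE-KMS policy.
    print(simulate_put(policy, {"x-amz-server-side-encryption": "AES256"}))
    print(simulate_put(policy, {"x-amz-server-side-encryption": "aws:kms"}))
    print(simulate_put(policy, {}))
    print(simulate_put(policy, {"x-amz-server-side-encryption": "aws:kms"}, secure_transport=False))
```

Note that `s3:x-amz-server-side-encryption` in the policy is the IAM condition key that mirrors the `x-amz-server-side-encryption` request header; the `s3:` prefix belongs in policies, not in the HTTP header itself. Since bucket-level default encryption became universal, an unencrypted PutObject is rare, but the policy still guarantees the chosen key mode (for example SSE-KMS rather than SSE-S3) and the TLS requirement.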
Example 2: Accessing SSE-KMS Objects
If an object was encrypted with SSE-KMS, the IAM principal (User or Role) attempting to download it must have permissions in their IAM policy AND the KMS Key Policy.
Required JSON Policy Fragment:
```json
{
  "Effect": "Allow",
  "Action": ["kms:Decrypt"],
  "Resource": "arn:aws:kms:us-east-1:123456789012:key/your-key-id"
}
```
Checkpoint Questions
- What protocol is used to secure data in transit when communicating with AWS APIs?
- Answer: SSL/TLS (HTTPS).
- Since January 2023, what is the default encryption state for new S3 objects?
- Answer: SSE-S3 (AES-256) is applied automatically at no extra cost.
- Which S3 encryption method should you choose if you need an audit trail of when the encryption key was used?
- Answer: SSE-KMS.
- True or False: In SSE-C, AWS manages the storage and rotation of your encryption keys.
- Answer: False. The customer must manage the keys; AWS only uses them temporarily for the operation.
- Which header must be set to use SSE-KMS in a REST API request?
- Answer: x-amz-server-side-encryption: aws:kms.