Mastering AWS Data Encryption: At Rest and In Transit
Encryption options for data at rest and data in transit
This guide explores the critical security controls for protecting data throughout its lifecycle in the AWS ecosystem, specifically focusing on encryption strategies for storage and transmission as required for the SAP-C02 Professional exam.
Learning Objectives
- Differentiate between encryption at rest and encryption in transit across core AWS services.
- Evaluate the appropriate key management solution (KMS vs. CloudHSM vs. XKS) based on compliance requirements.
- Identify service-specific encryption capabilities for S3, FSx, DataSync, and the Snow Family.
- Analyze the trade-offs of performance, control, and latency in encryption architectures.
Key Terms & Glossary
- FIPS 140-2 Level 3: A US government security standard for hardware security modules; AWS KMS and CloudHSM meet this level for physical tamper resistance.
- SSE (Server-Side Encryption): Data is encrypted at its destination by the AWS service before being written to disk.
- TLS (Transport Layer Security): The standard protocol for encrypting data in transit over a network.
- HYOK (Hold Your Own Key): A security model where the customer maintains physical control of cryptographic material outside the cloud provider's perimeter.
- PII (Personally Identifiable Information): Sensitive data that can identify an individual, which Amazon Macie is designed to discover.
The "Big Idea"
Encryption is the "least you can do" for security. In modern cloud architecture, the compute cost of encryption is negligible, but the cost of a data breach is catastrophic. Effective encryption requires a Defense in Depth strategy where data is never "clear text" while sitting on a disk (At Rest) or moving across a wire (In Transit).
Formula / Concept Box
| Encryption Type | Key Management | Responsibility | Best For... |
|---|---|---|---|
| SSE-S3 | Amazon S3 Managed | AWS | Low-friction, default security |
| SSE-KMS | AWS KMS Managed | Customer + AWS | Auditing, rotation, and access control |
| SSE-C | Customer Provided | Customer | Compliance where keys cannot reside in AWS |
| Client-Side | Customer Managed | Customer | Encrypting before data hits the network |
Hierarchical Outline
- Encryption at Rest (Storage)
- Amazon S3: Supports SSE-S3, SSE-KMS, and Bucket Keys for reduced KMS costs.
- Amazon FSx: Uses AWS KMS to encrypt file systems automatically.
- Storage Gateway: Encrypts volumes and tapes using KMS; cached data is encrypted at rest.
- Snow Family: Devices (Snowcone, Snowball) use 256-bit encryption; keys are managed by KMS and never stored on the device.
- Encryption in Transit (Movement)
- SSL/TLS: The primary mechanism for almost all AWS APIs and service-to-service communication.
- AWS DataSync: Uses various TLS ciphers depending on the agent endpoint; does not store data (no at-rest encryption needed).
- S3 Transfer Acceleration: Combines SSL/TLS with the option for client-side encryption for secure, high-speed ingestion.
- Key Management Services
- AWS KMS (Shared): Managed fleet of HSMs; easy integration with most services.
- AWS CloudHSM (Dedicated): Customer-controlled single-tenant HSMs for specific compliance (PKCS #11, JCE).
- External Key Store (XKS): Keys held on-premises; highest control but introduces latency and availability risks.
Visual Anchors
Data Protection Workflow
The Control Spectrum
```latex
\begin{tikzpicture}[node distance=2cm]
  \draw[latex-latex, thick] (0,0) -- (10,0);
  \node at (0,-0.5) {Ease of Use};
  \node at (10,-0.5) {Customer Control};
  \draw[fill=blue!20]   (1,0.2) rectangle (3,0.8) node[pos=.5] {SSE-S3};
  \draw[fill=green!20]  (4,0.2) rectangle (6,0.8) node[pos=.5] {AWS KMS};
  \draw[fill=orange!20] (7,0.2) rectangle (9,0.8) node[pos=.5] {CloudHSM/XKS};
  \node at (5,-1.5) {\textbf{Encryption Key Management Options}};
\end{tikzpicture}
```
Definition-Example Pairs
- Asymmetric Encryption: Using a public key to encrypt and a private key to decrypt.
- Example: Establishing a TLS session with an S3 Transfer Acceleration endpoint, where the endpoint's SSL certificate carries the public key used in the handshake.
- Server-Side Encryption (SSE): The cloud provider handles the encryption process after receiving the data.
- Example: Toggling the "Encrypt" checkbox on an S3 bucket so all uploaded `.pdf` files are automatically encrypted by AWS before they touch the physical disk.
- Pattern Matching Discovery: Using AI to find sensitive strings like credit card numbers.
- Example: Running Amazon Macie on an S3 bucket to identify accidentally uploaded PII (Personally Identifiable Information).
Worked Examples
Scenario: Migrating Financial Records to AWS
Requirement: Move 50TB of sensitive records from on-premises to S3. Data must be encrypted during the 2-week transfer and must be stored using keys that only the Security Team can rotate.
- In-Transit Solution: Use AWS DataSync. It will automatically apply TLS encryption to the data as it moves from the local agent to the AWS endpoint.
- At-Rest Solution: Configure the destination S3 bucket to use SSE-KMS.
- Key Management: The Security Team creates a Customer Managed Key (CMK) in AWS KMS. They set a rotation policy and define a KMS Key Policy that limits `kms:Decrypt` permissions to the specific Financial Application IAM role.
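The scenario above written out as the two policy documents the Security Team would author, plus a small evaluator that shows which PutObject requests the bucket policy lets through. This is an added example, not code from the original study notes or from AWS; every ARN, account ID, key ID, role name and object key in it is a constructed placeholder, and the evaluator implements only the IAM condition operators the policies use.

```python
"""Added example: SSE-KMS at-rest controls for the financial-records bucket.
All ARNs, IDs and names are constructed placeholders, not real resources."""
import fnmatch
import json

ACCOUNT_ID = "111122223333"                            # placeholder account
BUCKET_ARN = "arn:aws:s3:::financial-records-example"  # placeholder bucket
KEY_ARN = (f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/"
           "11111111-2222-3333-4444-555555555555")     # placeholder CMK
SECURITY_TEAM_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/SecurityTeam"
FINANCE_APP_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/FinancialApplication"


def kms_key_policy() -> dict:
    """Key policy for the CMK: the Security Team holds the administrative
    actions (kms:Enable* covers EnableKeyRotation); only the Financial
    Application role may use the key. S3 calls kms:GenerateDataKey on the
    writer's behalf for SSE-KMS objects, so the role needs that too."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "SecurityTeamAdministersKey", "Effect": "Allow",
         "Principal": {"AWS": SECURITY_TEAM_ROLE},
         "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                    "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                    "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
                    "kms:CancelKeyDeletion"],
         "Resource": "*"},
        {"Sid": "FinancialAppUsesKey", "Effect": "Allow",
         "Principal": {"AWS": FINANCE_APP_ROLE},
         "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
         "Resource": "*"}]}


def bucket_default_encryption() -> dict:
    """ServerSideEncryptionConfiguration for PutBucketEncryption: SSE-KMS with
    the team's key and an S3 Bucket Key, so S3 does not call KMS per object."""
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": KEY_ARN},
        "BucketKeyEnabled": True}]}


def bucket_policy() -> dict:
    """Explicit denies backing the default: no plaintext transport, no
    PutObject that is not SSE-KMS, no PutObject under a different key."""
    def deny(sid, action, resource, cond):
        return {"Sid": sid, "Effect": "Deny", "Principal": "*",
                "Action": action, "Resource": resource, "Condition": cond}
    return {"Version": "2012-10-17", "Statement": [
        deny("DenyInsecureTransport", "s3:*", [BUCKET_ARN, BUCKET_ARN + "/*"],
             {"Bool": {"aws:SecureTransport": "false"}}),
        deny("DenyNonKmsUploads", "s3:PutObject", BUCKET_ARN + "/*",
             {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}),
        deny("DenyWrongKey", "s3:PutObject", BUCKET_ARN + "/*",
             {"StringNotEquals": {
                 "s3:x-amz-server-side-encryption-aws-kms-key-id": KEY_ARN}})]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_true(operator, key, expected, ctx) -> bool:
    """IAM semantics for the operators used above. A negated operator such as
    StringNotEquals is true when the key is absent from the request context,
    which is why an upload with no encryption header hits the deny."""
    actual = ctx.get(key)
    if operator == "StringNotEquals":
        return actual is None or actual != expected
    if operator == "StringEquals":
        return actual == expected
    if operator == "Bool":
        return actual is not None and actual.lower() == expected.lower()
    raise ValueError(f"unsupported operator {operator}")


def evaluate_bucket_policy(policy, action, resource, ctx) -> str:
    """'Deny' if any Deny statement matches the request, else 'Allow'
    (the caller's identity policy is assumed to grant the action)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if all(_condition_true(op, k, v, ctx)
               for op, kv in stmt.get("Condition", {}).items()
               for k, v in kv.items()):
            return "Deny"
    return "Allow"


def upload_allowed(headers: dict, secure_transport: bool = True) -> bool:
    """Would a PutObject carrying these x-amz-* headers pass the bucket policy?"""
    ctx = {"aws:SecureTransport": "true" if secure_transport else "false"}
    for hdr in ("x-amz-server-side-encryption",
                "x-amz-server-side-encryption-aws-kms-key-id"):
        if hdr in headers:
            ctx["s3:" + hdr] = headers[hdr]
    return evaluate_bucket_policy(bucket_policy(), "s3:PutObject",
                                  BUCKET_ARN + "/ledger-example.csv", ctx) == "Allow"


def decrypt_principals(policy: dict) -> list:
    """Principals an Allow statement grants kms:Decrypt, directly or via wildcard."""
    return [s["Principal"]["AWS"] for s in policy["Statement"]
            if s["Effect"] == "Allow"
            and any(fnmatch.fnmatchcase("kms:Decrypt", a) for a in _as_list(s["Action"]))]


if __name__ == "__main__":
    print(json.dumps(kms_key_policy(), indent=2))
    ok = {"x-amz-server-side-encryption": "aws:kms",
          "x-amz-server-side-encryption-aws-kms-key-id": KEY_ARN}
    print("SSE-KMS with team key:", upload_allowed(ok))
    print("No encryption header:", upload_allowed({}))
```

The bucket policy is the check that catches what a default-encryption setting alone does not: a client that explicitly asks for SSE-S3 or for some other KMS key. The key policy is where the "only the Security Team can rotate" requirement actually lives; the S3 side never needs to know who is allowed to rotate.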
Checkpoint Questions
- Does AWS DataSync provide encryption at rest? (Answer: No, it is a transfer service; it only manages encryption in transit).
- What is the main risk of using an External Key Store (XKS)? (Answer: Increased latency and the risk of data becoming inaccessible if the on-premises HSM goes offline).
- Which service would you use to find unencrypted PII in an S3 bucket? (Answer: Amazon Macie).
Muddy Points & Cross-Refs
- KMS vs. CloudHSM: Students often confuse these. Remember: KMS is managed/shared (you manage keys, AWS manages hardware). CloudHSM is unmanaged/dedicated (you manage the hardware/users/keys). Use CloudHSM only for specific regulatory requirements or legacy APIs (PKCS#11).
- XKS Latency: With XKS, every KMS encrypt or decrypt request that uses the external key must call back to the HSM in your on-premises data center. If that network link is slow or down, every AWS service relying on the key slows down or fails with it.
Comparison Tables
Transport Security Comparison
| Service | Transit Protocol | Client-Side Support? |
|---|---|---|
| S3 | SSL/TLS (HTTPS) | Yes |
| DataSync | TLS (Multiple Ciphers) | No (Handled by Agent) |
| Kinesis Firehose | SSL/TLS | Yes |
| Snowball | Physically secured shipment | N/A (Encryption is at rest) |
AWS KMS Key Types
| Key Type | Managed By | Rotation | Cost |
|---|---|---|---|
| AWS Managed | AWS | Every 3 years (Auto) | Free |
| Customer Managed | You | Every 1 year (Optional) | $1/month |
| AWS Owned | AWS | Internal | Free |