Curriculum Overview

Curriculum Overview: Designing and Implementing Controls for Data at Rest

Design and implement controls for data at rest

This curriculum provides a comprehensive roadmap for mastering data protection in the AWS cloud, specifically focusing on persistent data. It covers the encryption lifecycle, integrity mechanisms, and automated retention strategies required for the AWS Certified Security - Specialty (SCS-C03) exam.

Prerequisites

Before starting this curriculum, students should have a solid foundation in the following areas:

  • AWS Identity and Access Management (IAM): Understanding of policies, roles, and the principle of least privilege.
  • Cryptographic Basics: Familiarity with symmetric vs. asymmetric encryption and hashing algorithms.
  • Core AWS Storage Services: Basic operational knowledge of Amazon S3, EBS, RDS, and EFS.
  • Shared Responsibility Model: Clear understanding of where AWS's responsibility ends and the customer's responsibility begins regarding data encryption.

Module Breakdown

| Module | Topic | Primary Services | Difficulty |
|---|---|---|---|
| 1 | Encryption Foundations | AWS KMS, CloudHSM | Intermediate |
| 2 | Storage-Specific Encryption | S3, EBS, RDS, DynamoDB | Intermediate |
| 3 | Data Integrity & Immutability | S3 Object Lock, Glacier Vault Lock | Advanced |
| 4 | Lifecycle & Backup Management | S3 Lifecycle, AWS Backup, DLM | Beginner |
| 5 | Advanced Key Management | Custom Key Stores, Imported Key Material | Advanced |

Key Decision Flow: KMS vs. CloudHSM

[Diagram not captured: decision flow for choosing between AWS KMS and AWS CloudHSM]

Learning Objectives per Module

Module 1: Encryption Foundations

  • Differentiate between AWS managed keys and customer managed keys (formerly "customer master keys", CMKs), and know which of the two you can control the key policy, rotation and deletion of.
  • Explain the envelope encryption process used by AWS services: each object is encrypted with its own data key, and only that data key is encrypted under the KMS key, so the KMS key material never leaves KMS.
  • Evaluate when to use AWS KMS versus AWS CloudHSM, weighing the FIPS 140 validation level required, multi-tenant managed HSMs (KMS) against a single-tenant cluster you administer yourself (CloudHSM), and the operational cost of owning HSM users and backups.

Module 2: Storage-Specific Encryption

  • Implement the Server-Side Encryption (SSE) options (SSE-S3, SSE-KMS, SSE-C) and enforce the required option with a bucket policy rather than relying on client behaviour.
  • Configure encryption for Amazon EBS volumes, including encryption by default, which is an account setting that must be enabled separately in each Region.
  • Apply encryption to Amazon RDS instances (chosen at creation; an existing unencrypted instance is encrypted by restoring an encrypted snapshot copy) and choose the key type for DynamoDB tables, which are always encrypted at rest with an AWS owned, AWS managed, or customer managed key.
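One way to make SSE-KMS with one specific key mandatory for a bucket, as an added example (not code from the original page or from AWS): a Python function builds the bucket policy as a dict, and a simplified evaluator reports which constructed PutObject requests the policy would deny. The bucket name and the key ARN (using the 111122223333 example account) are placeholders; the evaluator models only the StringNotEquals operator on the two SSE condition keys.

```python
"""Bucket policy that refuses uploads not encrypted with a specific KMS key,
plus a small local check of which PutObject requests it denies."""
import json
from typing import Dict, Optional

EXAMPLE_BUCKET = "example-bucket"  # placeholder names, not a real bucket or key
EXAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# Condition key -> request header the S3 request context derives it from
HEADER_FOR_CONDITION_KEY = {
    "s3:x-amz-server-side-encryption": "x-amz-server-side-encryption",
    "s3:x-amz-server-side-encryption-aws-kms-key-id": "x-amz-server-side-encryption-aws-kms-key-id",
}


def sse_kms_bucket_policy(bucket: str, kms_key_arn: str) -> dict:
    """Two explicit Deny statements: one for a missing or non-KMS SSE header,
    one for any KMS key other than the mandated one."""
    objects_arn = f"arn:aws:s3:::{bucket}/*"

    def deny(sid: str, condition_key: str, value: str) -> dict:
        return {"Sid": sid, "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
                "Resource": objects_arn, "Condition": {"StringNotEquals": {condition_key: value}}}

    return {"Version": "2012-10-17", "Statement": [
        deny("DenyNonKmsUploads", "s3:x-amz-server-side-encryption", "aws:kms"),
        deny("DenyWrongKmsKey", "s3:x-amz-server-side-encryption-aws-kms-key-id", kms_key_arn),
    ]}


def denying_statement(policy: dict, request_headers: Dict[str, str]) -> Optional[str]:
    """Sid of the first Deny matching a PutObject with these headers, else None.

    Simplified evaluator: a condition key absent from the request counts as
    "not equal" (how IAM treats a missing key under a negated operator), and an
    explicit Deny always wins over any Allow, so one matching Deny settles it."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        for condition_key, required in stmt["Condition"]["StringNotEquals"].items():
            header = HEADER_FOR_CONDITION_KEY[condition_key]
            if request_headers.get(header) != required:
                return stmt["Sid"]
    return None


SAMPLE_POLICY = sse_kms_bucket_policy(EXAMPLE_BUCKET, EXAMPLE_KEY_ARN)

# Constructed PutObject requests, keyed by what the client asked for
SAMPLE_REQUESTS = {
    "no_sse_header": {},
    "sse_s3": {"x-amz-server-side-encryption": "AES256"},
    "sse_kms_default_key": {"x-amz-server-side-encryption": "aws:kms"},
    "sse_kms_wrong_key": {"x-amz-server-side-encryption": "aws:kms",
                          "x-amz-server-side-encryption-aws-kms-key-id":
                          "arn:aws:kms:us-east-1:111122223333:key/ffffffff-ffff-ffff-ffff-ffffffffffff"},
    "sse_kms_right_key": {"x-amz-server-side-encryption": "aws:kms",
                          "x-amz-server-side-encryption-aws-kms-key-id": EXAMPLE_KEY_ARN},
}


def evaluate_samples() -> Dict[str, Optional[str]]:
    """Verdict (denying Sid or None) for every constructed request."""
    return {name: denying_statement(SAMPLE_POLICY, headers) for name, headers in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    print(json.dumps(SAMPLE_POLICY, indent=2))
    for name, verdict in evaluate_samples().items():
        print(f"{name:22} -> {verdict or 'not denied by this policy'}")
```

Two points worth noticing in the verdicts: a client that sends no header at all is still denied even though S3 now applies SSE-S3 to such uploads by default, because the condition key mirrors the header the client sent, not the encryption S3 ends up applying; and `aws:kms` without a key ID falls through to the second statement, since the default `aws/s3` key would otherwise satisfy the first. The key ID condition is a plain string comparison, so clients must send the same form (the key ARN) that the policy names.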

Module 3: Data Integrity & Immutability

  • Configure S3 Object Lock (Governance vs. Compliance modes) so that object versions cannot be deleted or overwritten until their retention date; Object Lock requires versioning on the bucket, and Compliance mode binds even the account root user.
  • Utilize S3 Versioning to protect against accidental overwrites and deletions, since a delete without a version ID only adds a delete marker.
  • Implement S3 Glacier Vault Lock for long-term immutable archival; once the lock policy is completed it can no longer be changed or removed.
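The difference between the two Object Lock modes, as an added example that is not part of the original page: a local Python model of the decision rules S3 applies to a delete of a locked object version and to a change of its retention, run over constructed scenarios. Callers are represented by what they hold and send (the s3:BypassGovernanceRetention permission, the x-amz-bypass-governance-retention header) rather than by real IAM principals, and the model assumes the caller already has s3:DeleteObjectVersion and s3:PutObjectRetention.

```python
"""Decision rules of S3 Object Lock, modelled locally: which requests may
delete a locked object version or change its retention under each mode."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass
class LockState:
    """Retention settings of one object version (mode None = no retention)."""
    mode: Optional[str] = None            # "GOVERNANCE", "COMPLIANCE" or None
    retain_until: Optional[datetime] = None
    legal_hold: bool = False              # independent of retention, no expiry


@dataclass
class Caller:
    """What the requester holds and sends (modelled; not boto3 objects)."""
    now: datetime
    has_bypass_permission: bool = False   # IAM allows s3:BypassGovernanceRetention
    sends_bypass_header: bool = False     # x-amz-bypass-governance-retention: true


def retention_active(lock: LockState, now: datetime) -> bool:
    return lock.mode is not None and lock.retain_until is not None and now < lock.retain_until


def bypasses_governance(lock: LockState, caller: Caller) -> bool:
    """Governance mode yields only to BOTH the permission and the header."""
    return lock.mode == "GOVERNANCE" and caller.has_bypass_permission and caller.sends_bypass_header


def delete_version_allowed(lock: LockState, caller: Caller) -> Tuple[bool, str]:
    """DeleteObject with a versionId (without one, S3 just adds a delete marker)."""
    if lock.legal_hold:
        return False, "legal hold set; remove it first (needs s3:PutObjectLegalHold)"
    if not retention_active(lock, caller.now):
        return True, "no active retention"
    if lock.mode == "COMPLIANCE":
        return False, "COMPLIANCE retention active; nobody, root included, can delete until it expires"
    if bypasses_governance(lock, caller):
        return True, "GOVERNANCE retention bypassed"
    return False, "GOVERNANCE retention active; needs s3:BypassGovernanceRetention plus the bypass header"


def change_retention_allowed(lock: LockState, new_mode: str, new_until: datetime,
                             caller: Caller) -> Tuple[bool, str]:
    """PutObjectRetention on a version that already carries retention."""
    if not retention_active(lock, caller.now):
        return True, "no active retention; new settings applied"
    if lock.mode == "COMPLIANCE":
        if new_mode != "COMPLIANCE":
            return False, "COMPLIANCE cannot be downgraded to GOVERNANCE"
        if new_until < lock.retain_until:
            return False, "COMPLIANCE retention can be extended, never shortened"
        return True, "COMPLIANCE retention extended"
    if new_until >= lock.retain_until:    # GOVERNANCE: extending or upgrading needs no bypass
        return True, "GOVERNANCE retention extended" + (" and upgraded to COMPLIANCE" if new_mode == "COMPLIANCE" else "")
    if bypasses_governance(lock, caller):
        return True, "GOVERNANCE retention shortened with bypass"
    return False, "shortening GOVERNANCE retention needs the bypass permission and header"


def sample_outcomes() -> dict:
    """Constructed scenarios; returns just the allow/deny booleans."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    until = now + timedelta(days=365)
    gov, comp = LockState("GOVERNANCE", until), LockState("COMPLIANCE", until)
    plain = Caller(now)
    privileged = Caller(now, has_bypass_permission=True, sends_bypass_header=True)
    permission_only = Caller(now, has_bypass_permission=True)
    root = privileged  # root gets nothing beyond what any fully privileged caller gets
    return {
        "gov_plain_delete": delete_version_allowed(gov, plain)[0],
        "gov_bypass_delete": delete_version_allowed(gov, privileged)[0],
        "gov_permission_without_header": delete_version_allowed(gov, permission_only)[0],
        "comp_root_delete": delete_version_allowed(comp, root)[0],
        "comp_expired_delete": delete_version_allowed(comp, Caller(until + timedelta(seconds=1)))[0],
        "legal_hold_blocks_expired": delete_version_allowed(
            LockState("GOVERNANCE", now - timedelta(days=1), legal_hold=True), privileged)[0],
        "comp_shorten": change_retention_allowed(comp, "COMPLIANCE", until - timedelta(days=1), root)[0],
        "comp_extend": change_retention_allowed(comp, "COMPLIANCE", until + timedelta(days=1), plain)[0],
        "gov_to_comp": change_retention_allowed(gov, "COMPLIANCE", until, plain)[0],
        "comp_to_gov": change_retention_allowed(comp, "GOVERNANCE", until + timedelta(days=1), root)[0],
    }
```

The scenarios capture the exam-relevant asymmetries: Governance mode is a guard rail that a deliberately privileged caller can step over, Compliance mode is a one-way door (extend only, no downgrade, no deletion until expiry, root included), and a legal hold blocks deletion even after retention has lapsed.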

Module 4: Lifecycle & Backup Management

  • Design S3 Lifecycle policies to transition data to lower-cost storage classes.
  • Centralize backup operations using AWS Backup and Amazon Data Lifecycle Manager (DLM).
  • Implement ransomware protection strategies using cross-account and cross-region backups.

Module 5: Advanced Key Management

  • Manage and rotate imported key material; KMS automatic key rotation does not apply to keys with imported material, so rotation and material expiry must be planned and tracked by the customer.
  • Configure External Key Stores (XKS) to hold keys outside the AWS cloud, understanding that every KMS operation on such a key then depends on the availability and latency of the external key manager.

Success Metrics

To demonstrate mastery of this curriculum, the learner must be able to:

  1. Select Encryption Types: Correctly identify whether client-side or server-side encryption is appropriate for a given compliance scenario.
  2. Architect Integrity: Successfully configure a WORM (Write Once, Read Many) storage solution using S3 Object Lock.
  3. Policy Interpretation: Interpret KMS key policies, together with the IAM policies and grants that complement them, to determine which principals can decrypt with a given key.
  4. Cost Optimization: Design a lifecycle strategy that reduces storage costs by at least 30% without violating retention requirements.
  5. Audit Readiness: Use IAM Access Analyzer and CloudTrail to investigate an unauthorized attempt to access encrypted data.
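The investigation step of metric 5 over constructed CloudTrail records, as an added example that is not part of the original page: KMS logs every API call, Decrypt included, to CloudTrail, so the script keeps only kms.amazonaws.com events with errorCode AccessDenied on data-plane operations, optionally restricted to one key ARN, and summarises them per principal. The key ARNs, principals and IP addresses are placeholders; the records follow CloudTrail's field names (eventSource, eventName, errorCode, userIdentity.arn, resources[].ARN) but carry only the fields used here.

```python
"""Triage of CloudTrail records for denied attempts to use a KMS key.

A burst of AccessDenied results on KMS data-plane operations is the usual first
sign of someone probing for encrypted data they are not entitled to."""
from typing import Dict, List, Optional

# Placeholder identifiers (AWS documentation account and made-up key IDs)
KEY_A = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
KEY_B = "arn:aws:kms:us-east-1:111122223333:key/0987dcba-09fe-87dc-65ba-ba0987654321"
ANALYST = "arn:aws:sts::111122223333:assumed-role/Analyst/analyst"
CONTRACTOR = "arn:aws:iam::111122223333:user/contractor"
APP = "arn:aws:sts::111122223333:assumed-role/ReportApp/i-0abc"

# KMS operations that touch data or data keys; control-plane calls are triaged separately
KMS_DATA_PLANE = {"Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncrypt"}


def _record(time, source, name, arn, ip, key=None, error=None, invoked_by=None) -> dict:
    """Build a constructed CloudTrail-shaped record with only the fields used below."""
    rec = {"eventVersion": "1.08", "eventTime": time, "eventSource": source, "eventName": name,
           "userIdentity": {"arn": arn}, "sourceIPAddress": ip, "resources": []}
    if key:
        rec["resources"].append({"type": "AWS::KMS::Key", "ARN": key})
    if error:
        rec["errorCode"] = error
    if invoked_by:
        rec["userIdentity"]["invokedBy"] = invoked_by
    return rec


SAMPLE_RECORDS = [  # constructed, not real log data
    _record("2024-05-01T10:00:01Z", "kms.amazonaws.com", "Decrypt", ANALYST, "203.0.113.10", KEY_A, "AccessDenied"),
    _record("2024-05-01T10:00:07Z", "kms.amazonaws.com", "Decrypt", ANALYST, "203.0.113.10", KEY_A, "AccessDenied"),
    # KMS called by S3 on the analyst's behalf during GetObject on an SSE-KMS object
    _record("2024-05-01T10:01:30Z", "kms.amazonaws.com", "Decrypt", ANALYST, "203.0.113.10", KEY_A,
            "AccessDenied", "s3.amazonaws.com"),
    _record("2024-05-01T10:02:00Z", "s3.amazonaws.com", "GetObject", ANALYST, "203.0.113.10", error="AccessDenied"),
    _record("2024-05-01T10:05:00Z", "kms.amazonaws.com", "Decrypt", APP, "10.0.1.5", KEY_A),  # success, no errorCode
    _record("2024-05-01T10:06:00Z", "kms.amazonaws.com", "DescribeKey", CONTRACTOR, "198.51.100.7", KEY_B, "AccessDenied"),
    _record("2024-05-01T11:30:00Z", "kms.amazonaws.com", "GenerateDataKey", CONTRACTOR, "198.51.100.7", KEY_B, "AccessDenied"),
]


def kms_denials(records: List[dict], key_arn: Optional[str] = None) -> List[dict]:
    """Denied KMS data-plane calls, optionally only those naming key_arn."""
    hits = []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com" or rec.get("errorCode") != "AccessDenied":
            continue
        if rec.get("eventName") not in KMS_DATA_PLANE:
            continue
        keys = [r["ARN"] for r in rec.get("resources", []) if r.get("type") == "AWS::KMS::Key"]
        if key_arn is not None and key_arn not in keys:
            continue
        identity = rec.get("userIdentity", {})
        hits.append({"time": rec["eventTime"],
                     "principal": identity.get("arn", identity.get("principalId", "unknown")),
                     "via": identity.get("invokedBy", "direct"), "operation": rec["eventName"],
                     "keys": keys, "source_ip": rec.get("sourceIPAddress")})
    return hits


def summarize_by_principal(denials: List[dict]) -> Dict[str, dict]:
    """Count, keys, source IPs, call path and time window per principal."""
    summary: Dict[str, dict] = {}
    for d in denials:
        s = summary.setdefault(d["principal"], {"count": 0, "keys": set(), "source_ips": set(),
                                                "via": set(), "first": d["time"], "last": d["time"]})
        s["count"] += 1
        s["keys"].update(d["keys"])
        s["source_ips"].add(d["source_ip"])
        s["via"].add(d["via"])
        s["first"], s["last"] = min(s["first"], d["time"]), max(s["last"], d["time"])  # ISO-8601 Z sorts as text
    return summary


def flag_principals(summary: Dict[str, dict], threshold: int = 2) -> List[str]:
    """Principals with at least `threshold` denials, sorted for stable reporting."""
    return sorted(p for p, s in summary.items() if s["count"] >= threshold)


if __name__ == "__main__":
    for principal, s in summarize_by_principal(kms_denials(SAMPLE_RECORDS)).items():
        print(f"{principal}: {s['count']} denials on {sorted(s['keys'])} from {sorted(s['source_ips'])} "
              f"via {sorted(s['via'])} between {s['first']} and {s['last']}")
```

Filtering on `resources[].ARN` rather than on the principal is what turns this into an investigation of a specific encrypted dataset: the key ARN is the pivot from "who touched the bucket" to "who tried to obtain the data key". The `invokedBy` field separates direct KMS calls from ones S3 made on the caller's behalf, which is the shape a denied GetObject on an SSE-KMS object leaves in the KMS trail.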

Real-World Application

[!IMPORTANT] Data at rest controls are not just for passing exams; they are the final line of defense in a "Defense in Depth" strategy.

  • Regulatory Compliance: Meeting HIPAA, PCI DSS, or GDPR expectations that stored sensitive data be encrypted.
  • Ransomware Mitigation: Using immutable backups (Object Lock) to ensure data can be restored even if primary systems, and the credentials that manage them, are compromised.
  • Data Sovereignty: Using CloudHSM, imported key material, or an External Key Store (XKS) to maintain control over cryptographic keys in specific geographic jurisdictions.
  • Automated Governance: Enabling EBS encryption by default in every Region the account uses, so that new volumes and snapshot copies are encrypted regardless of what developers request; the setting does not retroactively encrypt volumes that already exist.

Visualizing S3 Server-Side Encryption (SSE-KMS)

```latex
% Sequence of calls behind an SSE-KMS PutObject; needs \usetikzlibrary{positioning}
\begin{center}
\begin{tikzpicture}[
  node distance=2cm,
  box/.style={draw, rectangle, align=center, minimum height=1cm},
  lbl/.style={align=center, font=\small}
]
  \node (User) [box, fill=blue!10]                  {User/Application};
  \node (S3)   [box, right=of User, fill=orange!10] {Amazon S3};
  \node (KMS)  [box, below=of S3, fill=green!10]    {AWS KMS};

  \draw[->, thick] (User) -- node[lbl, above] {1. PutObject} (S3);
  \draw[->, thick] ([xshift=-6mm]S3.south) -- node[lbl, left]  {2. GenerateDataKey} ([xshift=-6mm]KMS.north);
  \draw[<-, thick] ([xshift=6mm]S3.south)  -- node[lbl, right] {3. Plaintext DK +\\Encrypted DK} ([xshift=6mm]KMS.north);
  \draw[dashed, ->] (S3) to[loop right] node[lbl, right] {4. Data encrypted\\with DK at rest} (S3);
\end{tikzpicture}
\end{center}
```
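The exchange in the diagram (steps 1 to 4, plus the matching decrypt path) and the envelope encryption objective of Module 1, as an added example not taken from the original page or from AWS: a stand-alone Python model in which FakeKms plays KMS and FakeS3Bucket plays S3, with S3 passing the object ARN as the `aws:s3:arn` encryption context the way the real service does (it uses the bucket ARN instead when S3 Bucket Keys are enabled). The stand-in cipher (HMAC-SHA256 keystream with an HMAC tag) replaces AES-GCM only because the Python standard library ships no AES; the key ARN, bucket and object names are placeholders.

```python
"""Envelope encryption as used by S3 SSE-KMS, modelled locally.

The KMS key material stays inside FakeKms; S3 only ever handles data keys.
The symmetric primitive is an HMAC-SHA256 keystream plus HMAC tag, a stand-in
for AES-GCM because the standard library has no AES; illustration only."""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Tuple


class InvalidCiphertextException(Exception):
    """Unwrap failed (mirrors the KMS error name)."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag, with aad bound into the tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + len(aad).to_bytes(4, "big") + aad + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, aad: bytes, blob: bytes) -> bytes:
    """Verify the tag under the same key and aad, then decrypt; refuse on mismatch."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + len(aad).to_bytes(4, "big") + aad + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise InvalidCiphertextException("tag mismatch: wrong key, wrong encryption context or tampered data")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def _canonical(context: Dict[str, str]) -> bytes:
    return json.dumps(context, sort_keys=True, separators=(",", ":")).encode()


class FakeKms:
    """Stand-in for AWS KMS; the KMS key material never leaves this object."""

    def __init__(self, key_arn: str) -> None:
        self.key_arn = key_arn
        self._key_material = secrets.token_bytes(32)

    def generate_data_key(self, encryption_context: Dict[str, str]) -> Tuple[bytes, bytes]:
        """Like GenerateDataKey: (plaintext data key, data key wrapped under the KMS key)."""
        plaintext_dk = secrets.token_bytes(32)
        return plaintext_dk, seal(self._key_material, _canonical(encryption_context), plaintext_dk)

    def decrypt(self, encrypted_dk: bytes, encryption_context: Dict[str, str]) -> bytes:
        """Like Decrypt: unwraps only when the identical encryption context is presented."""
        return open_sealed(self._key_material, _canonical(encryption_context), encrypted_dk)


class FakeS3Bucket:
    """Stores each object as ciphertext plus its wrapped data key; no plaintext key is kept."""

    def __init__(self, name: str, kms: FakeKms) -> None:
        self.name, self.kms = name, kms
        self.objects: Dict[str, dict] = {}

    def put_object(self, key: str, body: bytes) -> None:                    # step 1
        context = {"aws:s3:arn": f"arn:aws:s3:::{self.name}/{key}"}          # object ARN as context
        plaintext_dk, encrypted_dk = self.kms.generate_data_key(context)     # steps 2 and 3
        ciphertext = seal(plaintext_dk, b"", body)                           # step 4
        self.objects[key] = {"ciphertext": ciphertext, "encrypted_dk": encrypted_dk, "context": context}
        del plaintext_dk                                                     # discarded after use

    def get_object(self, key: str) -> bytes:
        obj = self.objects[key]
        plaintext_dk = self.kms.decrypt(obj["encrypted_dk"], obj["context"])  # KMS unwraps the DK
        return open_sealed(plaintext_dk, b"", obj["ciphertext"])


def demo() -> dict:
    """Round-trip one object and show what a copied store entry is worth without KMS."""
    kms = FakeKms("arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab")  # placeholder
    bucket = FakeS3Bucket("example-bucket", kms)
    body = b"account,balance\n42,100\n"   # constructed sample object
    bucket.put_object("report.csv", body)
    stored = bucket.objects["report.csv"]
    try:   # replaying the wrapped DK under another object's context is refused by KMS
        kms.decrypt(stored["encrypted_dk"], {"aws:s3:arn": "arn:aws:s3:::example-bucket/other.csv"})
        wrong_context_rejected = False
    except InvalidCiphertextException:
        wrong_context_rejected = True
    return {"roundtrip_ok": bucket.get_object("report.csv") == body,
            "plaintext_visible_in_store": b"balance" in stored["ciphertext"],
            "wrong_context_rejected": wrong_context_rejected}
```

What the model makes visible that the diagram does not: the stored entry holds ciphertext and a wrapped data key only, so exfiltrating the storage layer yields nothing without a successful `kms:Decrypt`, and that call is bound to the object's encryption context, so a wrapped key lifted from one object cannot be unwrapped by claiming it belongs to another. It is exactly that `Decrypt` call, logged by CloudTrail, that an investigation of "who read the encrypted data" pivots on.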
