Unit 5: Data Protection - Curriculum Overview

This curriculum overview covers the strategies, services, and implementation patterns required to secure data within the AWS ecosystem. As data is often an organization's most valuable asset, this unit focuses on ensuring confidentiality, integrity, and availability through encryption, lifecycle management, and secure secret handling.

Prerequisites

Before starting this unit, learners should have a firm grasp of the following:

  • Identity and Access Management (IAM): Understanding of IAM policies, roles, and the principle of least privilege.
  • VPC Fundamentals: Knowledge of subnets, security groups, and Network ACLs.
  • Encryption Basics: Conceptual understanding of symmetric vs. asymmetric encryption and hashing.
  • AWS CLI: Comfort using the terminal for basic resource inspection.

Module Breakdown

Module | Title                 | Focus Area                                                    | Difficulty
M5.1   | Data in Transit       | TLS, PrivateLink, VPC Endpoints, ELB Security Policies        | Medium
M5.2   | Data at Rest          | EBS, S3, RDS, DynamoDB encryption, KMS vs. CloudHSM           | High
M5.3   | Integrity & Lifecycle | S3 Object Lock, Versioning, Backup, Lifecycle Policies        | Medium
M5.4   | Secrets & Keys        | Secrets Manager, KMS Key Rotation, ACM, Certificate Authority | High

Learning Objectives per Module

M5.1: Data in Transit

  • Enforce Encryption: Configure Elastic Load Balancing (ELB) security policies to require modern TLS versions.
  • Private Connectivity: Implement AWS PrivateLink and VPC Endpoints to keep traffic within the AWS network, bypassing the public internet.
  • Inter-resource Security: Design inter-node encryption for high-performance clusters like Amazon EMR and EKS.

M5.2: Data at Rest

  • Storage Encryption: Choose and implement the correct encryption type (Server-Side vs. Client-Side) for S3 and EBS.
  • Key Management Selection: Determine when to use AWS KMS (multi-tenant) versus AWS CloudHSM (dedicated, single-tenant hardware).
  • Encryption Mapping: Map encryption requirements to specific database services (RDS, DynamoDB).

M5.3: Integrity & Retention

  • Immutability: Configure S3 Object Lock and Glacier Vault Lock to prevent data deletion for compliance.
  • Lifecycle Automation: Design S3 Lifecycle policies to transition data to cheaper storage tiers or expire it automatically.
  • Recovery: Implement AWS Backup and DataSync for ransomware protection and multi-region replication.

M5.4: Secrets & Cryptographic Materials

  • Secret Management: Use AWS Secrets Manager to automate the rotation of database credentials.
  • Key Governance: Manage KMS key policies and handle imported key material (BYOK).
  • Data Masking: Apply CloudWatch Logs data protection policies to mask PII in transit.

Visual Overview

Data State Transitions (diagram not available in this copy)

Key Management Selection Logic (diagram not available in this copy)

Success Metrics

To demonstrate mastery of Unit 5, a learner must be able to:

  1. Verify Encryption: Use the AWS CLI to confirm an S3 bucket has AES256 or aws:kms encryption enforced via policy.
  2. Audit Connectivity: Identify and remediate resources that are accessible over the public internet instead of using a VPC Interface Endpoint.
  3. Automate Rotation: Successfully configure a Secrets Manager secret to rotate every 30 days using a Lambda function.
  4. Compliance Validation: Generate a report showing that all EBS volumes in an account are encrypted using a Customer Managed Key (CMK).
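An added example for success metric 1 (not part of the original curriculum materials): a Python check that takes the JSON returned by `aws s3api get-bucket-encryption` and the policy document from `aws s3api get-bucket-policy --query Policy --output text`, and reports whether default encryption is AES256/aws:kms and whether the bucket policy carries the two Deny statements that reject uploads with a missing or non-allowed SSE header. The embedded bucket name, account id and key id are constructed placeholders.

```python
ALLOWED_SSE = {"AES256", "aws:kms"}
SSE_HEADER = "s3:x-amz-server-side-encryption"

def default_encryption_ok(enc_config):
    """True if every default-encryption rule uses AES256 or aws:kms
    (input shape: `aws s3api get-bucket-encryption --bucket NAME`)."""
    rules = enc_config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algs = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    return bool(algs) and algs <= ALLOWED_SSE

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def policy_sse_controls(policy):
    """Upload-time controls found in the bucket policy (the two-statement pattern from AWS docs):
    'header-value'    Deny PutObject when the SSE header names a non-allowed algorithm
    'header-required' Deny PutObject when the SSE header is absent (Null condition)
    Simplification: only s3:PutObject / s3:* are matched, not wildcards such as s3:Put*."""
    found = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        if not any(a in ("s3:PutObject", "s3:*") for a in _as_list(stmt.get("Action"))):
            continue
        cond = stmt.get("Condition", {})
        wrong = cond.get("StringNotEquals", {}).get(SSE_HEADER)
        if wrong is not None and set(_as_list(wrong)) <= ALLOWED_SSE:
            found.add("header-value")
        if str(cond.get("Null", {}).get(SSE_HEADER)).lower() == "true":
            found.add("header-required")
    return found

def verify_bucket(enc_config, policy):
    """Verdict for success metric 1: default encryption set AND both policy denies present."""
    controls = policy_sse_controls(policy)
    return {"default_encryption": default_encryption_ok(enc_config),
            "policy_controls": sorted(controls),
            "enforced": default_encryption_ok(enc_config) and controls == {"header-value", "header-required"}}

# Constructed sample inputs; bucket name, account id and key id are placeholders, not real resources.
SAMPLE_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
    "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}]}}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyWrongAlgorithm", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringNotEquals": {SSE_HEADER: ["AES256", "aws:kms"]}}},
    {"Sid": "DenyMissingHeader", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-bucket/*", "Condition": {"Null": {SSE_HEADER: "true"}}}]}
```

Run `verify_bucket(SAMPLE_ENCRYPTION, SAMPLE_POLICY)` to see the verdict dict; against a live bucket, feed it the two CLI outputs parsed with `json.loads`.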

Real-World Application

Data protection is not just a technical requirement; it is a legal and business necessity:

  • Regulatory Compliance: Meeting GDPR, HIPAA, or PCI-DSS requirements through mandated encryption and audit logs.
  • Ransomware Mitigation: Using S3 Versioning and Object Lock (WORM - Write Once Read Many) to ensure that even if an attacker gains access, they cannot overwrite or delete critical backups.
  • Intellectual Property: Ensuring that proprietary code or data packets cannot be intercepted via "Man-in-the-Middle" attacks between distributed systems.

[!IMPORTANT] Domain 5 accounts for 18% of the AWS Certified Security - Specialty (SCS-C03) exam. Focus heavily on the differences between KMS key types and S3 security features.
