Data Protection on AWS

Data Encryption and Key Management on S3

Data protection covers data in transit (while it is being uploaded to or downloaded from S3) and data at rest (while it is stored in S3). Data in transit is protected with Transport Layer Security (TLS, the successor to SSL) on the S3 endpoint, or by encrypting objects on the client before they are uploaded. For data at rest, Amazon S3 offers server-side encryption (SSE), which encrypts each object as it is written to disk and decrypts it transparently for authorized reads. You have the following options for protecting data at rest in Amazon S3:

  • SSE-S3: S3 generates, manages and rotates the keys itself and encrypts objects with AES-256

  • SSE-KMS: objects are encrypted under a key held in AWS Key Management Service (KMS), which gives you a key policy, a separate CloudTrail audit trail of key use, and the ability to disable the key

  • SSE-C: you supply the key with each request; S3 uses it to encrypt or decrypt the object and does not store it

  • Client-side encryption: the object is encrypted before it leaves your environment, for example with the Amazon S3 Encryption Client or the AWS Encryption SDK, so S3 only ever sees ciphertext
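The in-transit and at-rest requirements above are usually enforced at the bucket boundary with explicit-Deny statements in the bucket policy: one for requests that do not use TLS (aws:SecureTransport) and two for PutObject requests that do not ask for SSE-KMS (s3:x-amz-server-side-encryption). The following is an added example, not code from the page or from AWS: a small evaluator for those Deny statements run offline against constructed request contexts. The bucket name, object key, and the principals implied by the requests are all made up; the condition keys and header values are the ones S3 actually populates.

```python
"""Evaluate the explicit-Deny statements that a bucket policy uses to enforce TLS
in transit and SSE-KMS at rest, against constructed S3 requests (offline)."""
from fnmatch import fnmatchcase

# Constructed policy for a hypothetical bucket "example-bucket". The two SSE
# statements follow the documented pattern: one denies a wrong header value, the
# Null statement denies a request that omits the header altogether.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket",
                         "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"StringNotEquals":
                          {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
        {
            "Sid": "DenyUnencryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(operator: str, key: str, expected: str, ctx: dict) -> bool:
    """One condition-key test. Only Null can match on an absent key; a plain
    operator such as StringNotEquals is treated as not matching, which is why
    the policy carries a separate Null statement for requests with no header."""
    present = key in ctx
    if operator == "Null":
        return (not present) if expected == "true" else present
    if not present:
        return False
    actual = str(ctx[key])
    if operator == "Bool":
        return actual.lower() == expected.lower()
    if operator == "StringEquals":
        return actual == expected
    if operator == "StringNotEquals":
        return actual != expected
    raise ValueError(f"operator {operator} is not modelled here")


def denying_statements(policy: dict, action: str, resource: str, ctx: dict) -> list:
    """Sids of the Deny statements that match the request. An empty list means the
    bucket policy does not block it; an IAM or bucket Allow is still required."""
    hits = []
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if all(_condition_matches(op, k, v, ctx)
               for op, tests in st.get("Condition", {}).items()
               for k, v in tests.items()):
            hits.append(st["Sid"])
    return hits


OBJECT = "arn:aws:s3:::example-bucket/reports/q1.csv"  # constructed resource ARN
TLS, PLAIN = {"aws:SecureTransport": "true"}, {"aws:SecureTransport": "false"}


def sample_results() -> dict:
    """Constructed request contexts covering the cases a reviewer would probe."""
    kms_hdr = {"s3:x-amz-server-side-encryption": "aws:kms"}
    s3_hdr = {"s3:x-amz-server-side-encryption": "AES256"}
    return {
        "tls_kms": denying_statements(BUCKET_POLICY, "s3:PutObject", OBJECT, {**TLS, **kms_hdr}),
        "plain_http": denying_statements(BUCKET_POLICY, "s3:PutObject", OBJECT, {**PLAIN, **kms_hdr}),
        "no_header": denying_statements(BUCKET_POLICY, "s3:PutObject", OBJECT, TLS),
        "sse_s3": denying_statements(BUCKET_POLICY, "s3:PutObject", OBJECT, {**TLS, **s3_hdr}),
        "get_tls": denying_statements(BUCKET_POLICY, "s3:GetObject", OBJECT, TLS),
    }


if __name__ == "__main__":
    for name, sids in sample_results().items():
        print(f"{name:11} -> {'passes bucket policy' if not sids else 'DENIED by ' + ', '.join(sids)}")
```

Two caveats for real deployments. First, since January 2023 S3 applies SSE-S3 to every new object anyway, so these statements enforce SSE-KMS specifically (and the "AES256" request above is denied for that reason), not encryption as such. Second, if the bucket also has default encryption set to SSE-KMS, clients that rely on the default send no header and the Null statement will deny them; pick one mechanism and apply it consistently.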

The rest of this page covers AWS KMS, the key-management layer that SSE-KMS and client-side encryption build on.

AWS Key Management Service (KMS) manages the keys behind SSE-KMS and client-side encryption, and adds a control layer that is independent of S3's own access controls: reading an object encrypted under a KMS key requires both permission on the object and permission to use that key. AWS KMS lets you create and manage cryptographic keys and control their use across a wide range of AWS services and in your own applications. Key material is protected by hardware security modules validated under FIPS 140-2 (or in the process of validation) and never leaves the service unencrypted. AWS KMS is integrated with AWS CloudTrail, which records every use of every key, so you can show who used which key, when, and for which operation when you need to meet regulatory and compliance requirements.

KMS gives you control. Through the key policy, and the IAM policies it delegates to, you can define who can:

  • Create a KMS key (historically called a customer master key, CMK)

  • Use a KMS key for Encrypt, Decrypt and GenerateDataKey operations

  • Generate a data key and export it encrypted (wrapped) under a KMS key, so that the plaintext data key is used locally and discarded while only the wrapped copy is stored with the data (envelope encryption)

  • Enable and disable KMS keys; while a key is disabled, nothing encrypted under it can be decrypted

  • Audit use of KMS keys in AWS CloudTrail
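The controls listed above (who may generate a data key, who may decrypt it, what a disabled key does to the data under it, and what the audit trail records) together with the envelope-encryption flow that SSE-KMS and the S3 encryption clients use, as an added example that is not AWS code or code from this page. It uses a stand-in KMS class with a key policy and a CloudTrail-like trail, and a SHA-256 keystream cipher in place of AES-GCM so that it runs on the Python standard library alone. The principal names, the key policy, the metadata field names and the sample object are all constructed for the example.

```python
"""Envelope encryption against a stand-in KMS: one data key per object, wrapped
under a KMS key whose use is governed by a key policy and logged like CloudTrail."""
import hashlib
import hmac
import secrets

class AccessDenied(Exception):
    pass

class KeyDisabled(Exception):
    pass

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """SHA-256 counter-mode keystream XOR. Stand-in for AES-GCM so the example
    needs only the standard library; do not use it for real data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

class MockKms:
    """The slice of the KMS API that envelope encryption uses. A key policy is a
    map principal -> permitted actions; every call is appended to `trail`."""

    def __init__(self):
        self._keys = {}
        self.trail = []  # (event_name, principal, key_id, outcome), like CloudTrail

    def create_key(self, principal: str, policy: dict) -> str:
        key_id = secrets.token_hex(8)  # stand-in for a real key ARN
        self._keys[key_id] = {"material": secrets.token_bytes(32),
                              "enabled": True, "policy": policy}
        self.trail.append(("CreateKey", principal, key_id, "Success"))
        return key_id

    def _authorize(self, principal: str, key_id: str, action: str) -> bytes:
        key = self._keys[key_id]
        if action not in key["policy"].get(principal, ()):
            self.trail.append((action, principal, key_id, "AccessDenied"))
            raise AccessDenied(f"{principal} may not {action} on {key_id}")
        if action in ("GenerateDataKey", "Decrypt") and not key["enabled"]:
            self.trail.append((action, principal, key_id, "DisabledException"))
            raise KeyDisabled(key_id)
        self.trail.append((action, principal, key_id, "Success"))
        return key["material"]

    def generate_data_key(self, principal: str, key_id: str):
        """Returns (plaintext data key, CiphertextBlob). Key material never leaves
        the service; the blob carries the key id so Decrypt needs no KeyId."""
        material = self._authorize(principal, key_id, "GenerateDataKey")
        data_key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        wrapped = keystream_xor(material, nonce, data_key)
        tag = hmac.new(material, nonce + wrapped, hashlib.sha256).digest()
        return data_key, key_id.encode() + nonce + wrapped + tag

    def decrypt(self, principal: str, blob: bytes) -> bytes:
        key_id, nonce, wrapped, tag = blob[:16].decode(), blob[16:32], blob[32:64], blob[64:]
        material = self._authorize(principal, key_id, "Decrypt")
        expected = hmac.new(material, nonce + wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("CiphertextBlob has been tampered with")
        return keystream_xor(material, nonce, wrapped)

    def disable_key(self, principal: str, key_id: str) -> None:
        self._authorize(principal, key_id, "DisableKey")
        self._keys[key_id]["enabled"] = False

def put_object_encrypted(kms: MockKms, principal: str, key_id: str, body: bytes) -> dict:
    """Client-side envelope encryption: fresh data key per object, used once and
    dropped; only the wrapped form is stored beside the ciphertext."""
    data_key, blob = kms.generate_data_key(principal, key_id)
    iv = secrets.token_bytes(16)
    return {"Body": keystream_xor(data_key, iv, body),
            "Metadata": {"wrapped-data-key": blob, "iv": iv}}  # constructed field names

def get_object_decrypted(kms: MockKms, principal: str, obj: dict) -> bytes:
    data_key = kms.decrypt(principal, obj["Metadata"]["wrapped-data-key"])
    return keystream_xor(data_key, obj["Metadata"]["iv"], obj["Body"])

def demo() -> dict:
    """Separation of duties: the uploader can wrap, only the reader can unwrap, and
    disabling the key makes every object under it unreadable at once."""
    kms = MockKms()
    key_id = kms.create_key("key-admin", {"key-admin": {"DisableKey"},
                                          "uploader": {"GenerateDataKey"},
                                          "reader": {"Decrypt"}})
    obj = put_object_encrypted(kms, "uploader", key_id, b"customer record 42")
    out = {"roundtrip": get_object_decrypted(kms, "reader", obj)}
    try:
        get_object_decrypted(kms, "uploader", obj)
        out["uploader_read"] = "allowed"
    except AccessDenied:
        out["uploader_read"] = "denied"
    kms.disable_key("key-admin", key_id)
    try:
        get_object_decrypted(kms, "reader", obj)
        out["after_disable"] = "readable"
    except KeyDisabled:
        out["after_disable"] = "unreadable"
    out["trail"] = [(event, who, outcome) for event, who, _, outcome in kms.trail]
    return out
```

Two points the flow makes that the list alone does not: the uploader never needs Decrypt, so a compromised upload path cannot read existing objects, and every wrap, unwrap and denial appears in the trail with the principal that attempted it, which is what you query in CloudTrail when you need to show who could have read a given object. The HMAC over the wrapped key stands in for the authenticated encryption real KMS applies to the CiphertextBlob; without it a modified blob would silently unwrap to a wrong data key.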

How AWS Key Management Service Works

This guide covers data encryption and key management only at a high level. For a complete overview, and for how KMS key policies and IAM policies combine to give independent security controls over encrypted data in S3, review the AWS Security Blog.

You may explore the AWS Partner Network and AWS Marketplace for professional consulting services and third-party tools.
