Data Protection on AWS
Data Encryption and Key Management on S3
Data protection in general refers to protecting data while in transit (for example, during ingest) and at rest (while it is stored in S3). Data in transit can be protected using Secure Sockets Layer/Transport Layer Security (SSL/TLS) or client-side encryption. Amazon S3 offers out-of-the-box Server-Side Encryption (SSE) that encrypts and decrypts data seamlessly. You have the following options for protecting data at rest in Amazon S3:
Server-Side Encryption – Request that Amazon S3 encrypt your objects before saving them to disk in its data centers, and decrypt them when you download them.
To configure server-side encryption, see Specifying server-side encryption with AWS KMS (SSE-KMS) or Specifying Amazon S3 encryption.
Client-Side Encryption – Encrypt data client-side and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools.
To configure client-side encryption, see Protecting data using client-side encryption.
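The two protections above (TLS in transit, SSE at rest) are usually enforced on the bucket itself rather than left to each uploader. The following is an added example, not code from the original page or from AWS: it builds an S3 bucket policy that denies requests sent without TLS and PutObject calls that do not request SSE-KMS with a specific key, and then evaluates that policy against a few constructed upload requests with a small simulator covering only the condition operators the policy uses. The bucket name and KMS key ARN are placeholders.

```python
"""Added example: S3 bucket policy enforcing TLS + SSE-KMS, with an offline policy simulator."""
import fnmatch
import json

BUCKET = "example-bucket"  # placeholder bucket name
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder key ARN


def build_bucket_policy(bucket, kms_key_arn):
    """Deny-only bucket policy: explicit Deny always wins over any IAM Allow."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # 1. in transit: refuse any request that did not arrive over TLS
                "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
                "Action": "s3:*", "Resource": [f"arn:aws:s3:::{bucket}", objects],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # 2. at rest: the upload must carry an SSE header at all
                "Sid": "DenyMissingEncryptionHeader", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": objects,
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
            {   # 3. at rest: the SSE header must request KMS (not SSE-S3)
                "Sid": "DenyNonKmsEncryption", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": objects,
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {   # 4. at rest: and it must name the bucket's own key
                "Sid": "DenyWrongKmsKey", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": objects,
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}},
            },
        ],
    }


def _condition_matches(cond, request):
    """Evaluate the subset of IAM condition operators used above against a request context."""
    ctx = request["context"]
    for operator, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "Null":  # "true" means the key must be absent from the request
                if (actual is None) != (str(expected).lower() == "true"):
                    return False
            elif operator == "StringNotEquals":  # negated operator: a missing key counts as "not equal"
                if actual is not None and actual == expected:
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def evaluate_request(policy, request):
    """Return ("Deny", sid) for the first matching Deny statement, else ("Allow", None).

    Only explicit Deny is modelled; "Allow" here stands for "not blocked by the bucket
    policy", the caller's IAM policy would still have to grant the action."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(request["action"], a) for a in actions):
            continue
        if _condition_matches(stmt.get("Condition", {}), request):
            return "Deny", stmt["Sid"]
    return "Allow", None


def make_put_request(secure, sse=None, key_arn=None):
    """Constructed PutObject request context (not a real S3 request object)."""
    ctx = {"aws:SecureTransport": "true" if secure else "false"}
    if sse is not None:
        ctx["s3:x-amz-server-side-encryption"] = sse
    if key_arn is not None:
        ctx["s3:x-amz-server-side-encryption-aws-kms-key-id"] = key_arn
    return {"action": "s3:PutObject", "context": ctx}


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, KMS_KEY_ARN)
    print(json.dumps(policy, indent=2))  # paste into put-bucket-policy
    for req in (make_put_request(False, "aws:kms", KMS_KEY_ARN),   # plain HTTP
                make_put_request(True),                            # no SSE header
                make_put_request(True, "AES256"),                  # SSE-S3, not KMS
                make_put_request(True, "aws:kms", KMS_KEY_ARN)):   # compliant
        print(req["context"], "->", evaluate_request(policy, req))
```

The separate `Null` statement exists because the request may simply omit the encryption header; checking both "header absent" and "header not aws:kms" leaves no ambiguity about how a missing key is treated. Note that this denies uploads that rely on a bucket default encryption setting to add SSE after the fact, which is the intent: the requester must state the key explicitly.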
For comprehensive information about server-side encryption and client-side encryption, review the topics listed below.
Topics
AWS Key Management Service (KMS) is a second layer of security and a practical way to implement security best-practice policies. AWS KMS makes it easy to create and manage cryptographic keys and to control their use across a wide range of AWS services and in your own applications. AWS KMS is a secure and resilient service that protects your keys with hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated. AWS KMS is integrated with AWS CloudTrail to provide you with logs of all key usage, which helps meet your regulatory and compliance needs.
KMS gives you control. You can define who can:
Create a master key
Use a master key
Create and export a data key that is encrypted by a master key
Enable/disable master keys
Audit use of master keys in AWS CloudTrail
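The list above amounts to two controls: a key policy that states who may administer the key and who may use it, and CloudTrail as the record of what actually happened. The following is an added example, not code from the original page or from AWS: it defines a key policy that separates key administrators from key users, then runs a small audit over constructed CloudTrail records and reports KMS calls on that key that were denied, or that succeeded for a principal the key policy does not grant that action. All ARNs and log records are placeholders constructed for the example.

```python
"""Added example: key-policy allow-list plus CloudTrail audit of KMS key usage."""
import fnmatch

# Placeholder ARNs
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
ADMIN_ROLE = "arn:aws:iam::111122223333:role/KeyAdmins"
APP_ROLE = "arn:aws:iam::111122223333:role/S3AppRole"

# Administrators may create/enable/disable; the application may only use the key.
# A production key policy normally also carries the account-root statement that lets
# IAM policies grant access; it is omitted here so the key policy alone is the allow-list.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowKeyAdministration", "Effect": "Allow",
         "Principal": {"AWS": ADMIN_ROLE},
         "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:Disable*",
                    "kms:Put*", "kms:ScheduleKeyDeletion"],
         "Resource": "*"},
        {"Sid": "AllowKeyUse", "Effect": "Allow",
         "Principal": {"AWS": APP_ROLE},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
         "Resource": "*"},
    ],
}


def allowed_by_key_policy(policy, principal_arn, action):
    """True if some Allow statement names the principal and matches the action pattern."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        principals = stmt["Principal"].get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        if principal_arn not in principals:
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            return True
    return False


def principal_of(record):
    """Map a CloudTrail userIdentity to the policy principal: the issuing role for
    assumed-role sessions, otherwise the identity ARN itself."""
    ident = record["userIdentity"]
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn", ident.get("arn"))


def audit_key_usage(records, policy, key_arn):
    """Return (eventTime, principal, action, reason) for calls on key_arn worth reviewing."""
    findings = []
    for r in records:
        if r.get("eventSource") != "kms.amazonaws.com":
            continue
        if not any(res.get("ARN") == key_arn for res in r.get("resources", [])):
            continue
        action = "kms:" + r["eventName"]
        principal = principal_of(r)
        if r.get("errorCode"):
            findings.append((r["eventTime"], principal, action, "call was denied: " + r["errorCode"]))
        elif not allowed_by_key_policy(policy, principal, action):
            findings.append((r["eventTime"], principal, action,
                             "succeeded, but the key policy does not grant this action to this principal"))
    return findings


def _assumed_role(role_arn, session):
    name = role_arn.rsplit("/", 1)[1]
    return {"type": "AssumedRole",
            "arn": f"arn:aws:sts::111122223333:assumed-role/{name}/{session}",
            "sessionContext": {"sessionIssuer": {"arn": role_arn}}}


# Constructed CloudTrail records (trimmed to the fields the audit reads).
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "userIdentity": _assumed_role(APP_ROLE, "app-1"), "resources": [{"ARN": KEY_ARN}]},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": _assumed_role(APP_ROLE, "app-1"), "resources": [{"ARN": KEY_ARN}]},
    {"eventTime": "2024-05-01T10:10:00Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/analyst"},
     "resources": [{"ARN": KEY_ARN}]},
    {"eventTime": "2024-05-01T10:15:00Z", "eventSource": "kms.amazonaws.com", "eventName": "DisableKey",
     "userIdentity": _assumed_role("arn:aws:iam::111122223333:role/LegacyAdmin", "ops"),
     "resources": [{"ARN": KEY_ARN}]},
    {"eventTime": "2024-05-01T10:20:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": _assumed_role(APP_ROLE, "app-1"), "resources": []},
]

if __name__ == "__main__":
    for finding in audit_key_usage(SAMPLE_RECORDS, KEY_POLICY, KEY_ARN):
        print(*finding, sep=" | ")
```

Denied calls are reported because a principal probing a key it cannot use is itself a signal; successful calls outside the key policy are reported because, with the account-root statement omitted, nothing else should have been able to authorize them. If your key policy does delegate to IAM, the same audit has to consult the IAM policies as well before treating a successful call as unexpected.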
How AWS Key Management Service Works
This guide discusses data encryption and key management. It is highly recommended that you review the AWS Security Blog for a complete overview of how to use KMS and IAM together to enable independent security controls for encrypted data in S3.
You may explore the AWS Partner Network and Marketplace for professional cost-management consulting services.