While AWS provides a number of security options to help users safeguard their data, data encryption may be the most crucial. This key technology can protect critical customer data stored on various AWS solutions.
In this article we’ll take a look at the data encryption options available on AWS, including the server-side encryption methods available on the platform and AWS Key Management Service (KMS).
Data typically exists in one of two states: “at rest” or “in transit.” Data “at rest” is stored on a storage medium for later access, such as in an Amazon S3 bucket, while data “in transit” is in the process of being moved from one place to another, such as when an application reads it from its at-rest storage.
In both cases, if an unauthorized party gains access to your data and compromises it, the consequences can be irrevocable.
Depending on your application and data, AWS gives customers many options to encrypt their data, complementing their identity-, resource-, and network-based access controls. Many key AWS services support encryption of data at rest, including Amazon EBS, Amazon S3, Amazon RDS, Amazon Redshift, and AWS Lambda. AWS also provides in-transit encryption for services such as Amazon SQS, which can create encrypted message queues.
To further protect data, AWS also provides flexible encryption key management options, including the native AWS Key Management Service and full API support for users to integrate these encryption capabilities into their own applications or services. AWS KMS is tightly integrated with the services above.
Before implementing at-rest encryption, it’s important to understand how encryption works. The figure below gives a high-level view of the process: plaintext data and an encryption key are fed through an encryption algorithm, which produces the encrypted (ciphertext) form of the data.
There are two ways to go about encrypting data at rest on AWS: client-side encryption and server-side encryption.
There are three server-side encryption options available on AWS:
Whenever an S3 object is created or uploaded, the SSE-S3 option can be specified on demand. An Amazon S3 bucket policy can also be used to enforce SSE-S3 for all objects stored in the bucket.
Let's take a closer look at Server Side Encryption with AWS Key Management Service below.
AWS Key Management Service (KMS) is an AWS managed service that simplifies the creation and lifecycle management of the cryptographic keys used for data encryption. AWS KMS provides the tools to encrypt your at-rest data using AES-256 encryption, the industry standard.
Behind the scenes, AWS KMS uses hardware security modules (HSMs) to protect and validate keys. It is natively integrated with many AWS services to meet their data encryption requirements. AWS KMS also integrates with AWS CloudTrail, which logs the use of KMS keys for audit, regulatory, and compliance purposes.
To understand the main benefits of AWS KMS, it is important to understand some of the key concepts behind the encryption process.
Data keys are the encryption keys used to encrypt the data sets themselves, which can be very large. A data key is normally held in plaintext unless it is itself encrypted for additional protection.
Encrypting data is of no use if your encryption keys get stolen. Envelope encryption, as depicted below, is the process of encrypting the plaintext data with a plaintext data key and then encrypting that data key with a customer master key (CMK), producing an encrypted data key (hence the name “envelope”). The customer master key is also known as the “root key.”
AWS KMS helps customers protect encryption keys by storing and managing them securely in the AWS cloud. This includes creating data keys as well as encrypting and decrypting those data keys. When KMS generates a data key, the data key itself is not stored within KMS; it is returned to you for use outside AWS KMS, and the encrypted data key can be stored alongside the data it protects. The KMS key itself never leaves the KMS environment.
The “GenerateDataKey” API call can be used to create a data key in AWS KMS. As part of data key creation, AWS KMS also encrypts a copy of the data key and returns it, as illustrated below.
During the envelope encryption process, AWS KMS keys play the role of the customer master key (root key).
An AWS KMS key can be customer managed or AWS managed:
* In addition to these two key types, there are also AWS-owned keys: a collection of AWS KMS keys that AWS owns and manages and that reside within AWS KMS. However, they sit outside the user's AWS account, and the user cannot manage or interact with them. They also don’t count against the user’s AWS KMS key quota.
Server-side encryption with AWS Key Management Service provides a simple, secure and balanced option for many AWS customers, simplifying encryption tasks such as key generation and root key management. With AWS KMS, encryption and decryption take place transparently and independently of the application, so you don’t need to make any changes to your application.
Let's look at Amazon S3 as a use case for encryption. When an S3 bucket is created, you can specify SSE-KMS as the encryption key type and choose between an AWS managed key and your own KMS key.
Similarly, Amazon EFS lets users enable encryption of data at rest, with AWS KMS integration for the encryption keys, during and after the creation of a new file system.
AWS KMS is often the de facto choice for at-rest data encryption in many other application services on AWS. It helps customers create and manage KMS keys and track their usage in transactions as well as in audit logs via AWS CloudTrail. It is predominantly used to encrypt data keys themselves. As such, AWS KMS does not store or manage data keys, and customers need to use the AWS Encryption SDK to work with data keys.
Users who need to manage their own hardware security modules (HSMs) rather than relying on AWS-managed HSMs would need to use the custom key store (AWS CloudHSM) option rather than the standard AWS KMS option. AWS server-side encryption with KMS operations can also be invoked programmatically via the AWS KMS CLI and the AWS KMS API.
With AWS, customers can use both client-side and server-side encryption to protect their data. Server-side encryption is popular and supports three options, including customer managed and S3 managed options. However, the most convenient, and therefore most popular, server-side encryption option for many customers is AWS KMS, given its versatility and balanced approach.
For more protection for your AWS workloads, turn to NetApp Cloud Volumes ONTAP. While AWS KMS can help protect your data with encryption, Cloud Volumes ONTAP has a suite of security features to help protect your data beyond the native capabilities on AWS:
AWS provides data at rest encryption for various AWS services such as Amazon S3, Amazon EBS, Amazon RDS, Lambda and Amazon Elastic File System.
AWS provides both at-rest and in-transit data encryption options for customers to safeguard and protect their data. Various encryption options and modes are available, depending on the AWS application or service customers would like to use.
Server-side encryption with AWS Key Management Service is one of the most popular encryption options available on the AWS cloud. It takes the hassle of encryption key management off users' hands, so they can continue to focus on developing applications on the AWS cloud.