AWS Data Encryption: Protecting Your Data at Rest and in Transit

Data encryption is a fundamental security control for protecting sensitive information in AWS. For Australian businesses, particularly those in regulated industries, proper encryption implementation is both a security necessity and a compliance requirement.

Why Encryption Matters

Encryption provides protection when other controls fail:

Data Breaches: Encrypted data is useless without encryption keys
Compliance: Required by industry regulations, Privacy Act, and other frameworks
Defense in Depth: Additional layer beyond access controls
Customer Trust: Demonstrates commitment to data protection
Data Sovereignty: Helps ensure data remains within Australia

Encryption Fundamentals

Encryption at Rest

Protects stored data:

Hard drives and SSDs
Database tables
S3 objects
EBS volumes
Backups and snapshots

Encryption in Transit

Protects data in motion:

Between services
Between AWS and users
Between AWS and on-premises
Internal service communication

Key Management

Who controls the encryption keys:

AWS-managed keys
Customer-managed keys
Customer-provided keys
Hybrid approaches

AWS Key Management Service (KMS)

KMS is the foundation of encryption in AWS.

Key Types

AWS Managed Keys:

Created and managed by AWS
Free to use
Key rotation every 3 years (approximately)
Limited control
Named like aws/s3, aws/rds

Customer Managed Keys (CMKs):

You create and manage
Full control over key policies
Manual or automatic rotation
$1/month per key + usage fees
Audit in CloudTrail
Required for most compliance frameworks

AWS Owned Keys:

Used by AWS services
Not visible in your account
No control or visibility
Free

Customer Provided Keys:

You generate and provide
You manage lifecycle
Limited service support (S3, EBS)
Most control, most complexity

Customer Managed Keys Best Practices

1. Create CMKs for Sensitive Data

aws kms create-key \
  --description "Production database encryption key" \
  --origin AWS_KMS \
  --key-usage ENCRYPT_DECRYPT

2. Use Descriptive Aliases

aws kms create-alias \
  --alias-name alias/prod-database \
  --target-key-id <key-id>

3. Enable Key Rotation

aws kms enable-key-rotation \
  --key-id <key-id>

4. Implement Key Policies

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Enable IAM User Permissions",
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::123456789012:root"
    },
    "Action": "kms:*",
    "Resource": "*"
  }, {
    "Sid": "Allow services to use the key",
    "Effect": "Allow",
    "Principal": {
      "Service": [
        "rds.amazonaws.com",
        "ec2.amazonaws.com"
      ]
    },
    "Action": [
      "kms:Decrypt",
      "kms:DescribeKey",
      "kms:CreateGrant"
    ],
    "Resource": "*"
  }]
}

5. Monitor Key Usage

CloudTrail logs all KMS API calls
CloudWatch Alarms for unusual activity
Access Analyzer for permissions review

Encrypting AWS Services

S3 Encryption

Server-Side Encryption Options:

SSE-S3 (AES-256):

Managed by AWS
Free
Minimal configuration
Keys managed by S3

SSE-KMS (AWS KMS):

Customer managed keys
Audit trail in CloudTrail
Fine-grained access control
Additional costs

SSE-C (Customer-Provided):

You provide encryption key with each request
Maximum control
Complex to manage

Enable Default Encryption:

aws s3api put-bucket-encryption \
  --bucket my-bucket \
  --server-side-encryption-configuration '{
    "Rules": [{
      "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:ap-southeast-2:123456789012:key/12345678-1234-1234-1234-123456789012"
      },
      "BucketKeyEnabled": true
    }]
  }'

Client-Side Encryption: Encrypt data before uploading to S3:

AWS Encryption SDK
S3 Encryption Client
Maximum security
More complexity

Best Practices:

Enable default encryption on all buckets
Use SSE-KMS for sensitive data
Enable S3 Bucket Keys to reduce KMS costs
Block public access
Use bucket policies to enforce encryption
Enable versioning and MFA delete

EBS Encryption

Default Encryption: Enable for entire region:

aws ec2 enable-ebs-encryption-by-default \
  --region ap-southeast-2

Specify KMS Key:

aws ec2 modify-ebs-default-kms-key-id \
  --kms-key-id arn:aws:kms:ap-southeast-2:123456789012:key/12345678-1234-1234-1234-123456789012 \
  --region ap-southeast-2

Encrypt Existing Volume:

Create snapshot of unencrypted volume
Copy snapshot with encryption enabled
Create new volume from encrypted snapshot
Replace volume on instance

Best Practices:

Enable default EBS encryption
Use customer managed keys
Encrypt all volumes
Encrypt snapshots
Don’t share unencrypted snapshots

RDS Encryption

Enable at Creation:

aws rds create-db-instance \
  --db-instance-identifier mydb \
  --db-instance-class db.t3.micro \
  --engine mysql \
  --storage-encrypted \
  --kms-key-id arn:aws:kms:ap-southeast-2:123456789012:key/12345678-1234-1234-1234-123456789012 \
  --master-username admin \
  --master-user-password SecurePassword123!

Encrypting Existing Database: Cannot encrypt in place:

Create snapshot of unencrypted database
Copy snapshot with encryption enabled
Restore from encrypted snapshot
Update application connection strings

What Gets Encrypted:

Database storage
Automated backups
Snapshots
Read replicas

Best Practices:

Always enable encryption for new databases
Use customer managed keys
Encrypt backups
Encrypt snapshots before sharing
Enable SSL/TLS for connections

DynamoDB Encryption

Encryption at Rest: All DynamoDB tables are encrypted by default.

Choose KMS Key:

aws dynamodb create-table \
  --table-name MyTable \
  --attribute-definitions AttributeName=Id,AttributeType=S \
  --key-schema AttributeName=Id,KeyType=HASH \
  --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=arn:aws:kms:ap-southeast-2:123456789012:key/12345678-1234-1234-1234-123456789012 \
  --billing-mode PAY_PER_REQUEST

Encryption in Transit: Use HTTPS endpoints for all DynamoDB API calls.

Lambda Encryption

Environment Variables: Encrypted at rest with AWS managed key by default.

Use CMK:

aws lambda create-function \
  --function-name my-function \
  --runtime python3.11 \
  --handler index.handler \
  --kms-key-arn arn:aws:kms:ap-southeast-2:123456789012:key/12345678-1234-1234-1234-123456789012 \
  --environment Variables={DB_PASSWORD=encrypted_password} \
  --code S3Bucket=my-bucket,S3Key=function.zip

Best Practices:

Use customer managed keys for sensitive environment variables
Store secrets in Secrets Manager or Parameter Store
Encrypt data processed by function
Use VPC endpoints for KMS access

Secrets Manager and Parameter Store

AWS Secrets Manager:

aws secretsmanager create-secret \
  --name prod/database/password \
  --kms-key-id arn:aws:kms:ap-southeast-2:123456789012:key/12345678-1234-1234-1234-123456789012 \
  --secret-string '{"username":"admin","password":"SecurePass123!"}'

Systems Manager Parameter Store:

aws ssm put-parameter \
  --name /prod/database/password \
  --value "SecurePass123!" \
  --type SecureString \
  --key-id arn:aws:kms:ap-southeast-2:123456789012:key/12345678-1234-1234-1234-123456789012

When to Use Each:

Secrets Manager: Database credentials, API keys, automatic rotation
Parameter Store: Configuration values, less frequent rotation

Encryption in Transit

TLS/SSL Everywhere

Application Load Balancer:

aws elbv2 create-listener \
  --load-balancer-arn <alb-arn> \
  --protocol HTTPS \
  --port 443 \
  --certificates CertificateArn=<acm-cert-arn> \
  --default-actions Type=forward,TargetGroupArn=<tg-arn> \
  --ssl-policy ELBSecurityPolicy-TLS-1-2-2017-01

CloudFront:

Enforce HTTPS viewer protocol
Use custom SSL certificate from ACM
Select modern SSL protocol (TLSv1.2 minimum)

API Gateway:

All API Gateway endpoints use HTTPS
Configure custom domains with ACM certificates

RDS/DynamoDB/S3:

Use SSL/TLS endpoints
Enforce in application code
Validate certificates

AWS Certificate Manager (ACM)

Request Certificate:

aws acm request-certificate \
  --domain-name example.com.au \
  --subject-alternative-names www.example.com.au \
  --validation-method DNS \
  --region ap-southeast-2

Best Practices:

Use ACM for managing certificates
Enable automatic renewal
Use DNS validation
Monitor certificate expiration
Use wildcard certificates where appropriate

VPN and Direct Connect

Site-to-Site VPN:

Automatic IPsec encryption
AES-256-GCM encryption
Perfect Forward Secrecy

Direct Connect:

Not encrypted by default
Use MACsec for layer 2 encryption
Or run VPN over Direct Connect
Or encrypt at application layer

Service-to-Service Communication

VPC Endpoints:

Traffic stays on AWS network
Use PrivateLink for encryption

TLS for Internal Communication: Even within VPC, use TLS for sensitive data:

Microservices communication
Database connections
API calls

Compliance and Encryption

industry regulations

Requirements:

Encryption of sensitive data at rest
Encryption of data in transit
Secure key management
Regular access reviews

Privacy Act (Australian)

Requirements:

Reasonable steps to protect personal information
Encryption as reasonable security measure
Breach notification (encryption may exempt)

Industry Standards

PCI DSS:

Encrypt cardholder data at rest
Encrypt transmission of cardholder data
Use strong cryptography

HIPAA:

Encryption of ePHI at rest (addressable)
Encryption of ePHI in transit (addressable)
Documented encryption processes

Key Management Best Practices

Separation of Duties

Key Administrators: Manage keys
Key Users: Use keys for encryption/decryption
Auditors: Review key usage

Different IAM roles for each.

Key Lifecycle

Creation: Document purpose and owners
Distribution: Grant access via key policies
Usage: Monitor with CloudTrail
Rotation: Annual rotation of CMKs
Retirement: Disable, then schedule deletion
Deletion: 7-30 day waiting period

Backup and Recovery

KMS keys are backed up automatically
Document key IDs and aliases
Test decryption regularly
Have process for key recovery
Consider multi-region keys for DR

Monitoring and Auditing

CloudTrail Monitoring:

kms:Decrypt calls
kms:Encrypt calls
kms:ScheduleKeyDeletion
kms:DisableKey
Failed decrypt attempts

CloudWatch Alarms:

{
  "source": ["aws.kms"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventName": ["ScheduleKeyDeletion", "DisableKey"]
  }
}

Common Encryption Mistakes

Using AWS managed keys for sensitive data: Use CMKs instead
Not enabling default encryption: Enable on all services
Forgetting encryption in transit: TLS everywhere
Overly permissive key policies: Least privilege for keys too
No key rotation: Enable automatic rotation
Not monitoring key usage: CloudTrail is essential
Sharing unencrypted snapshots: Always encrypt before sharing
Hardcoded encryption keys: Use KMS, Secrets Manager

Cost Optimisation

Encryption costs:

KMS CMKs: $1/month per key
KMS API calls: $0.03 per 10,000 requests
S3 Bucket Keys: Reduce KMS costs by 99%
Secrets Manager: $0.40/month per secret + API calls
Parameter Store: Free for standard parameters

Optimisation tips:

Use S3 Bucket Keys
Cache decrypted data appropriately
Consolidate secrets
Use Parameter Store for non-rotated values
Monitor KMS usage with Cost Explorer

Implementation Checklist

Conclusion

Encryption is a critical security control that protects your data when other defenses fail. For Australian businesses, particularly those subject to Privacy Act, or industry regulations, comprehensive encryption is both a security necessity and a compliance requirement.

By encrypting data at rest and in transit, properly managing encryption keys with KMS, and following best practices, you significantly reduce your risk of data breaches and demonstrate your commitment to protecting sensitive information.

CloudPoint can assess your current encryption posture, implement comprehensive encryption strategies, and ensure compliance with Australian regulatory requirements. Contact us for an encryption security review.

Need Help with AWS Data Security?

CloudPoint’s security reviews assess your encryption and data protection practices against best practices and compliance requirements. Get in touch to discuss your security needs.

Learn more about our Security Review service →