Encryption and Key Management
Learn how AWS empowers cloud-native applications to securely encrypt data at rest and in transit using KMS and encryption best practices.
Data protection is as important in cloud-native applications as writing performant and reliable code. Securing that data is foundational, whether our application stores personal user data, financial transactions, or internal logs. Encryption ensures that data remains confidential and tamper-proof, even if unauthorized access occurs. In the AWS ecosystem, encryption is embedded deeply in services across computing, storage, and networking. However, as developers, we must actively configure and manage encryption and its associated keys to meet technical and compliance requirements.
Core encryption concepts in AWS
AWS supports both symmetric and asymmetric encryption:
Symmetric encryption: This method uses a single shared key to encrypt and decrypt the data. Anyone who has a copy of the key can encrypt and decrypt. The main challenge is securely sharing the key and preventing it from falling into the wrong hands.
Asymmetric encryption: Uses a pair of keys, a public key to encrypt data, and a separate private key to decrypt it. Anyone can encrypt the data with the public key, but only the authorized individual can decrypt it using the private key.
Encryption is also categorised based on the state of the encrypted data, whether it’s being stored or moved. Here’s a simple breakdown:
Encryption at rest: This refers to protecting data that is not moving on the client or server side, such as data stored on a hard drive, in a database, in an S3 bucket, or on a backup tape.
Encryption in transit: This refers to protecting the data while it is actively moving from one place to another, such as across the internet or between different services within your network. We use HTTPS with an SSL/TLS certificate to secure the connection between the client and server.
AWS Key Management Service (KMS)
Encryption in AWS relies on the AWS Key Management Service (KMS). Instead of each service managing its encryption methods, AWS provides KMS as a centralized and secure service to create, store, and control access to the cryptographic keys that protect the data.
Note: AWS provides multi-Region keys to create replicas of a primary key across regions. These are especially useful in applications with cross-region data replication or geographically distributed users.
AWS KMS is designed to protect the keys by FIPS 140-2 Validated Hardware Security Modules (HSMs). All KMS keys are generated and stored within HSMs, which are specialized, tamper-resistant hardware devices certified under the U.S. government’s FIPS 140-2 standard. This provides a powerful guarantee that the plaintext key material can never leave the physical boundary of the HSM, not even to AWS employees. All cryptographic operations happen securely inside this hardened device, including encrypting or decrypting data.
Every key in KMS has a well-defined life cycle to further ensure that ...