Encryption and Key Management

Explore how encryption and key management safeguard data in AWS cloud-native applications. Understand symmetric and asymmetric encryption, AWS KMS key types, and encryption models like server-side and client-side encryption. Learn to configure encryption for AWS services, manage keys securely, and enable cross-account key access for comprehensive data protection.

Data protection is as important in cloud-native applications as writing performant and reliable code. Securing that data is foundational, whether our application stores personal user data, financial transactions, or internal logs. Encryption ensures that data remains confidential (and, with authenticated modes such as AES-GCM, tamper-evident) even if an unauthorized party obtains a copy of it. In the AWS ecosystem, encryption is embedded deeply in services across computing, storage, and networking. However, as developers, we must actively configure and manage encryption and its associated keys to meet technical and compliance requirements.

Core encryption concepts in AWS

AWS supports both symmetric and asymmetric encryption:

  • Symmetric encryption: This method uses a single shared key to both encrypt and decrypt the data. Anyone who holds a copy of the key can encrypt and decrypt. The main challenge is distributing the key securely and preventing it from falling into the wrong hands.

  • Asymmetric encryption: This method uses a pair of mathematically related keys: a public key to encrypt data and a separate private key to decrypt it. Anyone can encrypt data with the public key, but only the holder of the private key can decrypt it.
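To make the two models concrete, here is an added example (not code from the original course) that combines them the way cloud key services do: AES-256-GCM (symmetric) encrypts the payload under a fresh, random data key, and that data key is then wrapped with an RSA-OAEP public key (asymmetric). Only the wrapped data key and the sealed payload travel; the private key stays with the recipient. The `Envelope` type, the function names, and the sample payload and associated data (`order-42`) are assumptions made for this illustration; the "envelope encryption" pattern itself is what AWS KMS data keys implement, but nothing here calls AWS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// SymmetricEncrypt seals plaintext with AES-256-GCM under a 32-byte key.
// Output layout is nonce || ciphertext || tag. aad is bound to the ciphertext
// but not encrypted, so any change to it is detected at decrypt time.
func SymmetricEncrypt(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// SymmetricDecrypt reverses SymmetricEncrypt; it fails if the key, the
// ciphertext, the tag, or the aad differ from what was used to seal.
func SymmetricDecrypt(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Envelope is the assumed wire format: the data key wrapped with the
// recipient's public key, plus the payload sealed with that data key.
type Envelope struct {
	WrappedKey []byte
	Sealed     []byte
}

// GenerateRecipientKey creates the recipient's RSA key pair (2048-bit, for the demo).
func GenerateRecipientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EnvelopeEncrypt generates a one-time 256-bit data key, seals the payload
// with it, and wraps the data key with RSA-OAEP (SHA-256) for the recipient.
func EnvelopeEncrypt(pub *rsa.PublicKey, plaintext, aad []byte) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, err
	}
	sealed, err := SymmetricEncrypt(dataKey, plaintext, aad)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Sealed: sealed}, nil
}

// EnvelopeDecrypt unwraps the data key with the private key, then opens the payload.
func EnvelopeDecrypt(priv *rsa.PrivateKey, env *Envelope, aad []byte) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return SymmetricDecrypt(dataKey, env.Sealed, aad)
}

func main() {
	priv, _ := GenerateRecipientKey()
	aad := []byte("order-42") // constructed context value bound to this record
	env, _ := EnvelopeEncrypt(&priv.PublicKey, []byte("constructed sample payload"), aad)
	pt, err := EnvelopeDecrypt(priv, env, aad)
	fmt.Printf("decrypted: %q (err=%v)\n", pt, err)
	env.Sealed[len(env.Sealed)-1] ^= 1 // flip one bit of the GCM tag
	_, err = EnvelopeDecrypt(priv, env, aad)
	fmt.Println("after tampering:", err)
}
```

The split matters for two reasons: RSA can only encrypt a few hundred bytes per operation, so the bulk data must go through a symmetric cipher; and because every object gets its own random data key, the 96-bit random GCM nonce is never reused under the same key. Binding a context value through `aad` means a ciphertext copied from one record to another fails to open, which is the same idea as an encryption context in a managed key service.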

Encryption is also categorised based on the state of the encrypted data, whether it’s being stored or moved. Here’s a simple breakdown:

  • Encryption at rest: This refers to protecting data that is not moving, whether on the client or server side, such as data stored on a disk, in a database, in an S3 bucket, or on a backup tape.

  • Encryption in transit: This refers to protecting data while it is actively moving from one place to another, such as across the internet or between different services within your network. We use HTTPS, backed by an SSL/TLS certificate, to secure the connection between the client and server. ...
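An HTTPS connection only protects data in transit if the client actually verifies the server's certificate against a trust anchor it chose and refuses obsolete protocol versions. The following added example (not from the original course) shows that client-side check in Go: an in-memory HTTPS server with a self-signed certificate generated by `httptest` (a test certificate, not a real CA), a client that trusts only an explicit certificate pool and requires TLS 1.2 or newer, and the failure you get when the certificate is not trusted. Function names and the `ok` response body are assumptions for the illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// StartTLSServer runs a loopback HTTPS server with a self-signed test
// certificate supplied by httptest; it stands in for any service endpoint.
func StartTLSServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "ok")
	}))
}

// PoolTrusting returns a certificate pool containing only the server's own
// certificate, so the client trusts exactly this endpoint and nothing else.
func PoolTrusting(srv *httptest.Server) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	return pool
}

// FetchWithPool performs a GET with a client that verifies the server
// certificate against pool (nil means the system roots) and refuses any
// TLS version below 1.2. Certificate verification is left enabled; turning it
// off (InsecureSkipVerify) would remove the protection in-transit encryption exists for.
func FetchWithPool(url string, pool *x509.CertPool) (string, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		RootCAs:    pool,
		MinVersion: tls.VersionTLS12,
	}}}
	resp, err := client.Get(url)
	if err != nil {
		return "", err // includes "certificate signed by unknown authority" cases
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	srv := StartTLSServer()
	defer srv.Close()
	_, err := FetchWithPool(srv.URL, nil) // system roots do not know the test cert
	fmt.Println("untrusted certificate:", err)
	body, err := FetchWithPool(srv.URL, PoolTrusting(srv))
	fmt.Printf("trusted certificate: body=%q err=%v\n", body, err)
}
```

In a real deployment the pool is the public or private CA that issued the service's certificate rather than the leaf certificate itself; the point of the example is that the client, not the server, decides what it trusts, and that a rejected certificate surfaces as a connection error rather than a silently unprotected session.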

AWS Key Management Service (KMS)