AWS Encryption: Encrypting data at rest vs data in transit

Data at Rest vs Data in Transit

This section explains the distinction between data at rest and data in transit. Data that resides in, or is brought into, your AWS account must be protected at all times, so AWS services provide the ability to encrypt data both at rest and in transit.

AWS services support two encryption models: server-side encryption, where the service encrypts the data using AWS KMS keys that AWS manages on your behalf, and client-side encryption, where the client encrypts the data before sending it, using a method of its choice, including AWS KMS keys.

Data at rest is data that is kept in storage; it can be encrypted using AWS KMS keys. Data in transit is protected instead with a protocol such as Transport Layer Security (TLS). All AWS service endpoints support TLS, so API requests can be made over a secure HTTPS connection.

Using services like AWS KMS, AWS CloudHSM, and AWS ACM, customers can implement a comprehensive data at rest and data in transit encryption strategy across their AWS account.

Encryption at rest covers data stored on disks in Amazon SNS data centers. You can protect data at rest by having Amazon SNS encrypt your messages before saving them to disk in its data centers and decrypt them when the messages are received.

  • Server-side encryption (SSE) lets you store sensitive data in encrypted topics by using AWS KMS keys.
  • SSE encrypts the body of a message in an Amazon SNS topic.

Example of an identity policy that grants a user the AWS KMS permissions (on the topic's key) and the Amazon SNS permission needed to publish a message to a topic with SSE enabled:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "kms:GenerateDataKey",
      "kms:Decrypt"
    ],
    "Resource": "arn:aws:kms:us-east-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
  }, {
    "Effect": "Allow",
    "Action": [
      "sns:Publish"
    ],
    "Resource": "arn:aws:sns:*:123456789012:MyTopic"
  }]
}
To enable server-side encryption (SSE) for an Amazon SNS topic using the AWS Management Console:

  • Sign in to the Amazon SNS console. On the navigation panel, choose Topics.
  • Open the Encryption section, choose Enable encryption, and specify the AWS KMS key.
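The two things a practitioner wants to verify after following the steps above are that the topic really has a KMS key attached and that the publisher's policy grants the KMS actions SSE requires, since a publisher with only sns:Publish is refused by KMS once encryption is enabled. The following Python is an added example, not code from the original article or from AWS: it evaluates the article's policy shape against constructed sample data (a topic-attributes dictionary in the shape of the GetTopicAttributes output, and two constructed policies) with a simplified IAM matcher that handles Allow, Deny and wildcards but not conditions, key policies or resource policies.

```python
"""Audit helpers for Amazon SNS server-side encryption (SSE).

Added example (not from the original article). It checks:
  1. the topic has a KMS key attached (the KmsMasterKeyId attribute that
     enabling encryption in the console sets), and
  2. a publisher's identity policy grants kms:GenerateDataKey and
     kms:Decrypt on that key, plus sns:Publish on the topic.
All topic attributes and policies below are constructed sample data.
"""
from fnmatch import fnmatchcase

# Actions a principal needs in order to publish to an SSE-enabled topic.
REQUIRED_KMS_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt")
REQUIRED_SNS_ACTIONS = ("sns:Publish",)


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM-style wildcard match ('*' and '?'); compared case-insensitively.
    Simplification: real IAM evaluation is case-sensitive for parts of an ARN."""
    return fnmatchcase(value.lower(), pattern.lower())


def _allowed(policy, action, resource):
    """True if an Allow statement covers (action, resource) and no Deny does."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        action_hit = any(_matches(a, action) for a in _as_list(stmt.get("Action")))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt.get("Resource")))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # an explicit Deny always wins
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def sse_key_arn(topic_attributes):
    """Return the KMS key configured on the topic, or None if SSE is off.
    SNS accepts a key ID, alias or ARN here; the sample uses an ARN."""
    return topic_attributes.get("KmsMasterKeyId") or None


def missing_publish_permissions(policy, topic_arn, key_arn):
    """List the actions the policy fails to grant for publishing to an SSE topic."""
    missing = [a for a in REQUIRED_SNS_ACTIONS if not _allowed(policy, a, topic_arn)]
    missing += [a for a in REQUIRED_KMS_ACTIONS if not _allowed(policy, a, key_arn)]
    return missing


# --- constructed sample data (not from a real account) ---------------------
TOPIC_ARN = "arn:aws:sns:us-east-2:123456789012:MyTopic"
KEY_ARN = "arn:aws:kms:us-east-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"

SAMPLE_TOPIC_ATTRIBUTES = {  # shape of the GetTopicAttributes response
    "TopicArn": TOPIC_ARN,
    "KmsMasterKeyId": KEY_ARN,
}

# Publisher policy that grants only sns:Publish: publishing to an SSE topic
# is refused because the KMS actions are absent.
PUBLISH_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sns:Publish", "Resource": TOPIC_ARN}],
}

# Policy with the KMS grants added, mirroring the article's example.
COMPLETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": KEY_ARN},
        {"Effect": "Allow", "Action": ["sns:Publish"], "Resource": TOPIC_ARN},
    ],
}

if __name__ == "__main__":
    key = sse_key_arn(SAMPLE_TOPIC_ATTRIBUTES)
    print("SSE enabled:", key is not None)
    print("missing (publish-only):", missing_publish_permissions(PUBLISH_ONLY_POLICY, TOPIC_ARN, key))
    print("missing (complete):", missing_publish_permissions(COMPLETE_POLICY, TOPIC_ARN, key))
```

In practice you would feed `sse_key_arn` the attributes returned by `aws sns get-topic-attributes` and `missing_publish_permissions` the publisher's attached policy document; an empty list from the latter means the policy shape matches the article's example, while a non-empty list names exactly which grant to add.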