How to Encrypt Data at Rest and in Transit on AWS

Want to protect your sensitive data on AWS? Encryption is your best defence. Whether it's data stored in Amazon S3 or transmitted across networks, encryption ensures your information stays secure and unreadable to unauthorised parties. Here's a quick breakdown:

• Data at Rest: AWS automatically encrypts stored data in services like S3 and RDS. Options include Amazon-managed keys (SSE-S3), customer-managed keys (SSE-KMS), or self-managed keys (SSE-C).
• Data in Transit: AWS enforces TLS encryption for secure communication. Use HTTPS with bucket policies, secure CloudFront distributions, and SSL for database connections.
• Key Management: AWS Key Management Service (KMS) simplifies encryption key management. Choose from customer-managed keys for full control, AWS-managed keys for simplicity, or AWS-owned keys for hands-off security.

Quick Tip: Regularly monitor and audit your encrypted resources with AWS CloudTrail and Config. This ensures compliance and helps you detect potential issues.

Encryption isn't just about security - it's about building trust and meeting regulatory requirements like GDPR. Follow this guide to secure your data and focus on growing your business with confidence.

DATA Encryption at Rest and in Transit - AWS S3

Understanding Data Encryption on AWS

Data encryption transforms plain, readable information into an unintelligible format using complex mathematical algorithms. Without the right decryption key, this data is essentially useless to unauthorised users. AWS incorporates encryption as an extra layer of security alongside identity controls and network protections. Every AWS service that interacts with customer data comes with encryption features, ensuring that sensitive information remains safeguarded. This encryption framework underpins how AWS secures data both at rest and in transit.

Data at Rest vs Data in Transit

Grasping the distinction between these two encryption types is essential for small and medium-sized businesses (SMBs) aiming to create a robust security plan. Data at rest refers to information stored on systems like databases, hard drives, or cloud storage solutions - for instance, data saved in Amazon S3. While this data isn't actively moving, it still requires stringent protection.

On the other hand, data in transit pertains to information being transmitted across networks, such as emails, file transfers, or database queries. Since data in transit often travels through unsecured networks, it is at a higher risk of interception. Protecting sensitive information during both storage and transmission is crucial, especially as cyber threats continue to evolve. With this foundation in place, let’s delve into how AWS handles encryption key management.

Key Management in AWS

The AWS Key Management Service (KMS) plays a central role in managing the encryption keys that secure your data. This service forms part of AWS's multi-layered encryption strategy. These cryptographic keys essentially act as the locks and keys for your encrypted data, ensuring that only authorised access is possible. AWS KMS is responsible for generating, storing, and managing these keys, offering a high level of security.

One of the standout features of AWS KMS is that your encryption keys never leave the service unencrypted. Even AWS employees cannot access your plaintext keys.

AWS provides three types of encryption keys to cater to different business needs and control requirements:

Customer managed keys provide the highest level of control, allowing you to define access policies, set rotation schedules, and oversee the entire key lifecycle. AWS managed keys, meanwhile, offer a balance between simplicity and security. AWS handles the technical aspects of key management, while you can still monitor key usage through AWS CloudTrail. For businesses seeking to minimise management efforts, AWS owned keys deliver strong encryption without requiring any direct involvement.

Key management is a cornerstone of AWS's shared responsibility model. While AWS ensures the security of the infrastructure and the key management service, you are responsible for defining how the keys are used. This includes configuring Identity and Access Management (IAM) policies and monitoring key access through tools like AWS CloudTrail. Such monitoring provides critical audit capabilities, allowing you to track who accessed specific keys, which resources were involved, and when. This information is invaluable for compliance reporting and investigating potential security incidents.

Encrypting Data at Rest on AWS

Securing your stored data is a critical step in protecting your business information. AWS simplifies this process by automatically encrypting uploads to Amazon S3. However, understanding the available options ensures you can tailor encryption to meet your specific needs.

Encrypting Data in Amazon S3

Amazon S3 automatically applies server-side encryption with Amazon S3 managed keys (SSE-S3) to all new object uploads. This default setting provides basic protection without requiring any extra configuration. However, depending on your compliance or operational needs, you may want to explore other encryption methods.

• SSE-S3: This is the easiest option. Each object gets a unique encryption key, and AWS manages the keys using the AES-256 algorithm.
• SSE-KMS: For those needing more control, this integrates with AWS Key Management Service (KMS), enabling you to define access policies and monitor key usage.
• SSE-C: The most hands-on approach, where you provide and manage your own encryption keys.

If you want to adjust the default encryption for a specific bucket, go to the S3 console, select the bucket, and update the encryption settings under the Properties tab. Options include SSE-KMS or dual-layer encryption with AWS KMS keys (DSSE-KMS) for extra security.

For existing unencrypted objects, use S3 Batch Operations along with S3 Inventory to encrypt them efficiently. This is particularly useful for small and medium-sized businesses (SMBs) migrating older data to encrypted storage.

To enforce encryption for all uploads to a bucket, you can implement a bucket policy requiring server-side encryption. This ensures no unencrypted data is accidentally uploaded.

Next, let’s look at how to secure databases with encryption in Amazon RDS.

Setting Up Encryption for Amazon RDS

When creating a database instance in Amazon RDS, you must enable encryption at the start - it cannot be added to an unencrypted database later. Proper planning is essential here.

Amazon RDS encryption uses the AES-256 algorithm to secure your database, along with automated backups, read replicas, and snapshots. The encryption also extends to the underlying Amazon EBS volumes where your data resides.

"When you create an encrypted database instance with Amazon RDS, Amazon RDS creates an encrypted Amazon EBS volume on your behalf to store the database. Data stored at rest on the volume, database snapshots, automated backups, and read replicas are all encrypted under the KMS key that you specified when you created the database instance."

When setting up an encrypted RDS instance, you’ll need to select a KMS key - either AWS managed or customer managed - at the time of creation. This choice cannot be changed later, so ensure the correct permissions are in place for customer-managed keys.

Important Note: If access to your KMS key is lost or the key is disabled, the database becomes inaccessible for seven days before being permanently unusable. Regular backups are critical to avoid data loss.

To enable encryption, select the "Enable encryption" option in the RDS console during database setup or use the AWS CLI with the --storage-encrypted parameter. Specify your KMS key either from the dropdown menu or by entering the key ARN in the CLI command.

Encryption for Other AWS Services

AWS provides encryption capabilities across many services, making it easier to secure your entire infrastructure. Here’s a quick overview of how encryption works in some key services commonly used by SMBs:

• Amazon EBS: Encrypt volumes during creation or by creating encrypted snapshots of existing volumes. EBS encryption uses your default KMS key unless you specify another, and it operates transparently without affecting performance for most workloads.
• Amazon DynamoDB: By default, DynamoDB encrypts data at rest using AWS-owned keys. You can upgrade to AWS-managed or customer-managed keys for greater control. Encryption covers tables, indexes, streams, and backups.
• Amazon FSx: Both Windows File Server and Lustre file systems support encryption at rest, integrating seamlessly into existing workflows.

For SMBs in the UK, these encryption features support GDPR compliance requirements. AWS offers over 500 security and compliance tools, including AWS CloudTrail for auditing and Amazon Macie for sensitive data discovery. These encryption methods align with industry standards, ensuring a strong defence for your data.

The real advantage for SMBs is that AWS handles the technical complexities of encryption while allowing you to retain control over data location and access policies. This lets you focus on running your business while maintaining robust security.

Encrypting Data in Transit on AWS

Securing your data as it moves between your systems and AWS services is just as important as protecting it when stored. AWS enforces the use of TLS version 1.2 or higher for all service API endpoints.

Using HTTPS/TLS for Secure Communication

TLS encryption through HTTPS ensures data in transit is protected from eavesdropping and tampering. Configuring HTTPS enforcement across your AWS setup requires adjustments tailored to each service.

For Amazon S3, you can enforce HTTPS-only access by using bucket policies. The recommended approach is to apply the aws:SecureTransport condition. This setting blocks any requests that aren't encrypted. To implement it, include a bucket policy with a Deny effect for non-encrypted requests using the aws:SecureTransport condition [38, 42].

Amazon CloudFront adds another layer of protection, ensuring encrypted access to your S3 objects. You can configure CloudFront distributions to automatically redirect HTTP requests to HTTPS or reject them entirely by modifying the Viewer Protocol Policy setting. CloudFront also manages older TLS versions for connections between your distribution and S3. If you’re using custom domain names, CloudFront supports custom SSL certificates, providing a secure interface for your applications. Once the setup is complete, update your DNS records to direct traffic to the CloudFront distribution domain.

S3 Access Points allow you to set specific encryption requirements for different access scenarios, offering more granular control.

After securing HTTPS for web assets, the next step is to safeguard database communications.

Setting Up Encryption for RDS in Transit

Database connections often handle sensitive information, making encryption essential. When you create an Amazon RDS instance, AWS automatically generates an SSL certificate. This certificate uses the database endpoint as the Common Name, helping to prevent spoofing attacks.

To enforce SSL, adjust the custom parameter or option group settings for your database engine. For example, in PostgreSQL, set rds.force_ssl to 1 (on). Ensure your database clients reference the correct certificate bundle. Keep these certificates updated as part of your key management practices.

The process involves downloading the appropriate certificate bundle for your AWS Region from AWS Trust Services [43, 44]. Configure your database client to use this certificate for connections, and update your application's trust store to include the new CA certificates. Test the SSL/TLS connection to confirm it works before deploying to production. If you’re using Amazon RDS Proxy, it uses certificates from AWS Certificate Manager, which might eliminate the need to download RDS certificates.

Beyond databases, securing large-scale file transfers is another key consideration.

Encrypting File Shares and DataSync Transfers

For businesses managing large file transfers or synchronisation tasks, AWS DataSync uses TLS 1.3 to encrypt network traffic during data transfers. DataSync supports various storage systems, including NFS, SMB, HDFS, and object storage, and integrates with AWS solutions such as Amazon S3, Amazon EFS, and Amazon FSx.

When setting up storage locations, choose the highest available security level, like SSE-S3 or SSE-KMS encryption.

Some organisations have already leveraged DataSync for significant migrations. For example, the London Stock Exchange Group transferred 30 PB of market data using the service, while Globe Telecom moved 7.2 PB of Hadoop data.

To maximise performance, schedule transfers during off-peak hours and consider deploying multiple DataSync agents to boost throughput. DataSync also works with Amazon CloudWatch for monitoring and supports VPC endpoints, allowing transfers without using the public internet [50, 51]. Pricing is based on the volume of data transferred, calculated per GB, helping you plan costs effectively.

These practices round out the measures needed to secure data in transit across your AWS environment.

Best Practices for SMBs

To make the most of AWS encryption features, small and medium-sized businesses (SMBs) should follow these practices to secure their environment and keep operations efficient.

Key Rotation and Access Management

For complete control over your encryption keys, use customer managed keys (CMKs) and stick to the principle of least privilege. Avoid assigning broad permissions like kms:* in IAM or key policies, as this grants both administrative and usage rights to the same individual or role. Instead, separate the roles of those who manage keys from those who use them.

Regular key rotation is critical for reducing risk. While AWS automatically rotates AWS-managed keys annually, customer managed keys require manual scheduling. To add an extra layer of security, enable multi-factor authentication (MFA) for key deletion and restrict who can schedule such deletions.

If your business operates across multiple AWS Regions, consider multi-region keys to meet compliance or disaster recovery needs. However, only allow these keys to be replicated into the necessary Regions and ensure permissions are granted sparingly.

Service control policies (SCPs) in AWS Organizations can block unauthorised users or roles from deleting KMS keys. Alongside key management, keep an eye on encrypted resources to ensure everything remains secure.

Monitoring and Auditing Encrypted Resources

Monitoring encryption ensures it stays effective and aligns with compliance requirements. AWS CloudTrail logs all API calls, providing a complete audit trail.

Set up a multi-region trail to track events across all AWS Regions and enable log file integrity validation to ensure the logs haven’t been tampered with. While CloudTrail shows who made changes and when, AWS Config offers insights into what has changed.

AWS Config also supports rules to enforce encryption settings. For example, you can create rules specifying correct encryption configurations and receive alerts via SNS if these rules are violated. This complements the activity tracking provided by CloudTrail.

For real-time alerts, integrate CloudTrail with Amazon CloudWatch Logs. This setup can notify you immediately about events like unauthorised attempts to use keys or changes to policies. AWS Security Hub adds another layer of monitoring by checking resource configurations against security standards.

Store your CloudTrail logs in S3 buckets with server-side encryption using AWS KMS managed keys. Apply least privilege access to these buckets and enable MFA delete to prevent unauthorised deletions. To manage costs, configure lifecycle policies for these buckets to balance audit needs with storage expenses.

Once your encryption setup is secure, take steps to manage costs effectively.

Cost Management and Optimisation Tips

AWS KMS charges approximately £0.80 per month per customer managed key (billed hourly), with each of the first two key rotations adding another £0.80 monthly. Additionally, AWS provides 20,000 free requests per month across all Regions, with usage fees applying beyond that.

To cut costs, enable S3 Bucket Keys for buckets with high request volumes. This feature can reduce AWS KMS expenses by up to 99%. Data key caching with the AWS Encryption SDK can also improve application performance while lowering KMS costs.

Choose the appropriate key type for your needs:

• AWS owned keys: Free and ideal for convenience.
• AWS managed keys: No cost for the key itself, but usage fees apply.
• Customer managed keys: Best for scenarios requiring full control over the key lifecycle.

To save on compute costs, consider Reserved Instances or Savings Plans, which can reduce expenses by up to 75% and 72%, respectively. EC2 Spot Instances are another option, offering up to 90% savings for suitable workloads.

Leverage AWS Cost Explorer for regular cost reviews to identify savings opportunities. The Flexera 2022 State of the Cloud Report revealed that 32% of cloud spending is often wasted. Tagging resources can help you better analyse costs and determine which encryption strategies offer the best value.

Finally, clean up unused resources systematically. Enable "Delete on termination" for unattached EBS volumes when launching instances. Periodically remove unused EBS snapshots and volumes to avoid unnecessary charges. For infrequently accessed encrypted data, consider moving it to lower-cost storage tiers like S3 Intelligent-Tiering.

For more tips on managing AWS costs, check out the blog AWS Optimization Tips, Costs & Best Practices for Small and Medium sized business.

Conclusion

Encrypting data at rest and in transit on AWS provides small and medium-sized businesses (SMBs) with a solid foundation for securing their operations. By implementing the steps covered in this guide - such as enabling Amazon S3 server-side encryption, activating Amazon RDS encryption, and configuring HTTPS/TLS for secure communications - SMBs can establish strong data protection measures that enhance their overall security framework.

Encryption plays a key role in a layered security approach, shielding sensitive information from unauthorised access while supporting compliance with regulatory standards and industry guidelines. For SMBs dealing with sensitive customer data or operating in regulated sectors, encryption highlights a clear commitment to safeguarding information within various compliance frameworks.

AWS simplifies the encryption process with tools like AWS Key Management Service (KMS), offering powerful protection. When combined with thoughtful cost and key management strategies, SMBs can maintain both security and compliance. As Amazon.com CTO Werner Vogels aptly advises:

"Encrypt everything".

Cost efficiency can also be achieved with careful planning - leveraging options like S3 Bucket Keys and Reserved Instances helps optimise expenses without compromising security.

To strengthen your security, consider a comprehensive approach that includes effective key management and continuous monitoring. Classify your data based on its sensitivity and compliance needs, and apply encryption across multiple layers to build a robust defence strategy.

Regularly updating your security practices ensures your encryption efforts stay effective against evolving threats. With the right implementation and ongoing management, encryption becomes more than just a security measure - it’s a competitive edge that fosters customer trust and supports business growth.

Start by prioritising your most sensitive data and gradually expand encryption to cover all critical areas. The time and resources invested in encryption yield significant returns through enhanced security, regulatory compliance, and the reassurance of knowing your business data is protected, whether at rest or in transit.

For more tips on cost management, cloud security, and tailored best practices for SMBs, visit AWS Optimization Tips, Costs & Best Practices for Small and Medium Sized Businesses.

FAQs

What are the differences between AWS-managed, customer-managed, and AWS-owned keys, and how do I decide which is best for my business?

AWS-Managed Keys vs Customer-Managed Keys vs AWS-Owned Keys

AWS-managed keys are an easy-to-use option provided by AWS. These keys are automatically created and managed by AWS, making them perfect for general scenarios where simplicity is a priority.

Customer-managed keys (CMKs), however, put you in the driver’s seat. You have complete control over their policies, permissions, and lifecycle. This makes them a great fit for businesses handling sensitive data or needing to align with strict compliance requirements.

AWS-owned keys serve a completely different purpose. These are used internally by AWS for its own operations. Customers don’t have access to or control over these keys, so they’re not something you’ll directly interact with for your business needs.

When choosing between these options, think about the level of control and security your organisation requires. For basic needs, AWS-managed keys are usually enough. But if your focus is on advanced security or meeting compliance standards, customer-managed keys are the way to go. As for AWS-owned keys, they’re managed entirely by AWS, so there’s no action required on your part.

How can I ensure my data encryption on AWS complies with GDPR and other regulations?

To comply with GDPR and other regulations when encrypting data on AWS, it's essential to use services specifically designed for secure encryption and compliance. AWS Key Management Service (KMS) and CloudHSM offer scalable solutions for encrypting data both at rest and in transit, helping you meet legal requirements.

Make sure to use strong encryption protocols, such as AES-256, and establish robust key management policies to protect sensitive data. Regularly reviewing AWS's compliance resources, like the GDPR Center, is also a smart move to stay informed about best practices and ensure your configurations meet regulatory standards.

By leveraging these strategies alongside AWS's built-in security tools, small and medium-sized businesses can maintain a secure, regulation-compliant cloud environment while streamlining their operations.

What should I do if I lose access to my AWS KMS key or it becomes disabled, and how can I ensure data availability?

If you lose access to an AWS KMS key or it gets disabled, you have the option to re-enable it or cancel its scheduled deletion - provided you're still within the waiting period. Once the key is permanently deleted, any data encrypted with it becomes unrecoverable, so quick action is essential.

To prevent losing access to important data, it’s safer to disable keys instead of deleting them if there’s a chance you’ll need them later. You might also want to set up multi-region key replication or maintain backups for important data. These measures can help ensure your data remains accessible and secure, even if issues arise with a specific key.

Related posts

• Common AWS Storage Options: Which One Fits Your SMB?
• How to Choose Cost-Effective AWS Services
• How to Secure AWS Serverless Databases