
What are my options for data encryption in AWS?

We're not sure a public cloud is right for us, as we have high standards for data privacy. How does AWS encrypt data, and what key management options does it offer?

AWS provides 256-bit Advanced Encryption Standard (AES) encryption in Amazon Simple Storage Service (S3), but a variety of other AWS products also support encryption. When thinking about encryption in AWS, it is important to distinguish data in motion from data at rest.

Encryption of data in motion protects data during transmission, such as when an admin uploads data to S3, queries an Amazon Relational Database Service (RDS) database or shares data between nodes in an Elastic MapReduce cluster. With S3, bucket policies control this type of encryption; with RDS, instance configuration controls it. For example, an S3 bucket policy can refuse connections that arrive over unencrypted channels. Once an RDS instance is configured to use encryption, the DB instance storage, backups, read replicas and snapshots are all encrypted.


Data stored in S3, a relational database or another persistent data store should often be encrypted. Data held in encrypted form is said to be encrypted at rest. Cloud users have two options for encrypting data at rest: client-side encryption or server-side encryption. With client-side encryption, an administrator encrypts data before sending it to AWS, rather than having AWS handle the encryption. The admin manages the encryption keys and is the only party who can decrypt the data. For Amazon DynamoDB, AWS provides a Java library for client-side encryption; developers can also use their own encryption library.

With server-side encryption, users transmit unencrypted data to AWS, where it is then encrypted during the upload on the server side. AWS manages keys for server-side encryption, reducing the burden on users, but that means AWS has access to the keys that encrypt your data.
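The two bucket-policy controls mentioned above (refusing unencrypted connections for data in motion, and refusing uploads that do not request server-side encryption for data at rest) can be expressed in a single S3 bucket policy. The following is an added example, not code from the article or from AWS: it builds that policy and includes a deliberately simplified evaluator for just the two IAM condition operators the policy uses (`Bool` on `aws:SecureTransport` and `Null` on `s3:x-amz-server-side-encryption`). The bucket name is a placeholder, and the evaluator models only explicit Deny statements; it is not the real IAM engine, which also applies identity policies, implicit denies and many more operators.

```python
import fnmatch
import json

# Placeholder bucket name (constructed for this example, not from the article).
BUCKET = "example-bucket"


def encryption_bucket_policy(bucket):
    """Bucket policy with two Deny statements:
    1. deny every request that arrives over plain HTTP (aws:SecureTransport is false);
    2. deny PutObject unless the request carries the server-side-encryption header."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnencryptedTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {
                "Sid": "DenyUnencryptedObjectUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                # Null/true matches when the header is absent from the request.
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
        ],
    }


def _condition_matches(condition, context):
    """Simplified evaluation of the Bool and Null condition operators.
    `context` maps condition keys to the string values present on the request."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if operator == "Bool":
                actual = context.get(key)
                if actual is None or actual.lower() != expected.lower():
                    return False
            elif operator == "Null":
                key_is_absent = key not in context
                if key_is_absent != (expected.lower() == "true"):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled in this example")
    return True


def _matches_any(pattern, value):
    """Match an action or resource against a string or list of IAM wildcard patterns."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_denied(policy, action, resource, context):
    """Return True if any Deny statement in the policy matches the request.
    Simplified model: only explicit denies are considered."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not _matches_any(stmt["Action"], action):
            continue
        if not _matches_any(stmt["Resource"], resource):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    policy = encryption_bucket_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    obj = f"arn:aws:s3:::{BUCKET}/report.csv"
    # Plain-HTTP download: blocked by the transport statement.
    print(is_denied(policy, "s3:GetObject", obj, {"aws:SecureTransport": "false"}))
    # HTTPS upload without the SSE header: blocked by the upload statement.
    print(is_denied(policy, "s3:PutObject", obj, {"aws:SecureTransport": "true"}))
    # HTTPS upload requesting SSE with AES-256: not denied by this policy.
    print(is_denied(policy, "s3:PutObject", obj,
                    {"aws:SecureTransport": "true",
                     "s3:x-amz-server-side-encryption": "AES256"}))
```

The first statement covers every S3 action on the bucket and its objects, so it protects data in motion regardless of the operation; the second only gates uploads, because that is the point at which server-side encryption is requested. The `Null` operator is the idiomatic way to say "deny when the header is missing", which is stricter than checking the header's value alone.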

Enterprises that need server-side encryption in AWS but also want control over their keys should consider AWS CloudHSM. CloudHSM stores and manages keys in a dedicated hardware security module (HSM), and that hardware is under the control of the customer -- not AWS.


This was last published in January 2016
