
What are my options for data encryption in AWS?

We're not sure a public cloud is right for us, as we have high standards for data privacy. How does AWS encrypt data, and what key management options does it offer?

AWS provides 256-bit Advanced Encryption Standard (AES) encryption in its Amazon Simple Storage Service, but a variety of other AWS products also support encryption. With encryption in AWS, it is important to distinguish between data in motion and data at rest.

Encryption in motion is used to protect data during transmission, such as when an admin uploads data to Amazon Simple Storage Service (S3), queries an Amazon Relational Database Service (RDS) database or shares data between nodes in an Elastic MapReduce cluster. With S3, policies control this type of encryption; with RDS, configuration settings control it. For example, an S3 bucket policy can refuse connections over unencrypted channels. Once users configure an RDS instance to use encryption, the DB instance storage, backups, read replicas and snapshots are all encrypted.
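One way to express the bucket policy just described, added here as an example (it is not from the article or from AWS documentation), together with a small check that a given policy document actually contains such a deny statement. The bucket name is a constructed placeholder.

```python
import json

BUCKET = "example-bucket"  # constructed placeholder name, not from the article


def deny_insecure_transport_policy(bucket: str) -> dict:
    """S3 bucket policy that refuses any request not sent over TLS.

    aws:SecureTransport evaluates to "false" for plain-HTTP requests, so an
    explicit Deny on that value overrides every Allow a caller might hold.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnencryptedTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }


def enforces_tls(policy: dict) -> bool:
    """True if some statement denies all s3 actions when aws:SecureTransport is false.

    Handles the single-statement dict form and string-or-list Action values.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Deny":
            continue
        value = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if isinstance(value, list) and len(value) == 1:
            value = value[0]
        if str(value).lower() != "false":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a in ("s3:*", "*") for a in actions):
            return True
    return False


if __name__ == "__main__":
    policy = deny_insecure_transport_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    # A read-only grant alone does not refuse HTTP; the check reports False.
    read_only = {"Version": "2012-10-17", "Statement": {"Effect": "Allow",
                 "Principal": "*", "Action": "s3:GetObject",
                 "Resource": f"arn:aws:s3:::{BUCKET}/*"}}
    print(enforces_tls(policy), enforces_tls(read_only))  # True False
```

The check is deliberately strict: a Deny limited to a single action such as s3:GetObject still leaves other operations reachable over HTTP and is not counted as enforcing TLS.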

Data stored in S3, a relational database or another persistent data store should often be encrypted; data that is stored in encrypted form is said to be encrypted at rest. Cloud users have two options for encrypting data at rest: client-side encryption or server-side encryption. With client-side encryption, an administrator encrypts data prior to sending it, instead of handling encryption in AWS. The admin manages the encryption keys and is the only person who can decrypt the data. In the case of Amazon DynamoDB, customers can access a Java library for client-side encryption in AWS; developers can also use their own encryption library.

With server-side encryption, users transmit unencrypted data to AWS, where it is then encrypted during the upload on the server side. AWS manages keys for server-side encryption, reducing the burden on users, but that means AWS has access to the keys that encrypt your data.

Enterprises should consider AWS CloudHSM if they need server-side encryption in AWS and control over keys. CloudHSM uses a hardware encryption module to manage keys, but the encryption hardware is under the control of the customer -- not AWS.
