Task Statement 1.3: Determine appropriate data security controls.
📘AWS Certified Solutions Architect – (SAA-C03)
1. What Is Data at Rest?
Data at rest means data that is stored somewhere and not actively moving over a network.
Examples in AWS:
- Files stored in Amazon S3
- Database data in Amazon RDS
- Volumes attached to Amazon EC2
- Snapshots and backups
- Objects in Amazon EBS
- Data stored in Amazon DynamoDB
When data is stored in these services, it must be protected from unauthorized access. This is where encryption at rest is used.
2. What Is Encryption at Rest?
Encryption at rest means:
Data is converted into unreadable format before it is stored.
Even if someone gains access to the storage system, they cannot read the data unless they also have access to the encryption keys.
Without the key → Data is useless.
3. What Is AWS KMS?
🔐 AWS KMS (Key Management Service)
AWS Key Management Service is a managed service that allows you to create, manage, and control encryption keys in AWS.
It integrates with many AWS services and handles:
- Key creation
- Key storage
- Key rotation
- Key usage control
- Audit logging
You do NOT manage physical key servers. AWS manages that for you.
4. Why Encryption at Rest Is Important for the Exam
The exam often tests:
- When to use AWS-managed keys vs customer-managed keys
- When encryption is automatic
- How KMS integrates with other services
- How to control access to encryption keys
- How to meet compliance requirements
5. Types of Encryption Keys in AWS
There are 3 important types of keys for the exam:
5.1 AWS Owned Keys
- Fully managed by AWS
- You do NOT see them
- No control over them
- No extra cost
Used by default in some services.
5.2 AWS Managed Keys (aws/service-name)
Example:
- aws/s3
- aws/ebs
Characteristics:
- Created automatically by AWS
- One per service per account
- You can see them in KMS
- You cannot rotate them manually
- AWS rotates them automatically
Good for:
- Basic encryption needs
- No special compliance requirements
5.3 Customer Managed Keys (CMKs)
You create and control them.
Features:
- Full control over permissions
- Can enable/disable keys
- Can rotate keys manually or automatically
- Can delete keys (with waiting period)
- Can control who can use the key
Required when:
- Fine-grained access control is needed
- Cross-account access required
- Strict compliance requirements
- Audit control needed
For the exam:
If question says “strict compliance, key control, cross-account, audit requirement” → Use Customer Managed Key.
6. How AWS KMS Works (Simple Explanation)
KMS uses:
Envelope Encryption
Process:
- KMS creates a data key
- Data key encrypts the actual data
- Data key itself is encrypted using a master key (CMK)
- Encrypted data + encrypted data key are stored together
This is secure and scalable.
You don’t need to manually manage this — AWS services handle it automatically.
7. Encryption in Major AWS Services (Very Important for Exam)
7.1 Amazon S3 Encryption
Options:
- SSE-S3
- S3 manages keys
- Simplest option
- SSE-KMS
- Uses AWS KMS
- More control and audit logging
- SSE-C
- Customer provides key
- Not common in exam answers
- Client-side encryption
- Encrypt before uploading
Exam Tip:
If logging, auditing, or key control is required → choose SSE-KMS.
You can also:
- Enable default bucket encryption
- Enforce encryption using bucket policies
7.2 Amazon EBS Encryption
Amazon Elastic Block Store
- Encryption happens at volume creation
- Cannot encrypt existing volume directly
- Must create snapshot → copy encrypted → create new volume
Uses:
- AWS Managed Key (default)
- Customer Managed Key (optional)
Important:
You can enable EBS encryption by default at account level.
7.3 Amazon RDS Encryption
Amazon Relational Database Service
- Encryption must be enabled when database is created
- Cannot enable after creation
- Must create snapshot → restore with encryption
Encrypts:
- Storage
- Backups
- Snapshots
- Read replicas
Uses KMS keys.
Exam favorite scenario.
7.4 Amazon DynamoDB Encryption
Amazon DynamoDB
- Encryption at rest is enabled by default
- Uses AWS owned key by default
- Can switch to AWS managed or customer managed key
7.5 Amazon EFS Encryption
Amazon Elastic File System
- Encryption enabled at creation
- Cannot change later
- Uses KMS keys
7.6 AWS Lambda Environment Variables
AWS Lambda
- Environment variables can be encrypted
- Uses KMS
8. Key Policies and IAM Policies (Very Important)
KMS uses two layers of permission control:
- Key Policy (attached directly to key)
- IAM Policy
To use a key:
- IAM must allow access
- Key policy must allow access
If either denies → access denied.
Exam trick:
If user cannot use KMS key, check key policy.
9. Key Rotation
Automatic rotation:
- Available only for customer managed symmetric keys
- Rotates every 1 year
Manual rotation:
- Create new key
- Update resources
Important:
AWS Managed Keys rotate automatically.
10. Cross-Account Access with KMS
You can allow another AWS account to use your key by:
- Modifying key policy
- Allowing external account
Used in:
- Centralized security account
- Shared encrypted backups
Exam scenario:
Company wants centralized key management → use Customer Managed Keys with cross-account access.
11. Deleting KMS Keys
- Cannot delete immediately
- Minimum waiting period: 7 days
- Maximum: 30 days
- After deletion → data encrypted with that key is unrecoverable
Very important exam concept.
12. Hardware Security Modules (HSM)
KMS keys are protected using HSMs.
If question requires:
- Dedicated hardware
- Full control over cryptographic material
Use:
- AWS CloudHSM
CloudHSM gives you full control, but requires more management.
KMS is easier and managed.
13. Encryption at Rest vs Encryption in Transit
Encryption at rest:
- Protects stored data
- Uses KMS
Encryption in transit:
- Protects moving data
- Uses SSL/TLS certificates
Exam may test difference.
14. Default Encryption Behavior (Common Exam Questions)
| Service | Encryption Default? | Can Change Later? |
|---|---|---|
| S3 | Not always | Yes |
| EBS | Optional | Snapshot required |
| RDS | Optional | Snapshot restore |
| DynamoDB | Yes | Yes |
| EFS | Optional | No (must recreate) |
15. When to Choose What (Exam Decision Guide)
Use AWS Managed Key when:
- No strict compliance
- Simple setup
- No need for custom access control
Use Customer Managed Key when:
- Cross-account sharing
- Detailed audit required
- Strict compliance
- Control over key lifecycle
Use CloudHSM when:
- Regulatory requirement
- Dedicated hardware required
- Full cryptographic control needed
16. Monitoring and Auditing
KMS integrates with:
- AWS CloudTrail
CloudTrail logs:
- Key usage
- Key creation
- Key deletion
- Policy changes
Important for compliance and exam scenarios.
17. Common Exam Traps
- Trying to encrypt RDS after creation → Not possible.
- Deleting KMS key without recovery window → Data lost.
- Forgetting key policy permissions.
- Assuming encryption is automatic for all services.
- Not enabling encryption before creating EBS or EFS.
18. Simple Summary for Non-IT Students
Think of encryption at rest as:
- Data is locked before storage.
- The key controls who can unlock it.
- AWS KMS manages those keys.
- You choose how much control you want.
- More control = Customer Managed Key.
- Simple setup = AWS Managed Key.
Final Exam Checklist
Make sure you understand:
✔ What encryption at rest means
✔ What AWS KMS does
✔ Difference between AWS managed vs customer managed keys
✔ Which services require encryption at creation
✔ How key policies work
✔ Key rotation
✔ Cross-account access
✔ CloudHSM vs KMS
✔ Snapshot method for enabling encryption later
✔ CloudTrail auditing
