Task Statement 1.3: Determine appropriate data security controls.
📘AWS Certified Solutions Architect – (SAA-C03)
1. What is Encryption?
Encryption is the process of converting readable data (plaintext) into unreadable data (ciphertext).
Only someone with the correct decryption key can read the data again.
In AWS, encryption protects:
- Stored data
- Data being transferred
- Database records
- Backups
- Secrets (passwords, API keys)
For the exam, you must understand:
✔ Encryption at Rest
✔ Encryption in Transit
✔ Client-Side vs Server-Side Encryption
✔ Key Management
✔ AWS KMS
✔ Customer-managed vs AWS-managed keys
2. Encryption at Rest
Encryption at Rest protects data that is stored on disk.
This includes:
- Databases
- EBS volumes
- S3 objects
- Snapshots
- Backups
If someone gains access to the physical storage media, the data is unreadable without the key.
AWS Services Supporting Encryption at Rest
- Amazon S3
- Amazon EBS
- Amazon RDS
- Amazon DynamoDB
- Amazon Redshift
Most AWS services support encryption using AWS KMS keys.
Exam Tip
If the question says:
- “Protect stored data”
- “Encrypt database”
- “Encrypt S3 bucket”
- “Meet compliance requirements”
The answer usually involves:
- Enable encryption at rest
- Use AWS KMS
3. Encryption in Transit
Encryption in Transit protects data while it is moving between systems.
Example:
- Browser → Web server
- EC2 → RDS
- On-premises → AWS
This uses:
- TLS (Transport Layer Security)
- HTTPS
- SSL/TLS certificates
AWS Services for Encryption in Transit
- Elastic Load Balancing – Supports HTTPS listeners
- AWS Certificate Manager – Manages SSL/TLS certificates
- Amazon CloudFront – Supports HTTPS delivery
Exam Tip
If a question says:
- “Data must be encrypted while being transferred”
- “Secure communication between services”
Look for:
- HTTPS
- TLS
- ACM certificates
- Encrypted connections
4. Client-Side vs Server-Side Encryption
This is commonly tested.
Server-Side Encryption (SSE)
AWS encrypts the data after receiving it.
You upload data → AWS encrypts it.
Used in:
- S3
- EBS
- RDS
Types in S3:
- SSE-S3 (AWS manages the keys)
- SSE-KMS (uses keys in AWS KMS)
- SSE-C (customer-provided key)
Exam Tip
If you want:
- Simple encryption → SSE-S3
- Control over keys → SSE-KMS
Client-Side Encryption
The application encrypts data before sending it to AWS.
AWS never sees the unencrypted data.
Used when:
- Very high security required
- Organization must control encryption process
Exam clue:
- “Data must be encrypted before leaving application”
- “AWS should not access plaintext data”
Answer → Client-side encryption
5. AWS Key Management
Encryption always requires keys.
If keys are not protected properly, encryption is useless.
In AWS, key management is handled by:
AWS Key Management Service (KMS)
KMS is a fully managed service to:
- Create keys
- Store keys securely
- Control key usage
- Rotate keys
- Audit key usage
6. Types of KMS Keys
This is VERY important for the exam.
1️⃣ AWS Managed Keys
- Created automatically by AWS
- Used automatically by services
- Limited control
- No manual rotation control
Good for:
- Simple setups
- No special compliance needs
2️⃣ Customer Managed Keys (CMKs)
Created and controlled by you.
You can:
- Enable/disable key
- Rotate manually or automatically
- Control IAM permissions
- Define key policies
- Delete key
Used when:
- Strict security requirements
- Compliance requirements
- Fine-grained access control needed
Exam Tip
If question says:
- “Full control over encryption keys”
- “Control who can use the key”
- “Custom key rotation policy”
Answer → Customer Managed KMS Key
7. Key Policies vs IAM Policies
This is a common exam trap.
In KMS:
- Key Policy controls access to the key
- IAM Policy controls what the principal (user or role) may do
Both must allow access.
If either denies → access denied.
8. Envelope Encryption (Very Important)
AWS KMS uses Envelope Encryption.
How it works:
- A Data Key encrypts the data.
- The Data Key is encrypted using a KMS Key.
- Only the encrypted data key is stored (alongside the ciphertext); the plaintext data key is discarded after use.
Benefits:
- Better performance (the bulk data is encrypted locally; only the small data key goes to KMS)
- Secure key storage
- Scalable encryption
Used in:
- S3
- EBS
- RDS
- Many AWS services
Exam clue:
- “Large-scale encryption”
- “Performance optimized encryption”
- “Minimize direct KMS usage”
Answer → Envelope encryption
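The envelope flow above, as an added example that is not AWS's or the page's own code: a constructed stand-in for a KMS key wraps and unwraps data keys, and a toy HMAC-based authenticated cipher (a constructed placeholder for AES-GCM) encrypts the data itself, so the bulk data never goes to "KMS" and only the wrapped data key is stored.

```python
import hashlib, hmac, os

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """n bytes from HMAC-SHA256(key, "ks" || nonce || counter) blocks."""
    blocks = (hmac.new(key, b"ks" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated cipher (constructed stand-in for AES-GCM): nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()

def _open(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext or tag was modified")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class FakeKmsKey:
    """Constructed stand-in for a KMS key: the key material never leaves this object."""
    def __init__(self, key_id: str):
        self.key_id = key_id
        self._material = os.urandom(32)  # never returned to callers
        self.calls = 0                   # simulated KMS API calls

    def generate_data_key(self):
        """Like kms:GenerateDataKey: returns (plaintext data key, data key wrapped under the KMS key)."""
        self.calls += 1
        data_key = os.urandom(32)
        return data_key, _seal(self._material, data_key)

    def decrypt(self, wrapped_key: bytes) -> bytes:
        """Like kms:Decrypt: unwrap an encrypted data key."""
        self.calls += 1
        return _open(self._material, wrapped_key)

def envelope_encrypt(kms: FakeKmsKey, plaintext: bytes) -> dict:
    """One KMS call per object however large; the bulk data never goes to KMS."""
    data_key, wrapped = kms.generate_data_key()
    ciphertext = _seal(data_key, plaintext)  # plaintext data key is used here and then discarded
    return {"key_id": kms.key_id, "encrypted_data_key": wrapped, "ciphertext": ciphertext}

def envelope_decrypt(kms: FakeKmsKey, record: dict) -> bytes:
    data_key = kms.decrypt(record["encrypted_data_key"])  # only the small wrapped key is sent to KMS
    return _open(data_key, record["ciphertext"])
```

Encrypting two objects costs exactly one simulated KMS call each, and any modification of the stored ciphertext is rejected at decrypt time.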
9. Key Rotation
Key rotation improves security.
AWS KMS supports:
- Automatic annual rotation (for customer-managed keys)
- Manual rotation
Why important?
- Limits exposure if a key is compromised
- Meets compliance standards
Exam clue:
- “Rotate keys automatically”
- “Meet compliance requirement for rotation”
Answer → Enable automatic key rotation in KMS
10. CloudHSM (Advanced but Exam Relevant)
AWS CloudHSM
CloudHSM provides:
- Dedicated hardware security module
- Full control over keys
- FIPS 140-2 Level 3 compliance
Used when:
- Strict regulatory requirements
- Customer must control hardware keys
Difference:
- KMS = Managed, shared service
- CloudHSM = Dedicated hardware control
Exam Tip:
If question says:
- “Dedicated HSM”
- “Single-tenant hardware”
- “Regulatory requirement for hardware isolation”
Answer → CloudHSM
11. Encryption for Specific Services (Exam Focus)
Amazon S3
- Enable bucket encryption
- Use SSE-S3 or SSE-KMS
- Enforce encryption using bucket policy
Amazon EBS
- Enable encryption when creating volume
- Snapshots inherit encryption
- Cannot disable encryption on a volume once it is enabled
Amazon RDS
- Enable encryption at creation time
- Cannot enable after DB creation (must create new encrypted DB)
DynamoDB
- Encryption enabled by default
- Uses AWS owned keys or keys in AWS KMS
12. Secrets Protection
Sensitive information like:
- Database passwords
- API keys
- Tokens
Should NOT be stored in code.
Use:
- AWS Secrets Manager
- AWS Systems Manager Parameter Store
Secrets Manager:
- Automatic rotation
- Encryption using KMS
Exam clue:
- “Automatically rotate database credentials”
Answer → Secrets Manager
13. Cross-Account Key Access
You can allow other AWS accounts to use your KMS key.
Must:
- Modify the key policy
- Allow the external account as a principal
Common in:
- Multi-account architectures
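An added example (not AWS's policy engine or the page's own code) that applies the rule from section 7 and the cross-account case from section 13: a key policy and an IAM policy are evaluated together, an explicit Deny in either wins, and both must Allow. Policy matching is simplified to Principal, Action and Resource; account IDs and the key id are constructed placeholders.

```python
import fnmatch

def _listify(v):
    return v if isinstance(v, list) else [v]

def _account(arn: str) -> str:
    return arn.split(":")[4]          # arn:aws:iam::<account>:role/name

def _principal_matches(principal, principal_arn: str) -> bool:
    """Key policy Principal: "*", an exact ARN, or an account root ARN, which
    covers every principal in that account (how an external account is allowed in)."""
    if principal == "*":
        return True
    for p in _listify(principal.get("AWS", [])):
        if p == principal_arn or (p.endswith(":root") and _account(p) == _account(principal_arn)):
            return True
    return False

def _matches(value: str, patterns) -> bool:
    return any(fnmatch.fnmatchcase(value, pat) for pat in _listify(patterns))  # "kms:*", "*"

def _decision(statements, applies):
    """Explicit Deny beats Allow among the statements that apply; None if none apply."""
    effects = {s["Effect"] for s in statements if applies(s)}
    return "Deny" if "Deny" in effects else "Allow" if "Allow" in effects else None

def kms_access_allowed(principal_arn, action, key_arn, key_policy, iam_policy) -> bool:
    """Exam rule from the notes: both policies must Allow, and a Deny in either wins."""
    key = _decision(key_policy["Statement"], lambda s: _principal_matches(s["Principal"], principal_arn)
                    and _matches(action, s["Action"]))
    iam = _decision(iam_policy["Statement"], lambda s: _matches(action, s["Action"])
                    and _matches(key_arn, s["Resource"]))
    return key == "Allow" and iam == "Allow"

# Constructed sample policies (account IDs and key id are placeholders).
KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/constructed-key-id"
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "OwnerAccount", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "CrossAccountUse", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"},
]}
# IAM policy attached to a role (in whichever account the role lives).
ROLE_IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": KEY_ARN},
]}
```

A role in account 222222222222 can decrypt only because the key policy names its account root and its own IAM policy allows the action; a role in an account the key policy does not mention is refused regardless of its IAM policy.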
14. Best Practices for Exam
Always remember:
✔ Encrypt data at rest
✔ Encrypt data in transit
✔ Use least privilege for key access
✔ Enable key rotation
✔ Use customer-managed keys for control
✔ Use Secrets Manager for credentials
✔ Use CloudHSM only when hardware isolation required
15. Common Exam Scenarios
Scenario 1:
Requirement: Encrypt S3 with full key control
Answer: SSE-KMS with Customer Managed Key
Scenario 2:
Requirement: Automatically rotate DB credentials
Answer: Secrets Manager
Scenario 3:
Requirement: Regulatory hardware requirement
Answer: CloudHSM
Scenario 4:
Requirement: Encrypt EC2 root volume
Answer: Enable EBS encryption
16. Final Summary for SAA-C03
For the exam, you must clearly understand:
| Topic | Key Point |
|---|---|
| Encryption at Rest | Protect stored data |
| Encryption in Transit | Use TLS/HTTPS |
| AWS KMS | Manage encryption keys |
| Customer Managed Keys | Full control |
| Envelope Encryption | Data key + KMS key |
| Key Rotation | Improve security |
| CloudHSM | Dedicated hardware |
| Secrets Manager | Store & rotate secrets |
Final Advice for Exam
If the question mentions:
- Compliance
- Sensitive data
- Protect storage
- Key control
- Rotation
- Secure communication
Think:
- Encryption type?
- Who manages the key?
- Do we need rotation?
- Is hardware isolation required?
