Published in Nerd For Tech

AWS Series #2: Security Layer — Data

Data: Encryption at Rest (EBS/EFS volume encryption, S3 SSE), Encryption in Transit, TDE, KMS (CMK)

Encryption of Data at Rest

You can create an encrypted file system so that all your data and metadata is encrypted at rest with the industry-standard AES-256 encryption algorithm. Encryption and decryption are handled automatically and transparently, so you don’t have to modify your application.

Reference: AWS

1. Managing Keys

1. Amazon EFS is integrated with AWS KMS, which manages the encryption keys for the encrypted file systems.

2. Amazon EFS uses the Advanced Encryption Standard algorithm with XTS mode and a 256-bit key (XTS-AES-256).

3. AWS KMS stores your master keys in highly durable storage in encrypted form.

4. Using an encrypted Amazon EFS file system is transparent to clients mounting the file system.

5. AWS KMS key policies control access to the encryption keys.

2. Creating an Encrypted File System

1. AWS Management Console, AWS CLI, Amazon EFS API, or AWS SDKs.

3. Using an Encrypted File system

1. Encryption has minimal effect on I/O latency and throughput. Encryption and decryption are transparent to users, applications, and services.

4. Enforcing Encryption of Data At Rest

1. Your organization might require the encryption of all data that meets a specific classification or is associated with a particular application, workload, or environment.

5. Detecting Unencrypted File systems

1. Create an Amazon CloudWatch alarm that monitors CloudTrail logs for CreateFileSystem calls that do not request encryption.

  • Vital for regulatory compliance: it ensures that sensitive data saved on disk is not readable by any user or application without a valid key.
  • Some compliance regulations, such as PCI DSS and HIPAA (mostly personal information), require that data at rest be encrypted throughout its life cycle.
  • To this end, AWS provides data-at-rest encryption options and key management to support the encryption process.
    • E.g., encrypt an EBS volume
  • Configure S3 buckets for server-side encryption (SSE) using AES-256 encryption.
  • RDS supports Transparent Data Encryption (TDE).
  • Instance storage (temporary storage) is not encrypted by default.
  • AWS Glue, RDS, and multiple other services support encryption at rest.
  • Linux-based encryption:
    • Disk and file system encryption
    • The Linux dm-crypt infrastructure
  • Managing keys: Amazon EFS is integrated with AWS KMS, which manages the keys for the encrypted file systems.
  • AWS KMS also supports encryption by other AWS services such as:
    • Amazon Simple Storage Service (S3)
    • Amazon Elastic Block Store (EBS)
    • Amazon RDS
    • Amazon Aurora
    • Amazon Redshift
    • Amazon WorkMail
    • Amazon WorkSpaces, etc.
  • Uses the Advanced Encryption Standard algorithm with XTS mode and a 256-bit key (XTS-AES-256).
  • Three important questions:
    • Where are the keys stored?
    • Where are the keys used?
    • Who can use the keys?
  • You can create an encrypted file system using the AWS Management Console, CLI, EFS API, or SDK.
  • Encryption has minimal effect on I/O latency and throughput.
  • Monitor via an Amazon CloudWatch alarm on CloudTrail logs for CreateFileSystem calls.
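As an added example (not code from the original article), the detection and enforcement steps above worked through in Python: it scans constructed CloudTrail records for successful CreateFileSystem calls that did not request encryption, and builds the deny policy that AWS documents for enforcing encryption at rest. The account id, ARNs and file system ids are made-up sample values.

```python
# Detect EFS file systems created without encryption at rest from CloudTrail
# records, and build the IAM/SCP policy statement that refuses such calls.

# Constructed sample CloudTrail records (account id, ARNs and ids are made up).
SAMPLE_RECORDS = [
    {"eventSource": "elasticfilesystem.amazonaws.com", "eventName": "CreateFileSystem",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"creationToken": "tok-1", "encrypted": True},
     "responseElements": {"fileSystemId": "fs-0a1b2c3d"}},
    {"eventSource": "elasticfilesystem.amazonaws.com", "eventName": "CreateFileSystem",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"creationToken": "tok-2", "encrypted": False},
     "responseElements": {"fileSystemId": "fs-0e5f6a7b"}},
    {"eventSource": "elasticfilesystem.amazonaws.com", "eventName": "CreateFileSystem",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/carol"},
     "requestParameters": {"creationToken": "tok-3"},  # flag omitted: API/CLI default is unencrypted
     "responseElements": {"fileSystemId": "fs-0c9d8e7f"}},
    {"eventSource": "elasticfilesystem.amazonaws.com", "eventName": "CreateFileSystem",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dave"},
     "requestParameters": {"creationToken": "tok-4", "encrypted": False},
     "errorCode": "AccessDenied"},  # call was refused, so no file system exists
]

def unencrypted_file_systems(records):
    """Return (fileSystemId, caller ARN) for every successful CreateFileSystem
    call whose request did not explicitly ask for encryption."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "elasticfilesystem.amazonaws.com":
            continue
        if rec.get("eventName") != "CreateFileSystem" or "errorCode" in rec:
            continue
        if rec.get("requestParameters", {}).get("encrypted") is True:
            continue
        fs_id = rec.get("responseElements", {}).get("fileSystemId")
        findings.append((fs_id, rec["userIdentity"]["arn"]))
    return findings

def deny_unencrypted_efs_policy():
    """IAM/SCP policy that denies CreateFileSystem unless the request asks for
    encryption; elasticfilesystem:Encrypted is the documented condition key."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyUnencryptedEfs", "Effect": "Deny",
        "Action": "elasticfilesystem:CreateFileSystem", "Resource": "*",
        "Condition": {"Bool": {"elasticfilesystem:Encrypted": "false"}}}]}

if __name__ == "__main__":
    for fs_id, who in unencrypted_file_systems(SAMPLE_RECORDS):
        print(f"ALERT: unencrypted EFS {fs_id} created by {who}")
    print(deny_unencrypted_efs_policy())
```

In production the records would come from a CloudTrail log delivery or a CloudWatch Logs subscription rather than an inline list, and the findings would feed the alarm described above.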

Encryption in Transit

You can mount a file system so all NFS traffic is encrypted in transit using Transport Layer Security 1.2 (TLS, formerly called Secure Sockets Layer [SSL]) with an industry-standard AES-256 cipher. TLS is a set of industry-standard cryptographic protocols used for encrypting information that is exchanged over the wire.

  • AWS provides Secure Sockets Layer (SSL)/TLS for data in motion.
  • You can mount a file system so that all NFS traffic is encrypted in transit using TLS with an industry-standard AES-256 cipher.
  • You can configure encryption settings for crawlers, ETL jobs, and development endpoints using security configurations in AWS Glue.
  • You can enable AWS Glue Data Catalog encryption via the settings of the Glue Data Catalog.
  • If your organization is subject to corporate or regulatory policies that require encryption of data and metadata in transit, set up encryption in transit on every client accessing the file system.


Reference: AWS

• SSL stands for Secure Sockets Layer: it keeps the connection over the internet secure and safe.

• Avoids man-in-the-middle attacks.

• Encrypts the data between the client and the server, making it unreadable to anyone in between.

• Transport Layer Security (TLS) is the updated, more advanced successor of SSL.

SSL and TLS are protocols for establishing authenticated and encrypted connections between networked computers.

• One key pair, consisting of a private key and a public key:

  • Private key: kept secure.

  • Public key: widely distributed via a certificate.

Any data in transit is protected by SSL/TLS. It is not a separate service but is embedded in HTTPS.

Transparent Data Encryption

  • Amazon RDS supports using TDE to encrypt stored data on your DB instances running Microsoft SQL Server or Oracle.
  • TDE automatically encrypts data before it is written to storage and automatically decrypts data when it is read from storage.
  • Specify TDE in the RDS option group.
  • TDE is used in scenarios where you need to encrypt sensitive data, and it is a persistent option.
  • Performance will be impacted by TDE. Performance of an unencrypted DB will also be pulled down even if only one DB is encrypted.

Key Management Service (KMS)

The main functionality of Key Management Service (KMS) is to make it easy to create “Cryptographic Keys” and control their use across a wide range of AWS services in your application. Do remember this is one of the important “Data Encryption” strategies.

Reference: AWS


  • AWS Key Management Service makes it easy for you to create cryptographic keys and control their use across a wide range of AWS services in your application.
  • It is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys.
  • Integrated with AWS CloudTrail to provide you with logs of all key usage, helping you meet your regulatory and compliance needs.

Data Loss Prevention (DLP): Amazon Macie

Amazon Macie is a data privacy and security service. It uses AI/ML algorithms and pattern matching to discover and protect sensitive data. It is simple to use and can be easily enabled. Pricing is based on the number of S3 buckets and the amount of data your organization processes. It helps you identify and detect sensitive data types, including PII (personally identifiable information such as name, credit card number, etc.), within massive volumes of data. The challenge of identifying new patterns and information as the list of PII types grows is addressed by the machine learning algorithms deployed in Macie. Since it is fully managed, organizations just need to enable it to identify and protect huge volumes of sensitive data. Macie can send alerts and/or findings, which can be searched and filtered directly in the AWS Management Console and sent to Amazon EventBridge / CloudWatch Events.


  1. Detects sensitive data within huge volumes of data
  2. Visibility into your data security posture
  3. Easy to set up and manage, as it is fully managed

Parent Article: AWS Multi-part series.






All the views expressed here are my own and do not represent the views of the firm I work for. Data | Big Data | Cloud | ML