3.2.2. Data Encryption (At Rest, In Transit)

💡 First Principle: Data encryption, both when stored (at rest) and when moving across networks (in transit), fundamentally protects sensitive information from unauthorized access, ensuring data confidentiality and integrity.

Encryption is a key control in cloud security, ensuring that sensitive data is protected whether it's stored or being transferred.

Key Concepts of Data Encryption:

• Encryption at Rest:
  • What it is: Protects data when it is stored on physical devices, such as hard drives or SSDs. Even if unauthorized parties gain access to the underlying storage, the data remains unreadable without the encryption key.
  • AWS Services: AWS Key Management Service (KMS) (manages encryption keys), Amazon S3 encryption (e.g., SSE-S3, SSE-KMS), Amazon EBS encryption, Amazon RDS encryption.
• Encryption in Transit:
  • What it is: Safeguards data as it travels across networks (e.g., between clients and AWS, or between different AWS services). This prevents unauthorized parties from intercepting or modifying data while it is being transmitted.
  • AWS Services: TLS (Transport Layer Security) / SSL protocol (e.g., HTTPS for web traffic), AWS Certificate Manager (ACM) (manages SSL/TLS certificates), Elastic Load Balancing (ELB), Amazon CloudFront.

Scenario: You need to ensure all sensitive customer data stored in Amazon S3 buckets and accessed by your web application via HTTPS is protected.

Reflection Question: How does implementing data encryption (both at rest using services like AWS KMS and in transit using TLS/SSL) fundamentally protect sensitive information from unauthorized access, ensuring data confidentiality and integrity throughout its lifecycle?