5.3.1. Encryption at Rest and in Transit with KMS
💡 First Principle: "At rest" protects data stored on disk; "in transit" protects data moving between services. AWS KMS (Key Management Service) is the central key management hub: it generates, stores, rotates, and logs the use of the encryption keys that S3, Redshift, Glue, EMR, and virtually every other AWS service rely on. Understanding KMS key types and the S3 encryption methods is essential for the exam.
Encryption at rest options for S3:
| Method | Key Management | Audit | Cost | Use When |
|---|---|---|---|---|
| SSE-S3 | AWS manages keys (one per object, wrapped by an S3 root key) | No key-usage audit trail | Free | Default encryption, no special requirements |
| SSE-KMS | Customer manages keys in KMS (AWS managed aws/s3 or a customer managed key) | CloudTrail logs every GenerateDataKey/Decrypt call | Per-request KMS charge (reduced by S3 Bucket Keys) | Need an audit trail, cross-account access, or control over the key policy and rotation |
| SSE-C | Customer supplies the key in every request over HTTPS; S3 uses it and discards it | Customer's responsibility | Free (but complex; lose the key, lose the data) | Requirement that AWS never store the key |
| CSE | Client encrypts before upload; S3 only ever sees ciphertext | Customer's responsibility | Free (but most complex) | Need end-to-end encryption, data encrypted before it reaches AWS |
KMS key types: AWS managed keys (aws/s3, aws/redshift; AWS creates them, rotates them automatically, and their key policy cannot be edited, so they cannot be shared with another account), customer managed keys (formerly called CMKs; you create them, write the key policy, and enable automatic rotation), and AWS owned keys (internal to AWS, used by services such as SSE-S3, invisible to you).
Encryption in transit uses TLS (Transport Layer Security). Most AWS API endpoints accept only HTTPS, but S3 also serves plain HTTP, so TLS must be enforced with a bucket policy that denies any request where the aws:SecureTransport condition key is false. For data flowing between VPC resources and AWS services, gateway and interface VPC endpoints keep traffic on the AWS network instead of the public internet (the connection is still TLS). The v1.1 syllabus adds "encryption in transit or before transit", which refers to encrypting data before it enters the pipeline (client-side encryption) and ensuring that every hop uses TLS.
Cross-account encryption: When sharing SSE-KMS-encrypted objects with another account, two permission gates must both open. The KMS key policy in the owning account must grant kms:Decrypt (and usually kms:DescribeKey) to the consuming account, and an IAM policy in the consuming account must grant the same actions on that key; the bucket policy must separately allow s3:GetObject. Because the policy of an AWS managed key such as aws/s3 cannot be edited, the objects must be encrypted with a customer managed key. This is a common exam scenario: "Account A shares encrypted S3 data with Account B."
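The two policies described above (a bucket policy that enforces TLS plus SSE-KMS with one specific key, and the two-gate check for cross-account kms:Decrypt) as an added, offline example. This is illustrative code written for this page, not AWS code: the account IDs, bucket name, key ARN and role name are made up, and the small evaluator models only the IAM semantics these statements need (Allow/Deny, wildcards, Bool and StringEquals/StringNotEquals) rather than the full policy engine.

```python
"""Offline model of two S3/KMS policy checks: TLS + SSE-KMS enforcement in a
bucket policy, and the two-gate rule for cross-account kms:Decrypt.
Constructed example: account IDs, bucket, key ARN and role are invented, and
the evaluator is a teaching model, not a substitute for the IAM simulator."""
import fnmatch

OWNER_ACCOUNT = "111111111111"     # assumed: owns the bucket and the KMS key
CONSUMER_ACCOUNT = "222222222222"  # assumed: partner account reading the data
BUCKET_ARN = "arn:aws:s3:::example-data-lake"  # assumed bucket
KEY_ARN = f"arn:aws:kms:us-east-1:{OWNER_ACCOUNT}:key/0f1e2d3c-4b5a-6978-8a9b-c0d1e2f3a4b5"


def hardened_bucket_policy(bucket_arn: str, key_arn: str) -> dict:
    """Deny plaintext HTTP and any PutObject that is not SSE-KMS with key_arn.
    Clients must send the x-amz-server-side-encryption headers explicitly: a
    PUT that relies on default bucket encryption carries neither header, and a
    negated operator on a missing key evaluates to true, so it is denied."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [bucket_arn, f"{bucket_arn}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyNonKmsUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{bucket_arn}/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyWrongKmsKey", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{bucket_arn}/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": key_arn}}},
    ]}


def _matches(pattern, value: str) -> bool:
    """IAM-style wildcard match; pattern may be a string or a list of strings."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition: dict, ctx: dict) -> bool:
    """Bool/StringEquals fail when the key is absent from the request context;
    StringNotEquals (negated) succeeds when it is absent, as in IAM."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in ctx
            if operator == "Bool":
                if not present or str(ctx[key]).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if not present or ctx[key] != expected:
                    return False
            elif operator == "StringNotEquals":
                if present and ctx[key] == expected:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def s3_request_denied(policy: dict, action: str, resource: str, ctx: dict):
    """Return the Sid of the first explicit Deny that matches the request, else None."""
    for st in policy["Statement"]:
        if (st["Effect"] == "Deny" and _matches(st["Action"], action)
                and _matches(st["Resource"], resource)
                and _condition_holds(st.get("Condition", {}), ctx)):
            return st["Sid"]
    return None


def sharing_key_policy(owner_account: str, consumer_account: str) -> dict:
    """Key policy in the owning account: keep the root grant and allow the
    consuming *account*; IAM policies over there delegate to its principals."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "EnableRootPermissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{owner_account}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowConsumerAccountDecrypt", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{consumer_account}:root"},
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
    ]}


def consumer_iam_policy(key_arn: str) -> dict:
    """Identity policy attached to the reader role in the consuming account."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": key_arn}]}


def cross_account_decrypt_allowed(key: dict, key_policy: dict, iam_policy: dict,
                                  principal_arn: str) -> tuple:
    """Both gates must pass for a principal outside the key's account.
    `key` mimics the Arn/KeyManager fields returned by kms:DescribeKey."""
    if key["KeyManager"] == "AWS":  # aws/s3 etc.: key policy is not editable
        return False, "AWS managed key cannot be shared; use a customer managed key"
    account = principal_arn.split(":")[4]
    named = {f"arn:aws:iam::{account}:root", principal_arn}

    def names_principal(st) -> bool:
        principal = st.get("Principal", {})
        if isinstance(principal, str):
            return principal == "*"
        aws = principal.get("AWS", [])
        return bool(named.intersection(aws if isinstance(aws, list) else [aws]))

    if not any(st["Effect"] == "Allow" and names_principal(st)
               and _matches(st["Action"], "kms:Decrypt") for st in key_policy["Statement"]):
        return False, "key policy does not grant kms:Decrypt to the consuming account"
    if not any(st["Effect"] == "Allow" and _matches(st["Action"], "kms:Decrypt")
               and _matches(st["Resource"], key["Arn"]) for st in iam_policy["Statement"]):
        return False, "consumer IAM policy does not allow kms:Decrypt on this key"
    return True, "allowed"


if __name__ == "__main__":
    policy = hardened_bucket_policy(BUCKET_ARN, KEY_ARN)
    print(s3_request_denied(policy, "s3:GetObject", f"{BUCKET_ARN}/x.csv",
                            {"aws:SecureTransport": "false"}))  # DenyInsecureTransport
    role = f"arn:aws:iam::{CONSUMER_ACCOUNT}:role/partner-reader"  # assumed role
    key = {"Arn": KEY_ARN, "KeyManager": "CUSTOMER"}
    print(cross_account_decrypt_allowed(key, sharing_key_policy(OWNER_ACCOUNT, CONSUMER_ACCOUNT),
                                        consumer_iam_policy(KEY_ARN), role))  # (True, 'allowed')
```

The worthwhile experiment is to run `cross_account_decrypt_allowed` with one gate removed at a time: dropping the consumer's IAM statement or pointing the key policy at the wrong account both produce a refusal, which is exactly the AccessDenied the reflection question below describes, and swapping in a key with `KeyManager == "AWS"` fails before either gate is checked.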
⚠️ Exam Trap: KMS has a per-Region request quota for cryptographic operations with symmetric keys (5,500, 10,000, or 30,000 requests per second depending on the Region), and every SSE-KMS PUT and GET consumes one of those requests (a GenerateDataKey or Decrypt call). High-throughput S3 workloads (millions of PUTs/GETs) can therefore be throttled by KMS rather than by S3. If a question describes SSE-KMS throttling errors or degraded S3 throughput, the answer usually involves enabling S3 Bucket Keys (a bucket-level key derived from the KMS key is cached and used to generate the per-object data keys, so most requests never reach KMS) or, failing that, requesting a KMS quota increase.
Reflection Question: A company shares encrypted S3 data with a partner in a different AWS account. The partner can access the S3 objects but gets "AccessDenied" when trying to read them. What's likely missing?