5.3. Data Encryption and Masking
First Principle: Encryption transforms readable data into unreadable ciphertext, protecting it from unauthorized access even if the storage medium is compromised. Think of it like a safe: even if a thief breaks into the building (gains access to S3), they can't read the documents inside the safe (encrypted data) without the combination (encryption key). Data masking goes further: it replaces sensitive values with fictitious ones, ensuring that even authorized users only see the minimum data they need.
Consider this scenario: an S3 bucket is accidentally made public. Without encryption at rest, every record is exposed. With SSE-KMS, the data is unreadable even if accessed, but who has the decryption key? That question drives your entire key management strategy.
Without encryption, a misconfigured S3 bucket policy could expose every record to the internet. Without masking, every analyst with data lake access can see raw PII. The exam tests your understanding of encryption options (which service encrypts with which method), key management (who controls the keys), and masking/anonymization techniques (how to protect PII while maintaining data utility).
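To make "protect PII while maintaining data utility" concrete, the sketch below builds an analyst-facing view of a small data set. It is an added example, not code from the original page. The records, field names, key and function names are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample records; every value here is invented for illustration.
RECORDS = [
    {"customer_id": "C-1001", "email": "ana.lopez@example.com",
     "ssn": "123-45-6789", "order_total": 82.50},
    {"customer_id": "C-1002", "email": "raj.patel@example.com",
     "ssn": "987-65-4321", "order_total": 19.99},
    {"customer_id": "C-1001", "email": "ana.lopez@example.com",
     "ssn": "123-45-6789", "order_total": 40.00},
]

# Assumption: a real pipeline would fetch this key from a secrets store or KMS.
PSEUDONYM_KEY = b"constructed-demo-key"

def pseudonymize(value, key=PSEUDONYM_KEY):
    """Keyed deterministic token: equal inputs map to equal tokens, so joins
    and group-bys still work, but tokens cannot be rebuilt without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]

def mask_ssn(ssn):
    """Partial mask: expose only the last four digits."""
    digits = "".join(c for c in ssn if c.isdigit())
    return "***-**-" + digits[-4:]

def mask_email(email):
    """Keep the first character and the domain; hide the rest of the local part."""
    local, sep, domain = email.partition("@")
    if not sep or not local:
        return "***"  # malformed address: reveal nothing
    return local[0] + "***@" + domain

MASKERS = {"customer_id": pseudonymize, "email": mask_email, "ssn": mask_ssn}

def analyst_view(record):
    """Return a copy with sensitive fields masked; other fields pass through."""
    return {k: MASKERS[k](v) if k in MASKERS else v for k, v in record.items()}

def spend_per_customer(rows):
    """Aggregate that analysts need; works on raw or masked rows alike."""
    totals = {}
    for row in rows:
        key = row["customer_id"]
        totals[key] = totals.get(key, 0.0) + row["order_total"]
    return totals

if __name__ == "__main__":
    for row in RECORDS:
        print(analyst_view(row))
```

The per-customer totals computed from the masked rows match those from the raw rows, which is the utility the masked view is meant to preserve.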