Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
3.4.2.7. Encrypting Data in Transit & At Rest (KMS, CloudHSM, ACM)
Encryption is non-negotiable for compliance frameworks (SOC 2, HIPAA, PCI DSS). AWS provides encryption at every layer.
At-rest encryption across services:
| Service | Default Encryption | Customer-Managed KMS |
|---|---|---|
| S3 | SSE-S3 (default since Jan 2023) | SSE-KMS with CMK |
| EBS | AES-256 (account-level default) | KMS CMK per volume |
| RDS | AES-256 with KMS | CMK at creation (can't enable later) |
| DynamoDB | AWS owned key (free) | CMK for audit trail |
| Lambda env vars | AWS managed key | CMK for custom encryption |
KMS vs. CloudHSM:
- KMS: Multi-tenant, managed. Best for most use cases. FIPS 140-2 Level 2.
- CloudHSM: Single-tenant hardware. Required for FIPS 140-2 Level 3 compliance. You manage the HSM cluster.
In-transit encryption:
- ALB/NLB → TLS termination with ACM certificates
- Service-to-service → TLS (SDK default), VPC endpoints (private network)
- Database connections → RDS/Aurora support TLS; enforce with the `require_ssl` parameter

```bash
# Enforce TLS on RDS connections
aws rds modify-db-parameter-group \
  --db-parameter-group-name prod-params \
  --parameters "ParameterName=rds.force_ssl,ParameterValue=1,ApplyMethod=pending-reboot"
```
Exam Trap: RDS encryption must be enabled at creation time — you cannot encrypt an existing unencrypted RDS instance. To encrypt an existing instance: create a snapshot → copy the snapshot with encryption enabled → restore from the encrypted snapshot. If the exam describes migrating an unencrypted database to encrypted, this is the required workflow.
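The posture this section lays out (customer-managed KMS keys at rest, TLS forced on RDS, no in-place encryption of an existing RDS instance) can be checked mechanically. The following is an added example, not MindMesh course material: it evaluates inventory records constructed here to mirror the field names of boto3's `get_bucket_encryption`, `describe_db_instances`, `describe_db_parameters` and `describe_key` responses; no AWS calls are made, and the key ARNs, bucket and instance names are made up.

```python
# Added example (not MindMesh course code): offline audit of records shaped like boto3 responses.

# Constructed stand-in for kms.describe_key()['KeyMetadata'], looked up by key ARN.
KMS_KEYS = {
    "arn:aws:kms:us-east-1:111122223333:key/cmk-0001": {"KeyManager": "CUSTOMER"},
    "arn:aws:kms:us-east-1:111122223333:key/aws-0002": {"KeyManager": "AWS"},
}

def key_tier(kms_key_id):
    """Map a key reference onto the table's tiers: none, aws-managed, customer-managed."""
    if not kms_key_id:
        return "none"
    meta = KMS_KEYS.get(kms_key_id)
    if meta is None:
        return "unknown"
    return "customer-managed" if meta["KeyManager"] == "CUSTOMER" else "aws-managed"

def require_cmk(label, kms_key_id):
    tier = key_tier(kms_key_id)
    return [] if tier == "customer-managed" else [f"{label}: encrypted with {tier} key"]

def audit_bucket(name, sse):
    """sse mirrors s3.get_bucket_encryption()['ServerSideEncryptionConfiguration']."""
    rule = sse["Rules"][0]["ApplyServerSideEncryptionByDefault"]
    if rule["SSEAlgorithm"] != "aws:kms":
        return [f"{name}: SSE-S3 default only, no KMS key"]
    return require_cmk(name, rule.get("KMSMasterKeyID"))

def audit_db(db, params):
    """db: rds.describe_db_instances() entry; params: rds.describe_db_parameters()['Parameters']."""
    dbid = db["DBInstanceIdentifier"]
    if db["StorageEncrypted"]:
        out = require_cmk(dbid, db.get("KmsKeyId"))
    else:  # cannot be fixed in place: snapshot -> copy with KmsKeyId -> restore
        out = [f"{dbid}: storage unencrypted (snapshot/copy/restore required)"]
    values = {p["ParameterName"]: p.get("ParameterValue") for p in params}
    if values.get("rds.force_ssl") != "1":
        out.append(f"{dbid}: rds.force_ssl != 1, TLS not enforced")
    return out

# Constructed sample inventory: one compliant bucket, one SSE-S3 bucket, one bad RDS instance.
CMK = "arn:aws:kms:us-east-1:111122223333:key/cmk-0001"
DATA_BUCKET = {"Rules": [{"ApplyServerSideEncryptionByDefault":
                          {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": CMK}}]}
LOGS_BUCKET = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}
DB = {"DBInstanceIdentifier": "prod-db", "StorageEncrypted": False}
PARAMS = [{"ParameterName": "rds.force_ssl", "ParameterValue": "0"}]
def run_audit():
    findings = audit_bucket("data", DATA_BUCKET) + audit_bucket("logs", LOGS_BUCKET)
    return findings + audit_db(DB, PARAMS)
```

In a real account the same functions run over the live responses, with `KMS_KEYS` replaced by a `describe_key` lookup per distinct ARN.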

Written by Alvin Varughese • Founder • 15 professional certifications