6.2.1. Data Encryption at Rest (KMS, CloudHSM)
First Principle: The security of encrypted data depends entirely on the security of the encryption keys. Choosing between AWS-managed keys, customer-managed keys, and CloudHSM-managed keys is a decision about who controls the keys and how they're protected.
AWS KMS (Key Management Service):
- Centralized key management for 100+ AWS services
- Three key types:
  - AWS owned keys: Fully AWS-managed, shared across accounts. No cost, no visibility.
  - AWS managed keys: Per-service, per-account. Free, limited control. Visible in KMS console.
  - Customer managed keys (CMKs): Full control over key policy, rotation, enabling/disabling. Cost: $1/month + API charges.
- Key policies control who can use and manage each key
- Envelope encryption: KMS generates a data key and returns it both in plaintext and encrypted under the CMK. The application encrypts the data locally with the plaintext data key, stores the encrypted data key alongside the ciphertext, and discards the plaintext key. Only the small data key ever passes through KMS, so bulk encryption stays fast and the CMK never leaves KMS.
- Automatic key rotation: Annual rotation for customer managed keys (optional, recommended)
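The envelope encryption flow from the bullet above, as an added example that is not from this page or from AWS: a FakeKms class stands in for the KMS API (the CMK is created inside it and never returned, mirroring GenerateDataKey and Decrypt), and a toy HMAC-based authenticated cipher stands in for AES-GCM so the code runs with only the standard library. In production the two KMS calls map to boto3's generate_data_key and decrypt (or to the AWS Encryption SDK), and the cipher is AES-GCM.

```python
import hashlib
import hmac
import os
import struct

# Toy authenticated cipher: HMAC-SHA256 keystream in counter mode, then an
# HMAC tag over nonce||ciphertext. Illustration only; it stands in for the
# AES-GCM that KMS and the AWS Encryption SDK actually use.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
    return out[:n]

def aead_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def aead_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class FakeKms:
    """Stand-in for the KMS API (assumption: constructed here, not boto3).
    The CMK is generated inside and never returned; callers only see data keys."""
    def __init__(self):
        self._cmk = os.urandom(32)           # master key material stays in "KMS"
    def generate_data_key(self):             # like kms:GenerateDataKey
        plaintext_key = os.urandom(32)
        return plaintext_key, aead_encrypt(self._cmk, plaintext_key)
    def decrypt(self, wrapped_key: bytes):   # like kms:Decrypt on the wrapped data key
        return aead_decrypt(self._cmk, wrapped_key)

def envelope_encrypt(kms: FakeKms, plaintext: bytes) -> dict:
    data_key, wrapped_key = kms.generate_data_key()   # one KMS call per object
    ciphertext = aead_encrypt(data_key, plaintext)    # bulk encryption happens locally
    return {"wrapped_key": wrapped_key, "ciphertext": ciphertext}  # stored together

def envelope_decrypt(kms: FakeKms, envelope: dict) -> bytes:
    data_key = kms.decrypt(envelope["wrapped_key"])   # KMS only unwraps the 32-byte key
    return aead_decrypt(data_key, envelope["ciphertext"])
```

Every envelope_decrypt call is one kms:Decrypt, which is exactly the per-object usage that CloudTrail records for SSE-KMS and cannot record for SSE-S3.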
AWS CloudHSM:
- Dedicated hardware security modules (FIPS 140-2 Level 3 validated)
- YOU manage the keys — AWS manages the HSM hardware
- Required for: specific compliance frameworks, custom key stores, SSL/TLS offloading
- Runs in your VPC — accessible via ENI
Server-Side Encryption Options:
| Method | Key Management | Use Case |
|---|---|---|
| SSE-S3 | AWS-managed (default) | Basic encryption, no audit requirement |
| SSE-KMS | Customer-managed KMS key | Audit trail, key policy control, compliance |
| SSE-C | Customer-provided key | Customer retains full key control |
| Client-side | Application encrypts before upload | Maximum control, application handles encryption |
Choosing Between KMS and CloudHSM:
| Need | KMS | CloudHSM |
|---|---|---|
| Compliance level | FIPS 140-2 Level 2 | FIPS 140-2 Level 3 |
| Key control | AWS and customer (shared) | Customer only |
| Integration | 100+ AWS services | Custom application integration |
| Cost | Per-key + per-request | Per-HSM-hour (~$1.60/hr) |
| Management | AWS manages HSM infrastructure | You manage keys, users, partitions |
⚠️ Exam Trap: S3 now encrypts all new objects by default using SSE-S3. But SSE-S3 doesn't provide CloudTrail logging of key usage. If an exam question requires auditing who decrypted what, the answer is SSE-KMS with a customer-managed key.
Scenario: A compliance framework requires FIPS 140-2 Level 3 key storage and the ability to prove that only authorized personnel can access encryption keys. KMS (Level 2) doesn't meet the requirement. You deploy CloudHSM, create a custom key store in KMS backed by your CloudHSM cluster (a CloudHSM key store), and use it for encryption: you get CloudHSM's compliance level with KMS's integration convenience.
Reflection Question: Why does the choice between SSE-S3, SSE-KMS, and CloudHSM ultimately come down to who needs to control the keys and what audit requirements exist?