Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

6.4. Phase 6 Reflection Checkpoint

Key Takeaways:
  1. Data protection covers confidentiality (encryption), integrity (Object Lock, code signing), availability (backups, replication), and lifecycle (retention, deletion)
  2. KMS key type selection depends on audit requirements: SSE-S3 (no audit), SSE-KMS (CloudTrail audit), CloudHSM (FIPS 140-2 Level 3)
  3. Inter-resource encryption (EMR, EKS, SageMaker, Nitro) is new in C03 — encrypts traffic between nodes within clusters
  4. Data masking (CloudWatch Logs, SNS) prevents sensitive data from appearing in operational data streams
  5. Multi-Region KMS keys and Private CA enable cross-Region encryption and certificate management

Connecting Forward: In Phase 7, you'll learn Security Foundations and Governance — centralized account management, organizational policies (including new RCPs and declarative policies), secure deployment, and compliance evaluation.

Self-Check Questions:
  • Can you explain when to use KMS vs. CloudHSM vs. external key stores?
  • Can you distinguish between imported key material and AWS-generated key material, including rotation implications?
  • Can you describe how CloudWatch Logs data protection policies prevent sensitive data exposure in logs?
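As an added illustration for the last self-check question (not part of the original checkpoint), this is the shape of a CloudWatch Logs data protection policy that detects email addresses with the AWS-managed EmailAddress data identifier, sends findings to a separate log group, and masks the matches in the protected log group; the policy name, description and findings log group name are placeholders.

```json
{
  "Name": "example-data-protection-policy",
  "Description": "Audit and mask email addresses in application logs (added example)",
  "Version": "2021-06-01",
  "Statement": [
    {
      "Sid": "audit-policy",
      "DataIdentifier": [
        "arn:aws:dataprotection::aws:data-identifier/EmailAddress"
      ],
      "Operation": {
        "Audit": {
          "FindingsDestination": {
            "CloudWatchLogs": {
              "LogGroup": "EXISTING_FINDINGS_LOG_GROUP_PLACEHOLDER"
            }
          }
        }
      }
    },
    {
      "Sid": "redact-policy",
      "DataIdentifier": [
        "arn:aws:dataprotection::aws:data-identifier/EmailAddress"
      ],
      "Operation": {
        "Deidentify": {
          "MaskConfig": {}
        }
      }
    }
  ]
}
```

The Audit statement records where sensitive data was found and the Deidentify statement masks it for everyone except principals holding the logs:Unmask permission; masking applies to events ingested after the policy is attached, not to events already stored.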
Written by Alvin Varughese, Founder, 15 professional certifications