Encryption in AWS
Learn the essentials of encryption in AWS.
Introduction
Encryption is the process of converting plain text data to an unreadable form (ciphertext) to prevent unauthorized access to sensitive information. The process of converting the ciphertext back into its original form is called decryption.
Encryption is primarily used in two ways:
- At rest
- In flight
Encryption at rest
Encryption at rest refers to the practice of encrypting data while it’s stored (on EBS volumes, in S3 buckets, and so on), as opposed to encrypting data in transit (over a network or the internet). This means the data is protected by encryption even when it isn’t being actively used or transmitted, which provides an additional layer of security against unauthorized access. In AWS there are two types of encryption at rest: server-side and client-side.
Server-side encryption at rest
This refers to the practice of encrypting data on the server before it’s stored. In AWS, services can use data keys to encrypt data once it’s received. The following illustration shows an example of server-side encryption at rest. We can see that when data reaches the AWS service, it’s unencrypted. It’s then encrypted using a data key before storage in its final destination.
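The data-key pattern described above, as an added example in Go that is not part of the original page: AES-256-GCM stands in for the service's cipher and a local master key stands in for the key AWS KMS would hold (both assumptions). The stored object carries the ciphertext plus the data key wrapped under the master key, and decryption unwraps the key before opening the object.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is what the service persists: ciphertext plus the wrapped data key.
type Envelope struct {
	Ciphertext []byte // object sealed with the per-object data key
	WrappedKey []byte // data key sealed with the master key (in AWS: a KMS key)
}
func aeadFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // wrong key length is a programming error in this example
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}
// seal encrypts plaintext with AES-GCM and prepends the random 12-byte nonce.
func seal(key, plaintext []byte) []byte {
	gcm := aeadFor(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // fresh nonce per call; nonce reuse under one key breaks GCM
	return gcm.Seal(nonce, nonce, plaintext, nil)
}
// open reverses seal; GCM's tag check rejects tampering and wrong keys.
func open(key, sealed []byte) ([]byte, error) {
	gcm := aeadFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}
// EncryptAtRest is the server-side step: fresh 256-bit data key per object,
// object sealed with it, data key wrapped under the (assumed local) master key.
func EncryptAtRest(masterKey, data []byte) Envelope {
	dataKey := make([]byte, 32)
	rand.Read(dataKey) // the plaintext data key exists only for this call
	return Envelope{Ciphertext: seal(dataKey, data), WrappedKey: seal(masterKey, dataKey)}
}
// DecryptAtRest unwraps the data key with the master key, then opens the object.
func DecryptAtRest(masterKey []byte, env Envelope) ([]byte, error) {
	dataKey, err := open(masterKey, env.WrappedKey)
	if err != nil {
		return nil, err
	}
	return open(dataKey, env.Ciphertext)
}
```

Losing the master key makes every wrapped data key, and therefore every object, unrecoverable, which is why the master key is the thing to protect and audit.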