1.4 Encryption, KMS, and Secrets Management
Key Takeaways
- AWS KMS manages encryption keys for data at rest; it integrates with most AWS services for server-side encryption.
- KMS keys fall into three categories: AWS owned keys (used by some services, not visible in your account), AWS managed keys (automatic, per-service, e.g. aws/s3) and customer managed keys (CMKs), which you control with your own key policies and configurable rotation.
- Data at rest encryption options include SSE-S3, SSE-KMS, and SSE-C for S3; EBS encryption; and RDS encryption.
- Data in transit is encrypted using TLS/SSL — AWS Certificate Manager (ACM) provides free public TLS certificates.
- Use AWS Secrets Manager for rotating database credentials and API keys; use Systems Manager Parameter Store for simpler configuration values.
Encryption, KMS, and Secrets Management
Quick Answer: Use KMS for encryption keys (data at rest), ACM for TLS certificates (data in transit), Secrets Manager for rotating credentials, and Parameter Store for configuration values. Under the Shared Responsibility Model, deciding what to encrypt and turning encryption on (client-side, server-side and in transit) is the customer's responsibility; AWS is responsible for the key-storage hardware and the encryption implementations behind those services.
Encryption at Rest vs. In Transit
| Type | What It Protects | How | AWS Services |
|---|---|---|---|
| At Rest | Data stored on disk/storage | Encryption keys (KMS, SSE) | S3, EBS, RDS, DynamoDB, EFS |
| In Transit | Data moving between endpoints | TLS/SSL protocols | ALB, CloudFront, API Gateway, ACM |
AWS Key Management Service (KMS)
AWS KMS is the primary service for creating and managing encryption keys in AWS. It integrates with most AWS services.
Key Types
| Key Type | Who Manages | Rotation | Cost | Use Case |
|---|---|---|---|---|
| AWS Owned Keys | AWS (fully managed) | Varies by service | Free | Default encryption on some services |
| AWS Managed Keys | AWS (per-service, visible in KMS) | Automatic (yearly) | Free (no monthly fee; per-use charges apply) | Default KMS encryption (e.g., aws/s3, aws/ebs) |
| Customer Managed Keys (CMKs) | You | Optional (configurable) | $1/month + per-use | Custom key policies, cross-account, audit |
KMS Key Policies
Every KMS key has a key policy — a resource-based policy that controls access to the key.
Default key policy: a single statement that gives the account root principal (arn:aws:iam::<account-id>:root) kms:* on the key. That statement is what lets IAM identity policies in the account grant access to the key; without it, IAM policies have no effect on the key and the key can become unmanageable.
Custom key policy: define exactly who can manage and who can use the key, grant cross-account access (the other account must still allow the actions in its own IAM policies), restrict use to calls made through a particular service (kms:ViaService), or require MFA for direct decryption (aws:MultiFactorAuthPresent). A request succeeds only if the key policy allows it, either directly or by delegating to an IAM policy that allows it, and nothing denies it.
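The following is an added example, not code from the original page: it builds a customer managed key policy with the statements a hardened key usually carries (root delegation, separate admin and usage roles, usage restricted to calls via S3, MFA for human decryption, cross-account decrypt) and lints it for the two most common mistakes. The account IDs, role names and Region are placeholders, and the lint functions are this example's own; nothing here calls AWS.

```python
"""Added example: build a KMS key policy and check it for footguns. Account IDs,
role names and Region are assumed placeholders; nothing is sent to AWS."""
import json

ACCOUNT = "111122223333"          # assumed: account that owns the key
PARTNER_ACCOUNT = "444455556666"  # assumed: account allowed to decrypt
REGION = "us-east-1"

KEY_USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"]


def build_key_policy(account=ACCOUNT, partner=PARTNER_ACCOUNT, region=REGION):
    """Return the key policy as a dict ready for json.dumps()."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Keep the account root principal: this is what lets IAM policies in the
                # account grant access to the key. Drop it and the key can become unmanageable.
                "Sid": "EnableIAMUserPermissions", "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account}:root"},
                "Action": "kms:*", "Resource": "*",
            },
            {   # Key administrators manage the key but get no cryptographic actions.
                "Sid": "AllowKeyAdministration", "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account}:role/KeyAdminRole"},
                "Action": ["kms:Describe*", "kms:Enable*", "kms:Disable*", "kms:Get*",
                           "kms:List*", "kms:Put*", "kms:Update*", "kms:Revoke*",
                           "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
                           "kms:TagResource", "kms:UntagResource"],
                "Resource": "*",
            },
            {   # The application role may use the key only through S3 in this Region,
                # so a stolen credential cannot call kms:Decrypt directly.
                "Sid": "AllowUseViaS3", "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account}:role/AppRole"},
                "Action": KEY_USE_ACTIONS, "Resource": "*",
                "Condition": {"StringEquals": {"kms:ViaService": f"s3.{region}.amazonaws.com"}},
            },
            {   # Humans may decrypt directly, but only with MFA. Do not put this condition
                # on service roles: calls made on behalf of a service carry no MFA context.
                "Sid": "AllowHumanDecryptWithMFA", "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account}:role/OperatorRole"},
                "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*",
                "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
            },
            {   # Cross-account use: the partner must also grant kms:Decrypt on this key
                # ARN in its own IAM policies; the key policy alone is not enough.
                "Sid": "AllowPartnerDecrypt", "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{partner}:root"},
                "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*",
            },
        ],
    }


def _aws_principals(statement):
    """Normalise the Principal element to a list of strings."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return aws if isinstance(aws, list) else [aws]


def lint_key_policy(policy, account):
    """Findings for the two classic key-policy mistakes (empty list means none found)."""
    findings = []
    allows = [s for s in policy.get("Statement", []) if s.get("Effect") == "Allow"]
    root = f"arn:aws:iam::{account}:root"
    if not any(root in _aws_principals(s) for s in allows):
        findings.append("no Allow for the account root: IAM policies cannot grant access "
                        "and the key may become unmanageable")
    for s in allows:
        if "*" in _aws_principals(s) and "Condition" not in s:
            findings.append(f"{s.get('Sid', '?')}: Principal '*' without a Condition "
                            "makes the key usable from any AWS account")
    return findings


def external_accounts(policy, account):
    """Account IDs other than the owner that appear as principals in Allow statements."""
    ids = set()
    for s in policy.get("Statement", []):
        if s.get("Effect") == "Allow":
            for p in _aws_principals(s):
                parts = p.split(":")  # arn:aws:iam::<account>:<entity>
                if len(parts) == 6 and parts[4] not in ("", account):
                    ids.add(parts[4])
    return ids


if __name__ == "__main__":
    policy = build_key_policy()
    print(json.dumps(policy, indent=2))
    print("findings:", lint_key_policy(policy, ACCOUNT))
    print("external accounts:", external_accounts(policy, ACCOUNT))
```

Run the lint against any policy you are about to attach with PutKeyPolicy; the root-principal check in particular catches the case where a "least privilege" rewrite silently locks everyone out.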
Envelope Encryption
Direct KMS Encrypt and Decrypt calls accept at most 4 KB of plaintext, so for anything larger, AWS services and client SDKs use envelope encryption:
- KMS GenerateDataKey returns a data encryption key (DEK) in two forms: a plaintext copy and a copy encrypted under the KMS key
- The plaintext DEK encrypts your data locally, in memory, with a symmetric cipher such as AES-GCM
- The plaintext DEK is discarded; the encrypted DEK is stored alongside the ciphertext
- To decrypt, the application sends only the encrypted DEK to KMS Decrypt (a policy-controlled call logged in CloudTrail), gets the plaintext DEK back, and decrypts the data locally; the bulk data never leaves the client
On the Exam: KMS can directly encrypt data up to 4 KB. For larger data, use envelope encryption with the GenerateDataKey API (or GenerateDataKeyWithoutPlaintext when the component that stores the data should never hold the plaintext key).
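The procedure above, as an added example that is not from the original page: SimulatedKms is an offline stand-in for the KMS Encrypt/Decrypt/GenerateDataKey API (same 4 KB direct-encryption limit, ciphertext blobs that record which key wrapped them), and the local cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, used only because the Python standard library has no AES. In production the local step is AES-GCM through the AWS Encryption SDK or boto3 plus a cryptography library; the function and class names here are this example's own.

```python
"""Added example: envelope encryption against a simulated KMS. The local cipher
is a stand-in for AES-GCM built from HMAC-SHA256 (stdlib only)."""
import hashlib
import hmac
import os


def _derive(key, label):
    """Separate encryption and MAC keys from one 32-byte data key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(enc_key, nonce, data):
    """Counter mode: block i of the keystream is HMAC(enc_key, nonce || i)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(enc_key, nonce + (off // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def local_encrypt(key, plaintext, aad=b""):
    """Authenticated encryption under a data key: nonce || tag || ciphertext."""
    nonce = os.urandom(16)
    ct = _keystream_xor(_derive(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_derive(key, b"mac"), nonce + aad + ct, hashlib.sha256).digest()
    return nonce + tag + ct


def local_decrypt(key, blob, aad=b""):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    expect = hmac.new(_derive(key, b"mac"), nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("ciphertext or associated data was tampered with")
    return _keystream_xor(_derive(key, b"enc"), nonce, ct)


class SimulatedKms:
    """Offline stand-in for KMS. Real KMS keeps the key material in HSMs, never
    returns it, and logs every one of these calls in CloudTrail."""
    DIRECT_LIMIT = 4096  # plaintext limit of the Encrypt API

    def __init__(self):
        self._keys = {}

    def create_key(self, key_id):
        self._keys[key_id] = os.urandom(32)
        return key_id

    def encrypt(self, key_id, plaintext):
        if len(plaintext) > self.DIRECT_LIMIT:
            raise ValueError(f"Encrypt accepts at most {self.DIRECT_LIMIT} bytes; use envelope encryption")
        kid = key_id.encode()
        # The blob carries the key id so Decrypt needs no KeyId parameter, as with real KMS.
        return bytes([len(kid)]) + kid + local_encrypt(self._keys[key_id], plaintext, aad=kid)

    def decrypt(self, ciphertext_blob):
        n = ciphertext_blob[0]
        kid = ciphertext_blob[1:1 + n]
        plaintext = local_decrypt(self._keys[kid.decode()], ciphertext_blob[1 + n:], aad=kid)
        return {"KeyId": kid.decode(), "Plaintext": plaintext}

    def generate_data_key(self, key_id):
        dek = os.urandom(32)
        return {"KeyId": key_id, "Plaintext": dek, "CiphertextBlob": self.encrypt(key_id, dek)}


def envelope_encrypt(kms, key_id, plaintext):
    """Encrypt data of any size: one KMS call, the bulk work done locally."""
    dk = kms.generate_data_key(key_id)
    # Bind the wrapped DEK to the ciphertext as associated data so the two cannot be mixed.
    ciphertext = local_encrypt(dk["Plaintext"], plaintext, aad=dk["CiphertextBlob"])
    del dk["Plaintext"]  # discard the plaintext DEK; only the wrapped copy is stored
    return {"encrypted_dek": dk["CiphertextBlob"], "ciphertext": ciphertext}


def envelope_decrypt(kms, envelope):
    """Only the small wrapped DEK goes to KMS; the bulk ciphertext never leaves the client."""
    dek = kms.decrypt(envelope["encrypted_dek"])["Plaintext"]
    return local_decrypt(dek, envelope["ciphertext"], aad=envelope["encrypted_dek"])


if __name__ == "__main__":
    kms = SimulatedKms()
    kid = kms.create_key("alias/demo")
    data = os.urandom(100_000)  # constructed sample, well over the 4 KB direct limit
    env = envelope_encrypt(kms, kid, data)
    assert envelope_decrypt(kms, env) == data
    print("wrapped DEK:", len(env["encrypted_dek"]), "bytes; data:", len(data), "bytes")
```

Two details carry over to real deployments: the wrapped DEK is a few dozen bytes regardless of the data size, so the KMS call count (and CloudTrail volume) stays at one per object, and binding the wrapped DEK as associated data means an attacker who can swap stored blobs cannot pair a ciphertext with a different key.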
KMS Multi-Region Keys
KMS supports multi-Region keys: a primary key plus replica keys in other Regions that share the same key ID and key material, so ciphertext produced in one Region can be decrypted in another without a cross-Region call or re-encryption. Use cases:
- Encrypt in one Region, decrypt in another
- Disaster recovery (decrypt data in backup Region)
- Global applications needing consistent encryption
S3 Encryption Options
| Option | Key Management | How It Works |
|---|---|---|
| SSE-S3 | AWS manages keys | Amazon manages all key creation, rotation, and storage. Default for new buckets. |
| SSE-KMS | AWS KMS manages keys | You choose a KMS key; provides audit trail via CloudTrail |
| SSE-C | Customer provides keys | You send the key with each request; AWS does NOT store the key |
| Client-side | Customer encrypts before upload | Data encrypted before sending to S3 |
Default: As of 2023, all new S3 objects are encrypted with SSE-S3 by default. You can override to use SSE-KMS or SSE-C.
EBS Encryption
| Feature | Detail |
|---|---|
| Algorithm | AES-256 |
| Key | AWS managed or customer managed KMS key |
| What is encrypted | Data at rest, snapshots, data in transit between instance and volume |
| Performance impact | Minimal (uses hardware-accelerated encryption) |
| Unencrypted to encrypted | An existing volume cannot be encrypted in place: snapshot it, copy the snapshot with encryption enabled (choosing the KMS key), create a new volume from the encrypted snapshot, and swap it in |
RDS Encryption
| Feature | Detail |
|---|---|
| At rest | AES-256 using KMS; must be enabled when the instance is created (an unencrypted instance cannot be encrypted in place: snapshot, copy-and-encrypt, restore) |
| Read replicas | Encrypted with the same key (same Region) or different key (cross-Region) |
| Snapshots | Encrypted snapshots from encrypted instances; can copy-and-encrypt unencrypted snapshots |
| In transit | SSL/TLS; enforce it with the rds.force_ssl parameter (PostgreSQL, SQL Server) or require_secure_transport (MySQL, MariaDB) in the DB parameter group |
AWS Certificate Manager (ACM)
ACM provides, manages, and deploys TLS/SSL certificates for encrypting data in transit.
| Feature | Detail |
|---|---|
| Public certificates | Free (for use with ACM-integrated services) |
| Automatic renewal | ACM auto-renews certificates before expiration |
| Integrated services | ALB, CloudFront, API Gateway, Elastic Beanstalk |
| Private certificates | $400/month per CA (for internal services) |
| Not exportable | The private key of an ACM public certificate never leaves ACM, so it cannot be installed on an EC2 instance directly; terminate TLS on an ALB, CloudFront or API Gateway instead. Certificates from ACM Private CA can be exported with their private key for EC2 or on-premises hosts |
AWS Secrets Manager
Secrets Manager stores and automatically rotates secrets (database credentials, API keys, tokens).
| Feature | Detail |
|---|---|
| Automatic rotation | Rotation runs in a Lambda function on a schedule you set; AWS supplies rotation function templates for RDS, Redshift and DocumentDB credentials, and you write the function for other secret types |
| Encryption | Secrets encrypted with KMS |
| Cross-account | Share secrets via resource policies |
| Cost | $0.40/secret/month + $0.05 per 10,000 API calls |
| Versioning | Versions are tracked with staging labels: AWSCURRENT (live), AWSPENDING (being rotated in) and AWSPREVIOUS (last good). Rotation moves the labels rather than deleting the old value, so a failed rotation can be rolled back |
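The rotation and versioning behaviour described above, as an added example rather than code from the original page: the four-step rotation handler that Secrets Manager invokes (createSecret, setSecret, testSecret, finishSecret) run against in-memory stand-ins for the Secrets Manager API and a database. The FakeSecretsManager and FakeDatabase classes, the secret layout ({"username", "password"}) and the single-user rotation strategy are this example's assumptions; in a real Lambda the client is boto3.client("secretsmanager") and set_password is an ALTER USER statement sent over TLS.

```python
"""Added example: Secrets Manager rotation handler with staging-label semantics,
run offline against stand-ins for the API and the database."""
import json
import secrets


class FakeSecretsManager:
    """Subset of the boto3 secretsmanager client (assumed stand-in)."""

    def __init__(self, initial):
        self.versions = {"v0": {"SecretString": json.dumps(initial), "VersionStages": ["AWSCURRENT"]}}

    def describe_secret(self, SecretId):
        return {"VersionIdsToStages": {v: list(d["VersionStages"]) for v, d in self.versions.items()}}

    def get_secret_value(self, SecretId, VersionId=None, VersionStage=None):
        for vid, d in self.versions.items():
            if VersionId in (None, vid) and (VersionStage is None or VersionStage in d["VersionStages"]):
                return {"VersionId": vid, "SecretString": d["SecretString"]}
        raise LookupError("ResourceNotFoundException")

    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        existing = self.versions.get(ClientRequestToken)
        if existing and existing["SecretString"] != SecretString:
            raise ValueError("ResourceExistsException: token reused with different content")
        self.versions[ClientRequestToken] = {"SecretString": SecretString, "VersionStages": list(VersionStages)}

    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId=None, RemoveFromVersionId=None):
        if RemoveFromVersionId:
            self.versions[RemoveFromVersionId]["VersionStages"].remove(VersionStage)
            if VersionStage == "AWSCURRENT":  # the service relabels the old version automatically
                self.versions[RemoveFromVersionId]["VersionStages"].append("AWSPREVIOUS")
        if MoveToVersionId:
            self.versions[MoveToVersionId]["VersionStages"].append(VersionStage)


class FakeDatabase:
    """Assumed stand-in for the database whose user password is rotated."""

    def __init__(self, user, password):
        self._passwords = {user: password}

    def set_password(self, login, user, new_password):
        if self._passwords.get(login["username"]) != login["password"]:
            raise PermissionError("login failed")
        self._passwords[user] = new_password

    def authenticate(self, user, password):
        return self._passwords.get(user) == password


def _value(client, secret_id, **kw):
    return json.loads(client.get_secret_value(SecretId=secret_id, **kw)["SecretString"])


def lambda_handler(event, context, client, db):
    secret_id, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    stages = client.describe_secret(SecretId=secret_id)["VersionIdsToStages"]
    if "AWSCURRENT" in stages.get(token, []):
        return  # this version already finished rotating; retries are safe
    if step == "createSecret":
        if "AWSPENDING" in stages.get(token, []):
            return  # retry with the same token must not mint a second password
        current = _value(client, secret_id, VersionStage="AWSCURRENT")
        current["password"] = secrets.token_urlsafe(32)
        client.put_secret_value(SecretId=secret_id, ClientRequestToken=token,
                                SecretString=json.dumps(current), VersionStages=["AWSPENDING"])
    elif step == "setSecret":
        pending = _value(client, secret_id, VersionId=token, VersionStage="AWSPENDING")
        if db.authenticate(pending["username"], pending["password"]):
            return  # already applied on an earlier attempt
        current = _value(client, secret_id, VersionStage="AWSCURRENT")
        db.set_password(current, pending["username"], pending["password"])
    elif step == "testSecret":
        pending = _value(client, secret_id, VersionId=token, VersionStage="AWSPENDING")
        if not db.authenticate(pending["username"], pending["password"]):
            raise RuntimeError("pending credentials rejected; AWSCURRENT is left untouched")
    elif step == "finishSecret":
        current_id = next(v for v, s in stages.items() if "AWSCURRENT" in s)
        client.update_secret_version_stage(SecretId=secret_id, VersionStage="AWSCURRENT",
                                           MoveToVersionId=token, RemoveFromVersionId=current_id)
        client.update_secret_version_stage(SecretId=secret_id, VersionStage="AWSPENDING",
                                           RemoveFromVersionId=token)
    else:
        raise ValueError(f"unknown step {step}")


def rotate(client, db, secret_id="demo", token="v1"):
    """Drive the steps in the order Secrets Manager does; returns the new AWSCURRENT value."""
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        lambda_handler({"SecretId": secret_id, "ClientRequestToken": token, "Step": step}, None, client, db)
    return _value(client, secret_id, VersionStage="AWSCURRENT")


if __name__ == "__main__":
    client = FakeSecretsManager({"username": "app", "password": "old-pw"})
    db = FakeDatabase("app", "old-pw")
    new = rotate(client, db)
    print("new password works:", db.authenticate("app", new["password"]))
    print(client.describe_secret(SecretId="demo")["VersionIdsToStages"])
```

The ordering is the point: AWSCURRENT only moves in finishSecret, after testSecret has proved the new credential works, so a database outage mid-rotation leaves applications reading the still-valid old value, and every step is idempotent because Secrets Manager retries failed invocations with the same ClientRequestToken.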
Systems Manager Parameter Store
Parameter Store is a simpler (and cheaper) alternative for storing configuration data and secrets.
| Feature | Parameter Store | Secrets Manager |
|---|---|---|
| Cost | Free (Standard tier, up to 10,000 params) | $0.40/secret/month |
| Rotation | No built-in rotation | Automatic rotation |
| Encryption | Optional (KMS) | Always (KMS) |
| Size limit | 4 KB (Standard) / 8 KB (Advanced) | 64 KB |
| Best for | Config values, non-sensitive data | Database passwords, API keys |
On the Exam: "Automatically rotate database credentials" → Secrets Manager. "Store application configuration values" → Parameter Store.
A company needs to encrypt S3 data and maintain an audit trail of who used the encryption key and when. Which encryption option should they use?
A development team needs to store and automatically rotate database credentials for an Amazon RDS instance. Which service should they use?
How does KMS handle encryption of data larger than 4 KB?