1.4 Encryption, KMS, and Secrets Management
Key Takeaways
- AWS KMS manages encryption keys for data at rest and integrates with most AWS services for server-side encryption.
- KMS keys are AWS owned, AWS managed (free, auto-rotated), or customer managed ($1/month, configurable rotation and policies).
- S3 offers SSE-S3, SSE-KMS, and SSE-C; SSE-KMS adds a CloudTrail audit trail of key usage.
- Data in transit is protected with TLS; AWS Certificate Manager (ACM) issues free public certificates and auto-renews them.
- Secrets Manager rotates database credentials automatically ($0.40/secret/month); Parameter Store is the cheaper option for plain configuration.
Quick Answer: Use KMS for encryption keys (data at rest), ACM for free TLS certificates (data in transit), Secrets Manager for rotating credentials, and Parameter Store for configuration. Encrypting your data is always the customer's job under the Shared Responsibility Model.
At Rest vs. In Transit
| Type | Protects | Mechanism | Services |
|---|---|---|---|
| At rest | Stored data | KMS keys / SSE | S3, EBS, RDS, DynamoDB, EFS |
| In transit | Data on the wire | TLS/SSL | ALB, CloudFront, API Gateway, ACM |
AWS Key Management Service (KMS)
AWS KMS creates and controls symmetric and asymmetric keys used by nearly every AWS service. Keys never leave KMS in plaintext, and KMS hardware is FIPS 140-2 validated.
| Key Type | Managed By | Rotation | Cost |
|---|---|---|---|
| AWS owned | AWS (shared, invisible) | AWS-controlled | Free |
| AWS managed (aws/s3, aws/ebs) | AWS, per service | Automatic, yearly | Free monthly; per-call charges |
| Customer managed (CMK) | You | Optional, configurable (yearly auto-rotate available) | $1/month + ~$0.03 / 10,000 calls |
Choose a customer managed key when you need a custom key policy, cross-account key sharing, an explicit rotation schedule, or fine-grained CloudTrail audit of key usage.
Key Policies
Every KMS key has a key policy — a resource-based policy. The default policy gives the account root the ability to delegate via IAM. Effective access requires the key policy AND (for IAM principals) an IAM policy permitting kms:Decrypt/kms:GenerateDataKey.
Envelope Encryption (high-yield)
KMS can directly encrypt only data up to 4 KB. For anything larger it uses envelope encryption:
- Call GenerateDataKey → KMS returns a plaintext data encryption key (DEK) plus an encrypted copy.
- Encrypt the data locally with the plaintext DEK.
- Discard the plaintext DEK; store the encrypted DEK beside the ciphertext.
- To read, KMS decrypts the DEK, which then decrypts the data.
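The four steps above as a runnable walkthrough, added here and not part of the original guide: a 32-byte kmsKey stands in for the customer managed key (in AWS it never leaves KMS, and the real calls are kms:GenerateDataKey and kms:Decrypt), AES-256-GCM is assumed for both the DEK wrap and the local data encryption, and only the wrapped DEK is kept beside the ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// must panics on setup failures that mean a programming bug (bad key length, RNG failure).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// seal: AES-256-GCM under a fresh random nonce, which is prefixed to the output.
func seal(key, plaintext []byte) []byte {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	return aead.Seal(nonce, nonce, plaintext, nil)
}
// open reverses seal; a wrong key or tampered bytes fails GCM authentication.
func open(key, sealed []byte) ([]byte, error) {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if n := aead.NonceSize(); len(sealed) >= n {
		return aead.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}
// EncryptEnvelope: kmsKey stands in for the customer managed key that never leaves KMS (constructed
// here). GenerateDataKey = plaintext DEK + DEK wrapped under kmsKey; encrypt locally; zero the DEK.
func EncryptEnvelope(kmsKey, data []byte) (wrappedDEK, ciphertext []byte) {
	dek := make([]byte, 32)
	must(rand.Read(dek))
	wrappedDEK, ciphertext = seal(kmsKey, dek), seal(dek, data)
	for i := range dek {
		dek[i] = 0
	}
	return wrappedDEK, ciphertext
}
// DecryptEnvelope: kms:Decrypt unwraps the DEK (KMS never sees bulk data), then the DEK decrypts locally.
func DecryptEnvelope(kmsKey, wrappedDEK, ciphertext []byte) ([]byte, error) {
	dek, err := open(kmsKey, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext)
}
```

Note that KMS only ever handles the 32-byte DEK here, which is how a 50 MB object stays under the 4 KB direct-encryption limit.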
Multi-Region keys replicate a key (same key material/ID) across Regions so you can decrypt in a disaster-recovery Region.
S3, EBS, and RDS Encryption
| S3 Option | Key Management | Notable Point |
|---|---|---|
| SSE-S3 | AWS-managed AES-256 | Default on all new objects since 2023 |
| SSE-KMS | KMS key you pick | CloudTrail audit trail of key use |
| SSE-C | You supply the key per request | AWS never stores the key |
| Client-side | You encrypt before upload | AWS sees only ciphertext |
- EBS: AES-256; encrypts volume, snapshots, and instance-to-volume traffic. You cannot encrypt an existing volume in place — snapshot it, copy the snapshot with encryption, then restore.
- RDS: encryption is set at creation only; read replicas inherit encryption; force TLS in transit with the rds.force_ssl parameter.
ACM, Secrets Manager, and Parameter Store
AWS Certificate Manager (ACM) issues free public TLS certificates and auto-renews them, integrating with ALB, CloudFront, API Gateway, and Elastic Beanstalk. Public ACM certs cannot be exported to EC2 — terminate TLS on an ALB or CloudFront instead. Private CAs cost about $400/month.
| Feature | Secrets Manager | Parameter Store (SSM) |
|---|---|---|
| Cost | $0.40/secret/month + $0.05/10k calls | Free (Standard, ≤10k params) |
| Rotation | Built-in Lambda rotation (RDS, Redshift, DocumentDB) | None native |
| Encryption | Always KMS | Optional KMS (SecureString) |
| Size limit | 64 KB | 4 KB Standard / 8 KB Advanced |
| Best for | DB passwords, API keys | Config flags, ARNs |
On the Exam: "Automatically rotate RDS credentials" → Secrets Manager. "Store cheap configuration values" → Parameter Store. "Audit who used the encryption key" → SSE-KMS.
KMS Access Control: Two Gates
A frequent source of confusion is that using a customer managed key requires two approvals to line up. The KMS key policy (resource-based) must permit the principal, AND for IAM principals their IAM policy must permit the KMS action. If either gate is missing, decryption fails with an access-denied error even though the data is otherwise fine. This is why "the application can read the S3 object metadata but gets AccessDenied on the encrypted body" usually means the execution role lacks kms:Decrypt on the key, or the key policy never delegated to IAM.
The fix is to grant the role kms:Decrypt/kms:GenerateDataKey and ensure the key policy allows it.
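The two gates as concrete policy documents, added as an example (not from the guide). The outer object only groups the two documents for display; account 111122223333, the Region and the key ID are placeholders. KeyPolicy is the default delegation statement that lets IAM policies in the account govern the key; RolePolicy is what the execution role needs. Remove either one and kms:Decrypt fails with AccessDenied.

```json
{
  "KeyPolicy": {
    "Version": "2012-10-17",
    "Id": "two-gates-example",
    "Statement": [
      {
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
        "Action": "kms:*",
        "Resource": "*"
      }
    ]
  },
  "RolePolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AllowEnvelopeOps",
        "Effect": "Allow",
        "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
        "Resource": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"
      }
    ]
  }
}
```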
Choosing an S3 Encryption Mode (decision guide)
| If the requirement is… | Choose |
|---|---|
| Encryption with zero key management overhead | SSE-S3 |
| Audit trail of key usage, key rotation control, or cross-account key sharing | SSE-KMS |
| You must control and retain the keys outside AWS, supplied per request | SSE-C |
| Data must be encrypted before it ever reaches AWS | Client-side |
Watch for the SSE-KMS throttling trap: high-volume S3 reads each trigger a KMS call and can hit account KMS request limits. The fix is S3 Bucket Keys, which reduce KMS calls by deriving short-lived bucket-level keys, cutting cost and avoiding throttling — a known SAA-C03 wrinkle.
Encryption in Transit Beyond ACM
While ACM handles public TLS termination at ALB/CloudFront, architects must also remember service-specific in-transit controls: RDS uses rds.force_ssl; Amazon Redshift uses require_ssl; S3 can deny non-HTTPS access with a bucket policy condition on aws:SecureTransport; and a VPN or Direct Connect with MACsec protects on-premises-to-AWS links. The exam may pair "all data in transit must be encrypted" with "reject plain HTTP requests to the bucket" — the answer is an S3 bucket policy denying requests where aws:SecureTransport is false.
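The bucket policy that paragraph calls for, added as an example (not from the guide); example-bucket is a placeholder. The explicit Deny applies to every principal, so a role that holds s3:GetObject is still refused when its request arrives over plain HTTP.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    }
  ]
}
```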
Common Trap: ACM public certificates cannot be installed on EC2 — you must terminate TLS on a CloudFront distribution or load balancer. Only ACM private CA certificates (or imported third-party certs) can live on EC2.
A company must encrypt S3 objects and keep an audit trail of exactly who used the encryption key and when. Which option meets this requirement?
A team needs database credentials for an Amazon RDS instance to be stored securely and rotated automatically. Which service should they use?
How does AWS KMS handle encrypting a 50 MB object, given its direct-encryption limit?