AWS Encryption for Data in Storage
Encryption of data in storage is a critical component of AWS security that is often overlooked by customers, but encryption is especially vital in an environment where you have no physical control. Encryption provides protection so that in the event that data is lost, stolen, or compromised, there is a line of defense. Without the key, the data is useless.
We recommend strengthening your encryption strategy in AWS in three areas: EBS volumes, RDS, and S3 buckets. Each one of these storage points has different mechanisms for encryption, but they all tie back to AWS KMS. Read AWS documentation about how to encrypt Amazon EBS volumes, how to encrypt Amazon RDS instances, and how to encrypt Amazon S3 buckets.
Encryption is an important part of any data protection program, whether we’re talking about AWS or whether we’re talking about in the traditional data center-driven application environment. The real protection that we get from encryption is that, in the event that our data is lost, stolen, otherwise compromised, that encryption provides that last line of defense. Without the key, the data itself is actually useless. In an AWS environment where we’re talking about computing resources, storage resources, and other types of resources that we have no physical control over, it’s even more important to consider encryption as part of that strategy.
We do find that, in a number of our customers’ environments, when we start talking about a data protection program and the use of encryption within that program, that even in AWS environments, our customers have not enabled encryption. We think that there are probably a couple of different reasons for that. One is there are some operational considerations, especially around data recovery and availability of data, especially in the event that a key is lost. Unencrypted data is necessarily automatically more accessible and can be recovered more easily than encrypted data. There are these operational concerns, but then there are also some cost concerns. The key management services, AWS KMS, is an additional cost to have those keys actives. There are some other operational concerns when we do enable that, as well, around key rotation and some other things, as well, that certainly AWS can ease that, but it does create a more complicated environment and that could also drive up operational management costs.
When we’re talking about encryption, we’re really talking about encryption of data in storage. We’ll talk about encryption of data in transit at another time. Encryption of data in storage provides that last line of defense. There are three places where we’re talking about encryption of data in storage within AWS. We’re talking about that on our EBS volumes. We’re also talking about that, of course, in our RDS instances, whether that’s a MySQL or an Aurora DB instance or an Oracle instance. There are encryption options available there, as well. Finally, last but certainly not least, S3 buckets as well. Each one of those storage points has different mechanisms, different ways in which to consider encryption, but they all have the ability to tie back to KMS in order to provide that uniform point for managing encryption keys.
We wanted to provide some background around encryption and its relative importance, especially in a cloud-based deployment. We hope that this will give you an opportunity to consider your own encryption strategies. Of course, KirkpatrickPrice is always here to help if that assistance is needed in coming up with your own approach towards encryption.