All data storage options at AWS provide the ability to encrypt data. In this video, take a look at the encryption options available for data protection at AWS.
- [Instructor] When we're working with data in the cloud, the one concern that you will have is the protection of the data records as they're being delivered to the cloud and the protection of the records when they're actually at rest at the storage level. Encryption concepts that are used by the industry are public/private keys, a public/private key combination. Those keys are generated at exactly the same time, and the keys work together to lock and unlock data records, while they can also encrypt other keys, such as a symmetric key. A symmetric key is pretty powerful; it can both lock and unlock on its own, so typically it's protected by locking the symmetric key with a private key, and then only the public key can open the contents. When we look at AWS and what they do with encryption, well, they use the same bits that the industry uses. They use public and private keys. For example, if you're authenticating to an EC2 instance, you'll be using the public/private key to perform the authentication process. They also use symmetric keys, and the symmetric keys are protected by locking them with a private key. They also use envelope encryption, the key management service, which is used by AWS to procure data keys and master keys and customer master keys to actually help you encrypt and decrypt your data. At Amazon, envelope encryption is used: data is encrypted using a data key supplied by KMS, that is in turn encrypted using a master key, the customer master key, that's you, the customer, and then at the top of the food chain, the ultimate master, Amazon controlling all the keys. So obviously we have to trust Amazon before we use that service. If you're thinking, why would I encrypt at AWS, don't they encrypt everything automatically? The answer is no, they don't. The only storage array that encrypts automatically is S3 Glacier. So you want to encrypt to maintain compliance.
This follows the best practices for security, and probably if you're following a compliance level or a decree, they'll want the data encrypted. This also gives you protection from Amazon and from other customers, and it also prevents any unauthorized access to your data if it's left in plaintext format. If I'm protecting data that is going across the public internet in transit, typically we're going to use HTTP endpoints, SSL endpoints, to connect. Every service at Amazon offers HTTPS endpoints. This allows you to securely upload and download data across the internet. Optionally, you could also use client-side encryption before you upload your data. We'll talk about client-side encryption at the end of this clip. If I want to protect private data in transit, well, I'm already on the private network, so there's probably no need to encrypt it, but if I want to connect to an Amazon service from my VPC, best practice is to connect using a VPC endpoint, using private connections from source to destination. Then I can also use identity and access management policies to control the access, who actually gets to access that service. Server-side encryption is a process of performing encryption of data records at the destination by either the application or, in our case, Amazon, the managed service provider. Amazon offers server-side encryption, where they're going to carry out the encryption process on behalf of us, the customer, for S3 buckets, S3 Glacier, EBS, which is virtual hard drives, the Elastic File System, which allows us to use mount points to share data contents amongst multiple servers on multiple subnets, and the companion product, FSx for Windows File Server, for sharing with Windows shares for multiple Windows file servers at AWS. All of these data arrays, all of these data products, support encryption. So for server-side encryption, Amazon does the work, the encryption and the decryption.
The keys that are generated for you, the customer, are stored separately from your data; they're stored redundantly in multiple locations. The standard acceptable level of encryption is AES 256-bit encryption. And server-side encryption means that these data storage services are integrated with Amazon's Key Management Service. For server-side encryption, data is encrypted during the writing-to-disk process and data is decrypted during the reading process. The encryption is performed either at the object level for an S3 bucket or Glacier, or at the file level for EBS or FSx. If you're storing records in S3, server-side encryption will encrypt the object data but not the associated metadata. That's additional descriptive data about the records you're storing. That doesn't get encrypted. For client-side encryption, well, it depends: are you using a Windows or Linux box? What type of storage are you using? You're going to supply the actual keys for encryption; you're going to supply the 256-bit data key, which is the common length these days. You also have to supply the encrypting key, either the symmetric or asymmetric keys. These keys are going to be working in your operating system in the background, but you need your keys to perform your encryption, and you also want copies of your keys in case you want to decrypt your contents. Once you encrypt your data, it's then sent as an encrypted object, and you can send it up to the Amazon cloud.
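As an added example (not from the video and not AWS SDK code), here is the envelope encryption flow the instructor describes, in Go with only the standard library: a fresh 256-bit data key encrypts the object, a master key standing in for the KMS customer master key wraps that data key, and only the wrapped key is kept beside the ciphertext. The master key here is a constructed local 32-byte value; with real KMS, the wrap and unwrap steps would be KMS API calls and the master key would never leave KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// must turns a cannot-happen error (bad key length, no entropy) into a panic.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// gcm builds AES-GCM for a key; a 32-byte key selects AES-256.
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
// seal encrypts with AES-GCM and prefixes a fresh random nonce to the output.
func seal(key, plaintext []byte) []byte {
	aead := gcm(key)
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce)) // a reused nonce breaks GCM, so always draw a new one
	return aead.Seal(nonce, nonce, plaintext, nil)
}
// open reverses seal; the GCM tag check rejects tampering or a wrong key.
func open(key, sealed []byte) ([]byte, error) {
	aead := gcm(key)
	if n := aead.NonceSize(); len(sealed) >= n {
		return aead.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}
// Encrypt is envelope encryption: a fresh 256-bit data key encrypts the object and
// the master key (stand-in for the KMS customer master key) wraps that data key.
func Encrypt(masterKey, plaintext []byte) (wrappedKey, ciphertext []byte) {
	dataKey := make([]byte, 32) // only its wrapped form is ever stored
	must(rand.Read(dataKey))
	return seal(masterKey, dataKey), seal(dataKey, plaintext)
}
// Decrypt unwraps the data key with the master key, then opens the object.
func Decrypt(masterKey, wrappedKey, ciphertext []byte) ([]byte, error) {
	dataKey, err := open(masterKey, wrappedKey)
	if err != nil {
		return nil, err
	}
	return open(dataKey, ciphertext)
}
```

Losing the master key makes every wrapped data key, and so every object, unrecoverable, which is the point the instructor makes about keeping copies of your keys for client-side encryption.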