Encryption at rest in Amazon Keyspaces
Amazon Keyspaces (for Apache Cassandra) encryption at rest provides enhanced security by
encrypting all your data at rest using encryption keys stored in AWS Key Management Service (AWS KMS)
Amazon Keyspaces encryption at rest encrypts your data using 256-bit Advanced Encryption Standard (AES-256). This helps secure your data from unauthorized access to the underlying storage.
Amazon Keyspaces encrypts and decrypts the table data transparently. Amazon Keyspaces uses envelope encryption and a key hierarchy to protect data encryption keys. It integrates with AWS KMS for storing and managing the root encryption key. For more information about the encryption key hierarchy, see Encryption at rest: How it works in Amazon Keyspaces. For more information about AWS KMS concepts like envelope encryption, see AWS KMS management service concepts in the AWS Key Management Service Developer Guide.
When creating a new table, you can choose one of the following AWS KMS keys (KMS keys):
-
AWS owned key – This is the default encryption type. The key is owned by Amazon Keyspaces (no additional charge).
-
Customer managed key – This key is stored in your account and is created, owned, and managed by you. You have full control over the customer managed key (AWS KMS charges apply).
You can switch between the AWS owned key and the customer managed key at any given time. You can specify a customer managed key when you create a new table or change the KMS key of an existing table by using the console or programmatically using CQL statements. To learn how, see Encryption at rest: How to use customer managed keys to encrypt tables in Amazon Keyspaces.
Encryption at rest using the default option of AWS owned keys is offered at no additional charge. However,
AWS KMS charges apply for customer managed keys. For more information
about pricing, see AWS KMS pricing
Amazon Keyspaces encryption at rest is available in all AWS Regions, including the AWS China (Beijing) and AWS China (Ningxia) Regions. For more information, see Encryption at rest: How it works in Amazon Keyspaces.