Encryption at Rest in Amazon Keyspaces - Amazon Keyspaces (for Apache Cassandra)

Encryption at Rest in Amazon Keyspaces

Amazon Keyspaces (for Apache Cassandra) encryption at rest provides enhanced security by encrypting all your data at rest using encryption keys stored in AWS Key Management Service (AWS KMS). This functionality helps reduce the operational burden and complexity involved in protecting sensitive data. With encryption at rest, you can build security-sensitive applications that meet strict compliance and regulatory requirements for data protection.

Amazon Keyspaces encryption at rest encrypts your data using 256-bit Advanced Encryption Standard (AES-256). This helps secure your data from unauthorized access to the underlying storage.

Amazon Keyspaces encrypts and decrypts the table data transparently. Amazon Keyspaces uses envelope encryption and a key hierarchy to protect data encryption keys. It integrates with AWS KMS for storing and managing the root encryption key. For more information about the encryption key hierarchy, see Encryption at Rest: How It Works in Amazon Keyspaces. For more information about AWS KMS concepts like envelope encryption, see AWS KMS Management Service Concepts in the AWS Key Management Service Developer Guide.

When creating a new table, you can choose one of the following customer master keys (CMKs):

  • AWS owned key – This is the default encryption type. The key is owned by Amazon Keyspaces (no additional charge).

  • Customer managed key – This key is stored in your account and is created, owned, and managed by you. You have full control over the customer managed key (AWS KMS charges apply).

You can switch between the AWS owned key and the customer managed key at any given time. You can specify a customer managed key when you create a new table or change the CMK of an existing table by using the AWS Management Console or programmatically using CQL statements. To learn how, see Encryption at Rest: How to Use Customer Managed Keys to Encrypt Tables in Amazon Keyspaces.

Encryption at rest using the default option of AWS owned keys is offered at no additional charge. However, AWS KMS charges apply for customer managed keys. For more information about pricing, see AWS KMS pricing.

Amazon Keyspaces encryption at rest is available in all AWS Regions, including the AWS China (Beijing) and AWS China (Ningxia) Regions. For more information, see Encryption at Rest: How It Works in Amazon Keyspaces.