General encryption best practices - AWS Prescriptive Guidance

General encryption best practices

This section provides recommendations that apply when encrypting data in the AWS Cloud. These general encryption best practices are not specific to AWS services. This section includes the following topics:

  • Data classification

  • Encryption of data in transit

  • Encryption of data at rest

Data classification

Data classification is a process for identifying and categorizing the data in your network based on its criticality and sensitivity. It is a critical component of any cybersecurity risk management strategy because it helps you determine the appropriate protection and retention controls for the data. Data classification is a component of the security pillar in the AWS Well-Architected Framework. Categories might include highly confidential, confidential, non-confidential, and public, but the classification tiers and their names can vary from organization to organization. For more information about the data classification process, considerations, and models, see Data classification (AWS Whitepaper).

After you have classified your data, you can create an encryption strategy for your organization based on the level of protection required for each category. For example, your organization might decide that highly confidential data must be encrypted under keys that the organization itself controls and audits, and that public data doesn't require encryption. For more information about designing an encryption strategy, see Creating an enterprise encryption strategy for data at rest. Although the technical considerations and recommendations in that guide are specific to data at rest, you can use the same phased approach to create an encryption strategy for data in transit.

Encryption of data in transit

All data transmitted between AWS Regions over the AWS global network is automatically encrypted at the physical layer before it leaves AWS secured facilities. All traffic between Availability Zones is encrypted. This link-layer encryption protects the AWS backbone only; it does not replace encryption between your own endpoints (for example, TLS between a client and your application), which is what the following practices address.

The following are general best practices when encrypting data in transit in the AWS Cloud:

  • Define an organizational encryption policy for data in transit, based on your data classification, organizational requirements, and any applicable regulatory or compliance standards. We strongly recommend that you encrypt data in transit that is classified as highly confidential or confidential. Your policy might also specify encryption for other categories, such as non-confidential or public data, on an as-needed basis.

  • When encrypting data in transit, we recommend using approved cryptography algorithms, block cipher modes, and key lengths, as defined in your encryption policy; for example, TLS 1.2 or later with authenticated (AEAD) cipher suites such as AES-GCM, and none of the protocol versions or cipher suites that your policy has deprecated.

  • Encrypt traffic between information assets and systems within the corporate network and AWS Cloud infrastructure by using one of the following:

    • AWS Site-to-Site VPN connections

    • A combination of AWS Site-to-Site VPN and AWS Direct Connect connections, which provides an IPsec-encrypted private connection

    • AWS Direct Connect connections that support MAC Security (MACsec) to encrypt data from corporate networks to the AWS Direct Connect location

  • Identify access control policies for your encryption keys based on the principle of least privilege. Least privilege is the security best practice of granting users the minimum access they need to perform their job functions. For more information about applying least-privilege permissions, see Security best practices in IAM and Best practices for IAM policies.
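The list above states the policy; the following Go program is added here as an illustration (it is not part of the AWS guidance) of what enforcing the "approved algorithms and versions" item looks like in code. The allow-list approvedSuites, the WeakConfig/PolicyConfig/CheckConfig helpers, the demo.internal host name and the self-signed certificate are all constructed for this example. CheckConfig rejects a configuration with a TLS 1.0 floor and an RSA key-transport CBC suite, accepts the corrected one, and Handshake then performs a real TLS handshake over loopback TCP so the negotiated version and suite can be inspected rather than assumed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"slices"
	"time"
)

// approvedSuites is a hypothetical organizational allow-list for TLS 1.2: forward-secret
// AEAD suites only. TLS 1.3 suites are not configurable in Go and are all AEAD.
var approvedSuites = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
}

// WeakConfig is the setting the check must reject: a TLS 1.0 floor and a CBC suite with
// RSA key transport (no forward secrecy, no AEAD).
func WeakConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS10,
		CipherSuites: []uint16{tls.TLS_RSA_WITH_AES_128_CBC_SHA}}
}

// PolicyConfig is the corrected setting: an explicit TLS 1.2 floor and pinned suites.
func PolicyConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12,
		CipherSuites: approvedSuites}
}

// CheckConfig rejects a config whose version floor or suite list violates the policy.
// A zero MinVersion relies on the library default instead of an explicit pin, so it fails too.
func CheckConfig(c *tls.Config) error {
	if c.MinVersion < tls.VersionTLS12 {
		return fmt.Errorf("MinVersion must be set explicitly to TLS 1.2 or later (got 0x%04x)", c.MinVersion)
	}
	if len(c.CipherSuites) == 0 {
		return fmt.Errorf("CipherSuites must be pinned to the approved list")
	}
	for _, s := range c.CipherSuites {
		if !slices.Contains(approvedSuites, s) {
			return fmt.Errorf("cipher suite %s is not approved", tls.CipherSuiteName(s))
		}
	}
	return nil
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// MustCert builds a throwaway self-signed ECDSA P-256 certificate for demo.internal.
func MustCert() tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"demo.internal"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// Handshake runs a TLS handshake over loopback TCP between a server using srvCfg and a
// client that trusts the server certificate and applies the same policy. It returns the
// negotiated connection state, or the first handshake error from either side.
func Handshake(srvCfg *tls.Config) (tls.ConnectionState, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			err = tls.Server(raw, srvCfg).Handshake()
		}
		srvErr <- err
	}()
	pool := x509.NewCertPool()
	pool.AddCert(srvCfg.Certificates[0].Leaf)
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer raw.Close()
	cli := tls.Client(raw, &tls.Config{RootCAs: pool, ServerName: "demo.internal",
		MinVersion: tls.VersionTLS12, CipherSuites: approvedSuites})
	if err := cli.Handshake(); err != nil {
		return tls.ConnectionState{}, err
	}
	if err := <-srvErr; err != nil {
		return tls.ConnectionState{}, err
	}
	return cli.ConnectionState(), nil
}

func main() {
	cert := MustCert()
	fmt.Println("weak:", CheckConfig(WeakConfig(cert)), "| policy:", CheckConfig(PolicyConfig(cert)))
	st, err := Handshake(PolicyConfig(cert))
	must(err)
	fmt.Printf("negotiated version 0x%04x with %s\n", st.Version, tls.CipherSuiteName(st.CipherSuite))
}
```

Because both sides support TLS 1.3, the handshake settles on TLS 1.3, whose suites are all AEAD and are not configurable; the pinned list governs only a TLS 1.2 fallback. A zero MinVersion is rejected on purpose: it relies on whatever default the library ships rather than on your policy, and that default has changed between Go releases.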

Encryption of data at rest

All AWS data storage services, such as Amazon Simple Storage Service (Amazon S3) and Amazon Elastic File System (Amazon EFS), provide options to encrypt data at rest. Encryption is performed by using the 256-bit Advanced Encryption Standard (AES-256) block cipher and AWS cryptography services, such as AWS Key Management Service (AWS KMS) or AWS CloudHSM.

You can encrypt data using client-side encryption or server-side encryption, based on factors such as data classification, the need for end-to-end encryption, or technical limitations that prevent you from using end-to-end encryption:

  • Client-side encryption is the act of encrypting data locally before the target application or service receives it. The AWS service receives encrypted data; it does not play a role in encrypting or decrypting it. For client-side encryption, you might use AWS KMS, the AWS Encryption SDK, or other third-party encryption tools or services.

  • Server-side encryption is the act of encrypting data at its destination, by the application or service that receives it. For server-side encryption, you might use AWS KMS keys to encrypt the storage that the service holds, such as the volumes or objects it manages. You can also use other third-party encryption tools or services, such as LUKS, which encrypts a Linux block device (and therefore the file system on it) at the operating system (OS) level.
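To make the client-side case concrete, here is an added Go example (not code from the AWS Encryption SDK or from any AWS service) of envelope encryption, the pattern that the AWS Encryption SDK and AWS KMS data keys implement: a key service holds the key-encryption key and only ever hands out data keys and unwraps them, the client encrypts locally with AES-256-GCM, and the storage side receives nothing but the envelope. The KeyService type, its GenerateDataKey/Decrypt methods, the tenant=acme encryption context and the sample record are all constructed for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyService is a hypothetical stand-in for a key management service such as AWS KMS
// (not the KMS API): it holds the key-encryption key (KEK) and never releases it.
// Callers can only obtain data keys and ask for wrapped data keys to be unwrapped.
type KeyService struct{ kek []byte }

func NewKeyService() *KeyService { return &KeyService{kek: randBytes(32)} }

// GenerateDataKey returns a fresh 256-bit data key in plaintext together with the same
// key wrapped under the KEK; the encryption context is authenticated with the wrap.
func (k *KeyService) GenerateDataKey(ctx []byte) (plain, wrapped []byte, err error) {
	plain = randBytes(32)
	wrapped, err = seal(k.kek, plain, ctx)
	return plain, wrapped, err
}

// Decrypt unwraps a data key; ctx must match the context used when it was wrapped.
func (k *KeyService) Decrypt(wrapped, ctx []byte) ([]byte, error) {
	return open(k.kek, wrapped, ctx)
}

// randBytes draws n bytes from the OS CSPRNG; a failing crypto/rand is not recoverable.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM under a fresh 96-bit nonce, which is prepended to the
// output, and authenticates aad alongside the ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to nonce, ciphertext, tag or aad fails authentication.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Envelope is what the client hands to the storage service: the wrapped data key travels
// with the ciphertext, and the service can store both without being able to read either.
type Envelope struct {
	WrappedKey []byte
	Context    []byte // stored in clear, but authenticated by both the wrap and the data encryption
	Ciphertext []byte
}

// ClientEncrypt encrypts locally: the plaintext never leaves the client.
func ClientEncrypt(ks *KeyService, context string, plaintext []byte) (*Envelope, error) {
	ctx := []byte(context)
	dataKey, wrapped, err := ks.GenerateDataKey(ctx)
	if err != nil {
		return nil, err
	}
	defer clear(dataKey) // drop the plaintext data key as soon as it has been used
	ct, err := seal(dataKey, plaintext, ctx)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Context: ctx, Ciphertext: ct}, nil
}

// ClientDecrypt asks the key service to unwrap the data key, then decrypts locally.
func ClientDecrypt(ks *KeyService, env *Envelope) ([]byte, error) {
	dataKey, err := ks.Decrypt(env.WrappedKey, env.Context)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	defer clear(dataKey)
	pt, err := open(dataKey, env.Ciphertext, env.Context)
	if err != nil {
		return nil, fmt.Errorf("decrypt object: %w", err)
	}
	return pt, nil
}

func main() {
	ks := NewKeyService()
	env, err := ClientEncrypt(ks, "tenant=acme;purpose=records", []byte("constructed sample record"))
	if err != nil {
		panic(err)
	}
	pt, err := ClientDecrypt(ks, env)
	fmt.Printf("recovered %q, err=%v\n", pt, err)
	env.Ciphertext[len(env.Ciphertext)-1] ^= 0x01 // simulate a modified stored object
	_, err = ClientDecrypt(ks, env)
	fmt.Println("after tampering:", err)
}
```

Two points carry over to a real deployment. The encryption context is authenticated data, not a secret: it binds the wrapped key to its intended use, so an envelope copied from one tenant's storage cannot be unwrapped under another tenant's context. And the client never holds the key-encryption key; the unwrap call is the single operation that the key's access policy must gate, which is where least-privilege control over decrypt permissions applies.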

The following are general best practices when encrypting data at rest in the AWS Cloud:

  • Define an organizational encryption policy for data at rest, based on your data classification, organizational requirements, and any applicable regulatory or compliance standards. For more information, see Creating an enterprise encryption strategy for data at rest. We strongly recommend that you encrypt data at rest that is classified as highly confidential or confidential. Your policy might also specify encryption for other categories, such as non-confidential or public data, on an as-needed basis.

  • When encrypting data at rest, we recommend using approved cryptography algorithms, block cipher modes, and key lengths, as defined in your encryption policy; for example, AES-256 in an authenticated mode such as GCM for data objects, or XTS for block-device encryption.

  • Identify access control policies for your encryption keys based on the principle of least privilege: separate key administration from key use, and grant decrypt permission only to the principals and services that must read the data.