Encryption best practices and features for AWS services - AWS Prescriptive Guidance

Kurt Kumar, Amazon Web Services (AWS)

December 2022

Modern cybersecurity threats include the risk of a data breach, which is when an unauthorized person gains access to your network and steals your enterprise data. Data is a business asset unique to each organization. It can include customer information, business plans, design documents, or code. Protecting the business means protecting its data.

Measures such as firewalls can help prevent a data breach from occurring. However, data encryption can help protect your business data even after a breach occurs, because it provides another layer of defense against unintended disclosure. To access encrypted data in the AWS Cloud, a user needs both permission to use the key that decrypts the data and permission to use the service where the data resides. Without both permissions, the user cannot decrypt and view the data.
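The two-permission model described above can be made concrete with an IAM identity policy. The following policy is an added illustration, not a policy from the original guide: it lets a principal read objects from an Amazon S3 bucket that is encrypted with a customer managed AWS KMS key, and it allows use of that key only when the request arrives through Amazon S3 (the `kms:ViaService` condition key). The bucket name `EXAMPLE-BUCKET`, the account ID `111122223333`, the Region `us-east-1`, and the key ID `EXAMPLE-KEY-ID` are placeholders to be replaced with your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PermissionToUseTheServiceWhereTheDataResides",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*"
    },
    {
      "Sid": "PermissionToUseTheKeyOnlyThroughS3",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "s3.us-east-1.amazonaws.com"
        }
      }
    }
  ]
}
```

Removing either statement leaves the data unreadable to this principal: without the first, Amazon S3 denies the `GetObject` call; without the second, Amazon S3 retrieves the ciphertext but AWS KMS refuses to decrypt the data key on the caller's behalf. Two further conditions apply in practice: the KMS key policy must permit IAM policies in the account to grant access to the key (the default key policy does this through its account-root statement), and the `kms:ViaService` condition narrows the key to Amazon S3 so that the same grant cannot be reused to call `Decrypt` directly against ciphertext obtained elsewhere.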

Generally, there are two types of data that you can encrypt. Data in transit is data that is actively moving through your network, such as between network resources. Data at rest is data that is stationary and dormant, such as data that is in storage. Examples include block storage, object storage, databases, archives, and Internet of Things (IoT) devices. This guide discusses considerations and best practices for encrypting both types of data. It also reviews the encryption features and controls available in many AWS services so that you can implement these encryption recommendations at the service level in your AWS Cloud environments.

Intended audience

This guide can be used by small, medium, and large organizations in both public and private sectors. Whether your organization is in the initial stages of assessing and implementing a data protection strategy or aiming to enhance existing security controls, the recommendations outlined in this guide are best suited for the following audiences:

  • Executive officers who formulate policies for their enterprise, such as chief executive officers (CEOs), chief technology officers (CTOs), chief information officers (CIOs), and chief information security officers (CISOs)

  • Technology officers who are responsible for setting up technical standards, such as technical vice presidents and directors

  • Business stakeholders and application owners who are responsible for:

    • Assessing risk posture, data classification, and protection requirements

    • Monitoring compliance with established organizational standards

  • Compliance, internal audit, and governance officers who are in charge of monitoring adherence to compliance policies, including statutory and voluntary compliance regimes