Whether you’re using Amazon RDS, EC2, or S3, encryption is the best way to keep data safe. It renders your data unreadable to any potential attacker, and is necessary to comply with many local laws. However, at first glance, encryption on Amazon Web Services (AWS) can feel daunting, especially for non-technical users.
That’s why we’ve compiled this simple guide to encrypting Amazon RDS, EC2, and S3, as well as some information about encryption in AWS more generally, so let’s start our journey together.
Why Should I Encrypt My AWS Data?
Before we go into AWS specifics, we need to answer a basic question: What is encryption?
Well, encryption is a way to secure information so that it looks like random data. Once the data is scrambled, it can’t be read again without a secret key: the key, applied by the cipher (the encryption algorithm), is what is needed to decrypt the data and make it readable. This makes it possible to send sensitive data online without risking a malicious party getting hold of it.
So why is encryption so important? Well, by scrambling data with encryption, it becomes difficult for an unauthorized third party to make use of it. This is used to protect sensitive information, and make it difficult for an attacker to use any information they do manage to gain access to. However, it’s simple for any authorized users to access it with the correct key. This approach underpins almost everything we do online, and makes things like banking services possible.
Encrypting Amazon RDS, EC2 and S3
In an AWS context, encryption is the best way to keep your data secured. It’s part of Amazon’s shared responsibility model: Amazon does everything in its power to protect the security of the cloud, meaning the infrastructure that keeps the cloud running, while you, the user, are responsible for security in the cloud, meaning the data you store and control using AWS services.
In practice, this means that everyone who handles sensitive data should be using encryption in their AWS implementation. This helps to protect user privacy, the integrity of your data, and ensures that businesses are in compliance with any applicable regulations regarding the protection of user data, such as the General Data Protection Regulation (GDPR).
A good rule to follow is this: If you think you might need to encrypt any data, you probably should be doing so. In fact, AWS recommends that you encrypt as much data as possible, and provides numerous tools to make it as easy and flexible as possible.
How Does Encryption In AWS Work?
Generally, AWS uses the industry standard AES-256 encryption algorithm. Encryption is handled by the AWS Key Management Service (KMS), which makes it possible for users to create and manage cryptographic keys across a wide range of AWS services, and any applications that rely upon them.
For example, when an instance is running, anyone accessing it will need to provide a data key from KMS, which will be used to encrypt and decrypt the data. AWS KMS is integrated with AWS CloudTrail, which provides logs of key usage, so you can ensure you’re compliant with any relevant regulations.
Encryption in AWS targets both data in transit, or information being sent/received, and data at rest, or data that persists in non-volatile storage for any duration in your workload. This includes any storage medium where data is kept.
Encrypting data at rest is important because it can help to prevent unauthorized access to your data. Typically, this is user data, or proprietary code, that while not being sent, could still do severe damage to your business if exposed. It would be a little like leaving your filing cabinet unlocked.
Recommended Solutions for Encrypting AWS Data and Services
Given the importance of encryption, it’s unsurprising that AWS offers a number of tools to make it easier for businesses to implement robust encryption into their AWS solutions, without compromising flexibility or the ability to scale operations.
We will take a quick look at three ways that encryption can be used to make your AWS implementation more secure.
Encrypting Amazon RDS and Aurora
Amazon Relational Database Service (RDS) enables you to encrypt your Amazon RDS database instance data store. Once your data is encrypted, the KMS and RDS services handle the access and decryption of your data, with minimal impact on performance. KMS can work with a variety of AWS services (there’s a full list here), though it works best with Amazon Aurora, which is tailored to make managing your AWS databases simple, efficient, and fast.
Encrypting a new RDS instance is pretty straightforward. New databases can be set up to be encrypted simply by checking the appropriate box when creating the new instance. However, if you want to encrypt an existing database, or you forgot to encrypt your new one, then you’ll need to plan for some downtime, although not too much. You simply take a snapshot of your existing database, encrypt that snapshot, and then restore it to a new instance.
Whenever you create an encrypted DB instance, you can either manage your own key (a customer managed key) or use an AWS managed key. If you don’t specify a key, Amazon RDS uses a new AWS managed key for the DB instance. Please note that once you’ve created an encrypted DB instance, you can’t change the KMS key used by that instance, so make sure you understand your key requirements before creating your encrypted DB instance.
You can confirm that your database is encrypted by navigating to your AWS management console, and checking the details of your database. It’s possible to find it by checking the encryption value in the confirmation tab, which will show as Enabled or Not enabled.
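The snapshot, encrypted copy, restore and verify sequence described above, as an added example that is not Cloudvisor’s or AWS’s own code. It assumes a boto3-style RDS client with the real API methods create_db_snapshot, copy_db_snapshot, restore_db_instance_from_db_snapshot, describe_db_instances and the db_snapshot_available / db_instance_available waiters; the FakeRDS class is a constructed offline stand-in so the script runs without an AWS account, and the instance and key names are made up.

```python
"""Encrypt an existing, unencrypted RDS instance: snapshot -> encrypted copy -> restore,
then verify the result the same way the console's Encryption field does.
Added example, not the article's or AWS's code. Assumes boto3-style RDS client methods."""
import time


def encrypt_existing_db_instance(rds, source_id, target_id, kms_key_id=None, wait=True):
    """Return the snapshot identifiers used and the new instance identifier.

    kms_key_id=None selects the AWS managed key (alias/aws/rds), which is what RDS does
    when no key is specified. The key cannot be changed after the instance exists,
    so decide on it here.
    """
    stamp = time.strftime("%Y%m%d%H%M%S", time.gmtime())
    plain_snap = f"{source_id}-plain-{stamp}"
    enc_snap = f"{source_id}-encrypted-{stamp}"

    # 1. Snapshot the running, unencrypted instance.
    rds.create_db_snapshot(DBInstanceIdentifier=source_id, DBSnapshotIdentifier=plain_snap)
    if wait:
        rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=plain_snap)

    # 2. Copy the snapshot; passing KmsKeyId on the copy is what encrypts it.
    rds.copy_db_snapshot(
        SourceDBSnapshotIdentifier=plain_snap,
        TargetDBSnapshotIdentifier=enc_snap,
        KmsKeyId=kms_key_id or "alias/aws/rds",
    )
    if wait:
        rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=enc_snap)

    # 3. Restore the encrypted snapshot to a new instance; the downtime window is the
    #    cut-over of writes from the old instance to this one.
    rds.restore_db_instance_from_db_snapshot(
        DBInstanceIdentifier=target_id, DBSnapshotIdentifier=enc_snap
    )
    if wait:
        rds.get_waiter("db_instance_available").wait(DBInstanceIdentifier=target_id)
    return {"plain_snapshot": plain_snap, "encrypted_snapshot": enc_snap, "instance": target_id}


def verify_db_encrypted(rds, db_id):
    """Return (encryption_enabled, kms_key_id) for an instance."""
    inst = rds.describe_db_instances(DBInstanceIdentifier=db_id)["DBInstances"][0]
    return bool(inst.get("StorageEncrypted")), inst.get("KmsKeyId")


class FakeRDS:
    """Constructed offline stand-in for the subset of the boto3 RDS API used above."""

    def __init__(self):
        self.instances = {"orders-db": {"StorageEncrypted": False, "KmsKeyId": None}}
        self.snapshots = {}
        self.calls = []

    def create_db_snapshot(self, DBInstanceIdentifier, DBSnapshotIdentifier):
        self.calls.append("create_db_snapshot")
        self.snapshots[DBSnapshotIdentifier] = dict(self.instances[DBInstanceIdentifier])

    def copy_db_snapshot(self, SourceDBSnapshotIdentifier, TargetDBSnapshotIdentifier, KmsKeyId=None):
        self.calls.append("copy_db_snapshot")
        snap = dict(self.snapshots[SourceDBSnapshotIdentifier])
        if KmsKeyId:  # an encrypted copy always carries the key it was copied with
            snap.update(StorageEncrypted=True, KmsKeyId=KmsKeyId)
        self.snapshots[TargetDBSnapshotIdentifier] = snap

    def restore_db_instance_from_db_snapshot(self, DBInstanceIdentifier, DBSnapshotIdentifier):
        self.calls.append("restore_db_instance_from_db_snapshot")
        self.instances[DBInstanceIdentifier] = dict(self.snapshots[DBSnapshotIdentifier])

    def describe_db_instances(self, DBInstanceIdentifier):
        return {"DBInstances": [self.instances[DBInstanceIdentifier]]}

    def get_waiter(self, name):
        class _Waiter:
            def wait(self, **kwargs):
                pass
        return _Waiter()


if __name__ == "__main__":
    # Stand-alone run against the fake; use boto3.client("rds") for a real account.
    rds = FakeRDS()
    print(encrypt_existing_db_instance(rds, "orders-db", "orders-db-encrypted", "alias/orders-cmk"))
    print(verify_db_encrypted(rds, "orders-db-encrypted"))
```

The old unencrypted snapshot is left in place on purpose so you can roll back; delete it once the new instance is verified, since it is itself an unencrypted copy of your data.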
There is a detailed list and step-by-step guide to encrypting RDS here.
Encrypting EC2
Amazon Elastic Compute Cloud (EC2) provides scalable computing capacity in the AWS cloud. It eliminates the need to make big up front investments into hardware, and allows startups to develop and deploy applications faster. Encryption solutions for EC2 focus on the associated Elastic Block Store (EBS) volumes.
It’s possible to encrypt both the boot and data volumes of an EC2 instance. When a user creates an encrypted EBS volume, and attaches it to a supported instance type, it encrypts the data at rest inside the volume, all data moving between the volume and the instance, all snapshots created from the volume, and all volumes created from these snapshots.
Before starting, users should ensure that they meet all the necessary requirements; this includes making sure that volume types, instance types, and permissions are all correctly set up. Once this is done, users can encrypt EBS volumes either by turning on encryption by default for the region, or by enabling encryption when they create a volume.
When users encrypt a volume, they can either specify a particular KMS key, or allow the key to be determined according to AWS’s encryption outcomes table. It’s strongly recommended that users do not extensively reuse encryption keys.
Instead, it’s possible to create new KMS keys, and change applications or aliases to use the new key. Ideally, users should enable automatic key rotation for an existing KMS key. This generates new cryptographic material for the KMS key annually, and does not delete any rotated key material until you delete the previous KMS key. Users can use a rotated KMS key in applications and AWS services without code changes.
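An audit script for the EBS and key-rotation points above, as an added example that is not Cloudvisor’s or AWS’s own code: it lists volumes that are still unencrypted (the worklist for the snapshot-and-copy migration, since a volume cannot be encrypted in place), turns on encryption by default for the region with a chosen key, and makes sure that key has automatic rotation enabled. It assumes boto3-style EC2 and KMS clients with the real methods describe_volumes, get_ebs_encryption_by_default, enable_ebs_encryption_by_default, modify_ebs_default_kms_key_id, get_key_rotation_status and enable_key_rotation; FakeEC2 and FakeKMS are constructed offline stand-ins and the volume, instance and key identifiers are made up.

```python
"""Audit EBS encryption state and KMS key rotation.
Added example, not the article's or AWS's code. Assumes boto3-style EC2/KMS clients."""


def find_unencrypted_volumes(ec2):
    """Return [(volume_id, attached_instance_id or None)] for every unencrypted volume."""
    found = []
    kwargs = {}
    while True:  # follow NextToken so large accounts are covered completely
        page = ec2.describe_volumes(**kwargs)
        for vol in page["Volumes"]:
            if not vol.get("Encrypted"):
                attached = [a["InstanceId"] for a in vol.get("Attachments", [])]
                found.append((vol["VolumeId"], attached[0] if attached else None))
        token = page.get("NextToken")
        if not token:
            return found
        kwargs = {"NextToken": token}


def ensure_ebs_default_encryption(ec2, kms_key_id=None):
    """Enable encryption by default for the region; returns True if anything changed.

    kms_key_id=None keeps the AWS managed key (alias/aws/ebs) as the default.
    New volumes and snapshot copies created afterwards are encrypted without
    anyone having to remember the checkbox.
    """
    changed = False
    if not ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]:
        ec2.enable_ebs_encryption_by_default()
        changed = True
    if kms_key_id:
        ec2.modify_ebs_default_kms_key_id(KmsKeyId=kms_key_id)
        changed = True
    return changed


def ensure_key_rotation(kms, key_id):
    """Enable annual automatic rotation on a customer managed key; returns the final status.

    Rotation keeps the key's ID and alias, so callers need no code change, and old
    material stays available for decrypting data encrypted before the rotation.
    """
    if not kms.get_key_rotation_status(KeyId=key_id)["KeyRotationEnabled"]:
        kms.enable_key_rotation(KeyId=key_id)
    return kms.get_key_rotation_status(KeyId=key_id)["KeyRotationEnabled"]


class FakeEC2:
    """Constructed offline stand-in: one encrypted volume, one unencrypted and attached."""

    def __init__(self):
        self.by_default = False
        self.default_key = None
        self.volumes = [
            {"VolumeId": "vol-0aaa", "Encrypted": True, "KmsKeyId": "alias/aws/ebs", "Attachments": []},
            {"VolumeId": "vol-0bbb", "Encrypted": False, "Attachments": [{"InstanceId": "i-0123"}]},
        ]

    def describe_volumes(self, **kwargs):
        return {"Volumes": self.volumes}

    def get_ebs_encryption_by_default(self):
        return {"EbsEncryptionByDefault": self.by_default}

    def enable_ebs_encryption_by_default(self):
        self.by_default = True
        return {"EbsEncryptionByDefault": True}

    def modify_ebs_default_kms_key_id(self, KmsKeyId):
        self.default_key = KmsKeyId
        return {"KmsKeyId": KmsKeyId}


class FakeKMS:
    """Constructed offline stand-in: one customer managed key without rotation."""

    def __init__(self):
        self.rotation = {"alias/ebs-cmk": False}

    def get_key_rotation_status(self, KeyId):
        return {"KeyRotationEnabled": self.rotation[KeyId]}

    def enable_key_rotation(self, KeyId):
        self.rotation[KeyId] = True


if __name__ == "__main__":
    # Stand-alone run against the fakes; use boto3.client("ec2") / boto3.client("kms") for real.
    ec2, kms = FakeEC2(), FakeKMS()
    print("unencrypted:", find_unencrypted_volumes(ec2))
    print("default encryption changed:", ensure_ebs_default_encryption(ec2, "alias/ebs-cmk"))
    print("rotation enabled:", ensure_key_rotation(kms, "alias/ebs-cmk"))
```

Encryption by default is a per-region setting, so run the second function in every region you use; it does not touch existing volumes, which is why the first function’s list still has to be worked through.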
You can find a detailed guide to encrypting EC2 here.
Encrypting S3
Amazon Simple Storage Service (Amazon S3) is an object storage service that enables startups to store and protect any amount of data for a variety of use cases. In an S3 context, encryption is designed to protect data both in transit and at rest. There are two ways that users can encrypt data with S3: server-side encryption and client-side encryption.
Server-side Encryption
Server-side encryption encrypts an object before saving it. This object is only decrypted when it’s accessed. A detailed step-by-step guide to enabling server-side encryption can be found here. If server-side encryption is enabled, then someone with the correct access permissions will experience no difference compared to an unencrypted file access.
Users have access to three mutually exclusive types of encryption:
- Server-side encryption with Amazon S3-managed keys (SSE-S3) – encrypts each object with a unique key that is managed by the S3 service itself.
- Server-side encryption with KMS keys stored in AWS Key Management Service (SSE-KMS) – is similar to SSE-S3, but comes with additional features such as an additional permission layer and auditing, and some costs.
- Server-side encryption with customer-provided keys (SSE-C) – allows the customer to manage the keys, while Amazon S3 manages the encryption.
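A script that sets and checks the server-side encryption options above, as an added example that is not Cloudvisor’s or AWS’s own code: it reads a bucket’s default encryption rule (handling the case where none is configured), applies SSE-KMS with a chosen key or SSE-S3 as the default, and checks which SSE an existing object actually carries. It assumes a boto3-style S3 client with the real methods get_bucket_encryption, put_bucket_encryption and head_object, and that a bucket without a default rule raises a ClientError with code ServerSideEncryptionConfigurationNotFoundError; FakeS3 is a constructed offline stand-in and the bucket, object and key names are made up.

```python
"""Bucket default server-side encryption and per-object SSE checks.
Added example, not the article's or AWS's code. Assumes a boto3-style S3 client."""

try:
    from botocore.exceptions import ClientError  # present when boto3 is installed
except ImportError:  # offline stand-in with the same (error_response, operation_name) shape
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            super().__init__(f"{operation_name}: {error_response['Error']['Code']}")
            self.response = error_response

NOT_CONFIGURED = "ServerSideEncryptionConfigurationNotFoundError"


def get_default_sse(s3, bucket):
    """Return (sse_algorithm, kms_key_id) for the bucket's default rule, or (None, None)."""
    try:
        cfg = s3.get_bucket_encryption(Bucket=bucket)
    except ClientError as err:
        if err.response["Error"]["Code"] == NOT_CONFIGURED:
            return None, None  # no default rule: new objects rely on per-request headers
        raise
    rule = cfg["ServerSideEncryptionConfiguration"]["Rules"][0]["ApplyServerSideEncryptionByDefault"]
    return rule["SSEAlgorithm"], rule.get("KMSMasterKeyID")


def ensure_default_sse(s3, bucket, kms_key_id=None):
    """Make SSE-KMS (with kms_key_id) or SSE-S3 (kms_key_id=None) the bucket default.
    Returns True when a new rule was written, False if it already matched."""
    want_alg = "aws:kms" if kms_key_id else "AES256"
    if get_default_sse(s3, bucket) == (want_alg, kms_key_id):
        return False
    default = {"SSEAlgorithm": want_alg}
    if kms_key_id:
        default["KMSMasterKeyID"] = kms_key_id
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration={"Rules": [{
            "ApplyServerSideEncryptionByDefault": default,
            # S3 Bucket Keys reduce the KMS request volume (and cost) of SSE-KMS.
            "BucketKeyEnabled": bool(kms_key_id),
        }]},
    )
    return True


def object_sse(s3, bucket, key):
    """Which SSE an existing object carries: 'AES256' (SSE-S3), 'aws:kms' (SSE-KMS), or None."""
    return s3.head_object(Bucket=bucket, Key=key).get("ServerSideEncryption")


class FakeS3:
    """Constructed offline stand-in: 'logs' has no default rule, 'reports' already uses SSE-S3."""

    def __init__(self):
        self.rules = {"reports": {"SSEAlgorithm": "AES256"}}
        self.objects = {("reports", "q1.csv"): "AES256", ("logs", "2024-01.gz"): None}

    def get_bucket_encryption(self, Bucket):
        if Bucket not in self.rules:
            raise ClientError({"Error": {"Code": NOT_CONFIGURED, "Message": "none"}}, "GetBucketEncryption")
        return {"ServerSideEncryptionConfiguration": {
            "Rules": [{"ApplyServerSideEncryptionByDefault": self.rules[Bucket]}]}}

    def put_bucket_encryption(self, Bucket, ServerSideEncryptionConfiguration):
        self.rules[Bucket] = ServerSideEncryptionConfiguration["Rules"][0]["ApplyServerSideEncryptionByDefault"]

    def head_object(self, Bucket, Key):
        sse = self.objects[(Bucket, Key)]
        return {"ServerSideEncryption": sse} if sse else {}


if __name__ == "__main__":
    # Stand-alone run against the fake; use boto3.client("s3") for a real account.
    s3 = FakeS3()
    print("logs default before:", get_default_sse(s3, "logs"))
    print("changed:", ensure_default_sse(s3, "logs", "alias/logs-cmk"))
    print("logs default after:", get_default_sse(s3, "logs"))
    print("q1.csv:", object_sse(s3, "reports", "q1.csv"))
```

A default rule only affects objects written after it is set; objects that were already stored unencrypted (like the logs object in the fake) stay that way until they are copied over themselves, which is what the per-object check is for. SSE-C objects are not covered by head_object without the customer key headers, since S3 will not serve their metadata otherwise.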
Client-side Encryption
Client-side encryption means that you’ve encrypted your data locally, rather than through the cloud. This means that Amazon S3 receives your encrypted data, but doesn’t play a role in encrypting or decrypting it.
There are two ways you can enable client-side encryption. You can either use a key stored in AWS KMS, or use a key that you store within your application. If you opt for a KMS key, please keep in mind that Amazon S3 client-side encryption only supports symmetric encryption KMS keys, not asymmetric keys.
Encrypting AWS Is Fast, Simple, and Essential
The main takeaway here is that almost all startups should be using encryption in their AWS implementation, and that there’s really no reason not to use it. AWS provides a suite of tools to make encryption as painless as possible, and there’s not really any performance downside in doing so. This is why we at Cloudvisor encourage all of our clients to implement best encryption practices, and help them to do so.