Improve your AWS security posture, Step 3: Encrypt AWS data in transit and at rest

In the first two blogs in this series, we discussed properly setting up IAM and avoiding direct Internet access to AWS resources. In this blog, we'll tackle encrypting AWS data in transit and at rest.

Sometimes, despite all efforts to the contrary, data can be compromised. This can happen through data leakage from faulty apps or systems, through laptops or portable storage devices being lost, through malicious actors breaking through security defenses, through social engineering attacks, or through data being intercepted in man-in-the-middle attacks. Fortunately, with adequate encryption measures in place, data exposures such as these can be nullified. Simply put, when data is properly encrypted with industry-approved algorithms, it can't be deciphered. The only way to make sense of encrypted data is to decrypt it with an encryption key that only trusted parties possess. Let's discuss how AWS makes it easy to encrypt data wherever it may be.

Encrypting data in transit

When you visit a website and see the small lock icon in the browser toolbar, it means that the data being sent between your computer and the website host is secure. If your data were intercepted by a malicious actor, they would not be able to decipher it, since it is encrypted.

Through an encryption process that is beyond the scope of this blog series, computers and website hosts negotiate the encryption algorithm and keys that are used during a session. Thus, since only the communicating computers and website hosts know the encryption keys in use, data is protected from prying eyes. (Note: an exception to this statement is if the generation of encryption keys occurs over a publicly available Internet connection, e.g., coffee shop WiFi. Cybercriminals could intercept this exchange of information and eavesdrop on your communication. That is why it is recommended to initiate a virtual private network (VPN) connection to a trusted provider before visiting websites when using a public Internet connection.)

AWS provides a convenient service to encrypt data in transit called AWS Certificate Manager (ACM). Per AWS, ACM "handles the complexity of creating, storing, and renewing public and private SSL/TLS X.509 certificates and keys that protect your AWS websites and applications." (See: What Is AWS Certificate Manager? - AWS Certificate Manager.) These X.509 certificates can be used with AWS ELBs, CloudFront, and Amazon API Gateway. Consequently, all Internet-bound traffic to and from these resources will be secure.

Additionally, AWS can encrypt data in transit using X.509 certificates to AWS managed resources like S3 buckets. However, to enable this feature, policies may need to be updated to restrict HTTP and only allow HTTPS connectivity. To see an example of how AWS S3 can enforce HTTPS connections, see: Enforce TLS 1.2 or higher for Amazon S3 buckets.
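The following is an added example, not code from the original post or from AWS. It builds the kind of S3 bucket policy the linked AWS article describes (a Deny for requests where `aws:SecureTransport` is false, plus a Deny for `s3:TlsVersion` below 1.2) next to a policy that only grants access and never denies plaintext HTTP, and it includes a small checker that reports which of the two protections a policy is missing. The bucket name and the account id and role in the ARNs are constructed placeholders.

```python
"""Added example: S3 bucket policy that enforces HTTPS and TLS 1.2+, with a
checker that distinguishes it from a policy that still allows plaintext HTTP.
Bucket name, account id and role name are constructed placeholders."""
import json

BUCKET = "example-bucket"  # constructed placeholder

# Weak policy: grants reads but never denies insecure transport, so a client
# can still fetch objects over plaintext HTTP.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowReadForApp",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},  # constructed
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        }
    ],
}

# Hardened policy: the same grant plus two explicit Denies that apply to every
# principal and every S3 action on the bucket and its objects.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": WEAK_POLICY["Statement"] + [
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            # aws:SecureTransport is false for requests that did not use TLS
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {
            "Sid": "DenyOldTls",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            # s3:TlsVersion carries the negotiated version, e.g. 1.2
            "Condition": {"NumericLessThan": {"s3:TlsVersion": "1.2"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _covers_all_principals(stmt):
    principal = stmt.get("Principal")
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))
    )


def _covers_all_actions(stmt):
    return any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action", [])))


def denies_plain_http(policy):
    """True if a Deny statement rejects every non-TLS request from any principal."""
    for stmt in policy.get("Statement", []):
        cond = stmt.get("Condition", {}).get("Bool", {})
        if (stmt.get("Effect") == "Deny" and _covers_all_principals(stmt)
                and _covers_all_actions(stmt)
                and str(cond.get("aws:SecureTransport", "")).lower() == "false"):
            return True
    return False


def minimum_tls_version(policy):
    """Highest s3:TlsVersion threshold enforced by a blanket Deny, or None."""
    best = None
    for stmt in policy.get("Statement", []):
        cond = stmt.get("Condition", {}).get("NumericLessThan", {})
        if (stmt.get("Effect") == "Deny" and _covers_all_principals(stmt)
                and _covers_all_actions(stmt) and "s3:TlsVersion" in cond):
            version = float(cond["s3:TlsVersion"])
            best = version if best is None or version > best else best
    return best


def transit_findings(policy):
    """List of in-transit weaknesses; an empty list means both protections exist."""
    findings = []
    if not denies_plain_http(policy):
        findings.append("plaintext HTTP access is not denied")
    if (minimum_tls_version(policy) or 0) < 1.2:
        findings.append("TLS below 1.2 is not denied")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {transit_findings(policy) or 'OK'}")
    print(json.dumps(HARDENED_POLICY, indent=2))
```

The checker deliberately requires the Deny to cover every principal and every S3 action: a Deny scoped to one role or to `s3:GetObject` alone still leaves other callers or other operations reachable over HTTP, which is the gap the policy is meant to close.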

Now that we know how to encrypt data in transit, let's move on to our final topic of discussion: encrypting data at rest.

Encrypting data at rest

One of the easiest and most impactful security measures AWS has to offer is encrypting data at rest. In fact, with just a few clicks of the mouse, every major AWS service that stores data can be encrypted with default encryption keys that are owned and maintained by AWS. The service used to perform these actions is called AWS Key Management Service (AWS KMS).

Thus, if for some reason your data were exposed to the world, it would be illegible without the encryption key that only AWS can access on your behalf. A quick Google search will reveal that cracking a standard AES-256 encryption key would take modern computers trillions of years, even with the world's fastest supercomputers.

If laws, regulations, or corporate policy require you to manage your own encryption keys, AWS has other options. Through KMS, AWS customers can import their own key material for AWS to use for encryption on their behalf. If customers don't want AWS to have any access to their encryption keys, AWS also offers hardware security modules (HSMs). These can be provisioned and used like a utility with an hourly cost.

AWS HSMs are certified as FIPS 140-2 compliant. For those unfamiliar with this designation, it refers to rigorous testing to meet government-approved security standards. To learn more about AWS KMS, see: Key Usage — AWS Key Management Service — Amazon Web Services. To learn more about AWS HSM, see: Security HSM | AWS CloudHSM | Amazon Web Services.
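The three key-custody options described above (AWS-owned default keys, imported key material, and HSM-backed keys) are visible in the metadata KMS returns for a key, so a posture check can report not only whether a bucket is encrypted at rest but who holds the key. The following is an added example, not code from the original post or from AWS: the two dictionaries are constructed to match the shape of the `GetBucketEncryption` and `DescribeKey` API responses (the `ServerSideEncryptionConfiguration`, `KeyManager` and `Origin` fields are real API fields), and the key ARN and account id are placeholders.

```python
"""Added example: classify an S3 bucket's default encryption and the custody of
the KMS key behind it. Response dicts are constructed to match the shape of the
GetBucketEncryption and DescribeKey API responses; ARNs and ids are placeholders."""

# Constructed GetBucketEncryption response: SSE-KMS with a specific key.
BUCKET_ENCRYPTION = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/"
                                      "00000000-0000-0000-0000-000000000000",  # placeholder
                },
                "BucketKeyEnabled": True,
            }
        ]
    }
}

# Constructed DescribeKey metadata for the three kinds of key the post describes.
# KeyManager is AWS for AWS-managed keys and CUSTOMER otherwise; Origin records
# where the key material came from.
KEY_METADATA = {
    "aws-managed": {"KeyManager": "AWS", "Origin": "AWS_KMS", "KeyState": "Enabled"},
    "imported": {"KeyManager": "CUSTOMER", "Origin": "EXTERNAL", "KeyState": "Enabled"},
    "cloudhsm": {"KeyManager": "CUSTOMER", "Origin": "AWS_CLOUDHSM", "KeyState": "Enabled"},
    "disabled": {"KeyManager": "CUSTOMER", "Origin": "AWS_KMS", "KeyState": "Disabled"},
}


def default_encryption(response):
    """Return (algorithm, key_id) for a bucket.

    algorithm is 'none' (no default rule), 'AES256' (SSE-S3, key owned by S3)
    or 'aws:kms' (SSE-KMS, key visible in KMS). key_id is the KMS key or None."""
    rules = response.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault")
        if default:
            return default["SSEAlgorithm"], default.get("KMSMasterKeyID")
    return "none", None


def key_custody(metadata):
    """Describe who controls the key material, from DescribeKey metadata."""
    if metadata["KeyManager"] == "AWS":
        return "AWS-managed key (AWS owns and rotates it)"
    origin = metadata["Origin"]
    if origin == "EXTERNAL":
        return "customer-managed key with imported key material"
    if origin == "AWS_CLOUDHSM":
        return "customer-managed key backed by a CloudHSM cluster"
    return "customer-managed key generated inside KMS"


def at_rest_findings(bucket_encryption, key_metadata=None):
    """Posture findings for one bucket; an empty list means nothing to report."""
    findings = []
    algorithm, _key_id = default_encryption(bucket_encryption)
    if algorithm == "none":
        findings.append("no default encryption configured")
    elif algorithm == "aws:kms":
        if key_metadata is None:
            findings.append("SSE-KMS key metadata not available")
        elif key_metadata.get("KeyState") != "Enabled":
            # A key that is not Enabled cannot be used for cryptographic
            # operations, so reads and writes against the bucket fail.
            findings.append(f"KMS key is {key_metadata.get('KeyState')}")
    return findings


if __name__ == "__main__":
    algorithm, key_id = default_encryption(BUCKET_ENCRYPTION)
    print(f"default encryption: {algorithm} ({key_id})")
    for label, meta in KEY_METADATA.items():
        print(f"{label}: {key_custody(meta)} -> {at_rest_findings(BUCKET_ENCRYPTION, meta) or 'OK'}")
```

In a real account the two dictionaries would come from the S3 and KMS APIs; the classification logic is the same, and the `Origin` value is what tells an auditor whether the key material was generated by AWS, imported by the customer, or created in the customer's own CloudHSM cluster.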

As such, considering the multitude of options and the ease of encrypting data at rest, there simply is no excuse not to encrypt data wherever it is stored.

Tying everything together

In this article, we have discussed three easy steps every business or governmental entity can pursue to dramatically improve their AWS security posture. As a recap, these steps are to 1) set up and use IAM properly, 2) avoid direct Internet access to vulnerable AWS resources, and 3) encrypt data in transit and at rest. It goes without saying that these steps are not exhaustive. They are simply the steps that this author believes to be the most impactful.

Many other security mechanisms exist that AWS customers can pursue. For more advanced AWS security help, you are encouraged to engage AT&T's cybersecurity consulting division for assistance. We are ready, willing, and able to help you with your AWS cybersecurity needs. To get more information about AT&T cybersecurity consulting, see: Cybersecurity Consulting Services | AT&T Business.

Thank you for taking the time to read this blog series. I sincerely hope you found it informative and useful.
