Encryption and certificate management on AWS

Deploying Applications on AWS

Dunieski Otano

Amazon Web Services Solutions Architect

The missing backup disk

  • A backup drive goes missing in transit
  • Encrypted at rest, it is useless to a thief who does not hold the key
  • TLS gives the same protection to data on the wire

A disk protected by a padlock representing encryption at rest versus an unprotected disk


Encryption at rest vs in transit

Two-panel comparison: at-rest encryption showing RDS and S3 icons each protected by a KMS key on the left, and in-transit TLS tunnel from client to Lambda on the right

  • At rest: data stored on disk is encrypted
  • At rest relies on encryption keys, usually managed in KMS
  • In transit: data moving over the network is encrypted
  • In transit relies on TLS, with certificates to authenticate the endpoint

Client-side vs server-side encryption


Server-side

  • The service encrypts data after it receives it, so it briefly handles plaintext
  • Simplest option; AWS performs the step, usually with a KMS key you pick

Client-side

  • You encrypt before the data leaves your code, typically with a data key from KMS
  • The service only ever stores ciphertext, never plaintext

Public vs private certificates

  • ACM: free public TLS certificates for domains you control, renewed automatically
  • Used on integrated services: load balancers, CloudFront, API Gateway
  • AWS Private CA: issues private certificates trusted only inside your organization
  • Private CA powers internal services and mTLS between them

ACM free public certificate on load balancer and CloudFront on the left versus Private CA certificate for internal service-to-service mTLS on the right


KMS keys and rotation

  • AWS-managed keys: created and rotated by AWS, no policy to write
  • Customer-managed keys: you control the key policy and rotation
  • Automatic rotation: new key material (yearly by default), same key ID and ARN
  • Old key material is retained, so existing ciphertext still decrypts
  • Applications keep using the same key reference

KMS key types side by side: AWS-managed key with automatic rotation on the left, customer-managed key with configurable key policy and annual rotation timeline on the right
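The client-side encryption and KMS rotation slides above describe a single workflow: fetch a data key from KMS, encrypt locally so the storage service only sees ciphertext, and keep decrypting old records after the master key rotates under the same key ID. The following is an added example, not code from the original slides or from AWS. It simulates KMS with an in-memory class so it runs offline; the cipher is a stand-in (HMAC-SHA256 in counter mode plus an encrypt-then-MAC tag) because the standard library has no AES-GCM. The key ARN, account number, encryption context and "orders" payloads are constructed.

```python
import hashlib
import hmac
import secrets
import struct

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key):
    # Derive separate encryption and MAC keys from one 32-byte key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    # Counter-mode PRF stream: HMAC-SHA256(enc_key, nonce || counter).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext, aad=b""):
    """Stand-in for AES-GCM: stream XOR, then a MAC over aad || nonce || ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key, blob, aad=b""):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext or context was altered")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class FakeKMS:
    """Simulated customer-managed KMS key. Key material never leaves this object;
    callers only ever hold a key ID and wrapped (encrypted) data keys."""

    def __init__(self):
        self._versions = {}  # key_id -> [material v0, v1, ...]; every version is retained

    def create_key(self):
        # Constructed ARN; a real one comes back from kms:CreateKey.
        key_id = "arn:aws:kms:us-east-1:111111111111:key/" + secrets.token_hex(8)
        self._versions[key_id] = [secrets.token_bytes(32)]
        return key_id

    def rotate_key(self, key_id):
        # Automatic rotation: fresh material becomes current; the key ID and the
        # older material stay, so ciphertext wrapped earlier still decrypts.
        self._versions[key_id].append(secrets.token_bytes(32))

    def generate_data_key(self, key_id, context=b""):
        versions = self._versions[key_id]
        header = struct.pack(">I", len(versions) - 1)  # records which material wrapped this key
        data_key = secrets.token_bytes(32)
        wrapped = header + seal(versions[-1], data_key, aad=key_id.encode() + header + context)
        return data_key, wrapped

    def decrypt_data_key(self, key_id, wrapped, context=b""):
        header, version = wrapped[:4], struct.unpack(">I", wrapped[:4])[0]
        return open_(self._versions[key_id][version], wrapped[4:],
                     aad=key_id.encode() + header + context)


def client_encrypt(kms, key_id, plaintext, context=b""):
    """Client-side envelope encryption: the storage service only ever sees this record."""
    data_key, wrapped = kms.generate_data_key(key_id, context)
    return {"wrapped_key": wrapped, "body": seal(data_key, plaintext, aad=context)}


def client_decrypt(kms, key_id, record, context=b""):
    data_key = kms.decrypt_data_key(key_id, record["wrapped_key"], context)
    return open_(data_key, record["body"], aad=context)


def wrapped_key_version(record):
    return struct.unpack(">I", record["wrapped_key"][:4])[0]


def demo():
    kms = FakeKMS()
    key_id = kms.create_key()
    ctx = b"table=orders"                                    # encryption context (constructed)
    before = client_encrypt(kms, key_id, b"order 42: 3 widgets", ctx)
    kms.rotate_key(key_id)                                   # the yearly automatic rotation
    after = client_encrypt(kms, key_id, b"order 43: 1 gadget", ctx)
    return {
        "before": client_decrypt(kms, key_id, before, ctx),  # still decrypts via retained v0
        "after": client_decrypt(kms, key_id, after, ctx),
        "versions": (wrapped_key_version(before), wrapped_key_version(after)),
        "plaintext_in_store": b"order 42" in before["body"],
    }


if __name__ == "__main__":
    print(demo())
```

The encryption context is bound into the wrapped data key as associated data, so a record copied to a different table or decrypted with a different context fails authentication instead of silently yielding plaintext; real KMS enforces the same property when you pass an EncryptionContext to GenerateDataKey and Decrypt.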


Cross-account key access

Cross-account KMS key access: key in Account A with a key policy granting Account B permission to use it, Account B encrypts and decrypts without the key material ever leaving KMS

  • A key policy controls who can use a KMS key
  • Grant another account use of the key in the key policy; that account's IAM policies then decide which of its principals may use it
  • The key material never leaves KMS; the other account only calls Encrypt and Decrypt
  • Enables shared encrypted resources across accounts
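Cross-account access is a two-gate check, and most support tickets on it come from satisfying only one gate. The following added example (not from the original slides or from AWS) is a small evaluator that mirrors the rule: a principal in Account B may use the key only if the key policy in Account A allows Account B and an IAM policy attached to that principal in Account B allows the action on the key ARN. The account numbers, key ARN and role name are constructed, and the evaluator handles only Effect, Principal, Action and Resource with `*` wildcards (no Condition blocks), which is enough to show the two gates.

```python
import fnmatch

# Constructed identifiers for the example.
KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/1234abcd-12ab-34cd-56ef-1234567890ab"
ROLE_B = "arn:aws:iam::222222222222:role/order-service"

# Key policy in Account A (key owner): root of A keeps full control via IAM,
# Account B is granted the cryptographic operations only.
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM policies in the owning account",
     "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow Account B to use the key",
     "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"},
]}

# IAM policy attached to the role in Account B; without it the key policy alone is not enough.
ROLE_POLICY_B = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
     "Resource": KEY_ARN},
]}
EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM wildcards are * and ?; action names are matched case-insensitively.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(pattern))


def _principal_matches(statement, principal_arn):
    """Returns 'direct', 'root' or None. A grant to the account root delegates
    the final decision to IAM policies inside that account."""
    account = principal_arn.split(":")[4]
    for p in _as_list(statement.get("Principal", {}).get("AWS", [])):
        if p == principal_arn or p == "*":
            return "direct"
        if p == f"arn:aws:iam::{account}:root":
            return "root"
    return None


def evaluate(policy, action, resource, principal_arn=None):
    """Decision for one policy document: 'Allow', 'Deny' or 'Implicit deny'."""
    decision, how = "Implicit deny", None
    for st in policy["Statement"]:
        match = "direct" if principal_arn is None else _principal_matches(st, principal_arn)
        if match is None or not _matches(st["Action"], action) or not _matches(st["Resource"], resource):
            continue
        if st["Effect"] == "Deny":
            return "Deny", None           # an explicit deny always wins
        decision, how = "Allow", match
    return decision, how


def kms_request_allowed(key_policy, caller_iam_policy, caller_arn, action, key_arn):
    """Apply both gates and say which one rejected the request."""
    key_decision, how = evaluate(key_policy, action, key_arn, caller_arn)
    if key_decision != "Allow":
        return False, "key policy does not allow this principal or action"
    if how == "direct":
        return True, "key policy names the principal directly"
    iam_decision, _ = evaluate(caller_iam_policy, action, key_arn)
    if iam_decision != "Allow":
        return False, "key policy delegates to the caller's account, but its IAM policy does not allow the action"
    return True, "allowed by key policy and the caller's IAM policy"


def demo():
    cases = {
        "both_gates": (KEY_POLICY, ROLE_POLICY_B, ROLE_B, "kms:Decrypt"),
        "missing_iam_policy": (KEY_POLICY, EMPTY_POLICY, ROLE_B, "kms:Decrypt"),
        "unlisted_account": (KEY_POLICY, ROLE_POLICY_B, "arn:aws:iam::333333333333:role/other", "kms:Decrypt"),
        "admin_action_from_b": (KEY_POLICY, ROLE_POLICY_B, ROLE_B, "kms:ScheduleKeyDeletion"),
        "generate_data_key": (KEY_POLICY, ROLE_POLICY_B, ROLE_B, "kms:GenerateDataKeyWithoutPlaintext"),
    }
    return {name: kms_request_allowed(kp, ip, arn, act, KEY_ARN)[0]
            for name, (kp, ip, arn, act) in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22s} {'ALLOW' if allowed else 'DENY'}")
```

Note that "admin_action_from_b" is denied even though Account B is in the key policy: the grant lists only Encrypt, Decrypt and GenerateDataKey*, so key administration stays with the owning account, which is the shape you want for a shared key.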

Putting encryption and certificates together

  • In transit: an ACM certificate terminates TLS at the edge (load balancer, CloudFront, API Gateway)
  • At rest: a KMS key encrypts the stored data
  • Rotate keys automatically; let ACM renew certificates automatically (keep the DNS validation record in place)
  • Layered protection from the wire to the disk

Layered encryption stack: ACM certificate terminating TLS in transit at the edge and KMS key encrypting data at rest, with automatic certificate renewal and yearly key rotation


Let's practice!
