AWS Encryption: SAA-C03 Study Guide
Encryption is a cornerstone of the Security, Identity & Compliance pillar for the AWS Certified Solutions Architect – Associate exam. It ensures that data remains unreadable to unauthorized users, whether it is sitting on a disk (At-Rest) or moving across the network (In-Transit).
The Real-World Analogy
Imagine you are sending a secret letter. Encryption In-Transit is like putting the letter in an armored truck (HTTPS/TLS) to move it from your house to a friend’s. Encryption At-Rest is like putting that letter inside a high-security safe (KMS/CloudHSM) once it arrives at the destination. Even if someone breaks into the house, they can’t read the letter without the key to the safe.
1. Key Management Service (AWS KMS)
KMS is a managed service that makes it easy to create and control the keys used to encrypt your data. It uses Hardware Security Modules (HSMs) to protect your keys.
- Symmetric KMS Keys: The same key is used for both encryption and decryption (AES-256). This is the most common key type in AWS.
- Asymmetric KMS Keys: Public/Private key pair. Used for encryption/decryption or signing/verification.
- Key Rotation: AWS Managed Keys rotate every 3 years. Customer Managed Keys can be configured to rotate every year (or on-demand).
- Key Policies: Resource-based policies that determine who can use/manage the key. You cannot use a key without both IAM permission and Key Policy permission.
2. S3 Encryption Options
The SAA-C03 exam frequently tests your ability to choose the right S3 encryption method based on compliance and management requirements.
| Method | Who Manages Keys? | Description |
|---|---|---|
| SSE-S3 | AWS Managed | Default encryption. AWS handles all key management. Uses AES-256. |
| SSE-KMS | User/AWS | Provides audit trails (CloudTrail) and key rotation. Extra cost per request. |
| SSE-C | Customer | You provide the key in the HTTP header. AWS does not store your key. |
| DSSE-KMS | User/AWS | Dual-layer server-side encryption for high-compliance needs. |
| Client-Side | Customer | You encrypt data before uploading it to AWS. AWS only sees ciphertext. |
3. AWS CloudHSM
While KMS is a shared multi-tenant service, CloudHSM provides dedicated hardware.
- FIPS 140-2 Level 3: Required for specific high-security compliance (KMS is Level 2).
- Full Control: You manage the users and keys on the device; AWS has no access to your keys.
- Integration: Operates within your VPC.
4. Encryption In-Transit
Protecting data while it moves between clients and servers or between AWS services.
- AWS Certificate Manager (ACM): Provision and manage SSL/TLS certificates for use with ELB, CloudFront, and API Gateway.
- HTTPS/TLS: The standard protocol for encrypted communication.
- VPN/Direct Connect: Use IPsec for encrypted tunnels between on-premises and AWS.
Exam Tips and Gotchas
- The “Snapshot” Rule: If an EBS volume is encrypted, all snapshots and subsequent volumes created from those snapshots are automatically encrypted.
- RDS Encryption: You cannot encrypt an existing unencrypted RDS instance. Workaround: Take a snapshot, copy the snapshot and enable encryption during the copy, then restore from the encrypted snapshot.
- KMS Limits: KMS has “Request Quotas” (TPS). If you hit these limits, you will receive a ThrottlingException. Use Envelope Encryption (Data Keys) to reduce KMS API calls.
- Multi-Region Keys: KMS keys are usually regional. However, you can create Multi-Region Keys that share the same Key ID and key material for cross-region disaster recovery.
Decision Matrix: If–Then Guide
- IF you need an audit trail of key usage THEN choose SSE-KMS.
- IF you must comply with FIPS 140-2 Level 3 THEN choose CloudHSM.
- IF you want the simplest, no-cost encryption for S3 THEN choose SSE-S3.
- IF you need to encrypt data on-premises before it hits the cloud THEN use Client-Side Encryption.
Topics Covered
Summary of key subtopics covered in this guide:
- AWS KMS (Key Management Service) Symmetric vs Asymmetric
- S3 Server-Side Encryption Flavors (SSE-S3, SSE-KMS, SSE-C)
- AWS CloudHSM for dedicated compliance
- EBS and RDS Encryption workflows
- Envelope Encryption and Data Keys
- AWS Certificate Manager (ACM) for In-Transit security
AWS Encryption Ecosystem Infographic
The Envelope Encryption Flow: KMS provides a Data Key to encrypt large datasets locally.
Integrations
- CloudTrail: Logs every KMS key usage for compliance auditing.
- IAM: Controls who can manage or use keys via policies.
- VPC: Use VPC Endpoints to connect to KMS without leaving the AWS network.
Scaling & Speed
Encryption/Decryption is offloaded to AWS hardware. For high-performance throughput, use Envelope Encryption to encrypt data locally using a data key, avoiding repeated API calls to KMS.
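The envelope encryption flow described under KMS Limits, in the infographic caption and in this section, as an added Go example that is not part of the original guide. SimKMS, KEK, Calls, aead, seal, open, EnvelopeEncrypt and EnvelopeDecrypt are the example's own names: SimKMS is a constructed stand-in for KMS (the real calls would be kms:GenerateDataKey and kms:Decrypt), and its request counter shows that N records cost one KMS request each way instead of N, which is what keeps you under the request quota.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// SimKMS stands in for AWS KMS (constructed here, not the AWS SDK): KEK models the KMS key that never leaves the HSM; Calls counts requests against the KMS request quota.
type SimKMS struct{ KEK []byte; Calls int }
// aead builds AES-256-GCM; every key in this example is 32 bytes, so neither step can fail.
func aead(key []byte) cipher.AEAD {
	b, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(b)
	return g
}
// seal prepends a fresh random nonce to the ciphertext; open reverses it and rejects tampering.
func seal(g cipher.AEAD, pt []byte) []byte {
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand never returns an error on supported platforms
	return g.Seal(nonce, nonce, pt, nil)
}
func open(g cipher.AEAD, ct []byte) ([]byte, error) {
	if n := g.NonceSize(); len(ct) >= n {
		return g.Open(nil, ct[:n], ct[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}
// EnvelopeEncrypt: ONE kms:GenerateDataKey request, then every record is encrypted locally; only wrappedKey (KMS's CiphertextBlob) is stored with the data.
func (k *SimKMS) EnvelopeEncrypt(records [][]byte) (wrappedKey []byte, cts [][]byte) {
	k.Calls++ // the single KMS round trip, however many records follow
	dataKey := make([]byte, 32)
	rand.Read(dataKey)
	wrappedKey = seal(aead(k.KEK), dataKey)
	dk := aead(dataKey) // the plaintext data key is discarded after this point
	for _, r := range records {
		cts = append(cts, seal(dk, r)) // local AES-256-GCM, no KMS traffic
	}
	return wrappedKey, cts
}
// EnvelopeDecrypt: ONE kms:Decrypt request unwraps the data key, then every record is decrypted locally; out is only valid when err == nil.
func (k *SimKMS) EnvelopeDecrypt(wrappedKey []byte, cts [][]byte) (out [][]byte, err error) {
	k.Calls++
	dataKey, err := open(aead(k.KEK), wrappedKey)
	for i := 0; err == nil && i < len(cts); i++ {
		var pt []byte
		pt, err = open(aead(dataKey), cts[i]) // a tampered record fails here
		out = append(out, pt)
	}
	return out, err
}
```

With a real KMS key the wrapped data key travels with the object (for example as S3 object metadata), so a restore needs exactly one kms:Decrypt before any number of records can be opened locally.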
Price Efficiency
- SSE-S3: Free of charge.
- KMS Keys: $1/month per key + request costs.
- CloudHSM: High hourly cost (~$1.45/hr) + upfront setup. Use only if compliance requires it.
Production Use Case: Financial Records
Scenario: A bank must store customer statements in S3. The regulator requires that the bank rotates encryption keys every year and maintains an audit log of every time a key is used.
Solution: Store data in S3 using SSE-KMS with a Customer Managed Key. Enable Automatic Key Rotation and monitor usage via CloudTrail.