Data Encryption at Rest

One of the most important parts of any architecture is data protection and encryption, when used correctly, can provide an additional layer of protection. Following recommendations of the security pillar of Well-Architected Framework, we have to encrypt storage types by way of rendering them unintelligible to unauthorized access

For this, AWS KMS helps you to manage encryption keys and integrates with many AWS services, like S3 or EBS. For these cases, you can apply server-side encryption in two ways

Go to EC2 console -» EBS Encryption

And go to Manage

On S3, select the bucket and go to Properties

Select Edit to modify encryption configuration and enable Server-Side Encryption

At this point, you can choose to use an AWS-managed key or create another KMS key. Also, you can enable the bucket key to reduce calls to KMS as well as to reduce KMS costs

resource "aws_s3_bucket" "MyBucket" {

bucket = "my-bucket-name"

server_side_encryption_configuration {

rule {

apply_server_side_encryption_by_default {

sse_algorithm = "aws:kms"

kms_master_key_id = aws_kms_key.MyKMSKey.arn

}

}

}

}

resource "aws_ebs_encryption_by_default" "MyVolume" {

enabled = true

}

Ezequiel Domenech DevOps Engineer Teracloud

To learn more about cloud computing, visit our blog for first-hand insights from our team. If you need an AWS-certified team to deploy, scale, or provision your IT resources to the cloud seamlessly, send us a message here.