Amazon Web Services Data Security
AWS provides many options to encrypt the data that you put in the cloud.
Some of the options include:
- Client Side Encryption
- Server Side Encryption
Client Side Encryption
Client Side Encryption refers to encrypting the data before you put it in the AWS Cloud. In this case, you can either manage your own key or use an AWS Key Management Service (KMS) key.
Server Side Encryption
Server Side Encryption refers to AWS encrypting the data as it is written to the cloud. Here you can choose between providing your own key, an AWS KMS managed key, or an AWS S3 managed key.
If you require a high level of confidentiality for your data, I suggest the following:
- Create a Customer Master Key (CMK) in a region.
- Provide the CMK to the AWS API and it will create a data key on the server side.
The CMK can only encrypt up to 4 KB of data directly, which makes it well suited to encrypting the data key. The data key itself has no such size restriction.
Using a CMK with Server Side Encryption is a good solution for confidentiality needs in AWS.