Encryption at Rest (EBS, S3, RDS)
Key concepts
EBS encryption uses KMS
S3 SSE-S3, SSE-KMS, SSE-C options
RDS encryption at creation time
Snapshot encryption
Default encryption settings
Overview
Encryption at rest protects data stored on disk from unauthorized access, even if the storage media is compromised. AWS provides native encryption capabilities for virtually all storage services, making it straightforward to meet compliance requirements and security best practices.
Understanding encryption at rest is critical for the SAA-C03 exam because it appears in questions about data protection, compliance, and cost optimization. You must know the differences between encryption options, when to use each, and how they integrate with AWS KMS.
Default S3 Encryption
As of January 5, 2023, all new objects uploaded to Amazon S3 are automatically encrypted at rest by default using SSE-S3. This is a significant change from previous behavior where encryption was optional.
Focus on the differences between SSE-S3, SSE-KMS, SSE-C, and DSSE-KMS. Know when to use customer managed keys vs AWS managed keys, and understand the process for encrypting existing unencrypted resources (snapshot → copy encrypted → restore).
Architecture Diagram

Key Concepts
Encryption Types Overview
S3 Encryption Types Comparison
| Encryption Type | Key Management | Control Level | Use Case |
|---|---|---|---|
| SSE-S3 | AWS managed | Lowest | Default, simple encryption |
| SSE-KMS | AWS KMS | Medium-High | Audit trail, key policies |
| SSE-C | Customer provided | Highest | Customer maintains keys externally |
| DSSE-KMS | AWS KMS (dual-layer) | High | Compliance requiring two encryption layers |
| Client-side | Customer managed | Highest | Encrypt before upload |
Server-Side Encryption (SSE) Options
SSE-S3 (S3 Managed Keys)
The default and simplest encryption option for S3.
Characteristics:
- Key Management: Fully managed by AWS
- Encryption Algorithm: AES-256
- Key Rotation: Automatic (managed by AWS)
- Audit Trail: Limited (no CloudTrail for key usage)
- Cost: FREE (included with S3)
Best For:
- Default encryption for all buckets
- Simple compliance requirements
- Cost-conscious workloads
SSE-KMS (KMS Managed Keys)
Provides additional control and audit capabilities over SSE-S3.
Characteristics:
- Key Management: AWS KMS (AWS managed or customer managed keys)
- Encryption Algorithm: AES-256
- Key Rotation: Automatic (annual) or on-demand
- Audit Trail: Full CloudTrail logging of key usage
- Cost: $1/month per key + $0.03 per 10,000 requests
Best For:
- Compliance requiring audit trails
- Fine-grained access control
- Cross-account access requirements
SSE-C (Customer Provided Keys)
Customer manages keys entirely outside AWS.
Characteristics:
- Key Management: Customer provides key with each request
- Encryption Algorithm: AES-256
- Key Rotation: Customer responsibility
- Audit Trail: Limited (AWS never stores the key)
- Cost: FREE (no KMS charges)
Requirements:
- HTTPS required (key sent in headers)
- Customer must track which key encrypts which object
- No AWS console access to encrypted objects
Best For:
- Regulatory requirements for external key management
- Organizations with existing key management infrastructure
DSSE-KMS (Dual-Layer Encryption)
Two independent layers of AES-256 encryption.
Characteristics:
- Key Management: AWS KMS
- Encryption: Two separate AES-256 encryption layers
- Compliance: CNSSP 15, NIST standards
- Cost: Higher due to dual encryption operations
Best For:
- Government and defense workloads
- Compliance requiring multi-layer encryption
S3 Bucket Keys

S3 Bucket Keys Cost Savings
S3 Bucket Keys can reduce KMS costs by up to 99% by generating a bucket-level key from KMS, then using that key to encrypt object data keys locally.
Without Bucket Keys:
Each object upload → GenerateDataKey API call to KMS
Each object download → Decrypt API call to KMS
High-volume bucket = High KMS costs
With Bucket Keys:
S3 generates bucket-level key from KMS
Bucket key encrypts object data keys
Reduces KMS API calls by up to 99%
Significant cost savings for high-volume bucketsHow It Works
Amazon S3 Encryption
Default Encryption
All S3 buckets have encryption configured by default since January 2023:
{
"ServerSideEncryptionConfiguration": {
"Rules": [
{
"ApplyServerSideEncryptionByDefault": {
"SSEAlgorithm": "AES256"
},
"BucketKeyEnabled": true
}
]
}
}Configuring SSE-KMS
# Set bucket default encryption to SSE-KMS
aws s3api put-bucket-encryption \
--bucket my-bucket \
--server-side-encryption-configuration '{
"Rules": [
{
"ApplyServerSideEncryptionByDefault": {
"SSEAlgorithm": "aws:kms",
"KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/key-id"
},
"BucketKeyEnabled": true
}
]
}'Enforcing Encryption with Bucket Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyUnencryptedUploads",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::my-bucket/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]
}
}
},
{
"Sid": "DenyUnencryptedTransport",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
],
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
}
]
}Amazon EBS Encryption

EBS Encryption
EBS encryption provides comprehensive protection:
- Encryption of data at rest inside the volume
- Encryption of data in transit between instance and volume
- Encryption of all snapshots created from the volume
- Encryption of all volumes created from encrypted snapshots
Encryption by Default
# Enable encryption by default
aws ec2 enable-ebs-encryption-by-default --region us-east-1
# Set default KMS key
aws ec2 modify-ebs-default-kms-key-id \
--kms-key-id arn:aws:kms:us-east-1:123456789012:key/key-id \
--region us-east-1
# Verify settings
aws ec2 get-ebs-encryption-by-default --region us-east-1Encrypting Existing Unencrypted Volumes

Cannot Encrypt In-Place
You cannot directly encrypt an unencrypted EBS volume. You must create a snapshot, copy it with encryption, and create a new volume from the encrypted snapshot.
Step 1: Create snapshot of unencrypted volume
→ aws ec2 create-snapshot --volume-id vol-xxx
Step 2: Copy snapshot with encryption enabled
→ aws ec2 copy-snapshot \
--source-snapshot-id snap-xxx \
--encrypted \
--kms-key-id alias/my-key
Step 3: Create new volume from encrypted snapshot
→ aws ec2 create-volume \
--snapshot-id snap-encrypted-xxx \
--availability-zone us-east-1a
Step 4: Detach old volume, attach new encrypted volume
Step 5: Delete old unencrypted volume and snapshotAmazon RDS Encryption

RDS Encryption Scope
RDS encryption covers:
- Data stored on the underlying EBS volume
- Automated backups
- Manual snapshots
- Read replicas (in same or different region)
- Transaction logs and binlogs
Enabling RDS Encryption
aws rds create-db-instance \
--db-instance-identifier mydb \
--db-instance-class db.t3.medium \
--engine mysql \
--master-username admin \
--master-user-password MyPassword123! \
--allocated-storage 100 \
--storage-encrypted \
--kms-key-id arn:aws:kms:us-east-1:123456789012:key/key-idEncrypting Existing Unencrypted RDS Database
Step 1: Create snapshot of unencrypted database
→ aws rds create-db-snapshot \
--db-instance-identifier mydb \
--db-snapshot-identifier mydb-unencrypted-snap
Step 2: Copy snapshot with encryption
→ aws rds copy-db-snapshot \
--source-db-snapshot-identifier mydb-unencrypted-snap \
--target-db-snapshot-identifier mydb-encrypted-snap \
--kms-key-id alias/my-key
Step 3: Restore database from encrypted snapshot
→ aws rds restore-db-instance-from-db-snapshot \
--db-instance-identifier mydb-encrypted \
--db-snapshot-identifier mydb-encrypted-snap
Step 4: Update application connection string to new instance
Step 5: Delete old unencrypted instance and snapshotsRDS Encryption Limitations
RDS Encryption Limitations
| Limitation | Details |
|---|---|
| Cannot change key after creation | Must create new instance to use different key |
| Cannot disable encryption | Once encrypted, always encrypted |
| Read replicas inherit encryption | Must use same or compatible key |
| Cross-region replicas | Require re-encryption in target region |
| Storage engine requirement | InnoDB required for MySQL/MariaDB |
Use Cases
Use Case 1: Default S3 Encryption for Compliance
Scenario: Company needs to ensure all S3 data is encrypted for compliance audit.

Solution:
- Enable SSE-KMS as bucket default encryption
- Enable S3 Bucket Keys to reduce costs
- Add bucket policy denying unencrypted uploads
- Use AWS Config rule
s3-bucket-server-side-encryption-enabled
Use Case 2: Encrypting Legacy EBS Volumes
Scenario: Organization mandates encryption for all EBS volumes, including existing ones.
Solution:
- Enable EBS encryption by default for new volumes
- For existing volumes: snapshot → copy with encryption → create new volume
- Use AWS Config rule
encrypted-volumesto detect non-compliant volumes - Automate with Lambda and CloudWatch Events
Use Case 3: Cross-Account RDS Access
Scenario: Central security team manages KMS keys, application teams need encrypted RDS.
Solution:
- Create customer managed key in security account
- Share key with application accounts via key policy
- Application teams create encrypted RDS using shared key
- Security team maintains key policies and rotation
Use Case 4: High-Volume S3 with Cost Optimization
Scenario: Data lake with billions of objects needs encryption without excessive KMS costs.
Solution:
- Use SSE-KMS with S3 Bucket Keys enabled
- Reduces KMS API calls by up to 99%
- Monitor KMS costs with Cost Explorer
- Consider SSE-S3 for non-sensitive data
Best Practices
Encryption Best Practices
- Enable default encryption on all S3 buckets, EBS volumes, and RDS instances
- Use customer managed keys when you need cross-account access or custom key policies
- Enable S3 Bucket Keys with SSE-KMS to reduce costs by up to 99%
- Use AWS Config rules to continuously monitor encryption compliance
- Plan for key access before creating encrypted resources (harder to change later)
Common Exam Scenarios
Exam Scenarios and Solutions
| Scenario | Solution | Why |
|---|---|---|
| Default S3 encryption | SSE-S3 (automatic since Jan 2023) | Free, no configuration needed |
| S3 encryption with audit trail | SSE-KMS | CloudTrail logs key usage |
| Encrypt existing EBS volume | Snapshot → copy encrypted → new volume | Cannot encrypt in place |
| Encrypt existing RDS database | Snapshot → copy encrypted → restore | Cannot encrypt in place |
| Cross-account encrypted RDS | Customer managed key with key policy | Share key across accounts |
| Reduce SSE-KMS costs for S3 | Enable S3 Bucket Keys | Reduces KMS API calls 99% |
| Compliance requiring dual encryption | DSSE-KMS | Two AES-256 layers |
| Customer must manage keys externally | SSE-C | Customer provides key per request |
Common Pitfalls
Pitfall 1: Trying to Encrypt Existing Resources In-Place
Mistake: Attempting to enable encryption on existing unencrypted EBS or RDS.
Why it fails: Encryption is a property set at creation; cannot be added later.
Correct Approach: Create encrypted copy/snapshot and migrate to new resource.
Pitfall 2: Not Planning for Key Access
Mistake: Using default AWS managed key then needing cross-account access.
Why it fails: AWS managed keys can only be used within the same account.
Correct Approach: Use customer managed keys from the start if cross-account access will be needed.
Pitfall 3: Ignoring KMS Costs with SSE-KMS
Mistake: Using SSE-KMS on high-volume S3 bucket without S3 Bucket Keys.
Why it fails: Each object operation = KMS API call = charges.
Correct Approach: Enable S3 Bucket Keys to reduce costs by up to 99%.
Pitfall 4: Losing Access to KMS Key
Mistake: Deleting or disabling KMS key used for encrypted resources.
Why it fails: Data becomes permanently inaccessible.
Correct Approach: Use key policies carefully; schedule deletion has 7-30 day waiting period.
Pitfall 5: Assuming SSE-S3 Provides Audit Trail
Mistake: Using SSE-S3 when compliance requires encryption audit logs.
Why it fails: SSE-S3 key usage is not logged in CloudTrail.
Correct Approach: Use SSE-KMS for audit trail requirements.
Test Your Knowledge
A company has an unencrypted RDS MySQL database that must be encrypted for compliance. What is the correct approach?
Which S3 encryption option provides CloudTrail logging of encryption key usage?
A company uses SSE-KMS for a high-volume S3 bucket and is experiencing high KMS costs. What should they enable?
Which encryption option requires the customer to send the encryption key with every S3 request?
Related Services
Quick Reference
Encryption Comparison
Service Encryption Comparison
| Service | Default Encryption | Options | Can Encrypt Existing? |
|---|---|---|---|
| S3 | SSE-S3 (auto) | SSE-S3, SSE-KMS, SSE-C, DSSE-KMS | Yes (new objects) |
| EBS | Off (enable by default) | AES-256 with KMS | No (snapshot/copy) |
| RDS | Off | AES-256 with KMS | No (snapshot/restore) |
| EFS | Off | KMS encryption | No (create new) |
| DynamoDB | On (AWS owned) | AWS owned, AWS managed, CMK | Yes (can change) |
AWS Config Rules for Encryption
Config Rules for Encryption Compliance
| Rule | Description |
|---|---|
| s3-bucket-server-side-encryption-enabled | S3 buckets have encryption |
| s3-bucket-ssl-requests-only | S3 requires HTTPS |
| encrypted-volumes | EBS volumes are encrypted |
| rds-storage-encrypted | RDS instances are encrypted |
| rds-snapshots-encrypted | RDS snapshots are encrypted |