Reading30 min read·Module 1High exam weight

Encryption at Rest (EBS, S3, RDS)

Key concepts

  • EBS encryption uses KMS

  • S3 SSE-S3, SSE-KMS, SSE-C options

  • RDS encryption at creation time

  • Snapshot encryption

  • Default encryption settings

Overview

Encryption at rest protects data stored on disk from unauthorized access, even if the storage media is compromised. AWS provides native encryption capabilities for virtually all storage services, making it straightforward to meet compliance requirements and security best practices.

Understanding encryption at rest is critical for the SAA-C03 exam because it appears in questions about data protection, compliance, and cost optimization. You must know the differences between encryption options, when to use each, and how they integrate with AWS KMS.

Default S3 Encryption

As of January 5, 2023, all new objects uploaded to Amazon S3 are automatically encrypted at rest by default using SSE-S3. This is a significant change from previous behavior where encryption was optional.

Exam Tip

Focus on the differences between SSE-S3, SSE-KMS, SSE-C, and DSSE-KMS. Know when to use customer managed keys vs AWS managed keys, and understand the process for encrypting existing unencrypted resources (snapshot → copy encrypted → restore).


Architecture Diagram

Encryption Types Overview
Figure 1: AWS encryption options from AWS managed to customer managed keys

Key Concepts

Encryption Types Overview

S3 Encryption Types Comparison

Encryption TypeKey ManagementControl LevelUse Case
SSE-S3AWS managedLowestDefault, simple encryption
SSE-KMSAWS KMSMedium-HighAudit trail, key policies
SSE-CCustomer providedHighestCustomer maintains keys externally
DSSE-KMSAWS KMS (dual-layer)HighCompliance requiring two encryption layers
Client-sideCustomer managedHighestEncrypt before upload

Server-Side Encryption (SSE) Options

SSE-S3 (S3 Managed Keys)

The default and simplest encryption option for S3.

Characteristics:

  • Key Management: Fully managed by AWS
  • Encryption Algorithm: AES-256
  • Key Rotation: Automatic (managed by AWS)
  • Audit Trail: Limited (no CloudTrail for key usage)
  • Cost: FREE (included with S3)

Best For:

  • Default encryption for all buckets
  • Simple compliance requirements
  • Cost-conscious workloads

SSE-KMS (KMS Managed Keys)

Provides additional control and audit capabilities over SSE-S3.

Characteristics:

  • Key Management: AWS KMS (AWS managed or customer managed keys)
  • Encryption Algorithm: AES-256
  • Key Rotation: Automatic (annual) or on-demand
  • Audit Trail: Full CloudTrail logging of key usage
  • Cost: $1/month per key + $0.03 per 10,000 requests

Best For:

  • Compliance requiring audit trails
  • Fine-grained access control
  • Cross-account access requirements

SSE-C (Customer Provided Keys)

Customer manages keys entirely outside AWS.

Characteristics:

  • Key Management: Customer provides key with each request
  • Encryption Algorithm: AES-256
  • Key Rotation: Customer responsibility
  • Audit Trail: Limited (AWS never stores the key)
  • Cost: FREE (no KMS charges)

Requirements:

  • HTTPS required (key sent in headers)
  • Customer must track which key encrypts which object
  • No AWS console access to encrypted objects

Best For:

  • Regulatory requirements for external key management
  • Organizations with existing key management infrastructure

DSSE-KMS (Dual-Layer Encryption)

Two independent layers of AES-256 encryption.

Characteristics:

  • Key Management: AWS KMS
  • Encryption: Two separate AES-256 encryption layers
  • Compliance: CNSSP 15, NIST standards
  • Cost: Higher due to dual encryption operations

Best For:

  • Government and defense workloads
  • Compliance requiring multi-layer encryption

S3 Bucket Keys

S3 Bucket Keys
Figure 2: S3 Bucket Keys reduce KMS API calls by 99%
S3 Bucket Keys Cost Savings

S3 Bucket Keys can reduce KMS costs by up to 99% by generating a bucket-level key from KMS, then using that key to encrypt object data keys locally.

TEXTS3 Bucket Keys Comparison
Without Bucket Keys:
  Each object upload → GenerateDataKey API call to KMS
  Each object download → Decrypt API call to KMS
  High-volume bucket = High KMS costs

With Bucket Keys:
  S3 generates bucket-level key from KMS
  Bucket key encrypts object data keys
  Reduces KMS API calls by up to 99%
  Significant cost savings for high-volume buckets

How It Works

Amazon S3 Encryption

Default Encryption

All S3 buckets have encryption configured by default since January 2023:

JSONS3 Default Encryption Settings
{
  "ServerSideEncryptionConfiguration": {
    "Rules": [
      {
        "ApplyServerSideEncryptionByDefault": {
          "SSEAlgorithm": "AES256"
        },
        "BucketKeyEnabled": true
      }
    ]
  }
}

Configuring SSE-KMS

SHEnable SSE-KMS with Customer Managed Key
# Set bucket default encryption to SSE-KMS
aws s3api put-bucket-encryption \
  --bucket my-bucket \
  --server-side-encryption-configuration '{
    "Rules": [
      {
        "ApplyServerSideEncryptionByDefault": {
          "SSEAlgorithm": "aws:kms",
          "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/key-id"
        },
        "BucketKeyEnabled": true
      }
    ]
  }'

Enforcing Encryption with Bucket Policy

JSONBucket Policy Requiring Encryption
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnencryptedUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]
        }
      }
    },
    {
      "Sid": "DenyUnencryptedTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}

Amazon EBS Encryption

EBS Encryption Flow
Figure 3: EBS encryption uses KMS data keys for volume encryption

EBS Encryption

EBS encryption provides comprehensive protection:

  • Encryption of data at rest inside the volume
  • Encryption of data in transit between instance and volume
  • Encryption of all snapshots created from the volume
  • Encryption of all volumes created from encrypted snapshots

Encryption by Default

SHEnable EBS Encryption by Default
# Enable encryption by default
aws ec2 enable-ebs-encryption-by-default --region us-east-1

# Set default KMS key
aws ec2 modify-ebs-default-kms-key-id \
  --kms-key-id arn:aws:kms:us-east-1:123456789012:key/key-id \
  --region us-east-1

# Verify settings
aws ec2 get-ebs-encryption-by-default --region us-east-1

Encrypting Existing Unencrypted Volumes

Encrypt Existing EBS Volume
Figure 4: Process to encrypt an existing unencrypted EBS volume
Cannot Encrypt In-Place

You cannot directly encrypt an unencrypted EBS volume. You must create a snapshot, copy it with encryption, and create a new volume from the encrypted snapshot.

TEXTEncrypt Existing EBS Volume Process
Step 1: Create snapshot of unencrypted volume
  → aws ec2 create-snapshot --volume-id vol-xxx

Step 2: Copy snapshot with encryption enabled
  → aws ec2 copy-snapshot \
      --source-snapshot-id snap-xxx \
      --encrypted \
      --kms-key-id alias/my-key

Step 3: Create new volume from encrypted snapshot
  → aws ec2 create-volume \
      --snapshot-id snap-encrypted-xxx \
      --availability-zone us-east-1a

Step 4: Detach old volume, attach new encrypted volume

Step 5: Delete old unencrypted volume and snapshot

Amazon RDS Encryption

RDS Encryption Scope
Figure 5: RDS encryption covers all data, snapshots, backups, and replicas

RDS Encryption Scope

RDS encryption covers:

  • Data stored on the underlying EBS volume
  • Automated backups
  • Manual snapshots
  • Read replicas (in same or different region)
  • Transaction logs and binlogs

Enabling RDS Encryption

SHCreate Encrypted RDS Instance
aws rds create-db-instance \
  --db-instance-identifier mydb \
  --db-instance-class db.t3.medium \
  --engine mysql \
  --master-username admin \
  --master-user-password MyPassword123! \
  --allocated-storage 100 \
  --storage-encrypted \
  --kms-key-id arn:aws:kms:us-east-1:123456789012:key/key-id

Encrypting Existing Unencrypted RDS Database

TEXTEncrypt Existing RDS Instance Process
Step 1: Create snapshot of unencrypted database
  → aws rds create-db-snapshot \
      --db-instance-identifier mydb \
      --db-snapshot-identifier mydb-unencrypted-snap

Step 2: Copy snapshot with encryption
  → aws rds copy-db-snapshot \
      --source-db-snapshot-identifier mydb-unencrypted-snap \
      --target-db-snapshot-identifier mydb-encrypted-snap \
      --kms-key-id alias/my-key

Step 3: Restore database from encrypted snapshot
  → aws rds restore-db-instance-from-db-snapshot \
      --db-instance-identifier mydb-encrypted \
      --db-snapshot-identifier mydb-encrypted-snap

Step 4: Update application connection string to new instance

Step 5: Delete old unencrypted instance and snapshots

RDS Encryption Limitations

RDS Encryption Limitations

LimitationDetails
Cannot change key after creationMust create new instance to use different key
Cannot disable encryptionOnce encrypted, always encrypted
Read replicas inherit encryptionMust use same or compatible key
Cross-region replicasRequire re-encryption in target region
Storage engine requirementInnoDB required for MySQL/MariaDB

Use Cases

Use Case 1: Default S3 Encryption for Compliance

Scenario: Company needs to ensure all S3 data is encrypted for compliance audit.

S3 Compliance Encryption
Figure 6: Layered encryption enforcement with default encryption and bucket policy

Solution:

  • Enable SSE-KMS as bucket default encryption
  • Enable S3 Bucket Keys to reduce costs
  • Add bucket policy denying unencrypted uploads
  • Use AWS Config rule s3-bucket-server-side-encryption-enabled

Use Case 2: Encrypting Legacy EBS Volumes

Scenario: Organization mandates encryption for all EBS volumes, including existing ones.

Solution:

  • Enable EBS encryption by default for new volumes
  • For existing volumes: snapshot → copy with encryption → create new volume
  • Use AWS Config rule encrypted-volumes to detect non-compliant volumes
  • Automate with Lambda and CloudWatch Events

Use Case 3: Cross-Account RDS Access

Scenario: Central security team manages KMS keys, application teams need encrypted RDS.

Solution:

  • Create customer managed key in security account
  • Share key with application accounts via key policy
  • Application teams create encrypted RDS using shared key
  • Security team maintains key policies and rotation

Use Case 4: High-Volume S3 with Cost Optimization

Scenario: Data lake with billions of objects needs encryption without excessive KMS costs.

Solution:

  • Use SSE-KMS with S3 Bucket Keys enabled
  • Reduces KMS API calls by up to 99%
  • Monitor KMS costs with Cost Explorer
  • Consider SSE-S3 for non-sensitive data

Best Practices

Encryption Best Practices
  1. Enable default encryption on all S3 buckets, EBS volumes, and RDS instances
  2. Use customer managed keys when you need cross-account access or custom key policies
  3. Enable S3 Bucket Keys with SSE-KMS to reduce costs by up to 99%
  4. Use AWS Config rules to continuously monitor encryption compliance
  5. Plan for key access before creating encrypted resources (harder to change later)

Common Exam Scenarios

Exam Scenarios and Solutions

ScenarioSolutionWhy
Default S3 encryptionSSE-S3 (automatic since Jan 2023)Free, no configuration needed
S3 encryption with audit trailSSE-KMSCloudTrail logs key usage
Encrypt existing EBS volumeSnapshot → copy encrypted → new volumeCannot encrypt in place
Encrypt existing RDS databaseSnapshot → copy encrypted → restoreCannot encrypt in place
Cross-account encrypted RDSCustomer managed key with key policyShare key across accounts
Reduce SSE-KMS costs for S3Enable S3 Bucket KeysReduces KMS API calls 99%
Compliance requiring dual encryptionDSSE-KMSTwo AES-256 layers
Customer must manage keys externallySSE-CCustomer provides key per request

Common Pitfalls

Pitfall 1: Trying to Encrypt Existing Resources In-Place

Mistake: Attempting to enable encryption on existing unencrypted EBS or RDS.

Why it fails: Encryption is a property set at creation; cannot be added later.

Correct Approach: Create encrypted copy/snapshot and migrate to new resource.

Pitfall 2: Not Planning for Key Access

Mistake: Using default AWS managed key then needing cross-account access.

Why it fails: AWS managed keys can only be used within the same account.

Correct Approach: Use customer managed keys from the start if cross-account access will be needed.

Pitfall 3: Ignoring KMS Costs with SSE-KMS

Mistake: Using SSE-KMS on high-volume S3 bucket without S3 Bucket Keys.

Why it fails: Each object operation = KMS API call = charges.

Correct Approach: Enable S3 Bucket Keys to reduce costs by up to 99%.

Pitfall 4: Losing Access to KMS Key

Mistake: Deleting or disabling KMS key used for encrypted resources.

Why it fails: Data becomes permanently inaccessible.

Correct Approach: Use key policies carefully; schedule deletion has 7-30 day waiting period.

Pitfall 5: Assuming SSE-S3 Provides Audit Trail

Mistake: Using SSE-S3 when compliance requires encryption audit logs.

Why it fails: SSE-S3 key usage is not logged in CloudTrail.

Correct Approach: Use SSE-KMS for audit trail requirements.


Test Your Knowledge

Q

A company has an unencrypted RDS MySQL database that must be encrypted for compliance. What is the correct approach?

AEnable encryption in the RDS console settings
BCreate an encrypted snapshot and restore to a new instance
CUse AWS CLI to enable encryption on the running instance
DModify the DB instance to enable storage encryption
Q

Which S3 encryption option provides CloudTrail logging of encryption key usage?

ASSE-S3
BSSE-KMS
CSSE-C
DClient-side encryption
Q

A company uses SSE-KMS for a high-volume S3 bucket and is experiencing high KMS costs. What should they enable?

ASSE-S3 instead
BS3 Bucket Keys
CS3 Intelligent-Tiering
DS3 Object Lock
Q

Which encryption option requires the customer to send the encryption key with every S3 request?

ASSE-S3
BSSE-KMS
CSSE-C
DDSSE-KMS


Quick Reference

Encryption Comparison

Service Encryption Comparison

ServiceDefault EncryptionOptionsCan Encrypt Existing?
S3SSE-S3 (auto)SSE-S3, SSE-KMS, SSE-C, DSSE-KMSYes (new objects)
EBSOff (enable by default)AES-256 with KMSNo (snapshot/copy)
RDSOffAES-256 with KMSNo (snapshot/restore)
EFSOffKMS encryptionNo (create new)
DynamoDBOn (AWS owned)AWS owned, AWS managed, CMKYes (can change)

AWS Config Rules for Encryption

Config Rules for Encryption Compliance

RuleDescription
s3-bucket-server-side-encryption-enabledS3 buckets have encryption
s3-bucket-ssl-requests-onlyS3 requires HTTPS
encrypted-volumesEBS volumes are encrypted
rds-storage-encryptedRDS instances are encrypted
rds-snapshots-encryptedRDS snapshots are encrypted

Further Reading

Related services

EBSS3RDSKMS