
Summary

If you take all responsibility for the encryption method and the KMI, you can have granular control over how your applications encrypt data. However, that granular control comes at a cost—both in terms of deployment effort and an inability to have AWS services tightly integrate with your applications’ encryption methods. As an alternative, you can choose a managed service that enables easier deployment and tighter integration with AWS Cloud services. This option offers checkbox encryption for several services that store your data, control over your own keys, secured storage for your keys, and auditability on all data access attempts.

Exam Essentials

Know how to define key management infrastructure (KMI). A KMI consists of two infrastructure components. The first component is a storage layer that protects plaintext keys. The second component is a management layer that authorizes use of stored keys.

Understand the available options for how you and AWS provide encryption using a KMI. With the first option, you control the encryption method in addition to the entire KMI. In the second option, you control the encryption method and the management layer of the KMI, and AWS provides the storage layer. In the third option, AWS controls the encryption method and both components of the KMI.

Understand the maintenance trade-offs of each key management option. For any options that involve customers managing the components of the KMI or encryption method, maintenance increases significantly. The increased maintenance also reduces your ability to take advantage of built-in integrations between AWS KMS and other services. For options that involve using built-in AWS functionality, additional maintenance is required only when migrating legacy applications to take advantage of new features.

Understand the encryption options available in Amazon S3. Regardless of the key management tools and process, you can encrypt any object before uploading it to an Amazon S3 bucket. Any custom encryption logic, however, adds processing overhead for the encryption and decryption of the data. AWS provides the Amazon S3 encryption client (available in the Java, Ruby, and .NET AWS SDKs) to streamline this client-side process. When data is encrypted client-side, for example on-premises before upload, AWS has no visibility into the encryption keys or the mechanism used. For server-side encryption, Amazon S3 supports keys that Amazon S3 manages for you (SSE-S3), keys that you supply with each request and that S3 does not store (SSE-C, so every later GET must carry the same key), and keys managed in AWS KMS (SSE-KMS).

Understand the encryption options available in Amazon EBS. Like any on-premises block storage, Amazon EBS supports both block-level and file-system encryption inside the guest. An important caveat with third-party block-level and file-system encryption tools, such as TrueCrypt and eCryptfs, is that you cannot use them to encrypt the boot volume of an Amazon EC2 instance. Native Amazon EBS encryption uses keys held in AWS KMS, either the AWS managed key for EBS or a customer managed KMS key, and covers the volume, its snapshots, and the data moving between the volume and the instance.

Understand the encryption options available in Amazon RDS. Because Amazon RDS does not expose the underlying file system of databases, block-level and file-system encryption options are not available to you (encryption of the underlying storage is offered as a feature of the service itself, using AWS KMS keys, but it is transparent to the database and gives no per-field control). Application-level encryption of individual fields with standard libraries is fully supported. It is important to evaluate the types of queries that will be run against a database before selecting an encryption process, because encrypted columns cannot be used in range, sort, or LIKE comparisons, and equality matching works only if the scheme is deterministic or a separate searchable index is stored alongside the ciphertext.
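The two client-side patterns from the Amazon S3 and Amazon RDS essentials above, as an added example that is not code from the original page or from any AWS SDK: envelope encryption of an object (a one-time data key encrypts the body; only that key, wrapped under a master key, is stored with it, which is how the S3 encryption client keeps the key-storage layer separate from the data) and field-level encryption for a database column with a keyed blind index, so that equality queries still work while range and pattern queries do not. The 32-byte master key, the index key and the sample values are constructed for the demonstration; in a real deployment the wrap and unwrap calls would go to AWS KMS or an HSM and the master key would never sit in application memory. The function names (EnvelopeEncrypt, EnvelopeDecrypt, BlindIndex, FindByValue) are this example's own.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"strings"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM: AES-256-GCM under a fresh random nonce; output is nonce || ciphertext || tag.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM reverses sealGCM; it fails on a wrong key or on any modified byte.
func openGCM(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// EnvelopeEncrypt does what the S3 encryption client does per object: a one-time data key
// encrypts the body and only that key, wrapped under masterKey, is stored with it. The wrap is
// local here (assumption); with a managed KMI it is the call handed to KMS or an HSM instead.
func EnvelopeEncrypt(masterKey, object []byte) (body, wrappedKey []byte, err error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, nil, err
	}
	if body, err = sealGCM(dataKey, object); err != nil {
		return nil, nil, err
	}
	wrappedKey, err = sealGCM(masterKey, dataKey)
	return body, wrappedKey, err
}

// EnvelopeDecrypt unwraps the data key first, so a wrong master key fails before the body is touched.
func EnvelopeDecrypt(masterKey, body, wrappedKey []byte) ([]byte, error) {
	dataKey, err := openGCM(masterKey, wrappedKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return openGCM(dataKey, body)
}

// BlindIndex is HMAC-SHA256 of the normalized value under a separate index key; stored beside
// the randomized ciphertext it restores WHERE col_idx = ? lookups, but never range or LIKE.
func BlindIndex(indexKey []byte, value string) string {
	mac := hmac.New(sha256.New, indexKey)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(value))))
	return hex.EncodeToString(mac.Sum(nil))
}

// FindByValue is the equality query, run over the index column and never over plaintext.
func FindByValue(indexKey []byte, indexColumn []string, value string) (hits []int) {
	want := BlindIndex(indexKey, value)
	for i, idx := range indexColumn {
		if hmac.Equal([]byte(idx), []byte(want)) {
			hits = append(hits, i)
		}
	}
	return hits
}

func main() {
	master := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte demo master key
	body, wrapped, _ := EnvelopeEncrypt(master, []byte("quarterly-report.pdf"))
	pt, err := EnvelopeDecrypt(master, body, wrapped)
	fmt.Printf("envelope roundtrip: %q err=%v\n", pt, err)
	indexKey := []byte("constructed-index-key")
	column := []string{BlindIndex(indexKey, "alice@example.com"), BlindIndex(indexKey, "bob@example.com")}
	fmt.Println("rows matching Alice:", FindByValue(indexKey, column, " Alice@Example.com "))
}
```

Run it with `go run`; it prints the envelope round trip and the row index found through the blind index. Two design points matter in practice: the wrapped data key is stored next to the ciphertext precisely because it is useless without the master key, so losing or rotating the master key is what governs access to every object; and the blind index is deterministic on purpose, so identical values produce identical index entries. That leaks equality of values and must be keyed separately from the field key, which is why the query types a column will serve should be decided before the encryption scheme is chosen.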