Encryption in AWS: At Rest and In Transit
Understand encryption at rest with KMS and CloudHSM, S3 SSE options, EBS encryption, plus encryption in transit with TLS/SSL and AWS Certificate Manager.
Two kinds of encryption
Data needs protection in two states:
| State | Meaning | Example |
|---|---|---|
| At rest | Data stored on disk or in a service | An object in S3, a snapshot in EBS, a row in RDS |
| In transit | Data moving between two points | An HTTPS request from a browser to an ALB, data replicating between Regions |
AWS provides tools for both. The key question is: is the data sitting still, or is it moving?
Encryption at rest
AWS Key Management Service (KMS)
KMS is the central service for managing encryption keys in AWS. Most AWS services that support encryption at rest integrate with KMS.
Key concepts:
- AWS managed keys — Created and managed by AWS on your behalf. Used by default when you enable encryption on services like S3 or EBS. No cost for key management, minimal configuration.
- Customer managed keys (CMKs) — Keys you create in KMS. You control the key policy, rotation schedule, and who can use the key. You can audit every use via CloudTrail.
Tip
KMS manages encryption keys, not secrets like passwords. For passwords and API keys, use Secrets Manager.
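The "audit every use via CloudTrail" point above is where customer managed keys earn their keep in practice. The following script is an added example, not code from the original page or from AWS: it reads CloudTrail-style KMS records (a constructed sample is embedded, with placeholder account ids, key id and principal names), counts successful calls per principal, and flags calls that were denied or that reached the key directly rather than through the service it is meant to serve (here S3, via the `invokedBy` field).

```python
"""Audit customer managed key usage from CloudTrail records.

Added example, not code from the original page or from AWS. CloudTrail logs
every call made against a KMS key; this script reads CloudTrail-style records
(a constructed sample is embedded below), summarises successful calls per
principal, and flags calls that did not arrive through the AWS service the key
is meant to serve. Field names follow CloudTrail's record format; the account
ids, key id and principal names are placeholders.
"""
import json
from collections import Counter, defaultdict

# Placeholder identifiers (not real resources).
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
APP_ROLE = "arn:aws:sts::111122223333:assumed-role/app-role/i-0123456789abcdef0"

# Constructed sample: four KMS events as CloudTrail would record them.
SAMPLE_EVENTS = [
    # S3 asks KMS for a data key to encrypt an uploaded object (SSE-KMS).
    {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "userIdentity": {"type": "AssumedRole", "arn": APP_ROLE,
                      "invokedBy": "s3.amazonaws.com"},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}]},
    # S3 decrypts that data key on a later GetObject.
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"type": "AssumedRole", "arn": APP_ROLE,
                      "invokedBy": "s3.amazonaws.com"},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}]},
    # An IAM user calls Decrypt directly (no invokedBy): worth a look.
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}]},
    # A role in another account is refused by the key policy.
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::444455556666:assumed-role/other-role/session"},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}]},
]


def _targets_key(event, key_arn):
    """True when the record's resources list names the key under audit."""
    return any(r.get("ARN") == key_arn for r in event.get("resources", []))


def key_usage_report(events, key_arn):
    """Count successful KMS API calls on key_arn, grouped by calling principal."""
    report = defaultdict(Counter)
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com" or "errorCode" in ev:
            continue
        if not _targets_key(ev, key_arn):
            continue
        report[ev["userIdentity"]["arn"]][ev["eventName"]] += 1
    return {principal: dict(counts) for principal, counts in report.items()}


def flag_unexpected_use(events, key_arn, expected_service):
    """Return (principal, eventName, reason) for denied calls and for calls
    that reached the key directly instead of via expected_service."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com" or not _targets_key(ev, key_arn):
            continue
        identity = ev.get("userIdentity", {})
        principal = identity.get("arn", "<unknown>")
        if "errorCode" in ev:
            findings.append((principal, ev["eventName"], "denied: " + ev["errorCode"]))
        elif identity.get("invokedBy") != expected_service:
            findings.append((principal, ev["eventName"],
                             "called directly, not via " + expected_service))
    return findings


if __name__ == "__main__":
    print(json.dumps(key_usage_report(SAMPLE_EVENTS, KEY_ARN), indent=2))
    for finding in flag_unexpected_use(SAMPLE_EVENTS, KEY_ARN, "s3.amazonaws.com"):
        print("FINDING:", *finding)
```

On a real trail you would feed it the records from a CloudTrail log file or an Athena query over the trail; the filtering is the same. The `invokedBy` check is the useful part: a key that only S3 should ever touch should produce no direct calls at all, so each one is a question to answer, not necessarily an incident.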
AWS CloudHSM
AWS CloudHSM provides dedicated hardware security modules (HSMs) for cryptographic key storage and operations.
KMS vs CloudHSM
[Figure: comparing AWS-managed encryption (KMS) with dedicated hardware (CloudHSM)]
Note
CloudHSM is for workloads with strict compliance or contractual requirements for dedicated hardware cryptography. Most workloads use KMS.
When to choose CloudHSM over KMS:
- Your compliance requirements mandate FIPS 140-2 Level 3
- You need exclusive, single-tenant control over key storage hardware
- Your organization has contractual obligations requiring dedicated HSMs
S3 server-side encryption options
S3 offers three server-side encryption (SSE) options:
| Option | Who manages the key? | Key visibility | Audit trail |
|---|---|---|---|
| SSE-S3 | Amazon S3 | No customer access to key | Limited |
| SSE-KMS | AWS KMS | Customer can control key policy | Full CloudTrail logging of key usage |
| SSE-C | Customer provides key with each request | Customer fully manages | Customer's responsibility |
Note
As of January 2023, SSE-S3 is the default for all new S3 objects. You no longer need to explicitly enable it — every object is encrypted at rest automatically.
When to choose SSE-KMS over SSE-S3:
- You need to control who can use the encryption key
- You need CloudTrail audit logs showing every time the key is used
- Your compliance requirements mandate customer-managed keys
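Choosing SSE-KMS is only half the job; the other half is making sure nobody uploads with a different setting. The following is an added example, not code from the original page or from AWS. It builds the well-known bucket policy pattern that denies `PutObject` unless the request asks for SSE-KMS with one specific customer managed key, then evaluates constructed upload request contexts against it. The evaluator models only the two condition operators the policy uses (`StringNotEquals` and `Null`), a simplification made for the example; the bucket name and key ARN are placeholders.

```python
"""Enforce SSE-KMS on uploads with a bucket policy, and check it offline.

Added example, not code from the original page or from AWS. It builds the
bucket policy pattern that denies PutObject unless the request asks for
SSE-KMS with one specific customer managed key, then evaluates constructed
PutObject request contexts against it with a deliberately small subset of IAM
condition semantics (StringNotEquals and Null only; an assumption made for
the example). Bucket and key names are placeholders.
"""
import json

BUCKET = "example-bucket"                                           # placeholder
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder
SSE_KEY = "s3:x-amz-server-side-encryption"
SSE_KMS_KEY_ID = "s3:x-amz-server-side-encryption-aws-kms-key-id"


def _deny_put(sid, condition):
    """One Deny statement on PutObject for the bucket, with the given condition."""
    return {"Sid": sid, "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*", "Condition": condition}


def build_bucket_policy():
    """Deny any PutObject that is not SSE-KMS with KEY_ARN.

    A request with no SSE header would otherwise be accepted and stored with
    the SSE-S3 default, so the missing-header case gets its own Null test;
    in this evaluator StringNotEquals never matches an absent key."""
    return {"Version": "2012-10-17", "Statement": [
        _deny_put("DenyMissingSseHeader", {"Null": {SSE_KEY: "true"}}),
        _deny_put("DenyNonKmsEncryption", {"StringNotEquals": {SSE_KEY: "aws:kms"}}),
        _deny_put("DenyMissingKeyId", {"Null": {SSE_KMS_KEY_ID: "true"}}),
        _deny_put("DenyWrongKmsKey", {"StringNotEquals": {SSE_KMS_KEY_ID: KEY_ARN}}),
    ]}


def _condition_matches(condition, context):
    """Evaluate a Condition block against a request context (condition key -> value).
    Every operator/key pair must match. Only the two operators used above are
    modelled; a missing key never satisfies StringNotEquals here."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "Null":
                if (actual is None) != (expected == "true"):
                    return False
            elif operator == "StringNotEquals":
                if actual is None or actual == expected:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def evaluate_put(policy, context):
    """Return ("DENY", sid) for the first matching Deny, else ("NOT_DENIED", None).
    NOT_DENIED only means this policy does not block the upload; an Allow from
    IAM or the bucket policy is still required for it to succeed."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny" and stmt["Action"] == "s3:PutObject":
            if _condition_matches(stmt.get("Condition", {}), context):
                return "DENY", stmt["Sid"]
    return "NOT_DENIED", None


# Constructed request contexts: the values the x-amz-server-side-encryption
# request headers would place into the policy evaluation context.
SAMPLE_REQUESTS = {
    "no header (falls back to SSE-S3)": {},
    "SSE-S3 requested": {SSE_KEY: "AES256"},
    "SSE-KMS, no key id": {SSE_KEY: "aws:kms"},
    "SSE-KMS, wrong key": {SSE_KEY: "aws:kms",
                           SSE_KMS_KEY_ID: "arn:aws:kms:us-east-1:111122223333:key/OTHER-KEY"},
    "SSE-KMS, right key": {SSE_KEY: "aws:kms", SSE_KMS_KEY_ID: KEY_ARN},
}

if __name__ == "__main__":
    policy = build_bucket_policy()
    print(json.dumps(policy, indent=2))
    for label, ctx in SAMPLE_REQUESTS.items():
        print(f"{label:34s} -> {evaluate_put(policy, ctx)}")
```

The point of the offline check is to see the default-encryption gap before deploying: since January 2023 an upload with no SSE header is silently stored with SSE-S3, which satisfies "encrypted at rest" but not "customer-controlled key with CloudTrail logging". That is why the policy tests for the header being absent as well as for it carrying the wrong value.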
EBS encryption
Amazon EBS volumes can be encrypted at rest. When you enable EBS encryption:
- Data at rest on the volume is encrypted
- Data moving between the volume and the EC2 instance is encrypted
- All snapshots created from the volume are encrypted
You can set a default encryption setting so that all new EBS volumes in a Region are encrypted automatically.
Encryption in transit
TLS/SSL
Transport Layer Security (TLS) — the successor to SSL — encrypts data as it moves between two endpoints. When you see HTTPS in a URL, TLS is protecting that connection.
Where TLS is used in AWS:
- Browser → Application Load Balancer (ALB)
- ALB → EC2 instances (optional but recommended)
- API calls to AWS services (all AWS API endpoints use HTTPS)
- Data replication between Regions or Availability Zones
AWS Certificate Manager (ACM)
ACM makes it easy to provision, manage, and deploy SSL/TLS certificates for use with AWS services.
Key points:
- ACM provides free public certificates for use with AWS services like ALB, CloudFront, and API Gateway
- ACM handles automatic renewal — no manual certificate rotation
- ACM does not work with EC2 directly — you would install certificates manually on EC2 instances
Note
ACM manages certificates (for TLS/HTTPS). KMS manages encryption keys (for data at rest). They are complementary, not competing.
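The TLS and ACM sections above leave one gap on your side of the line: ACM renews certificates on ALB, CloudFront and API Gateway for you, but on EC2 you install and renew them yourself, and every client you write decides which TLS versions it will accept. The following is an added example, not code from the original page or from AWS: it builds a client `ssl` context that verifies the chain and hostname and refuses TLS 1.0/1.1, and checks a certificate's remaining validity and hostname coverage. The peer certificate is a constructed dict in the shape returned by `ssl.SSLSocket.getpeercert()`; the hostnames, issuer and dates are placeholders chosen for the example.

```python
"""Client-side TLS hygiene for endpoints you manage yourself.

Added example, not code from the original page or from AWS. Builds a hardened
client context (chain and hostname verification, TLS 1.2 minimum; that
minimum is an assumption for the example) and checks a presented
certificate's remaining validity and DNS name coverage. SAMPLE_PEERCERT is a
constructed dict in the shape of ssl.SSLSocket.getpeercert().
"""
import ssl
from datetime import datetime, timezone


def hardened_client_context():
    """Client context that verifies the chain and hostname and refuses TLS 1.0/1.1."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_hardened(ctx):
    """True when a context meets the settings applied above."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def _parse_iso_utc(stamp):
    """Parse '2025-02-01T00:00:00Z' into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def days_until_expiry(peercert, now_iso):
    """Whole days from now_iso to the certificate's notAfter (negative if expired)."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(peercert["notAfter"]),
                                     tz=timezone.utc)
    return (expires - _parse_iso_utc(now_iso)).days


def certificate_status(peercert, now_iso, warn_days=30):
    """'expired', 'renew-soon' (within warn_days) or 'ok'."""
    days = days_until_expiry(peercert, now_iso)
    if days < 0:
        return "expired"
    if days <= warn_days:
        return "renew-soon"
    return "ok"


def hostname_in_cert(peercert, hostname):
    """Exact or single-label wildcard match against the certificate's DNS SANs."""
    for kind, value in peercert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        if value == hostname:
            return True
        # '*.a.b' covers 'x.a.b' but not 'y.x.a.b': same label count, same suffix.
        if (value.startswith("*.") and hostname.count(".") == value.count(".")
                and hostname.endswith(value[1:])):
            return True
    return False


# Constructed sample in getpeercert() shape; names and dates are placeholders.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "app.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Mar  2 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "app.example.com"), ("DNS", "*.internal.example.com")),
}

if __name__ == "__main__":
    print("context hardened:", context_is_hardened(hardened_client_context()))
    for now in ("2025-01-01T00:00:00Z", "2025-02-01T00:00:00Z", "2025-03-03T00:00:00Z"):
        print(now, days_until_expiry(SAMPLE_PEERCERT, now),
              certificate_status(SAMPLE_PEERCERT, now))
    print("db.internal.example.com covered:",
          hostname_in_cert(SAMPLE_PEERCERT, "db.internal.example.com"))
```

In a real client you would pass `hardened_client_context()` to `ssl.SSLContext.wrap_socket()` or to an HTTP library that accepts a context, and feed `getpeercert()` from the established socket into `certificate_status()`. The expiry check is the one that matters on EC2: there is no ACM renewing for you there, so a 30-day warning threshold turns a future outage into a ticket.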
Shared responsibility for encryption
| Responsibility | AWS | Customer |
|---|---|---|
| Provides encryption tools | KMS, CloudHSM, SSE, ACM, TLS endpoints | — |
| Enables encryption on resources | — | Turns on encryption for S3, EBS, RDS, etc. |
| Manages customer-managed keys | — | Creates key policies, rotation schedules |
| Chooses between KMS and CloudHSM | — | Selects based on compliance requirements |
| Encrypts data in transit by default | All AWS API endpoints use HTTPS | Ensures application traffic uses TLS |
Key takeaway: AWS provides the tools. You are responsible for using them.
When encryption is automatic vs opt-in
| Service | At rest | In transit |
|---|---|---|
| S3 | Automatic (SSE-S3 default since Jan 2023) | HTTPS by default for API calls |
| EBS | Opt-in (can set Region default) | Encrypted between volume and instance when volume encryption is enabled |
| RDS | Opt-in at creation time | TLS connections available, configuration varies by engine |
| DynamoDB | Automatic (encrypted by default) | HTTPS endpoints by default |
| AWS API calls | N/A | Always HTTPS |
Summary
- At rest = data on disk → use KMS keys (AWS managed or customer managed) or CloudHSM for dedicated hardware
- In transit = data moving → use TLS/SSL, ACM for certificate management
- S3 now encrypts all objects by default with SSE-S3
- SSE-KMS gives you key control and CloudTrail audit logging
- CloudHSM provides dedicated HSMs for FIPS 140-2 Level 3 compliance requirements
- EBS encryption covers volumes, snapshots, and data in transit to the instance
- ACM provides free, auto-renewing TLS certificates for AWS services
- AWS provides the tools; you are responsible for enabling and configuring them