Domain 2 of 4 · Chapter 2 of 3

Encryption with AWS Services

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing AWS Certified Developer - Associate premium course — no separate purchase.

Included in this chapter:

  • One model behind every AWS encryption feature: envelope encryption
  • The envelope in motion: GenerateDataKey, encrypt locally, and the 4 KB Encrypt limit
  • Three KMS key types: who controls the policy, rotation, and audit trail
  • Controlling access: key policy is the root of trust; grants and IAM refine it
  • Symmetric vs asymmetric keys and multi-Region keys
  • Choosing the boundary: at rest, in transit, and client-side
  • Certificates with ACM, and recognizing these questions on the exam

S3 server-side encryption options compared

AspectSSE-S3SSE-KMSSSE-C
Who holds the keyAWS (S3-managed key)AWS KMS key (AWS managed or customer managed)You supply the raw key on every request
Key control / auditNone: fully transparentKey policy, grants, and CloudTrail audit of key useFull, but AWS stores nothing about the key
Default for new bucketsYes, default since January 2023No (opt-in per bucket or per object)No
Extra costNo KMS chargeKMS request and key-storage charges applyNo KMS charge
Main exam triggerEncrypt at rest with zero effortNeed control, audit, or cross-account accessRequirement that AWS never holds the key material

Decision tree

AWS must hold no key material at all? Yes SSE-C you send the raw key on every request; lost key = lost data No AWS must never see plaintext? Yes Client-side encryption AWS Encryption SDK / S3 Encryption Client; encrypt before upload No Need key-policy control, custom rotation, or cross-account sharing? Yes SSE-KMS, customer managed key you own the key policy, grants, and rotation No Want a CloudTrail trail, no key admin? Yes SSE-KMS, AWS managed key aws/s3 key; CloudTrail visible, yearly rotation, no policy edits No SSE-S3 zero effort, no KMS charge; default for new buckets since Jan 2023 Under every SSE-KMS choice: envelope encryption a data key encrypts the data; the KMS key wraps the data key (KMS key never leaves the HSM) payload over 4 KB? call GenerateDataKey and encrypt locally - KMS Encrypt itself caps at 4096 bytes

Cheat sheet

  • Envelope encryption: a data key encrypts the data, a KMS key wraps the data key
  • A KMS key is the entity older docs still call a CMK
  • KMS HSMs are FIPS 140-3 Security Level 3, not 140-2 Level 2
  • GenerateDataKey returns the data key twice: plaintext to use now, ciphertext to store
  • KMS Encrypt caps at 4 KB, so anything larger needs envelope encryption
  • Customer managed keys give full control: policy, rotation, cross-account, direct use
  • AWS managed keys (aws/) rotate yearly on a fixed schedule you can't change
  • AWS owned keys are free but invisible, unauditable, and uncontrollable
  • Customer-managed rotation is optional and configurable; managed-key rotation is fixed yearly
  • The key policy is the root of trust; IAM is inert until it delegates
  • Grants are purely additive: one key, one principal, allow-only
  • Use a grant token to exercise a brand-new grant immediately
  • Encryption context is non-secret AAD that must match exactly on decrypt
  • Symmetric KMS keys are the default; pick asymmetric only for an exportable public key or signing
  • Multi-Region keys share key material across Regions so ciphertext decrypts locally
  • SSE-S3 is the zero-effort default that encrypts every new bucket since January 2023
  • SSE-KMS adds key policy, grants, and a CloudTrail audit of key use
  • SSE-C means you supply the raw key on every request and AWS stores nothing about it
  • DSSE-KMS applies two independent layers of KMS encryption for mandated dual-layer regimes
  • EBS and DynamoDB use the same envelope model; DynamoDB at-rest is always on
  • Encryption in transit is TLS, not KMS: don't provision a key for it
  • Client-side encryption keeps data opaque to AWS itself
  • ACM issues and auto-renews public TLS certificates at no charge
  • AWS Private CA issues private certificates and carries a charge (legacy name: ACM Private CA)
  • SSE-KMS read needs kms:Decrypt and write needs kms:GenerateDataKey on the key
  • S3 Bucket Keys cut SSE-KMS request cost up to 99% by switching to a bucket-level key
  • Changing a bucket's default encryption never re-encrypts existing objects
  • ACM auto-renews DNS-validated certs only while the public CNAME stays in place and the cert is in use
  • An ACM certificate must live in the same Region as the load balancer using it
  • ALB TLS version and ciphers come from a predefined ELBSecurityPolicy, not a custom one
  • The AWS Database Encryption SDK can only SIGN_ONLY a DynamoDB primary key, never encrypt it
  • AWS Database Encryption SDK attribute actions must match on decrypt, and you can't change an attribute to/from DO_NOTHING on existing data
  • Use the AWS KMS Hierarchical keyring with a branch-key supplier for multi-tenant DynamoDB encryption that minimizes KMS calls
  • A disabled KMS key drives an encrypted RDS instance into inaccessible-encryption-credentials-recoverable for 7 days
  • GenerateDataKeyWithoutPlaintext lets a key-generating component never touch plaintext key material

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. AWS KMS concepts (envelope encryption, data keys, encryption context)
  2. AWS Key Management Service FAQs FAQ
  3. AWS KMS API Reference: Encrypt
  4. Key policies in AWS KMS
  5. Grants in AWS KMS
  6. Symmetric and asymmetric KMS keys
  7. Multi-Region keys in AWS KMS
  8. Protecting data with server-side encryption (Amazon S3)
  9. Server-side encryption with customer-provided keys (SSE-C)
  10. AWS Encryption SDK: What is the AWS Encryption SDK?
  11. What is AWS Certificate Manager?
  12. What is AWS Private CA?