Data security in the AWS platform can be classified into two broad categories:
- Protecting data at rest
- Protecting data in transit
Furthermore, data security has the following components that help in securing data in multiple ways:
- Data encryption
- Key Management Services (KMS)
- Access control
- AWS service security features
AWS provides you with various tools and services to secure your data in AWS when your data is in transit or when your data is at rest. These tools and services include resource access control using AWS Identity and Access Management (IAM), data encryption, and managed KMS, such as AWS KMS for creating and controlling keys used for data encryption. The AWS KMS provides multiple options for managing your entire Key Management Infrastructure (KMI). Alternatively, you also have the option to go with the fully managed AWS CloudHSM service, a cloud-based hardware security module (HSM) that helps you generate and use your own keys for encryption purpose.
AWS recently launched a new security service to protect your sensitive data by using machine learning algorithms; this service is called Amazon Macie. As of now, it offers security for all data stored in your Amazon Simple Storage Service (S3).
If you want to protect your data further due to business or regulatory compliance purposes, you can enable additional features for accidental deletion of data such as the versioning feature in AWS S3, MFA for accessing and deleting data, enable cross-region replication for more than one copy of your data in AWS S3, and so on.
All data storage and data processing AWS services provide multiple features to secure your data. Such features include data encryption at rest, data encryption in transit, MFA for access control and for deletion of data, versioning for accidental data deletion, granular access control and authorization policies, cross-region replication, and so on.
In this lesson, we will learn about protecting data in the AWS platform for various AWS services. To begin with, we will go over the fundamentals of encryption and decryption and how encryption and decryption of data work in AWS. Post that, we will start with security features for securing data in transit and at rest for each of the following AWS services:
- Amazon Simple Storage Service (S3)
- Amazon Elastic Block Storage (EBS)
- Amazon Relational Database Service (RDS)
- Amazon Glacier
- Amazon DynamoDB
- Amazon Elastic Map Reduce (EMR)
We will look at data encryption in AWS and we will learn about three models that are available for managing keys for encryption and how we can use these models for encrypting data in various AWS services such as, AWS S3, Amazon EBS, AWS Storage Gateway, Amazon RDS, and so on.
Next, we will deep dive on AWS KMS and go through KMS features and major KMS components.
Furthermore, we will go through the AWS CloudHSM service with its benefits and popular use cases.
Lastly, we will take a look at Amazon Macie, the newest security service launched by AWS to protect sensitive data using machine learning at the backend.