AWS Encrypting Data at Rest – Whitepaper – Certification

Encrypting Data at Rest

🔄 Major Updates (2023-2026)

  • Amazon S3 now automatically encrypts ALL new objects with SSE-S3 by default (Jan 2023). SSE-C disabled by default on new buckets (April 2026).
  • Amazon S3 DSSE-KMS — new dual-layer server-side encryption option (June 2023).
  • AWS KMS — now FIPS 140-3 Level 3 validated. Supports flexible automatic key rotation (90 days to 7 years) and on-demand rotation (April 2024). Post-quantum cryptography support with ML-KEM and ML-DSA (2025-2026).
  • AWS CloudHSM — new hsm2m.medium instance type (Aug 2024) with FIPS 140-3 Level 3 certification and non-FIPS mode.
  • Amazon Aurora — encryption at rest enabled by default for all new clusters (Feb 2026).
  • Amazon EBS — supports encryption by default for all new volumes (opt-in per region), including boot volumes.
  • Amazon Glacier (standalone vault-based service) — stopped accepting new customers Dec 15, 2025. Use S3 Glacier storage classes instead.
  • AWS delivers a secure, scalable cloud computing platform with high availability, offering the flexibility for you to build a wide range of applications
  • AWS allows several options for encrypting data at rest, for additional layer of security, ranging from completely automated AWS encryption solution to manual client-side options
  • Encryption requires 3 things
    • Data to encrypt
    • Encryption keys
    • Cryptographic algorithm method to encrypt the data
  • AWS provides different models for Securing data at rest on the following parameters
    • Encryption method
      • Encryption algorithm selection involves evaluating security, performance, and compliance requirements specific to your application
    • Key Management Infrastructure (KMI)
      • KMI enables managing & protecting the encryption keys from unauthorized access
      • KMI provides
        • Storage layer that protects plain text keys
        • Management layer that authorize key usage
  • Hardware Security Module (HSM)
    • Common way to protect keys in a KMI is using HSM
    • An HSM is a dedicated storage and data processing device that performs cryptographic operations using keys on the device.
    • An HSM typically provides tamper evidence, or resistance, to protect keys from unauthorized use.
    • A software-based authorization layer controls who can administer the HSM and which users or applications can use which keys in the HSM
  • AWS CloudHSM
    • AWS CloudHSM appliance has both physical and logical tamper detection and response mechanisms that trigger zeroization of the appliance.
    • Zeroization erases the HSM’s volatile memory where any keys in the process of being decrypted were stored and destroys the key that encrypts stored objects, effectively causing all keys on the HSM to be inaccessible and unrecoverable.
    • AWS CloudHSM can be used to generate and store key material and can perform encryption and decryption operations.
    • AWS CloudHSM, however, does not perform any key lifecycle management functions (e.g., access control policy, key rotation) and needs a compatible KMI.
    • KMI can be deployed either on-premises or within Amazon EC2 and can communicate to the AWS CloudHSM instance securely over SSL to help protect data and encryption keys.
    • Update (Aug 2024): AWS CloudHSM launched a new hsm2m.medium instance type with FIPS 140-3 Level 3 certification, non-FIPS mode option, increased key storage (16,666 keys), and mTLS support. The previous hsm1.medium type should be migrated to the new instance type.
    • AWS CloudHSM clusters are backed by HSMs certified at FIPS 140-3 Level 3 (previously FIPS 140-2 Level 2/3).
  • AWS Key Management Service (KMS)
    • AWS KMS is a managed encryption service that allows you to provision and use keys to encrypt data in AWS services and your applications.
    • Master keys (now called KMS keys), after creation, are designed to never be exported from the service.
    • AWS KMS gives you centralized control over who can access your KMS keys to encrypt and decrypt data, and it gives you the ability to audit this access.
    • Data can be sent into the KMS to be encrypted or decrypted under a specific KMS key under your account.
    • AWS KMS is natively integrated with other AWS services (for e.g. Amazon EBS, Amazon S3, Amazon RDS, and Amazon Redshift) and AWS SDKs to simplify encryption of your data within those services or custom applications.
    • AWS KMS provides global availability, low latency, and a high level of durability for your keys.
    • AWS KMS HSMs are now validated at FIPS 140-3 Security Level 3 (upgraded from FIPS 140-2 Level 2 in 2023).
    • Key Rotation (2024 Update):
      • Customizable automatic rotation period from 90 days to 7 years (2560 days), previously fixed at 1 year.
      • On-demand key rotation available for immediate rotation of customer managed symmetric encryption keys.
      • Key rotation history tracking available via console and API.
    • External Key Store (XKS): Allows you to store and use encryption keys in an HSM or key manager outside AWS, while still using KMS APIs. Useful for regulatory requirements mandating key storage outside cloud provider infrastructure.
    • Post-Quantum Cryptography (2025-2026):
      • ML-KEM (Module-Lattice Key-Encapsulation Mechanism) support for post-quantum TLS connections to KMS.
      • ML-DSA (Module-Lattice Digital Signature Algorithm) support for quantum-resistant digital signatures (June 2025).
      • CRYSTALS-Kyber support will be removed in 2026 in favor of ML-KEM.
    • Key Store Options:
      • Default KMS key store (FIPS 140-3 Level 3 HSMs managed by AWS)
      • CloudHSM key store (custom key store backed by your CloudHSM cluster)
      • External key store (XKS — keys stored outside AWS)

Encryption Models in AWS

Encryption models in AWS depends on how you/AWS provides the encryption method and the KMI

  • You control the encryption method and the entire KMI
  • You control the encryption method, AWS provides the storage component of the KMI, and you provide the management layer of the KMI.
  • AWS controls the encryption method and the entire KMI.

Model A: You control the encryption method and the entire KMI

  • You use your own KMI to generate, store, and manage access to keys as well as control all encryption methods in your applications
  • Proper storage, management, and use of keys to ensure the confidentiality, integrity, and availability of your data is your responsibility
  • AWS has no access to your keys and cannot perform encryption or decryption on your behalf.
  • Amazon S3
    • Encryption of the data is done before the object is sent to AWS S3
    • Encryption of the data can be done using any encryption method and the encrypted data can be uploaded using the PUT request in the Amazon S3 API
    • Key used to encrypt the data needs to be stored securely in your KMI
    • To decrypt this data, the encrypted object can be downloaded from Amazon S3 using the GET request in the Amazon S3 API and then decrypted using the key in your KMI
    • AWS provides Client-side encryption handling, where you can provide your key to the AWS S3 encryption client which will encrypt and decrypt the data on your behalf. However, AWS never has access to the keys or the unencrypted data
  • Amazon EBS
    • Amazon Elastic Block Store (Amazon EBS) provides block-level storage volumes for use with Amazon EC2 instances. Amazon EBS volumes are network-attached, and persist independently from the life of an instance.
    • Because Amazon EBS volumes are presented to an instance as a block device, you can leverage most standard encryption tools for file system-level or block-level encryption
    • Block level encryption
      • Block level encryption tools usually operate below the file system layer using kernel space device drivers to perform encryption and decryption of data.
      • These tools are useful when you want all data written to a volume to be encrypted regardless of what directory the data is stored in
    • File System level encryption
      • File system level encryption usually works by stacking an encrypted file system on top of an existing file system.
      • This method is typically used to encrypt a specific directory
    • These solutions require you to provide keys, either manually or from your KMI.
    • Both block-level and file system-level encryption tools can only be used to encrypt data volumes that are not Amazon EBS boot volumes
    • Update: Amazon EBS now supports native encryption for both boot and data volumes through its built-in encryption feature integrated with AWS KMS. The limitation of third-party tools not supporting boot volume encryption is less relevant as EBS native encryption is the recommended approach.
  • AWS Storage Gateway
    • AWS Storage Gateway is a service connecting an on-premises software appliance with Amazon S3. Data on disk volumes attached to the AWS Storage Gateway will be automatically uploaded to Amazon S3 based on policy
    • Encryption of the source data on the disk volumes can be either done before writing to the disk or using block level encryption on the iSCSI endpoint that AWS Storage Gateway exposes to encrypt all data on the disk volume.
  • Amazon RDS
    • Amazon RDS doesn’t expose the attached disk it uses for data storage, transparent disk encryption using techniques for EBS section cannot be applied.
    • However, individual fields data can be encrypted before the data is written to RDS and decrypted after reading it.
    • Update: Amazon RDS now supports native KMS-based encryption at rest for all database engines. All new Amazon Aurora clusters are encrypted by default (Feb 2026).

Model B: You control the encryption method, AWS provides the KMI storage component, and you provide the KMI management layer

  • Model B is similar to Model A where the encryption method is managed by you
  • Model B differs in the approach to Model A where the keys are maintained in AWS CloudHSM rather than the on-premise key storage system
  • Only you have access to the cryptographic partitions within the dedicated HSM to use the keys
  • Update: With the new hsm2m.medium instance type (Aug 2024), CloudHSM provides FIPS 140-3 Level 3 certification, non-FIPS mode option, and increased key storage capacity (16,666 keys).

Model C: AWS controls the encryption method and the entire KMI

  • AWS provides and manages the server-side encryption of your data, transparently managing the encryption method and the keys.
  • AWS KMS and other services that encrypt your data directly use a method called envelope encryption to provide a balance between performance and security.
  • Envelope Encryption method
    • A master key (KMS key) is defined either by you or AWS
    • A data key (data encryption key) is generated by the AWS service at the time when data encryption is requested
    • Data key is used to encrypt your data.
    • Data key is then encrypted with a key-encrypting key (KMS key) unique to the service storing your data.
    • Encrypted data key and the encrypted data are then stored by the AWS storage service on your behalf.
  • KMS keys used to encrypt data keys are stored and managed separately from the data and the data keys
  • For decryption of the data, the process is reversed. Encrypted data key is decrypted using the KMS key; the data key is then used to decrypt your data
  • Authorized use of encryption keys is done automatically and is securely managed by AWS.
  • Because unauthorized access to those keys could lead to the disclosure of your data, AWS has built systems and processes with strong access controls that minimize the chance of unauthorized access and had these systems verified by third-party audits to achieve security certifications including SOC 1, 2, and 3, PCI-DSS, and FedRAMP.
  • Amazon S3
    • Important (Jan 2023): Amazon S3 now automatically encrypts ALL new objects with SSE-S3 as the base level of encryption. No action required — encryption is applied by default at no additional cost.
    • SSE-S3
      • AWS encrypts each object using a unique data key
      • Data key is encrypted with a periodically rotated master key managed by S3
      • Amazon S3 server-side encryption uses 256-bit Advanced Encryption Standard (AES) keys for both object and master keys
      • This is now the default encryption for all S3 objects
    • SSE-KMS
      • KMS keys are defined and managed in KMS for your account
      • Object Encryption
        • When an object is uploaded, a request is sent to KMS to create an object key.
        • KMS generates a unique object key and encrypts it using the KMS key; KMS then returns this encrypted object key along with the plaintext object key to Amazon S3.
        • Amazon S3 web server encrypts your object using the plaintext object key and stores the now encrypted object (with the encrypted object key) and deletes the plaintext object key from memory.
      • Object Decryption
        • To retrieve the encrypted object, Amazon S3 sends the encrypted object key to AWS KMS.
        • AWS KMS decrypts the object key using the correct KMS key and returns the decrypted (plaintext) object key to S3.
        • Amazon S3 decrypts the encrypted object, with the plaintext object key, and returns it to you.
    • DSSE-KMS (Dual-Layer Server-Side Encryption — New June 2023)
      • Applies two independent layers of encryption to objects using AES-256-GCM algorithm
      • Each layer uses a different implementation of AES-256-GCM for defense-in-depth
      • Both layers use KMS keys for key management
      • Designed to meet compliance requirements (e.g., NSA CNSSP 15) that mandate dual-layer encryption
      • Can be configured as bucket default encryption or specified per-object
    • SSE-C
      • Amazon S3 is provided an encryption key, while uploading the object
      • Encryption key is used by Amazon S3 to encrypt your data using AES-256
      • After object encryption, Amazon S3 deletes the encryption key
      • For downloading, you need to provide the same encryption key, which AWS matches, decrypts and returns the object
      • Update (April 2026): SSE-C is now disabled by default on all new S3 general purpose buckets. Existing buckets without SSE-C objects will also have SSE-C disabled. Must be explicitly enabled via bucket settings if needed.
    • S3 Bucket-Level Encryption Enforcement (Nov 2025): New setting to standardize encryption types (SSE-S3 or SSE-KMS only) for all write requests to a bucket.
  • Amazon EBS
    • When Amazon EBS volume is created, you can choose the KMS key to be used for encrypting the volume
    • Encryption by Default: You can enable EBS encryption by default per-region, so all newly created EBS volumes (including boot volumes) are automatically encrypted with the default KMS key or a specified key.
    • Volume encryption
      • Amazon EC2 server sends an authenticated request to AWS KMS to create a volume key.
      • AWS KMS generates this volume key, encrypts it using the KMS key, and returns the plaintext volume key and the encrypted volume key to the Amazon EC2 server.
      • Plaintext volume key is stored in memory to encrypt and decrypt all data going to and from your attached EBS volume.
    • Volume decryption
      • When the encrypted volume (or any encrypted snapshots derived from that volume) needs to be re-attached to an instance, a call is made to AWS KMS to decrypt the encrypted volume key.
      • AWS KMS decrypts this encrypted volume key with the correct KMS key and returns the decrypted volume key to Amazon EC2.
  • Amazon S3 Glacier
    • S3 Glacier provides encryption of the data, by default
    • Before it’s written to disk, data is always automatically encrypted using 256-bit AES keys unique to the service that are stored in separate systems under AWS control
    • S3 Glacier storage classes include: S3 Glacier Instant Retrieval, S3 Glacier Flexible Retrieval (formerly S3 Glacier), and S3 Glacier Deep Archive
    • Note: The original standalone vault-based Amazon Glacier service stopped accepting new customers on December 15, 2025. Use S3 Glacier storage classes instead.
  • AWS Storage Gateway
    • AWS Storage Gateway transfers your data to AWS over SSL
    • AWS Storage Gateway stores data encrypted at rest in Amazon S3 or S3 Glacier using their respective server side encryption schemes.
  • Amazon RDS – Oracle
    • Oracle Advanced Security option for Oracle on Amazon RDS can be used to leverage the native Transparent Data Encryption (TDE) and Native Network Encryption (NNE) features
    • Oracle encryption module creates data and key-encrypting keys to encrypt the database
    • Key-encrypting keys specific to your Oracle instance on Amazon RDS are themselves encrypted by a periodically rotated 256-bit AES master key.
    • Master key is unique to the Amazon RDS service and is stored in separate systems under AWS control
    • Update: Amazon RDS also supports native KMS-based encryption at the storage layer (EBS-level encryption) as an alternative to Oracle TDE.
  • Amazon RDS – SQL Server
    • Transparent Data Encryption (TDE) can be provisioned for Microsoft SQL Server on Amazon RDS.
    • SQL Server encryption module creates data and key-encrypting keys to encrypt the database.
    • Key-encrypting keys specific to your SQL Server instance on Amazon RDS are themselves encrypted by a periodically rotated, regional 256-bit AES master key
    • Master key is unique to the Amazon RDS service and is stored in separate systems under AWS control
    • Update (Oct 2025): Amazon RDS for SQL Server now supports encrypting native backups using SSE-KMS.
  • Amazon Aurora (New – Feb 2026)
    • All new Aurora database clusters created on or after February 18, 2026 are encrypted at rest by default using AES-256 encryption
    • Uses AWS owned keys if no custom encryption is specified
    • Encryption is transparent with no performance impact
    • Existing unencrypted clusters are unaffected but can be migrated to encrypted clusters
    • Supports customer managed KMS keys for additional control

Sample Exam Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. How can you secure data at rest on an EBS volume?
    1. Encrypt the volume using the S3 server-side encryption service
    2. Attach the volume to an instance using EC2’s SSL interface.
    3. Create an IAM policy that restricts read and write access to the volume.
    4. Write the data randomly instead of sequentially.
    5. Use an encrypted file system on top of the EBS volume
  2. Your company policies require encryption of sensitive data at rest. You are considering the possible options for protecting data while storing it at rest on an EBS data volume, attached to an EC2 instance. Which of these options would allow you to encrypt your data at rest? (Choose 3 answers)
    1. Implement third party volume encryption tools
    2. Do nothing as EBS volumes are encrypted by default
    3. Encrypt data inside your applications before storing it on EBS
    4. Encrypt data using native data encryption drivers at the file system level
    5. Implement SSL/TLS for all services running on the server
  3. A company is storing data on Amazon Simple Storage Service (S3). The company’s security policy mandates that data is encrypted at rest. Which of the following methods can achieve this? Choose 3 answers
    1. Use Amazon S3 server-side encryption with AWS Key Management Service managed keys
    2. Use Amazon S3 server-side encryption with customer-provided keys
    3. Use Amazon S3 server-side encryption with EC2 key pair.
    4. Use Amazon S3 bucket policies to restrict access to the data at rest.
    5. Encrypt the data on the client-side before ingesting to Amazon S3 using their own master key
    6. Use SSL to encrypt the data while in transit to Amazon S3.
  4. Which 2 services provide native encryption
    1. Amazon EBS
    2. Amazon S3 Glacier
    3. Amazon Redshift (is optional)
    4. Amazon RDS (is optional)
    5. Amazon Storage Gateway
  5. With which AWS services CloudHSM can be used (select 2)
    1. S3
    2. DynamoDb
    3. RDS
    4. ElastiCache
    5. Amazon Redshift
  6. A company needs to ensure all new objects uploaded to Amazon S3 are encrypted. What is the MOST operationally efficient approach? [Updated 2023+]
    1. Create a bucket policy denying unencrypted uploads
    2. No action needed — S3 automatically encrypts all new objects with SSE-S3 by default since January 2023
    3. Enable default encryption on each bucket manually
    4. Use AWS Config rules to detect unencrypted objects
  7. A company requires FIPS 140-3 Level 3 validated key management. Which options meet this requirement? (Choose 2) [Updated 2024+]
    1. AWS KMS default key store
    2. AWS Secrets Manager
    3. AWS CloudHSM with hsm2m.medium instance type
    4. Amazon S3 SSE-S3 managed keys
    5. AWS Certificate Manager
  8. An organization needs to rotate KMS keys every 90 days for compliance. How can this be achieved? [New 2024]
    1. Create a Lambda function to create new keys quarterly
    2. This is not possible as KMS only supports annual rotation
    3. Configure automatic key rotation with a custom period of 90 days using the rotation period setting
    4. Use AWS Config to trigger manual key rotation
  9. A regulated financial institution requires encryption keys to remain outside AWS infrastructure at all times. Which AWS KMS feature addresses this requirement? [New 2024]
    1. AWS KMS custom key store with CloudHSM
    2. AWS KMS imported key material (BYOK)
    3. AWS KMS External Key Store (XKS)
    4. AWS CloudHSM with on-premises HSM replication
  10. Which Amazon S3 encryption option applies two independent layers of server-side encryption to objects? [New 2023]
    1. SSE-S3 with bucket key
    2. SSE-KMS with automatic key rotation
    3. DSSE-KMS (Dual-Layer Server-Side Encryption with KMS)
    4. SSE-C with two different customer keys

References

11 thoughts on “AWS Encrypting Data at Rest – Whitepaper – Certification

  1. I believe Question(4) You meant Amazon EBS and Amazon Storage Gateway , please correct it or clarify.

    Thanks

    1. Its Glacier and Storage Gateway as they provide native encryption for the rest of the services they do provide the feature but is not enabled by default

  2. Question #5. Why S3 is not the correct answer? The encryption keys for S3 can be stored and managed by cloudHSM.

    1. Thats changed now as per the FAQs ..
      AWS services do not integrate with CloudHSM directly today. If you want to use the server-side cryptography offered by many AWS services (such as EBS, S3, or RDS), you should consider the AWS Key Management Service. Over time we may integrate CloudHSM with other AWS services.

  3. How sqs SSE encrypt message body using awssdk.sqs for .net ? Is KMS encryption works with rest only ?

  4. Hi Jeyandra
    Can you assist with this please?

    decurity p0licy of an organization equires applic@tion to ncrypt data before writing to the disk
    Which olution should organization use to meet requirement

    AWS KMS API
    AWS certificate manager
    API gateway with sts
    IAM access key

Comments are closed.