AWS Solutions Architect · Lesson

KMS, ACM, and Encryption Patterns

Manage encryption keys with AWS KMS, provision and rotate TLS certificates with ACM, and choose between client-side, server-side, and transit encryption.

Encryption on AWS: Overview

Encryption is a fundamental security control that protects data confidentiality even if storage media is compromised or access is gained through other means. AWS provides encryption for data at rest (stored in databases, S3, EBS) and in transit (moving across networks).

Key services: AWS Key Management Service (KMS) manages encryption keys for at-rest encryption. AWS Certificate Manager (ACM) provisions and manages TLS certificates for in-transit encryption. Understanding when and how to apply each is essential for the Security Architecture domain of SAA-C03.

# Encryption coverage on AWS:
# At rest (KMS):
#   S3, EBS, RDS, DynamoDB, EFS, SQS,
#   Lambda env vars, Secrets Manager, SSM Parameter Store

# In transit (ACM/TLS):
#   ALB listeners (HTTPS), API Gateway, CloudFront,
#   Direct Connect, VPN, inter-service communication

# Both:
#   S3 Server-Side Encryption + HTTPS only policy
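The "S3 Server-Side Encryption + HTTPS only policy" combination above is usually enforced with explicit Deny statements in the bucket policy. The block below is an added example, not part of the lesson: it builds such a policy (real condition keys `aws:SecureTransport`, `s3:x-amz-server-side-encryption` and `s3:x-amz-server-side-encryption-aws-kms-key-id`) and includes a deliberately minimal evaluator for just those two operators, so the policy can be checked against constructed request contexts offline. The bucket name and key ARN are placeholders.

```python
"""Bucket policy for the 'SSE-KMS at rest + HTTPS only in transit' pattern, plus a
minimal condition evaluator to sanity-check it against sample requests.
Added example; the bucket name and KMS key ARN below are placeholders, not lesson values."""
import json

BUCKET = "example-data-bucket"                                           # assumed name
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"   # placeholder ARN


def https_and_kms_policy(bucket: str, key_arn: str) -> dict:
    """Three explicit Deny statements: no plaintext HTTP, no unencrypted PutObject,
    and no PutObject encrypted under any key other than the intended CMK."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # aws:SecureTransport is "false" for any request that arrives over plain HTTP
                "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
                "Action": "s3:*", "Resource": [f"arn:aws:s3:::{bucket}", objects],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # StringNotEquals also matches when the header is absent from the request
                "Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": objects,
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {   # pin uploads to one CMK so objects cannot be encrypted under a key you do not control
                "Sid": "DenyWrongKmsKey", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": objects,
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": key_arn}},
            },
        ],
    }


def _condition_matches(condition: dict, ctx: dict) -> bool:
    """Evaluate only the two operators the policy above uses. Mirrors IAM semantics:
    a negated operator (StringNotEquals) matches when the key is missing from the request,
    while Bool does not match when the key is missing."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "Bool":
                if actual is None or actual.lower() != expected.lower():
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual == expected:
                    return False
            else:
                raise NotImplementedError(operator)   # keep the toy evaluator honest
    return True


def evaluate(policy: dict, action: str, ctx: dict) -> str:
    """Return 'DENY:<Sid>' for the first matching Deny statement, else 'ALLOW', meaning
    'not denied by the bucket policy' (the caller's IAM policy must still grant the action)."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if st["Action"] not in ("s3:*", action):
            continue
        if _condition_matches(st.get("Condition", {}), ctx):
            return f"DENY:{st['Sid']}"
    return "ALLOW"


POLICY = https_and_kms_policy(BUCKET, KMS_KEY_ARN)

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    # constructed sample request contexts
    print(evaluate(POLICY, "s3:PutObject", {"aws:SecureTransport": "false"}))
    print(evaluate(POLICY, "s3:PutObject", {"aws:SecureTransport": "true",
                                             "s3:x-amz-server-side-encryption": "AES256"}))
```

The evaluator only models the Deny side of the bucket policy; real evaluation also needs an Allow somewhere (IAM or bucket policy) and applies Resource matching, which is omitted here because every statement targets the same bucket. If the bucket also has default encryption set to SSE-KMS with the same key, uploads without the headers are still encrypted under that key, so the second and third statements act as explicit key pinning rather than the only line of defence.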

AWS KMS: Key Management Service

AWS KMS is a fully managed service for creating and controlling encryption keys. KMS uses Hardware Security Modules (HSMs) to protect keys — the key material never leaves the HSM unencrypted. KMS integrates with most AWS services for server-side encryption.

Types of keys: AWS Managed Keys (free, auto-rotated annually, you cannot control them directly) and Customer Managed Keys (CMK) ($1/month each, you control rotation, key policy, and deletion). A Custom Key Store backs a CMK with your own CloudHSM cluster, for compliance requirements that mandate dedicated HSMs.

# Create a Customer Managed Key (CMK)
aws kms create-key \
  --description 'Production database encryption key' \
  --key-usage ENCRYPT_DECRYPT \
  --origin AWS_KMS \
  --tags TagKey=Purpose,TagValue=RDS-Encryption

# Create an alias for the key
aws kms create-alias \
  --alias-name alias/prod-db-key \
  --target-key-id arn:aws:kms:us-east-1:123:key/abc-def

# CMK costs: $1/month + $0.03 per 10,000 API calls
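Because the key material never leaves the HSM, services do not send bulk data to KMS; they use envelope encryption: KMS generates a data key, returns it once in plaintext together with a copy wrapped under the CMK, and only the wrapped copy is stored next to the ciphertext. The block below is an added example (not the lesson's code and not boto3): it implements that flow with an in-process stand-in for the KMS `CreateKey` / `GenerateDataKey` / `Decrypt` calls, reusing the `alias/prod-db-key` alias from the CLI above. To keep it standard-library only, HMAC-SHA256 in counter mode with an encrypt-then-MAC tag stands in for AES-GCM; a real deployment would call KMS and use an AEAD such as AES-GCM from the `cryptography` package.

```python
"""Envelope encryption as KMS performs it: a per-record data key is generated and wrapped
by a master key that never leaves the key service; only the wrapped copy is stored next
to the ciphertext. Added example with an in-process stand-in for KMS (assumed API shape)."""
import hashlib
import hmac
import json
import secrets


def _canon(ctx: dict) -> bytes:
    """Canonical encoding of an encryption context. As with KMS, it is bound to the wrapped
    key as additional authenticated data, so Decrypt with a different context fails."""
    return json.dumps(ctx, sort_keys=True, separators=(",", ":")).encode()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only stand-in for AES-GCM's encryption step."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def _aead_encrypt(key: bytes, plaintext: bytes, aad: bytes) -> dict:
    nonce = secrets.token_bytes(12)
    ct = _keystream_xor(key, nonce, plaintext)
    # encrypt-then-MAC; the tag also covers the AAD so a changed context is detected
    tag = hmac.new(key, b"tag|" + nonce + ct + aad, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def _aead_decrypt(key: bytes, blob: dict, aad: bytes) -> bytes:
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(key, b"tag|" + nonce + ct + aad, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or encryption context")
    return _keystream_xor(key, nonce, ct)


class FakeKms:
    """Stand-in for the KMS CreateKey / GenerateDataKey / Decrypt API shape (not boto3)."""

    def __init__(self):
        self._master_keys = {}   # key id -> master key bytes; never returned to callers

    def create_key(self, key_id: str) -> str:
        self._master_keys[key_id] = secrets.token_bytes(32)
        return key_id

    def generate_data_key(self, key_id: str, encryption_context: dict) -> dict:
        data_key = secrets.token_bytes(32)
        wrapped = _aead_encrypt(self._master_keys[key_id], data_key, _canon(encryption_context))
        wrapped["key_id"] = key_id
        return {"Plaintext": data_key, "CiphertextBlob": json.dumps(wrapped).encode()}

    def decrypt(self, ciphertext_blob: bytes, encryption_context: dict) -> bytes:
        wrapped = json.loads(ciphertext_blob)
        master = self._master_keys[wrapped["key_id"]]
        return _aead_decrypt(master, wrapped, _canon(encryption_context))


def encrypt_record(kms: FakeKms, key_id: str, plaintext: bytes, context: dict) -> dict:
    """Client-side envelope encryption: one KMS call per record, bulk encryption done locally."""
    dk = kms.generate_data_key(key_id, context)
    body = _aead_encrypt(dk["Plaintext"], plaintext, _canon(context))
    # dk["Plaintext"] is dropped here; the stored record only carries the wrapped key
    return {"wrapped_key": dk["CiphertextBlob"].decode(), "context": context, "body": body}


def decrypt_record(kms: FakeKms, record: dict) -> bytes:
    """Decrypt needs one KMS call to unwrap the data key, then local decryption."""
    data_key = kms.decrypt(record["wrapped_key"].encode(), record["context"])
    return _aead_decrypt(data_key, record["body"], _canon(record["context"]))


if __name__ == "__main__":
    kms = FakeKms()
    key_id = kms.create_key("alias/prod-db-key")   # alias from the CLI example above
    # constructed sample record and encryption context
    record = encrypt_record(kms, key_id, b"ssn=123-45-6789", {"table": "customers", "tenant": "acme"})
    print(json.dumps(record, indent=2))
    print(decrypt_record(kms, record))
```

Two points carry over to the real service: the plaintext data key exists only in memory for the duration of one encrypt or decrypt, and the encryption context is stored in the clear but authenticated, so an attacker who swaps a ciphertext into another tenant's record gets a Decrypt failure rather than plaintext. KMS also logs the context in CloudTrail, which is what makes it useful for auditing.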
