AWS Certified Developer Associate (DVA-C02) > Domain 2: Security > Encryption > 2.2.1 Encryption at Rest and in Transit

2.2.1 Encryption at Rest and in Transit

Encryption at Rest and in Transit

At Rest

Service	Default Encryption	Options
S3	SSE-S3 (default since 2023)	SSE-S3, SSE-KMS, SSE-C, Client-side
DynamoDB	AWS owned key (default)	AWS owned, AWS managed, CMK
EBS	Optional (can enforce via SCP)	AWS managed, CMK
RDS	Optional	AWS managed, CMK
Lambda env vars	AWS managed key	CMK (encryption helpers)
EFS	Encryption at rest (KMS), in transit (TLS)	AWS managed, CMK

EBS Encryption

Encrypt volumes, snapshots, và AMIs
AES-256 encryption
Minimal impact on latency
Snapshots of encrypted volumes = encrypted
Copy unencrypted snapshot → can encrypt during copy

# Enable default encryption cho region
aws ec2 enable-ebs-encryption-by-default

# Create encrypted volume
aws ec2 create-volume --encrypted --kms-key-id alias/my-key \
  --availability-zone us-east-1a --size 100 --volume-type gp3

S3 Encryption Types

Type	Key Management	Audit Trail	Use Case
SSE-S3	AWS manages entirely	❌	Default, simple
SSE-KMS	KMS manages	✅ CloudTrail	Audit, compliance
SSE-C	Customer provides key per request	❌	Full key control
Client-side	Application encrypts before upload	❌	End-to-end encryption

In Transit

TLS/SSL cho tất cả AWS API endpoints
HTTPS enforced qua S3 bucket policy:

{
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:*",
  "Resource": "arn:aws:s3:::my-bucket/*",
  "Condition": {
    "Bool": {"aws:SecureTransport": "false"}
  }
}

VPN / Direct Connect cho private connectivity
ACM (Certificate Manager) cho SSL/TLS certificates

Client-side vs Server-side

	Server-side (SSE)	Client-side
Encrypt by	AWS service	Application
Key management	AWS/KMS/Customer	Application
Data in transit	Plaintext → AWS → Encrypt	Encrypted → AWS
Use case	Most workloads	Strict compliance

Exam Tip: SSE-S3 = default, simplest. SSE-KMS = audit trail + key control. SSE-C = customer manages keys. Enforce HTTPS = aws:SecureTransport condition.