top of page

Data Encryption at Rest


One of the most important parts of any architecture is data protection and encryption, when used correctly, can provide an additional layer of protection. Following recommendations of the security pillar of Well-Architected Framework, we have to encrypt storage types by way of rendering them unintelligible to unauthorized access

For this, AWS KMS helps you to manage encryption keys and integrates with many AWS services, like S3 or EBS. For these cases, you can apply server-side encryption in two ways

By console:

Go to EC2 console -» EBS Encryption


And go to Manage


On S3, select the bucket and go to Properties


Select Edit to modify encryption configuration and enable Server-Side Encryption


At this point, you can choose to use an AWS-managed key or create another KMS key. Also, you can enable the bucket key to reduce calls to KMS as well as to reduce KMS costs

If you want to apply it with IaC (with Terraform in this case):

resource "aws_s3_bucket" "MyBucket" {

bucket = "my-bucket-name"

server_side_encryption_configuration {

rule {

apply_server_side_encryption_by_default {

sse_algorithm = "aws:kms"

kms_master_key_id = aws_kms_key.MyKMSKey.arn





resource "aws_ebs_encryption_by_default" "MyVolume" {

enabled = true

} If you find it interesting and want to go deeper into the subject, you can read Ken Beer (General Manager AWS KMS) about the importance of encryption in this blog. And if you are interested in learning more about our #TeraTips or our blog's content, we invite you to see all the content entries that we have created for you and your needs.


Ezequiel Domenech DevOps Engineer Teracloud


Entradas recientes
Buscar por tags
  • Twitter Basic Square
bottom of page