Encryption & KMS
Encryption is the foundation of data protection in the cloud. This page covers the key management services on each provider, the envelope encryption model, encryption at rest and in transit, and certificate management with ACM.
Key Management Services
AWS KMS
AWS Key Management Service (KMS) creates and manages cryptographic keys. KMS is integrated with over 50 AWS services — enabling transparent encryption for S3, EBS, RDS, Lambda environment variables, and more.
```bash
# Create a symmetric KMS key
aws kms create-key \
  --description "Encryption key for production RDS" \
  --key-usage ENCRYPT_DECRYPT \
  --origin AWS_KMS

# Create an alias
aws kms create-alias \
  --alias-name alias/prod-rds-key \
  --target-key-id <key-id>

# Encrypt a secret
aws kms encrypt \
  --key-id alias/prod-rds-key \
  --plaintext fileb://secret.txt \
  --output text \
  --query CiphertextBlob | base64 --decode > secret.encrypted
```

KMS uses envelope encryption internally — your data is encrypted with a data key, which itself is encrypted with a KMS master key. This means you can encrypt large objects locally without sending the data to KMS; only the small data key is wrapped by the service. The boto3 snippet below generates a data key with `generate_data_key` and encrypts locally with it.
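The envelope model is easier to see end to end without a live AWS account. The following is an added example, not code from this page or from AWS: `LocalKms` is a constructed stand-in for a KMS master key and for the `generate_data_key` / `decrypt` calls, the key alias is a placeholder, and AES-256-GCM from the `cryptography` package does the local encryption. It also shows what discarding the plaintext data key buys you: the stored record holds only the wrapped key, and tampering with either the wrapped key or the data is detected at decryption time.

```python
"""Envelope encryption end to end, without calling AWS.

Added example (not from the page): LocalKms is a constructed stand-in
for the KMS master key and for the GenerateDataKey / Decrypt calls the
page's boto3 snippet makes. Data is encrypted locally with AES-256-GCM
under a per-object data key; the key alias is a placeholder.
"""
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit GCM nonce


class LocalKms:
    """Stand-in for a KMS key: the master key never leaves this object."""

    def __init__(self, key_id: str = "alias/prod-rds-key") -> None:
        self.key_id = key_id  # placeholder alias, not a real key
        self._master_key = AESGCM.generate_key(bit_length=256)

    def generate_data_key(self) -> tuple[bytes, bytes]:
        """Like GenerateDataKey: return (plaintext data key, wrapped data key).

        The wrapped copy is AES-GCM under the master key, with the key ID as
        associated data so a wrapped key cannot be replayed under another ID.
        """
        data_key = AESGCM.generate_key(bit_length=256)
        nonce = os.urandom(NONCE_LEN)
        wrapped = nonce + AESGCM(self._master_key).encrypt(
            nonce, data_key, self.key_id.encode()
        )
        return data_key, wrapped

    def decrypt_data_key(self, wrapped: bytes) -> bytes:
        """Like Decrypt on a CiphertextBlob: unwrap, raising InvalidTag on tamper."""
        nonce, ct = wrapped[:NONCE_LEN], wrapped[NONCE_LEN:]
        return AESGCM(self._master_key).decrypt(nonce, ct, self.key_id.encode())


def envelope_encrypt(kms: LocalKms, plaintext: bytes) -> dict:
    """Encrypt locally under a fresh data key; persist only the wrapped key."""
    data_key, wrapped_key = kms.generate_data_key()
    nonce = os.urandom(NONCE_LEN)
    # The wrapped key is bound into the ciphertext as associated data, so the
    # record fails to decrypt if someone swaps in a different wrapped key.
    ciphertext = AESGCM(data_key).encrypt(nonce, plaintext, wrapped_key)
    del data_key  # plaintext data key is discarded after use
    return {
        "key_id": kms.key_id,
        "wrapped_key": wrapped_key,
        "nonce": nonce,
        "ciphertext": ciphertext,
    }


def envelope_decrypt(kms: LocalKms, record: dict) -> bytes:
    """Unwrap the data key via 'KMS', then decrypt the data locally."""
    data_key = kms.decrypt_data_key(record["wrapped_key"])
    return AESGCM(data_key).decrypt(
        record["nonce"], record["ciphertext"], record["wrapped_key"]
    )


def decrypt_or_none(kms: LocalKms, record: dict):
    """Return the plaintext, or None when the wrapped key or data was
    tampered with or the record was wrapped under a different master key."""
    try:
        return envelope_decrypt(kms, record)
    except InvalidTag:
        return None


if __name__ == "__main__":
    kms = LocalKms()
    rec = envelope_encrypt(kms, b"Sensitive customer data")  # constructed input
    print("stored wrapped key bytes:", len(rec["wrapped_key"]))
    print("round trip:", envelope_decrypt(kms, rec))
    print("wrong master key:", decrypt_or_none(LocalKms(), rec))
```

Against the real service the two `LocalKms` methods map onto `kms.generate_data_key(KeyId=..., KeySpec='AES_256')` (use `Plaintext` locally, store `CiphertextBlob`) and `kms.decrypt(CiphertextBlob=...)['Plaintext']`; the associated-data role played by the key ID here is what KMS calls `EncryptionContext`.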
```python
import base64
import boto3
from cryptography.fernet import Fernet

kms = boto3.client('kms')

# Generate a data key: KMS returns it in plaintext and wrapped under the master key
response = kms.generate_data_key(
    KeyId='alias/prod-rds-key',
    KeySpec='AES_256'
)
data_key = response['Plaintext']                 # 32 raw bytes
encrypted_data_key = response['CiphertextBlob']  # data key wrapped by KMS

# Encrypt data locally with the plaintext data key.
# Fernet takes the 32-byte key as URL-safe base64, not as raw bytes.
fernet = Fernet(base64.urlsafe_b64encode(data_key))
encrypted_data = fernet.encrypt(b"Sensitive customer data")

# Discard the plaintext data key, store only encrypted_data + encrypted_data_key
del data_key, fernet
```

AWS CloudHSM
CloudHSM provides dedicated hardware security modules (HSMs) for workloads that require FIPS 140-2 Level 3 compliance or direct control over the HSM appliance. Use cases include:
- PKI and digital signing
- Oracle TDE (Transparent Data Encryption)
- Custom key store in KMS (you create keys in your own HSM)
Azure Key Vault
Azure Key Vault stores keys, secrets, and certificates. It supports HSM-backed keys (Premium tier) and integrates with Azure services:
```bash
# Create a Key Vault
az keyvault create \
  --name myprodkeyvault \
  --resource-group prod-rg \
  --location eastus \
  --sku premium

# Store a secret
az keyvault secret set \
  --vault-name myprodkeyvault \
  --name db-connection-string \
  --value "Server=prod-db;Database=orders;..."

# Enable disk encryption on a VM
az vm encryption enable \
  --resource-group prod-rg \
  --name web-vm \
  --disk-encryption-keyvault myprodkeyvault
```

GCP Cloud KMS
GCP Cloud KMS manages keys with IAM integration and supports symmetric and asymmetric keys:
```bash
# Create a key ring and key
gcloud kms keyrings create prod-keyring --location global
gcloud kms keys create db-key \
  --location global \
  --keyring prod-keyring \
  --purpose encryption

# Encrypt a file
gcloud kms encrypt \
  --location global \
  --keyring prod-keyring \
  --key db-key \
  --plaintext-file secret.txt \
  --ciphertext-file secret.txt.enc
```

Info
Cloud KMS supports Automatic Key Rotation schedules — set it once and keys rotate transparently without any application changes.
Encryption at Rest vs. In Transit
| Context | At Rest | In Transit |
|---|---|---|
| Storage | S3 SSE-S3/SSE-KMS, EBS encryption, RDS encryption | S3 HTTPS endpoints, TLS for all API calls |
| Compute | Encrypted EBS volumes, Lambda env var encryption | TLS between services, mTLS for service mesh |
| Database | RDS encryption, DynamoDB at rest, ElastiCache encryption | RDS TLS connections, DynamoDB HTTPS |
| Messaging | SQS SSE, SNS SSE | SQS HTTPS, SNS HTTPS |
AWS Certificate Manager (ACM)
ACM provisions, manages, and rotates TLS certificates for use with CloudFront, ALB, and API Gateway:
```bash
# Request a public certificate
aws acm request-certificate \
  --domain-name api.myapp.com \
  --validation-method DNS \
  --subject-alternative-names api-staging.myapp.com

# List certificates
aws acm list-certificates --includes keyTypes=EC_prime256v1
```

ACM automatically renews certificates before expiration. If you need to import your own certificate (e.g., from a third-party CA), use `import-certificate` — but note that ACM cannot auto-renew imported certificates.
Caution
CloudFront only accepts ACM certificates issued in us-east-1. Any certificate you attach to a CloudFront distribution must live in that region, regardless of where your origin runs.
Summary
KMS (and its equivalents on Azure and GCP) make encryption operationally straightforward while keeping keys isolated from the data they protect. Envelope encryption lets you balance security with performance. Combined with ACM for TLS, these services give you encryption at rest and in transit with minimal operational overhead.