Step-by-Step Guide to Securing Data at Rest with AWS KMS

Oshaba Samson

Have you ever considered how secure your data truly is, especially the data stored in your Amazon RDS instances, S3 buckets, EBS volumes, and other AWS resources? Imagine this: if an attacker were to gain access to your network or infrastructure, would they be able to view your sensitive data in plain text?

If the answer is "yes", or even "I'm not sure", then it's time to rethink your data protection strategy.

Data at rest refers to any data that is stored on disk or persistent storage, and it can be just as vulnerable as data in transit if not properly protected. Leaving data unencrypted means it’s exposed to anyone who can bypass access controls, whether through a misconfiguration, compromised credentials, or a security breach.

Thankfully, AWS offers robust, built-in solutions to safeguard data at rest. These mechanisms are designed to ensure that even if unauthorized access occurs, the data remains unreadable and useless without the proper decryption keys.

In AWS, there are two primary methods for encrypting data at rest:

  1. Server-Side Encryption (SSE) – where AWS handles the encryption and key management for you.

  2. Client-Side Encryption (CSE) – where you encrypt the data before uploading it to AWS, giving you full control over keys and encryption logic.

In this guide, we'll walk through how to implement AWS encryption at rest using server-side encryption with a KMS key.

  • Log in to the AWS Management Console

  • Go to the search bar and type kms

  • Click on KMS

  • Click on Create key

  • Select the key type and key usage

  • Click on Next

There are two key types:

  • Symmetric - a single key is used both to encrypt and to decrypt the data

  • Asymmetric - one key is used to encrypt while a different key is used to decrypt the data

  • Type the key name (alias) and a description

  • Select the users you want to grant full access to this key

  • Click on Next

  • Click on Next

  • Review the settings

  • Click on Finish

  • You can now see the key in the list

Using the key

We will use the key to encrypt data stored in an S3 bucket.

  • Go to the search bar and type s3

  • Click on S3

  • Click on Create bucket

  • Type the name of the bucket

  • Select General purpose

  • Leave the remaining settings at their defaults

  • Under Default encryption, select Server-side encryption with AWS KMS keys (SSE-KMS)

  • Select the key we created in KMS

  • Click on Create bucket
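As an added example that is not part of the original post, here is the API-side equivalent of the S3 steps above in Python: the encryption configuration that the console choice produces, in the shape boto3's `put_bucket_encryption` takes, plus a check over a `get_bucket_encryption` response that the bucket really defaults to SSE-KMS with the key created above (a common slip is ending up on the AWS managed `aws/s3` key or on SSE-S3 instead). The bucket name and key ARN are constructed placeholders.

```python
"""Build and verify S3 default encryption with a customer managed KMS key.

Added example, not from the original post. The dict shapes follow boto3's
put_bucket_encryption / get_bucket_encryption; the bucket and key are placeholders.
"""
from typing import Optional

# Constructed placeholders: use the ARN shown in the KMS console after "Finish"
# and the bucket name typed in the S3 steps.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
BUCKET = "example-encrypted-bucket"


def sse_kms_configuration(key_arn: str, bucket_key: bool = True) -> dict:
    """ServerSideEncryptionConfiguration equivalent to choosing SSE-KMS with our
    key in the console; pass it to s3.put_bucket_encryption(...)."""
    return {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": key_arn,
                },
                "BucketKeyEnabled": bucket_key,
            }
        ]
    }


def check_default_encryption(response: dict, expected_key_arn: str) -> Optional[str]:
    """Inspect a get_bucket_encryption() response. Return None when the bucket
    defaults to SSE-KMS with the expected key, otherwise a short reason."""
    rules = response.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return "no default encryption rule"
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {})
    algo = default.get("SSEAlgorithm")
    if algo != "aws:kms":
        return f"default algorithm is {algo!r}, not aws:kms"
    key = default.get("KMSMasterKeyID")
    if not key:
        return "aws:kms without a key id falls back to the AWS managed aws/s3 key"
    if key != expected_key_arn:  # S3 reports the full key ARN once a key is set
        return f"unexpected key {key!r}"
    return None


if __name__ == "__main__":
    import boto3  # imported here so the checks above also run offline

    s3 = boto3.client("s3")
    s3.put_bucket_encryption(
        Bucket=BUCKET, ServerSideEncryptionConfiguration=sse_kms_configuration(KEY_ARN)
    )
    print(check_default_encryption(s3.get_bucket_encryption(Bucket=BUCKET), KEY_ARN) or "ok")
```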


Written by

Oshaba Samson

I am a software developer with 5+ years of experience. I have worked on web apps: e-commerce, e-learning, HRM web applications and many others.