AWS KMS & Encryption — DVA-C02 Bare Essentials
| Topic |
Remember |
| SSE-S3 |
AWS manages everything. Simplest encryption. |
| SSE-KMS |
Uses AWS KMS. Supports Customer Managed Keys (CMKs), IAM control, CloudTrail auditing. |
| SSE-C |
Customer supplies encryption key with every request. AWS never stores the key. |
| Client-side Encryption |
Application encrypts data before sending to AWS. AWS never sees plaintext. |
| AWS KMS |
Managed key management service. |
| AWS CloudHSM |
Dedicated hardware security module with customer control. |
1. SSE-S3 (Server-Side Encryption with S3 Managed Keys)
What it is
- S3 encrypts objects automatically.
- Uses AES-256.
- AWS manages the keys.
- No KMS involved.
Use when
- You simply need encryption at rest.
- No audit requirements.
- No key management.
Remember
- ✅ Simplest option
- ✅ No application changes
- ✅ Automatic encryption/decryption
- ❌ No KMS audit logs
- ❌ Cannot use your own CMK
2. SSE-KMS (Server-Side Encryption with AWS KMS)
What it is
S3 encrypts objects using a KMS key.
Can use:
- AWS Managed Key
- Customer Managed Key (CMK)
Benefits
- IAM permissions
- Key policies
- CloudTrail logging
- Audit trail
- Disable/Delete keys
- Automatic key rotation
Use when
Questions mention:
- Customer Managed Key (CMK)
- Audit trail
- Compliance
- CloudTrail
- IAM control
Upload Example
Specify:
- Server-Side Encryption = aws:kms
- KMS Key ARN or Key ID
This is the standard exam answer.
3. Customer Managed Key (CMK)
Why use it?
You control:
- IAM permissions
- Key policy
- Rotation
- Enable/Disable
- Schedule deletion
Exam keywords
If question says:
- customer-managed key
- CMK
- compliance
- audit
- IAM control
→ Answer is usually SSE-KMS with CMK
4. CloudTrail + KMS
Every Encrypt/Decrypt operation is logged.
Logs include:
- IAM user/role
- Timestamp
- Key used
- API call
Exam shortcut
Need audit trail?
→ SSE-KMS
NOT SSE-S3
5. Client-side Encryption
Application encrypts data BEFORE uploading.
AWS receives only ciphertext.
AWS never sees:
Usually implemented using:
Use when
Questions say:
- application encrypts
- encrypt before upload
- AWS must never see plaintext
- customer controls encryption
6. AWS Encryption SDK
Provides client-side envelope encryption.
Flow:
Application
↓
Generate Data Key
↓
Encrypt File
↓
Upload encrypted file to S3
Useful when AWS must never access plaintext.
7. SSE-C (Customer Provided Keys)
Customer sends encryption key with EVERY upload.
S3:
- encrypts object
- immediately discards the key
AWS never stores it.
Use when
Questions mention:
- on-prem HSM
- external key management
- AWS must not store keys
- different key for every object
8. SSE-C vs Client-side Encryption
SSE-C
Application sends plaintext to S3.
S3 performs encryption.
AWS briefly sees plaintext.
AWS does NOT keep the key.
Client-side Encryption
Application encrypts first.
AWS never sees plaintext.
AWS never sees key.
This is the strongest customer control.
9. AWS CloudHSM
Dedicated Hardware Security Module.
Provides:
- Dedicated HSM
- Single tenant
- Customer control
- Custom crypto logic
FIPS 140-2 Level 3
Use when
Question says:
- Dedicated HSM
- Hardware backed
- FIPS Level 3
- Customer controls HSM
Answer:
AWS CloudHSM
10. KMS vs CloudHSM
AWS KMS
- Managed service
- Multi-tenant
- Easier
- Most AWS services integrate directly
CloudHSM
- Dedicated hardware
- Customer controls HSM
- More expensive
- Used for strict compliance
11. Automatic Key Rotation
Customer Managed Keys can be rotated automatically.
AWS:
- Creates new key material every year
- Keeps same Key ID
- Keeps same ARN
Applications continue working.
Old key versions remain available to decrypt old data.
Exam trick
Rotation DOES NOT change:
12. Schedule Key Deletion
CMKs can be scheduled for deletion.
Waiting period:
7–30 days
During this period:
Deletion can be cancelled.
13. Cancel Key Deletion
Before deletion date:
Use:
- Console
- CancelKeyDeletion API
After cancelling:
Key becomes:
Disabled
You must:
Enable it again
Then applications work normally.
14. Which Encryption Should I Choose?
SSE-S3
Choose when:
- simplest
- no key management
- encryption at rest only
SSE-KMS
Choose when:
- CMK
- audit
- CloudTrail
- IAM permissions
- compliance
SSE-C
Choose when:
- customer provides key
- on-prem HSM
- AWS must never store keys
- unique key per upload
Client-side Encryption
Choose when:
- application encrypts
- AWS never sees plaintext
- full customer control
- AWS Encryption SDK
CloudHSM
Choose when:
- dedicated hardware
- FIPS 140-2 Level 3
- custom cryptography
- customer-owned HSM
Exam Memory Tricks
"Simplest encryption"
→ SSE-S3
"Customer Managed Key"
→ SSE-KMS
"Audit trail"
→ SSE-KMS + CloudTrail
"CloudTrail key usage"
→ SSE-KMS
"Application encrypts before upload"
→ Client-side Encryption
"AWS Encryption SDK"
→ Client-side Encryption
"AWS must never store key"
→ SSE-C
"On-prem HSM"
→ SSE-C
"Unique key for every upload"
→ SSE-C
"Dedicated HSM"
→ CloudHSM
"FIPS Level 3"
→ CloudHSM
"Automatic yearly rotation"
→ Enable KMS automatic key rotation
"Cancel key deletion"
→ CancelKeyDeletion API
30-Second Revision
- SSE-S3 → Simplest, AWS manages keys.
- SSE-KMS → CMK, IAM control, CloudTrail auditing.
- SSE-C → Customer supplies key every request; AWS never stores it.
- Client-side Encryption → Encrypt before upload; AWS never sees plaintext.
- AWS Encryption SDK → Client-side encryption library.
- CloudHSM → Dedicated FIPS Level 3 hardware.
- Automatic Rotation → Same ARN, new key material yearly.
- Scheduled Deletion → 7–30 day waiting period.
- CancelKeyDeletion → Restores key (disabled), then re-enable.