
Encryption and certificate management on AWS

1. Encryption and certificate management on AWS

Welcome back. We have controlled who can call the application; now we protect the data itself. In this video, you'll learn how encryption and certificates work on AWS. We'll separate encryption at rest from in transit, compare client-side and server-side encryption, manage public and private certificates with ACM and Private CA, and configure KMS key rotation. Let's get started.

2. The missing backup disk

A backup drive goes missing from a courier. Whoever has it holds every customer record, unless the data was encrypted at rest, in which case it's useless noise. The same goes for data crossing the network without TLS, the encryption that secures data in transit. Encryption is the difference between a headline and a non-event.

3. Encryption at rest vs in transit

Data needs protection at two moments. Encryption at rest protects data on disk, in a database, bucket, or snapshot, so a stolen disk reveals nothing; on AWS it's usually backed by keys in KMS, AWS Key Management Service. Encryption in transit protects data crossing the network, using TLS. The two are independent: at-rest does nothing for data on the wire, and TLS does nothing for data at rest. Think of at-rest as a locked safe and in-transit as an armored truck. You need both to keep valuables protected. A secure application uses both, and most AWS services make each a checkbox.

4. Client-side vs server-side encryption

Encryption at rest comes in two styles, defined by who encrypts and when. With server-side encryption, the service encrypts data on arrival before writing it to disk, the simplest option: the service holds the key, either one it manages for you or a KMS key you choose, and it briefly handles your plaintext. With client-side encryption, your application encrypts before the data leaves your code, so the service only ever stores ciphertext and never sees plaintext or the data key. Client-side is more work, because you now own key handling and the decrypt path, but it gives the strongest control, for when even AWS shouldn't be able to read the data. Pick by your threat model, meaning what you're defending against.

5. Public vs private certificates

Certificates prove identity for TLS, and AWS has two services for them. AWS Certificate Manager, ACM, issues free public certificates for domains you own and integrates with load balancers, CloudFront, and API Gateway, renewing them automatically as long as the DNS validation record you created stays in place. AWS Private Certificate Authority is for inside your network: it issues private certificates only your own systems trust, which you need for internal service-to-service TLS and mutual TLS, or mTLS, where both sides present a certificate. Public ACM for anything the internet talks to, Private CA for trust inside your own walls.

6. KMS keys and rotation

KMS is where encryption keys live. AWS managed keys, the ones services create on your behalf, are rotated for you automatically every year, and you can't change that. Customer managed keys give you control: you set the key policy, decide who can use it, and choose rotation. With automatic rotation on, KMS generates new key material yearly by default (the period is configurable) while keeping the same key ID and ARN, so applications reference the same key with no code change; KMS keeps every older version to decrypt ciphertext produced under it, so rotation doesn't re-encrypt existing data. That is why it doesn't break anything, and why compliance teams ask for it. Two caveats before you enable it once and forget it: automatic rotation only applies to symmetric encryption keys whose material KMS generated, not asymmetric or HMAC keys, imported key material, or custom key stores, which you rotate manually; and if you use envelope encryption, rotating the KMS key doesn't rotate the data keys already wrapped under it.
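Because not every key qualifies for automatic rotation, the practical check is an inventory pass. The following is an added example, not code from the lesson: it makes no AWS calls, and SAMPLE_KEYS is a constructed inventory that mirrors the fields of boto3's kms.describe_key()["KeyMetadata"] plus the KeyRotationEnabled flag from kms.get_key_rotation_status(), so it runs offline. The classification rules are the KMS ones described above.

```python
"""Audit which KMS keys are actually covered by automatic rotation.

Added example, not part of the original lesson. No AWS call is made:
SAMPLE_KEYS is constructed to mirror boto3's kms.describe_key()["KeyMetadata"]
fields plus KeyRotationEnabled from kms.get_key_rotation_status().
"""
from typing import Dict, List, Tuple

SAMPLE_KEYS: List[Dict[str, object]] = [  # constructed inventory
    {"KeyId": "aws-s3",  "KeyManager": "AWS",      "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS",  "KeyState": "Enabled",  "KeyRotationEnabled": True},
    {"KeyId": "app-db",  "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS",  "KeyState": "Enabled",  "KeyRotationEnabled": False},
    {"KeyId": "backups", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS",  "KeyState": "Enabled",  "KeyRotationEnabled": True},
    {"KeyId": "signing", "KeyManager": "CUSTOMER", "KeySpec": "RSA_2048",          "Origin": "AWS_KMS",  "KeyState": "Enabled",  "KeyRotationEnabled": False},
    {"KeyId": "tokens",  "KeyManager": "CUSTOMER", "KeySpec": "HMAC_256",          "Origin": "AWS_KMS",  "KeyState": "Enabled",  "KeyRotationEnabled": False},
    {"KeyId": "byok",    "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "EXTERNAL", "KeyState": "Enabled",  "KeyRotationEnabled": False},
    {"KeyId": "legacy",  "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS",  "KeyState": "Disabled", "KeyRotationEnabled": True},
]


def rotation_verdict(meta: Dict[str, object]) -> Tuple[str, str]:
    """Classify one key. Returns (verdict, reason); verdict is one of
    "aws-managed", "manual", "attention", "enable" or "ok"."""
    if meta["KeyManager"] == "AWS":
        return "aws-managed", "AWS rotates this key yearly; you cannot change that"
    if meta["KeySpec"] != "SYMMETRIC_DEFAULT":
        # Asymmetric (RSA_*, ECC_*) and HMAC_* keys are never auto-rotated.
        return "manual", "rotate by creating a new key and moving the alias to it"
    if meta["Origin"] != "AWS_KMS":
        # EXTERNAL (imported) or custom-key-store material is not auto-rotated.
        return "manual", "imported or custom-key-store material is never auto-rotated"
    if meta["KeyState"] != "Enabled":
        return "attention", f"key is {meta['KeyState']}; KMS does not rotate a key that is not enabled"
    if not meta["KeyRotationEnabled"]:
        return "enable", "eligible but rotation is off; call kms.enable_key_rotation(KeyId=...)"
    return "ok", "automatic rotation is on"


def audit(keys: List[Dict[str, object]]) -> Dict[str, str]:
    """Map every KeyId to its verdict."""
    return {str(k["KeyId"]): rotation_verdict(k)[0] for k in keys}


def keys_to_enable(keys: List[Dict[str, object]]) -> List[str]:
    """Keys where a single enable_key_rotation call closes the gap."""
    return [str(k["KeyId"]) for k in keys if rotation_verdict(k)[0] == "enable"]


if __name__ == "__main__":
    for k in SAMPLE_KEYS:
        verdict, reason = rotation_verdict(k)
        print(f"{k['KeyId']:<8} {verdict:<12} {reason}")
```

In a real account you would build the list by paging through kms.list_keys() and calling describe_key and get_key_rotation_status for each; the verdicts are what a compliance reviewer wants to see, because "rotation enabled" is only half the story when a key is asymmetric or imported.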

7. Cross-account key access

Sometimes resources in one account must use a key owned by another, like a shared encrypted S3 bucket. KMS handles this through the key policy, the document attached to the key that says who may use it. You add a statement naming the principal in the other account and the actions it may perform, ideally only the ones it needs, such as Encrypt, Decrypt and GenerateDataKey, never administrative actions like changing the policy or scheduling deletion. That statement alone isn't enough: the caller's own account must also attach an IAM policy allowing those KMS actions on the key, and cross-account callers refer to the key by its key ARN or alias ARN, since a bare alias name resolves only in the caller's own account. Key material is never exposed and never leaves KMS. This centralizes key management while letting trusted workloads elsewhere encrypt and decrypt. The key stays put; only permission to use it crosses the boundary.
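The two-sided rule is the part people get wrong, so here is an added example, not code from the lesson, that models it. The policies, ARNs and account IDs are constructed: account 111111111111 owns the key and a role in 222222222222 wants to use it. The evaluator handles only Allow statements with action and resource wildcards; real IAM also applies Deny statements, Conditions (such as kms:ViaService) and KMS grants, which are deliberately out of scope here.

```python
"""Two-sided authorization check for cross-account KMS use.

Added example, not from the lesson. All policies, ARNs and account IDs are
constructed. A cross-account KMS call succeeds only when BOTH the key policy
(owning account) and an IAM policy on the caller (consuming account) allow the
action. This mini-evaluator models Allow statements with action/resource
wildcards; it ignores Deny, Conditions and grants, which real IAM evaluates too.
"""
import fnmatch
import re
from typing import Dict, List, Optional, Set

KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/1234abcd-12ab-34cd-56ef-1234567890ab"
CALLER = "arn:aws:iam::222222222222:role/app-writer"

# Constructed key policy attached to the key in account 111111111111.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Owning account root: lets IAM policies in 111111111111 grant access
            "Sid": "EnableIAMUserPermissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {   # Use, not administer: no kms:PutKeyPolicy or kms:ScheduleKeyDeletion
            "Sid": "AllowUseFromConsumerRole",
            "Effect": "Allow",
            "Principal": {"AWS": CALLER},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
            "Resource": "*",
        },
    ],
}

# Constructed IAM policy attached to role app-writer in account 222222222222.
# It deliberately omits kms:Decrypt to show that the key policy alone is not enough.
CONSUMER_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kms:Encrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
        "Resource": KEY_ARN,  # cross-account use names the key ARN, not a bare alias
    }],
}


def _as_list(value) -> List:
    return value if isinstance(value, list) else [value]


def _account_of(principal: str) -> Optional[str]:
    """Account ID from an IAM ARN or a bare 12-digit account ID."""
    if re.fullmatch(r"\d{12}", principal):
        return principal
    m = re.match(r"arn:aws:iam::(\d{12}):", principal)
    return m.group(1) if m else None


def _matches(patterns, value: str) -> bool:
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _aws_principals(statement: Dict) -> List[str]:
    p = statement.get("Principal", {})
    return ["*"] if p == "*" else _as_list(p.get("AWS", []))


def _principal_covers(entry: str, caller_arn: str) -> bool:
    """True if the entry names the caller, the caller's account (root ARN or bare ID), or everyone."""
    if entry in ("*", caller_arn):
        return True
    acct = _account_of(entry)
    whole_account = entry.endswith(":root") or entry == acct
    return acct is not None and whole_account and acct == _account_of(caller_arn)


def key_policy_allows(key_policy: Dict, caller_arn: str, action: str) -> bool:
    for st in key_policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if any(_principal_covers(p, caller_arn) for p in _aws_principals(st)) and _matches(st["Action"], action):
            return True
    return False


def iam_policy_allows(iam_policy: Dict, key_arn: str, action: str) -> bool:
    for st in iam_policy["Statement"]:
        if st.get("Effect") == "Allow" and _matches(st["Action"], action) and _matches(st["Resource"], key_arn):
            return True
    return False


def cross_account_allowed(key_policy: Dict, iam_policy: Dict, caller_arn: str, key_arn: str, action: str) -> bool:
    """Both halves must agree; either one alone is not enough."""
    return key_policy_allows(key_policy, caller_arn, action) and iam_policy_allows(iam_policy, key_arn, action)


def external_principals(key_policy: Dict, owner_account: str) -> Dict[str, Set[str]]:
    """Audit helper: foreign accounts ("*" means everyone) granted in Allow statements, with their actions."""
    found: Dict[str, Set[str]] = {}
    for st in key_policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        for p in _aws_principals(st):
            acct = "*" if p == "*" else _account_of(p)
            if acct and acct != owner_account:
                found.setdefault(acct, set()).update(_as_list(st["Action"]))
    return found


if __name__ == "__main__":
    for action in ("kms:GenerateDataKey", "kms:Decrypt", "kms:ScheduleKeyDeletion"):
        print(action, cross_account_allowed(KEY_POLICY, CONSUMER_IAM_POLICY, CALLER, KEY_ARN, action))
    print(external_principals(KEY_POLICY, "111111111111"))
```

Running it shows GenerateDataKey allowed, Decrypt refused because the consumer's IAM policy never granted it, and ScheduleKeyDeletion refused because the key policy never offered it to the foreign role. The external_principals helper is the audit you run on every customer managed key: any account you don't recognize, or a "*" principal, is a finding.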

8. Putting encryption and certificates together

Here is how the pieces fit. A client connects over TLS, and an ACM certificate at the load balancer or API Gateway terminates encryption in transit at the edge. Note what termination means: from that hop inward the traffic is plaintext unless you configure the load balancer to re-encrypt to its targets, which is where Private CA certificates on the backends come in. Inside, a KMS key encrypts stored data at rest. ACM renews the certificate before it expires and KMS rotates the key on its schedule, yearly by default, both without code changes. The result is layered protection from the wire to the disk, with renewal and rotation handled by AWS, the baseline every deployed app should meet.

9. Let's practice!

Now it's your turn to encrypt and protect. Let's practice!
