Data classification, encryption, and AWS KMS

1. Data classification, encryption, and AWS KMS

Welcome back! In this video, you'll learn how to classify sensitive data like PII and PHI, understand the AWS shared responsibility model, and implement encryption at rest using AWS KMS and encryption in transit using Transport Layer Security (TLS). Let's get started.

2. The data breach that could have been prevented

In 2023, a healthcare company suffered a massive breach exposing 2 million patient records. They used DynamoDB's default encryption but didn't implement proper access controls or data classification. HIPAA: the US Health Insurance Portability and Accountability Act - imposed a $50 million fine for the violation. Encryption alone isn't enough - you need proper data classification, access controls, and monitoring. Let's learn how to protect sensitive data properly.

3. Understanding data classification

Data classification determines what security controls to apply. Public data needs minimal protection. Internal data requires access controls. Confidential data like customer information needs encryption. Restricted data like national ID numbers and medical records requires the strongest protection - encryption, strict access controls, and audit logging. Misclassifying data leads to breaches and regulatory fines.

4. PII: Personally Identifiable Information

PII or Personally Identifiable Information, comes in two types: Direct identifiers like names, national ID numbers, and email addresses directly identify someone. Indirect identifiers like birth dates and ZIP codes can identify someone when combined. GDPR, the European Union's General Data Protection Regulation, requires explicit consent to collect PII, gives users the right to delete their data, and mandates collecting only minimum necessary information.

5. PHI: Protected Health Information

PHI, or Protected Health Information, includes any health-related information that can identify a patient - diagnoses, treatments, prescriptions, lab results. It also includes health identifiers like medical record numbers and insurance IDs. HIPAA requires encrypting PHI at rest and in transit, implementing role-based access controls, and maintaining detailed audit logs of who accessed what data and when.

6. AWS Shared Responsibility Model

AWS handles security OF the cloud - physical datacenters, hardware, and infrastructure. You handle security IN the cloud - encrypting data, configuring IAM policies, and securing application code. Some controls are shared: AWS patches infrastructure, you patch your EC2 instances. Understanding this model is critical for exam success and real-world security.

7. Encryption at rest with AWS KMS

Encryption at rest protects stored data. If someone steals a hard drive, they can't read encrypted data. AWS KMS manages encryption keys centrally and rotates them automatically. DynamoDB and S3 are encrypted by default using AWS managed keys. For additional control, you can use customer managed KMS keys when creating resources. RDS and EBS also support encryption - select it during creation.

8. Encryption in transit with TLS

Encryption in transit protects data moving between services or to users. TLS (Transport Layer Security) and HTTPS (Hypertext Transfer Protocol Secure) encrypt network traffic so attackers can't intercept it. AWS enables this by default for most services. AWS Certificate Manager provisions and manages SSL/TLS certificates automatically: no manual renewal needed. Always use HTTPS endpoints for API calls and database connections.

9. Encrypting Lambda environment variables

Lambda environment variables store configuration like database endpoints and feature flags. For sensitive data like API keys, enable encryption at rest by selecting a KMS key. Encryption helpers add another layer - they encrypt values in transit from the console to Lambda using TLS. However, best practice is using Secrets Manager for credentials instead of environment variables.

10. Let's practice!

Now it's time to practice what you've learned. Complete the exercises to reinforce your understanding of data classification, encryption, and AWS KMS.

Create Your Free Account

By continuing, you accept our Terms of Use, our Privacy Policy and that your data is stored in the USA.