AWS Done Well

data encryption demystified

As described in AWS’s security blog, data encryption should be at the heart of your organization’s security plans. AWS provides various encryption techniques that let you protect your data both at rest and in transit.

In AWS, you will be using services like RDS (Relational Database Service), DynamoDB, Redshift, EFS, and S3 to persist data. You will also need SNS, SQS, and Kinesis to exchange messages. In addition, you will be exposing web sites, micro-services, and APIs over HTTPS. Protecting your data in AWS can be confusing and complicated. If not done correctly, it can leave your data exposed to hackers.

AWS’s Key Management Service (KMS) provides a way for organizations to create and manage keys to encrypt/decrypt data. KMS is based on a fleet of Hardware Security Modules (HSMs) that are managed by AWS for its clients. Clients that want to use their own hardware can use CloudHSM.


© 2024 AWS Done Well
