Secure Data at Rest and in Transit in AWS: Best Practices

Securing Data at Rest and in Transit in AWS


Question

Which of the following are ways to secure data at rest and in transit in AWS?

Choose 3 answers from the options given below.

Answers

A. Encrypt all EBS volumes attached to EC2 Instances

B. Use server-side encryption for S3

C. Use SSL/HTTPS when using the Elastic Load Balancer

D. Use IOPS volumes when working with EBS volumes on EC2 Instances

Answer - A, B and C.

Explanations

The AWS documentation mentions the following.

Amazon EBS encryption offers you a simple encryption solution for your EBS volumes without the need for you to build, maintain, and secure your own key management infrastructure.

When you create an encrypted EBS volume and attach it to a supported instance type, the following types of data are encrypted:

Data at rest inside the volume.

All data moving between the volume and the instance.

All snapshots created from the volume.

Data protection refers to protecting data while in transit (as it travels to and from Amazon S3) and at rest (while it is stored on disks in Amazon S3 data centers).

You can protect data in transit by using SSL or by using client-side encryption.

You have the following options for protecting data at rest in Amazon S3.

Use Server-Side Encryption - You request Amazon S3 to encrypt your object before saving it on disks in its data centers and decrypt it when you download the objects.

Use Client-Side Encryption - You can encrypt data client-side and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools.

You can create a load balancer that uses the SSL/TLS protocol for encrypted connections (also known as SSL offload). This feature enables traffic encryption between your load balancer and the clients that initiate HTTPS sessions, and for connections between your load balancer and your EC2 instances.

For more information on securing data at rest, please refer to the link below:

https://d0.awsstatic.com/whitepapers/aws-securing-data-at-rest-with-encryption.pdf

The three ways to secure data at rest and in transit in AWS are:

A. Encrypt all EBS volumes attached to EC2 Instances:

Encrypting all EBS volumes attached to EC2 instances provides an additional layer of security for data at rest. Amazon Elastic Block Store (EBS) provides the ability to encrypt EBS volumes at rest using AWS Key Management Service (KMS). Encryption can be enabled during the creation of the EBS volume or for an existing EBS volume. By encrypting the EBS volumes, the data on the EBS volume is protected from unauthorized access and can only be accessed by authorized users who have the necessary permissions.

B. Use server-side encryption for S3:

Amazon Simple Storage Service (S3) provides the ability to encrypt data at rest using server-side encryption. Server-side encryption helps protect data from unauthorized access by encrypting data at rest. When server-side encryption is used, Amazon S3 encrypts objects before saving them to disk and decrypts them when they are retrieved. S3 server-side encryption uses either Amazon S3-managed keys (SSE-S3) or customer-provided keys (SSE-C).

C. Use SSL/HTTPS when using the Elastic Load Balancer:

Elastic Load Balancer (ELB) provides a scalable and highly available load balancing solution that allows users to distribute incoming traffic across EC2 instances in multiple Availability Zones. To ensure that data is transmitted securely between the client and the ELB, SSL/HTTPS should be used. SSL/HTTPS provides encryption of data in transit, ensuring that sensitive data is not intercepted or tampered with during transmission.

D. Use IOPS volumes when working with EBS volumes on EC2 Instances:

IOPS (input/output operations per second) volumes are optimized for high-performance workloads, such as database workloads. IOPS volumes provide predictable performance and consistent low-latency I/O operations. Using IOPS volumes helps ensure that data is accessible quickly and efficiently, reducing the risk of data being compromised due to slow performance.

However, option D is not one of the correct answers for the question.
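The following audit script is an added example for this page; it is not code from the page, from the question bank, or from AWS. It turns the three correct options (A, B and C, as quoted from the AWS documentation above) into checks a defender can run over an account inventory: every EBS volume has its Encrypted flag set, every S3 bucket has a default server-side encryption rule, and every classic ELB listener encrypts both the client-facing hop and the back-end hop to the instances. The check functions take dictionaries shaped like the boto3 responses of `ec2.describe_volumes`, `s3.get_bucket_encryption` and `elb.describe_load_balancers`; the sample data at the bottom is constructed for the example (volume ids, key id, bucket and load balancer names are all placeholders) so the script runs offline.

```python
"""Offline audit of the three controls discussed on this page. The check
functions accept dictionaries shaped like the boto3 responses of
ec2.describe_volumes, s3.get_bucket_encryption and the classic
elb.describe_load_balancers; the sample data at the bottom is constructed."""

# Classic ELB listener protocols that encrypt the hop they describe.
ENCRYPTED_LISTENER_PROTOCOLS = {"HTTPS", "SSL"}


def unencrypted_volumes(describe_volumes_response):
    """Return the ids of EBS volumes whose Encrypted flag is false.

    Encryption is fixed when a volume is created, so the remediation for a
    finding is to snapshot the volume, copy the snapshot with encryption
    enabled and restore a new volume from the encrypted copy.
    """
    return [
        volume["VolumeId"]
        for volume in describe_volumes_response.get("Volumes", [])
        if not volume.get("Encrypted", False)
    ]


def bucket_default_encryption(get_bucket_encryption_response):
    """Return a bucket's default SSE algorithm ("AES256" for SSE-S3,
    "aws:kms" for SSE-KMS), or None when no default rule is configured.

    With a live client, get_bucket_encryption raises a ClientError with code
    ServerSideEncryptionConfigurationNotFoundError when no default is set;
    the caller catches that and passes None here.
    """
    if get_bucket_encryption_response is None:
        return None
    config = get_bucket_encryption_response.get("ServerSideEncryptionConfiguration", {})
    for rule in config.get("Rules", []):
        default = rule.get("ApplyServerSideEncryptionByDefault") or {}
        if default.get("SSEAlgorithm"):
            return default["SSEAlgorithm"]
    return None


def plaintext_listeners(describe_load_balancers_response):
    """Return (load balancer name, port, side) for every classic ELB listener
    hop that is not encrypted: "client" for the front-end Protocol, "backend"
    for the InstanceProtocol towards the EC2 instances. SSL offload alone
    leaves the back-end hop in plaintext, which this check makes visible.
    """
    findings = []
    for lb in describe_load_balancers_response.get("LoadBalancerDescriptions", []):
        name = lb["LoadBalancerName"]
        for description in lb.get("ListenerDescriptions", []):
            listener = description["Listener"]
            if listener.get("Protocol", "").upper() not in ENCRYPTED_LISTENER_PROTOCOLS:
                findings.append((name, listener["LoadBalancerPort"], "client"))
            if listener.get("InstanceProtocol", "").upper() not in ENCRYPTED_LISTENER_PROTOCOLS:
                findings.append((name, listener["InstancePort"], "backend"))
    return findings


def audit(volumes_response, bucket_encryption_by_name, load_balancers_response):
    """Combine the three checks into one findings dictionary."""
    return {
        "unencrypted_ebs_volumes": unencrypted_volumes(volumes_response),
        "s3_buckets_without_default_sse": sorted(
            name for name, response in bucket_encryption_by_name.items()
            if bucket_default_encryption(response) is None
        ),
        "elb_plaintext_listeners": plaintext_listeners(load_balancers_response),
    }


# Constructed sample data (placeholder ids and names, not real resources).
SAMPLE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0123456789abcdef0", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID"},
    {"VolumeId": "vol-0123456789abcdef1", "Encrypted": False},
]}

SAMPLE_BUCKETS = {
    "logs-bucket-example": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                "KMSMasterKeyID": "EXAMPLE-KEY-ID"}}]}},
    "uploads-bucket-example": None,  # get_bucket_encryption reported no configuration
}

SAMPLE_LOAD_BALANCERS = {"LoadBalancerDescriptions": [
    {"LoadBalancerName": "web-example", "ListenerDescriptions": [
        {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                      "InstanceProtocol": "HTTPS", "InstancePort": 443}},
        {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                      "InstanceProtocol": "HTTP", "InstancePort": 80}}]},
    {"LoadBalancerName": "api-example", "ListenerDescriptions": [
        {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                      "InstanceProtocol": "HTTP", "InstancePort": 8080}}]},
]}

if __name__ == "__main__":
    for check, findings in audit(SAMPLE_VOLUMES, SAMPLE_BUCKETS, SAMPLE_LOAD_BALANCERS).items():
        print(f"{check}: {findings or 'none'}")
```

Against the sample data the script reports one unencrypted volume, one bucket with no default encryption, and three plaintext listener hops, including the back-end HTTP hop of `api-example`, which a check that only looks at the client-facing port would miss. To run it against a real account, feed `audit` the live responses of the three boto3 calls, wrapping `get_bucket_encryption` in a `try`/`except ClientError` that maps the not-found error to `None`.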