AWS Encryption Explained: At Rest, In Transit, KMS, S3, EBS & RDS
AWS encryption protects your data in two ways: at rest (stored on disk) and in transit (moving over networks). Some AWS services encrypt automatically, others require you to opt in, and the level of control you get over encryption keys varies by service.
This page walks through how encryption works across AWS, what the different key ownership models mean, and how to choose the right encryption option for services like S3, EBS, and RDS. You will also learn what is automatic versus what needs explicit configuration, and how to verify that encryption is actually enabled.
Simple explanation
Think of encryption at rest like a locked safe. Your files sit inside and nobody can read them without the combination. Encryption in transit is like an armored truck. While the data is moving between two places, no one can reach in and grab it. AWS gives you both the safe and the truck, but for some services you have to ask for them.
Encryption at rest means data stored on disk is scrambled so that it cannot be read without the correct key. Even if someone gains physical access to the storage hardware, encrypted data is useless to them.
Encryption in transit means data moving over a network (between your browser and AWS, between two AWS services, or between an application and a database) is protected using protocols like TLS. Anyone intercepting the traffic sees meaningless data.
AWS offers multiple layers of encryption depending on the service and how you configure it. Some services encrypt everything by default. Others need you to turn encryption on. Some let you bring your own keys for tighter control and audit logging.
Encryption is one layer of defense, not a replacement for other controls. It does not replace IAM policies, network security, or secrets management. A user with the right IAM permissions can still read encrypted data because AWS decrypts it transparently on their behalf.
Why encryption matters in AWS
Encryption is a foundational control in every major compliance framework. SOC 2, PCI-DSS, HIPAA, GDPR, and FedRAMP all require encryption of sensitive data at rest and in transit. Even without compliance requirements, encryption limits the damage from storage-level breaches. If an attacker accesses raw EBS volume data or S3 storage, encrypted data is useless without the keys.
AWS makes encryption straightforward for most services, but misconfiguration is common. Knowing which services require explicit opt-in, and what the default behavior actually is, helps you build a security posture you can verify and defend.
Under the shared responsibility model, AWS encrypts data in transit between its own infrastructure components (hypervisor to storage, inter-region replication traffic). But you are responsible for enabling encryption on services like EBS and RDS, enforcing HTTPS where needed, and choosing appropriate key management strategies.
How AWS encryption works
Most AWS encryption uses AWS Key Management Service (KMS) and a technique called envelope encryption. A data encryption key (DEK) encrypts your actual data. A KMS key encrypts the DEK. Only the encrypted DEK is stored alongside your data. To decrypt, AWS calls KMS to unwrap the DEK, then uses it to decrypt the data.
Envelope encryption works like a lockbox inside a safe. Your data goes in the lockbox (encrypted by the DEK). The lockbox key goes in the safe (encrypted by the KMS key). To read the data, you first open the safe to get the lockbox key, then use that key to open the lockbox. Even if someone steals the lockbox, they cannot open it without the safe.
The critical difference between encryption options comes down to who owns and controls the key. AWS offers three key types, each with different levels of customer control.
Key ownership models
AWS-owned keys are created, managed, and rotated entirely by AWS. You cannot view, manage, or audit them. Multiple AWS customers may share the same underlying key. This is what S3 uses for default SSE-S3 encryption and what DynamoDB uses by default.
AWS-managed KMS keys are KMS keys that AWS creates in your account on your behalf (e.g., aws/s3, aws/ebs). You can view them in the KMS console and see usage in CloudTrail, but you cannot change their key policy, disable them, or control rotation beyond the automatic yearly rotation AWS performs.
Customer managed KMS keys (CMKs) are keys you create and fully control. You set the key policy, decide who can use the key, configure rotation schedules, and can disable or delete the key. CloudTrail logs every use. This is the option that gives you the most control and auditability.
”Encrypted by default” does not mean “auditable and controlled.” S3 encrypts every object by default, but with an AWS-owned key you have zero visibility into key usage and no ability to restrict decryption beyond standard IAM permissions. Switching to a customer managed key gives you audit trails and key-level access control.
Key type comparison
| Key type | Who manages it | Customer control | Best use case |
|---|---|---|---|
| AWS-owned key | AWS (fully) | None. Cannot view, audit, or manage | Low-sensitivity data, default encryption where no audit trail is needed |
| AWS-managed KMS key | AWS (in your account) | Limited. Can view and see CloudTrail logs, cannot change key policy | Standard workloads needing basic key visibility |
| Customer managed KMS key | You | Full. Key policy, rotation, disable, delete, cross-account access | Sensitive data, compliance, audit requirements, cross-account sharing |
Encryption at rest
Encryption at rest protects data stored on physical media. Most AWS services that support at-rest encryption use KMS and envelope encryption under the hood.
S3 encryption options
S3 supports multiple server-side encryption (SSE) modes:
- SSE-S3 uses an AWS-owned key that AWS manages entirely. You have no visibility or control over the key. This is the default for all S3 objects since January 2023.
- SSE-KMS uses a KMS key (the AWS-managed
aws/s3key or your own CMK). You get CloudTrail logging of every encrypt and decrypt call and can control key access via key policies. - SSE-C lets you provide your own encryption key with every request. AWS never stores the key. You manage key storage and rotation entirely outside AWS.
- DSSE-KMS applies two independent layers of server-side encryption using KMS keys. Each layer uses a separate data encryption key derived from the KMS key. Required by specific compliance frameworks such as CNSSP-15 and recommended for certain FedRAMP High workloads.
For most workloads handling sensitive data, SSE-KMS with a customer managed key is the right choice. It gives you encryption with audit logging and key-level access control.
EBS encryption
EBS volumes are not encrypted by default. You must either encrypt each volume at creation time or enable the account-level default:
# Enable EBS encryption by default for the account in a region
aws ec2 enable-ebs-encryption-by-default --region us-east-1
# Verify the setting
aws ec2 get-ebs-encryption-by-default --region us-east-1Once enabled, all new EBS volumes created in that region are encrypted automatically. Existing unencrypted volumes are not affected. You must create a snapshot, copy it with encryption enabled, and create a new volume from the encrypted snapshot.
RDS encryption
RDS encryption at rest must be enabled when you create the database instance. It cannot be turned on later.
If you need to encrypt an existing unencrypted RDS instance, you must take a snapshot, copy the snapshot with encryption enabled, and restore a new instance from the encrypted snapshot. This means downtime and a new endpoint. Plan encryption from day one.
Encryption in transit
Encryption in transit protects data as it moves between clients and services, between services, and between AWS regions. AWS uses TLS (Transport Layer Security) as the standard protocol.
AWS API endpoints
All AWS service API endpoints require HTTPS with TLS 1.2 or higher. When you make an API call using the CLI, SDK, or console, the traffic is encrypted. AWS does not offer unencrypted HTTP endpoints for service APIs.
S3 HTTPS enforcement
While S3 API calls always use HTTPS, bucket policies can allow or deny based on the transport protocol. To enforce HTTPS for all access to a bucket, apply this bucket policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyHTTP",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
],
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
}
]
}Application Load Balancer TLS
For web applications, terminate TLS at the ALB and use AWS Certificate Manager (ACM) for certificate management:
- ACM certificates are free for use with ALB and CloudFront.
- ACM auto-renews certificates, so no manual renewal is needed.
- Configure the ALB listener to redirect HTTP to HTTPS.
- For end-to-end encryption, configure HTTPS between the ALB and your backend instances as well.
RDS encryption in transit
RDS supports TLS for client connections, but enforcement depends on the database engine:
- MySQL / MariaDB: set the
require_secure_transportparameter toONin the parameter group. - PostgreSQL: set
rds.force_sslto1in the parameter group. - SQL Server: set
rds.force_sslto1. You can also enforce encryption at the application connection string level. - Oracle: configure the
SSLoption in the option group and use the Oracle native network encryption settings. - Aurora MySQL / Aurora PostgreSQL: follows the same parameter approach as the underlying engine.
By default, most RDS engines support TLS but do not require it. Clients can connect without encryption unless you explicitly enforce it through parameter or option groups.
AWS encrypts traffic between its own infrastructure components, such as between EC2 instances on Nitro-based hardware within the same VPC, and between data centers during cross-region replication. However, not all service-to-service or instance-to-instance traffic is automatically encrypted in every scenario. If your workload needs guaranteed in-transit encryption, configure TLS explicitly rather than assuming it happens automatically.
AWS encryption options compared
This comparison focuses on S3 server-side encryption options, which are the most common encryption decision teams face.
| Option | Key controller | Auditability | Cost / operational impact | When to use | When not to use |
|---|---|---|---|---|---|
| SSE-S3 | AWS (AWS-owned key) | None. No CloudTrail logging of key usage | Free, zero configuration | Low-sensitivity data, internal logs, non-regulated workloads | Anything needing audit trails or key-level access control |
| SSE-KMS (AWS-managed key) | AWS (in your account) | CloudTrail logs every encrypt/decrypt call | KMS API costs ($0.03 per 10K requests), no key management overhead | Standard workloads needing basic audit logging without key management | Workloads needing custom key policies or cross-account key sharing |
| SSE-KMS (customer managed key) | You | Full CloudTrail logging plus custom key policies | $1/month per key + KMS API costs, requires key policy management | Sensitive data, compliance requirements, cross-account access, fine-grained control | Simple internal buckets where audit trails are not required |
| DSSE-KMS | You (via KMS) | Full CloudTrail logging | Higher KMS API costs (two encryption layers), same key management overhead as SSE-KMS | Workloads under CNSSP-15 or specific FedRAMP High requirements mandating dual-layer encryption | Most workloads. Adds cost and complexity without benefit unless mandated by compliance |
| SSE-C | You (entirely outside AWS) | None from AWS. You track key usage yourself | Free from AWS, but you manage key storage, rotation, and availability | Scenarios where keys must never be stored in AWS (regulatory or policy requirement) | Most workloads. High operational burden with no AWS-side audit trail |
Not sure which option to pick? Start with SSE-KMS using the AWS-managed aws/s3 key. You get audit logging with zero key management. If you later need key policies, cross-account access, or custom rotation, upgrade to a customer managed key.
When to use each option
Basic internal bucket with low sensitivity
Use SSE-S3 (the default). No configuration needed. Suitable for application logs, build artifacts, and non-sensitive internal data where you do not need to track who decrypted what.
Sensitive production data needing audit trails
Use SSE-KMS with a customer managed key. This gives you CloudTrail logging of every key usage, the ability to restrict decryption through key policies, and a clear ownership boundary. This is the right default for PII, financial records, and health data.
Strict compliance requirements (CNSSP-15, FedRAMP High)
Use DSSE-KMS if your compliance framework explicitly requires dual-layer encryption. Otherwise, SSE-KMS with a customer managed key is sufficient for most regulated workloads including HIPAA, PCI-DSS, and SOC 2.
EBS volumes for workloads that should never launch unencrypted
Enable EBS encryption by default at the account level. This ensures every new volume in the region is encrypted without relying on individual developers to remember. For sensitive workloads, specify a customer managed key instead of the default aws/ebs key.
RDS databases where encryption must be planned at creation
Always enable encryption when creating an RDS instance. There is no way to encrypt an existing unencrypted database in place. If your organization runs both dev and production databases, enforce encryption even in dev environments to avoid the risk of promoting an unencrypted database to production.
RDS encryption is like pouring a building’s foundation. You decide whether to reinforce it before the concrete sets. Once the building is up, you cannot go back and pour a new foundation underneath it. You would have to demolish and rebuild. That is exactly what the snapshot-copy-restore process feels like in production.
Service-by-service quick reference
| Service | Encrypted by default? | Can choose key type? | Needs opt-in? | Important gotcha |
|---|---|---|---|---|
| Amazon S3 | Yes (SSE-S3 since Jan 2023) | Yes: SSE-S3, SSE-KMS, SSE-C, DSSE-KMS | No (default encryption active) | Default SSE-S3 uses AWS-owned keys with no audit trail. Upgrade to SSE-KMS for sensitive data |
| Amazon EBS | No | Yes: AWS-managed or CMK | Yes, per volume or via account default | Existing unencrypted volumes cannot be encrypted in place; must snapshot and copy |
| Amazon RDS | No | Yes: AWS-managed or CMK | Yes, at instance creation only | Cannot enable encryption after creation; must snapshot, copy encrypted, and restore |
| Amazon DynamoDB | Yes (always) | Yes: AWS-owned (free) or CMK | No | Switching to a CMK incurs KMS costs; AWS-owned key encryption has no per-request charge |
| Amazon EFS | No | Yes: AWS-managed or CMK | Yes, at file system creation | Like RDS, encryption must be enabled at creation time and cannot be added later |
| Amazon SQS | No | Yes: AWS-managed or CMK | Yes, per queue | Enabling SSE-KMS adds latency from KMS API calls; consider throughput impact for high-volume queues |
| Amazon SNS | No | Yes: AWS-managed or CMK | Yes, per topic | Encrypted topics require subscribers to have KMS decrypt permissions |
| AWS Secrets Manager | Yes (always) | Yes: AWS-managed or CMK | No | Default uses the aws/secretsmanager key; use a CMK if you need cross-account access to secrets |
| SSM Parameter Store | SecureString parameters only | Yes: AWS-managed or CMK | Yes, must use SecureString type | Standard String and StringList parameters are not encrypted; only SecureString uses KMS |
How to verify encryption is enabled
Use AWS Config rules
AWS Config provides managed rules that continuously evaluate your resources against encryption requirements:
# Check if all EBS volumes are encrypted
aws configservice get-compliance-details-by-config-rule \
--config-rule-name encrypted-volumes
# Check if RDS instances have storage encryption
aws configservice get-compliance-details-by-config-rule \
--config-rule-name rds-storage-encrypted
# Check if S3 buckets enforce HTTPS
aws configservice get-compliance-details-by-config-rule \
--config-rule-name s3-bucket-ssl-requests-onlyUse Security Hub
AWS Security Hub includes the Foundational Security Best Practices standard, which runs automated checks for encryption configuration across services. Enabling Security Hub is the fastest way to get a comprehensive view of encryption gaps across your entire account.
Verification checklist
- S3: confirm bucket default encryption is set to SSE-KMS for sensitive buckets. Verify the
aws:SecureTransportdeny policy is applied. - EBS: confirm account-level EBS encryption by default is enabled in every region you use. Check for any existing unencrypted volumes.
- RDS: confirm
StorageEncryptedistruefor every instance. Check parameter groups for TLS enforcement settings. - General: review AWS Config compliance dashboard for any non-compliant encryption rules. Check Security Hub findings filtered to encryption-related controls.
Common mistakes
- Assuming default encryption is enough for sensitive data. S3 default encryption (SSE-S3) uses AWS-owned keys with no audit trail and no key-level access control. Anyone with the right IAM permissions can decrypt. For sensitive data, upgrade to SSE-KMS with a customer managed key.
- Forgetting that EBS and RDS encryption must be set at creation time. Neither service lets you flip a switch to encrypt an existing resource. If you discover an unencrypted RDS database in production, the fix involves downtime: snapshot, copy with encryption, restore. Enable account-level EBS encryption defaults and enforce RDS encryption via policies from the start.
- Not enforcing HTTPS/TLS where needed. S3 API calls use HTTPS, but bucket policies can still allow HTTP access. RDS supports TLS but most engines do not require it by default. Explicitly enforce TLS through bucket policies and database parameter groups.
- Confusing encryption with access control. Encryption protects data if storage is physically compromised. It does not prevent an IAM user with
s3:GetObjectpermission from reading S3 objects because AWS decrypts transparently for authorized users. You need both encryption and proper IAM policies to protect data. - Using one KMS key for everything. If a single customer managed key is compromised, accidentally disabled, or deleted, every resource encrypted with that key is affected. Separate keys by data sensitivity, workload, or team to limit the blast radius of a key incident.
- Ignoring cross-account key access planning. If workloads in different AWS accounts need to share encrypted data, the KMS key policy must explicitly grant cross-account access. This is only possible with customer managed keys. AWS-managed keys cannot be shared across accounts.
Summary
- Encryption at rest protects stored data. Encryption in transit protects data moving over networks. You need both.
- S3, DynamoDB, and Secrets Manager encrypt by default. EBS and RDS require explicit opt-in at creation time.
- ”Encrypted by default” does not mean “auditable and controlled.” SSE-S3 uses AWS-owned keys with no CloudTrail logging.
- Use SSE-KMS with a customer managed key for sensitive data that needs audit trails and key-level access control.
- Enable EBS encryption by default at the account level. Always enable RDS encryption at instance creation.
- Enforce HTTPS on S3 buckets with the
aws:SecureTransportcondition and enforce TLS on RDS through engine-specific parameter groups. - Use AWS Config rules and Security Hub to continuously verify encryption configuration across your account.
Frequently asked questions
Is data in AWS encrypted by default?
It depends on the service. S3 encrypts all objects by default using SSE-S3 since January 2023. DynamoDB and Secrets Manager also encrypt by default. EBS volumes and RDS databases are not encrypted by default, so you must opt in at creation time. Each service has its own default behavior, so check the documentation for every service you use.
What is the difference between encryption at rest and in transit?
Encryption at rest protects data stored on disk, making it unreadable without the correct key. Encryption in transit protects data as it moves over a network using TLS or similar protocols. Both are needed. A file encrypted at rest but sent over an unencrypted connection can still be intercepted in transit.
When should I use SSE-KMS instead of SSE-S3?
Use SSE-KMS when you need audit logging of key usage via CloudTrail, fine-grained access control through key policies, or compliance requirements that demand customer-controlled keys. SSE-S3 is fine for low-sensitivity data where you do not need to track who decrypted what.
Does encryption stop IAM users from reading my data?
No. Encryption at rest protects against physical media theft or storage-level compromise. An IAM user with the right permissions (like s3:GetObject) can still read the data because AWS handles decryption transparently. You need both encryption and proper IAM policies to protect data fully.
Can I enable encryption on existing EBS volumes or RDS databases?
Not directly. For EBS, you must snapshot the unencrypted volume, copy the snapshot with encryption enabled, then create a new volume from the encrypted snapshot. For RDS, the process is similar: snapshot the database, copy it with encryption, and restore a new instance. Neither service supports enabling encryption in place after creation.