AWS Encryption Explained: At Rest, In Transit, KMS, S3, EBS & RDS

AWS encryption protects your data in two ways: at rest (stored on disk) and in transit (moving over networks). Some AWS services encrypt automatically, others require you to opt in, and the level of control you get over encryption keys varies by service.

This page walks through how encryption works across AWS, what the different key ownership models mean, and how to choose the right encryption option for services like S3, EBS, and RDS. You will also learn what is automatic versus what needs explicit configuration, and how to verify that encryption is actually enabled.

Simple explanation

Analogy

Think of encryption at rest like a locked safe. Your files sit inside and nobody can read them without the combination. Encryption in transit is like an armored truck. While the data is moving between two places, no one can reach in and grab it. AWS gives you both the safe and the truck, but for some services you have to ask for them.

Encryption at rest means data stored on disk is scrambled so that it cannot be read without the correct key. Even if someone gains physical access to the storage hardware, encrypted data is useless to them.

Encryption in transit means data moving over a network (between your browser and AWS, between two AWS services, or between an application and a database) is protected using protocols like TLS. Anyone intercepting the traffic sees meaningless data.

AWS offers multiple layers of encryption depending on the service and how you configure it. Some services encrypt everything by default. Others need you to turn encryption on. Some let you bring your own keys for tighter control and audit logging.

Note

Encryption is one layer of defense, not a replacement for other controls. It does not replace IAM policies, network security, or secrets management. A user with the right IAM permissions can still read encrypted data because AWS decrypts it transparently on their behalf.

Why encryption matters in AWS

Encryption is a foundational control in every major compliance framework. SOC 2, PCI-DSS, HIPAA, GDPR, and FedRAMP all require encryption of sensitive data at rest and in transit. Even without compliance requirements, encryption limits the damage from storage-level breaches. If an attacker accesses raw EBS volume data or S3 storage, encrypted data is useless without the keys.

AWS makes encryption straightforward for most services, but misconfiguration is common. Knowing which services require explicit opt-in, and what the default behavior actually is, helps you build a security posture you can verify and defend.

Under the shared responsibility model, AWS encrypts data in transit between its own infrastructure components (hypervisor to storage, inter-region replication traffic). But you are responsible for enabling encryption on services like EBS and RDS, enforcing HTTPS where needed, and choosing appropriate key management strategies.

How AWS encryption works

Most AWS encryption uses AWS Key Management Service (KMS) and a technique called envelope encryption. A data encryption key (DEK) encrypts your actual data. A KMS key encrypts the DEK. Only the encrypted DEK is stored alongside your data. To decrypt, AWS calls KMS to unwrap the DEK, then uses it to decrypt the data.

Analogy

Envelope encryption works like a lockbox inside a safe. Your data goes in the lockbox (encrypted by the DEK). The lockbox key goes in the safe (encrypted by the KMS key). To read the data, you first open the safe to get the lockbox key, then use that key to open the lockbox. Even if someone steals the lockbox, they cannot open it without the safe.

The critical difference between encryption options comes down to who owns and controls the key. AWS offers three key types, each with different levels of customer control.

Key ownership models

AWS-owned keys are created, managed, and rotated entirely by AWS. You cannot view, manage, or audit them. Multiple AWS customers may share the same underlying key. This is what S3 uses for default SSE-S3 encryption and what DynamoDB uses by default.

AWS-managed KMS keys are KMS keys that AWS creates in your account on your behalf (e.g., aws/s3, aws/ebs). You can view them in the KMS console and see usage in CloudTrail, but you cannot change their key policy, disable them, or control rotation beyond the automatic yearly rotation AWS performs.

Customer managed KMS keys (CMKs) are keys you create and fully control. You set the key policy, decide who can use the key, configure rotation schedules, and can disable or delete the key. CloudTrail logs every use. This is the option that gives you the most control and auditability.

Tip

”Encrypted by default” does not mean “auditable and controlled.” S3 encrypts every object by default, but with an AWS-owned key you have zero visibility into key usage and no ability to restrict decryption beyond standard IAM permissions. Switching to a customer managed key gives you audit trails and key-level access control.

Key type comparison

Key typeWho manages itCustomer controlBest use case
AWS-owned keyAWS (fully)None. Cannot view, audit, or manageLow-sensitivity data, default encryption where no audit trail is needed
AWS-managed KMS keyAWS (in your account)Limited. Can view and see CloudTrail logs, cannot change key policyStandard workloads needing basic key visibility
Customer managed KMS keyYouFull. Key policy, rotation, disable, delete, cross-account accessSensitive data, compliance, audit requirements, cross-account sharing

Encryption at rest

Encryption at rest protects data stored on physical media. Most AWS services that support at-rest encryption use KMS and envelope encryption under the hood.

S3 encryption options

S3 supports multiple server-side encryption (SSE) modes:

  • SSE-S3 uses an AWS-owned key that AWS manages entirely. You have no visibility or control over the key. This is the default for all S3 objects since January 2023.
  • SSE-KMS uses a KMS key (the AWS-managed aws/s3 key or your own CMK). You get CloudTrail logging of every encrypt and decrypt call and can control key access via key policies.
  • SSE-C lets you provide your own encryption key with every request. AWS never stores the key. You manage key storage and rotation entirely outside AWS.
  • DSSE-KMS applies two independent layers of server-side encryption using KMS keys. Each layer uses a separate data encryption key derived from the KMS key. Required by specific compliance frameworks such as CNSSP-15 and recommended for certain FedRAMP High workloads.

For most workloads handling sensitive data, SSE-KMS with a customer managed key is the right choice. It gives you encryption with audit logging and key-level access control.

EBS encryption

EBS volumes are not encrypted by default. You must either encrypt each volume at creation time or enable the account-level default:

# Enable EBS encryption by default for the account in a region
aws ec2 enable-ebs-encryption-by-default --region us-east-1

# Verify the setting
aws ec2 get-ebs-encryption-by-default --region us-east-1

Once enabled, all new EBS volumes created in that region are encrypted automatically. Existing unencrypted volumes are not affected. You must create a snapshot, copy it with encryption enabled, and create a new volume from the encrypted snapshot.

RDS encryption

RDS encryption at rest must be enabled when you create the database instance. It cannot be turned on later.

Warning

If you need to encrypt an existing unencrypted RDS instance, you must take a snapshot, copy the snapshot with encryption enabled, and restore a new instance from the encrypted snapshot. This means downtime and a new endpoint. Plan encryption from day one.

Encryption in transit

Encryption in transit protects data as it moves between clients and services, between services, and between AWS regions. AWS uses TLS (Transport Layer Security) as the standard protocol.

AWS API endpoints

All AWS service API endpoints require HTTPS with TLS 1.2 or higher. When you make an API call using the CLI, SDK, or console, the traffic is encrypted. AWS does not offer unencrypted HTTP endpoints for service APIs.

S3 HTTPS enforcement

While S3 API calls always use HTTPS, bucket policies can allow or deny based on the transport protocol. To enforce HTTPS for all access to a bucket, apply this bucket policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyHTTP",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}

Application Load Balancer TLS

For web applications, terminate TLS at the ALB and use AWS Certificate Manager (ACM) for certificate management:

  • ACM certificates are free for use with ALB and CloudFront.
  • ACM auto-renews certificates, so no manual renewal is needed.
  • Configure the ALB listener to redirect HTTP to HTTPS.
  • For end-to-end encryption, configure HTTPS between the ALB and your backend instances as well.

RDS encryption in transit

RDS supports TLS for client connections, but enforcement depends on the database engine:

  • MySQL / MariaDB: set the require_secure_transport parameter to ON in the parameter group.
  • PostgreSQL: set rds.force_ssl to 1 in the parameter group.
  • SQL Server: set rds.force_ssl to 1. You can also enforce encryption at the application connection string level.
  • Oracle: configure the SSL option in the option group and use the Oracle native network encryption settings.
  • Aurora MySQL / Aurora PostgreSQL: follows the same parameter approach as the underlying engine.

By default, most RDS engines support TLS but do not require it. Clients can connect without encryption unless you explicitly enforce it through parameter or option groups.

Note

AWS encrypts traffic between its own infrastructure components, such as between EC2 instances on Nitro-based hardware within the same VPC, and between data centers during cross-region replication. However, not all service-to-service or instance-to-instance traffic is automatically encrypted in every scenario. If your workload needs guaranteed in-transit encryption, configure TLS explicitly rather than assuming it happens automatically.

AWS encryption options compared

This comparison focuses on S3 server-side encryption options, which are the most common encryption decision teams face.

OptionKey controllerAuditabilityCost / operational impactWhen to useWhen not to use
SSE-S3AWS (AWS-owned key)None. No CloudTrail logging of key usageFree, zero configurationLow-sensitivity data, internal logs, non-regulated workloadsAnything needing audit trails or key-level access control
SSE-KMS (AWS-managed key)AWS (in your account)CloudTrail logs every encrypt/decrypt callKMS API costs ($0.03 per 10K requests), no key management overheadStandard workloads needing basic audit logging without key managementWorkloads needing custom key policies or cross-account key sharing
SSE-KMS (customer managed key)YouFull CloudTrail logging plus custom key policies$1/month per key + KMS API costs, requires key policy managementSensitive data, compliance requirements, cross-account access, fine-grained controlSimple internal buckets where audit trails are not required
DSSE-KMSYou (via KMS)Full CloudTrail loggingHigher KMS API costs (two encryption layers), same key management overhead as SSE-KMSWorkloads under CNSSP-15 or specific FedRAMP High requirements mandating dual-layer encryptionMost workloads. Adds cost and complexity without benefit unless mandated by compliance
SSE-CYou (entirely outside AWS)None from AWS. You track key usage yourselfFree from AWS, but you manage key storage, rotation, and availabilityScenarios where keys must never be stored in AWS (regulatory or policy requirement)Most workloads. High operational burden with no AWS-side audit trail
Tip

Not sure which option to pick? Start with SSE-KMS using the AWS-managed aws/s3 key. You get audit logging with zero key management. If you later need key policies, cross-account access, or custom rotation, upgrade to a customer managed key.

When to use each option

Basic internal bucket with low sensitivity

Use SSE-S3 (the default). No configuration needed. Suitable for application logs, build artifacts, and non-sensitive internal data where you do not need to track who decrypted what.

Sensitive production data needing audit trails

Use SSE-KMS with a customer managed key. This gives you CloudTrail logging of every key usage, the ability to restrict decryption through key policies, and a clear ownership boundary. This is the right default for PII, financial records, and health data.

Strict compliance requirements (CNSSP-15, FedRAMP High)

Use DSSE-KMS if your compliance framework explicitly requires dual-layer encryption. Otherwise, SSE-KMS with a customer managed key is sufficient for most regulated workloads including HIPAA, PCI-DSS, and SOC 2.

EBS volumes for workloads that should never launch unencrypted

Enable EBS encryption by default at the account level. This ensures every new volume in the region is encrypted without relying on individual developers to remember. For sensitive workloads, specify a customer managed key instead of the default aws/ebs key.

RDS databases where encryption must be planned at creation

Always enable encryption when creating an RDS instance. There is no way to encrypt an existing unencrypted database in place. If your organization runs both dev and production databases, enforce encryption even in dev environments to avoid the risk of promoting an unencrypted database to production.

Analogy

RDS encryption is like pouring a building’s foundation. You decide whether to reinforce it before the concrete sets. Once the building is up, you cannot go back and pour a new foundation underneath it. You would have to demolish and rebuild. That is exactly what the snapshot-copy-restore process feels like in production.

Service-by-service quick reference

ServiceEncrypted by default?Can choose key type?Needs opt-in?Important gotcha
Amazon S3Yes (SSE-S3 since Jan 2023)Yes: SSE-S3, SSE-KMS, SSE-C, DSSE-KMSNo (default encryption active)Default SSE-S3 uses AWS-owned keys with no audit trail. Upgrade to SSE-KMS for sensitive data
Amazon EBSNoYes: AWS-managed or CMKYes, per volume or via account defaultExisting unencrypted volumes cannot be encrypted in place; must snapshot and copy
Amazon RDSNoYes: AWS-managed or CMKYes, at instance creation onlyCannot enable encryption after creation; must snapshot, copy encrypted, and restore
Amazon DynamoDBYes (always)Yes: AWS-owned (free) or CMKNoSwitching to a CMK incurs KMS costs; AWS-owned key encryption has no per-request charge
Amazon EFSNoYes: AWS-managed or CMKYes, at file system creationLike RDS, encryption must be enabled at creation time and cannot be added later
Amazon SQSNoYes: AWS-managed or CMKYes, per queueEnabling SSE-KMS adds latency from KMS API calls; consider throughput impact for high-volume queues
Amazon SNSNoYes: AWS-managed or CMKYes, per topicEncrypted topics require subscribers to have KMS decrypt permissions
AWS Secrets ManagerYes (always)Yes: AWS-managed or CMKNoDefault uses the aws/secretsmanager key; use a CMK if you need cross-account access to secrets
SSM Parameter StoreSecureString parameters onlyYes: AWS-managed or CMKYes, must use SecureString typeStandard String and StringList parameters are not encrypted; only SecureString uses KMS

How to verify encryption is enabled

Use AWS Config rules

AWS Config provides managed rules that continuously evaluate your resources against encryption requirements:

# Check if all EBS volumes are encrypted
aws configservice get-compliance-details-by-config-rule \
  --config-rule-name encrypted-volumes

# Check if RDS instances have storage encryption
aws configservice get-compliance-details-by-config-rule \
  --config-rule-name rds-storage-encrypted

# Check if S3 buckets enforce HTTPS
aws configservice get-compliance-details-by-config-rule \
  --config-rule-name s3-bucket-ssl-requests-only

Use Security Hub

AWS Security Hub includes the Foundational Security Best Practices standard, which runs automated checks for encryption configuration across services. Enabling Security Hub is the fastest way to get a comprehensive view of encryption gaps across your entire account.

Verification checklist

  • S3: confirm bucket default encryption is set to SSE-KMS for sensitive buckets. Verify the aws:SecureTransport deny policy is applied.
  • EBS: confirm account-level EBS encryption by default is enabled in every region you use. Check for any existing unencrypted volumes.
  • RDS: confirm StorageEncrypted is true for every instance. Check parameter groups for TLS enforcement settings.
  • General: review AWS Config compliance dashboard for any non-compliant encryption rules. Check Security Hub findings filtered to encryption-related controls.

Common mistakes

  1. Assuming default encryption is enough for sensitive data. S3 default encryption (SSE-S3) uses AWS-owned keys with no audit trail and no key-level access control. Anyone with the right IAM permissions can decrypt. For sensitive data, upgrade to SSE-KMS with a customer managed key.
  2. Forgetting that EBS and RDS encryption must be set at creation time. Neither service lets you flip a switch to encrypt an existing resource. If you discover an unencrypted RDS database in production, the fix involves downtime: snapshot, copy with encryption, restore. Enable account-level EBS encryption defaults and enforce RDS encryption via policies from the start.
  3. Not enforcing HTTPS/TLS where needed. S3 API calls use HTTPS, but bucket policies can still allow HTTP access. RDS supports TLS but most engines do not require it by default. Explicitly enforce TLS through bucket policies and database parameter groups.
  4. Confusing encryption with access control. Encryption protects data if storage is physically compromised. It does not prevent an IAM user with s3:GetObject permission from reading S3 objects because AWS decrypts transparently for authorized users. You need both encryption and proper IAM policies to protect data.
  5. Using one KMS key for everything. If a single customer managed key is compromised, accidentally disabled, or deleted, every resource encrypted with that key is affected. Separate keys by data sensitivity, workload, or team to limit the blast radius of a key incident.
  6. Ignoring cross-account key access planning. If workloads in different AWS accounts need to share encrypted data, the KMS key policy must explicitly grant cross-account access. This is only possible with customer managed keys. AWS-managed keys cannot be shared across accounts.

Frequently asked questions

Is data in AWS encrypted by default?

It depends on the service. S3 encrypts all objects by default using SSE-S3 since January 2023. DynamoDB and Secrets Manager also encrypt by default. EBS volumes and RDS databases are not encrypted by default, so you must opt in at creation time. Each service has its own default behavior, so check the documentation for every service you use.

What is the difference between encryption at rest and in transit?

Encryption at rest protects data stored on disk, making it unreadable without the correct key. Encryption in transit protects data as it moves over a network using TLS or similar protocols. Both are needed. A file encrypted at rest but sent over an unencrypted connection can still be intercepted in transit.

When should I use SSE-KMS instead of SSE-S3?

Use SSE-KMS when you need audit logging of key usage via CloudTrail, fine-grained access control through key policies, or compliance requirements that demand customer-controlled keys. SSE-S3 is fine for low-sensitivity data where you do not need to track who decrypted what.

Does encryption stop IAM users from reading my data?

No. Encryption at rest protects against physical media theft or storage-level compromise. An IAM user with the right permissions (like s3:GetObject) can still read the data because AWS handles decryption transparently. You need both encryption and proper IAM policies to protect data fully.

Can I enable encryption on existing EBS volumes or RDS databases?

Not directly. For EBS, you must snapshot the unencrypted volume, copy the snapshot with encryption enabled, then create a new volume from the encrypted snapshot. For RDS, the process is similar: snapshot the database, copy it with encryption, and restore a new instance. Neither service supports enabling encryption in place after creation.

Last verified: 30 March 2026 Cloud services change frequently. Verify details against official documentation before making infrastructure decisions.