

Protect Your Data in Transit and at Rest

The first step in protecting your data is encrypting it.

Encryption is the process of converting data from plain text into a form that cannot be read without the key.

Encrypt sensitive data before it is processed or stored, so that it stays encrypted end to end instead of only on the network hop in front of your function.

Avoid sending or storing unencrypted sensitive data in an HTTP request path or query string. TLS protects the URL on the wire, but the path and query string are written in plain text to API Gateway access logs, browser history and any proxy on the route, so they are not a safe place for secrets.

If you use standard output to write logs, remember that everything your Lambda function prints is captured in CloudWatch Logs; printing the incoming event or a request body risks exposing unencrypted sensitive data.

Remember that you are in charge of the inputs and outputs of your function: what arrives in the URL, headers and body, and what leaves in responses and log lines.

To secure your Lambda functions, use IAM roles and permissions with the narrowest scope that still lets the function do its job.

Create smaller functions that each accomplish one specific task, and give each function its own execution role. Sharing a role means a compromised function can use permissions that belong to another one.

Use IAM roles, not long-lived access keys, to grant permissions between services.



W3schools.com collaborates with Amazon Web Services to deliver digital training content to our students.


Data Protection Best Practices

To encrypt the data, you can use AWS Key Management Service (KMS). KMS stores the keys and performs the encryption and decryption operations for you, so the key material never leaves the service.

Alongside that, you can rely on serverless data protection best practices:

  • Use AWS managed services to reduce the security work you have to do yourself
  • Think about security at every point of integration in your distributed system
  • Limit access to your Lambda functions and other AWS services using IAM permissions and roles
  • Create smaller Lambda functions that perform narrowly scoped activities
  • Don't share IAM roles between functions
  • Use environment variables or AWS Secrets Manager to deliver configuration to a Lambda function. Lambda encrypts environment variables at rest with a KMS key, but anyone allowed to read the function configuration can see their values, so keep real secrets such as database credentials in Secrets Manager and fetch them at run time.
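The KMS and Secrets Manager advice above, and the earlier point about giving each function its own narrowly scoped role, in working code. This is an added example, not code from the page or from AWS: FakeKMS and FakeSecretsManager are constructed stand-ins so it runs offline, and the key alias, secret name and ARNs are hypothetical. The two things it shows that the prose does not are the KMS encryption context (a ciphertext encrypted for one purpose cannot be decrypted under another, and an IAM condition can pin a role to that purpose) and caching a secret in module scope so a warm Lambda container does not call Secrets Manager on every invocation.

```python
"""Added example (not from the page): KMS Encrypt/Decrypt with an encryption context,
a least-privilege decrypt statement, and a Secrets Manager value cached across warm
invocations. FakeKMS and FakeSecretsManager are constructed stand-ins so this runs
offline; inside AWS, pass the boto3 clients from real_clients() instead."""
import base64
import json
import os
import time
from typing import Callable, Dict, Tuple

KMS_KEY_ID = os.environ.get("KMS_KEY_ID", "alias/orders-app")      # hypothetical alias
SECRET_ID = os.environ.get("SECRET_ID", "orders/db-credentials")   # hypothetical name
SECRET_TTL_SECONDS = 300

def encrypt_field(kms, plaintext: bytes, context: Dict[str, str]) -> str:
    """Encrypt one small value (KMS Encrypt takes at most 4 KiB; larger payloads use
    envelope encryption with GenerateDataKey). The context is stored in plain text and
    authenticated with the ciphertext, so it must describe the data, not contain it."""
    resp = kms.encrypt(KeyId=KMS_KEY_ID, Plaintext=plaintext, EncryptionContext=context)
    return base64.b64encode(resp["CiphertextBlob"]).decode("ascii")

def decrypt_field(kms, blob_b64: str, context: Dict[str, str]) -> bytes:
    """KMS refuses to decrypt unless exactly the same context is supplied."""
    resp = kms.decrypt(CiphertextBlob=base64.b64decode(blob_b64), EncryptionContext=context)
    return resp["Plaintext"]

def decrypt_only_statement(key_arn: str, context: Dict[str, str]) -> dict:
    """IAM statement for a function's own role: one action, one key, and a condition
    that pins the encryption context it is allowed to decrypt under."""
    return {
        "Effect": "Allow",
        "Action": "kms:Decrypt",
        "Resource": key_arn,
        "Condition": {"StringEquals": {f"kms:EncryptionContext:{k}": v for k, v in context.items()}},
    }

_secret_cache: Dict[str, Tuple[float, dict]] = {}   # module scope survives warm invocations

def get_secret(sm, secret_id: str = SECRET_ID, now: Callable[[], float] = time.time) -> dict:
    """Read a JSON secret from Secrets Manager, refreshing at most every SECRET_TTL_SECONDS."""
    cached = _secret_cache.get(secret_id)
    if cached and now() - cached[0] < SECRET_TTL_SECONDS:
        return cached[1]
    value = json.loads(sm.get_secret_value(SecretId=secret_id)["SecretString"])
    _secret_cache[secret_id] = (now(), value)
    return value

def real_clients():
    import boto3   # imported here so the offline demo has no AWS dependency
    return boto3.client("kms"), boto3.client("secretsmanager")

class FakeKMS:
    """Constructed test double, not an encryption implementation: returns an opaque
    token per plaintext and enforces the encryption-context match rule of the service."""
    def __init__(self):
        self._store = {}

    def encrypt(self, KeyId, Plaintext, EncryptionContext=None):
        token = os.urandom(16)
        self._store[token] = (Plaintext, dict(EncryptionContext or {}))
        return {"CiphertextBlob": token, "KeyId": KeyId}

    def decrypt(self, CiphertextBlob, EncryptionContext=None):
        plaintext, ctx = self._store[CiphertextBlob]
        if ctx != dict(EncryptionContext or {}):
            raise ValueError("InvalidCiphertextException")   # botocore raises ClientError
        return {"Plaintext": plaintext}

class FakeSecretsManager:
    """Constructed test double returning a made-up credential and counting API calls."""
    def __init__(self):
        self.calls = 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"SecretString": json.dumps({"username": "app", "password": "example-only"})}

def demo(kms=None, sm=None) -> dict:
    kms, sm = kms or FakeKMS(), sm or FakeSecretsManager()
    _secret_cache.clear()
    ctx = {"app": "orders", "field": "card_token"}
    blob = encrypt_field(kms, b"tok_4242", ctx)
    recovered = decrypt_field(kms, blob, ctx)
    try:   # same ciphertext, different purpose: the service must refuse
        decrypt_field(kms, blob, {"app": "billing", "field": "card_token"})
        wrong_context_rejected = False
    except Exception:   # ClientError(InvalidCiphertextException) with the real client
        wrong_context_rejected = True
    get_secret(sm)
    get_secret(sm)   # served from the cache: one API call, not two
    return {"recovered": recovered, "wrong_context_rejected": wrong_context_rejected,
            "secret_fetches": sm.calls}

if __name__ == "__main__":
    print(demo())
```

Run it as is for the offline demonstration, or replace the fakes with `real_clients()` inside a function whose execution role carries only the `decrypt_only_statement` for its key plus `secretsmanager:GetSecretValue` on its one secret. Note that the encryption context is not secret: it is visible in CloudTrail and in the ciphertext blob, so use purpose labels like an application or field name, never the data itself.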

Avoid sending or storing unencrypted sensitive data in an HTTP request path or query string, where it ends up in access logs and browser history.

Also, avoid writing unencrypted sensitive data to the Lambda function's standard output, since everything printed there is stored in CloudWatch Logs.
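The two rules just restated, and the same advice in the introduction, as a Lambda handler for an API Gateway event. This is an added example, not code from the page or from AWS; the field names, events and the `orders` logger are constructed. It refuses requests that carry sensitive fields in the query string (the value has already reached the access logs by then, so processing it would only spread it further) and redacts sensitive keys from headers and body before anything is logged to standard output.

```python
"""Added example (not from the page): keep sensitive values out of the request URL and
out of the log lines Lambda writes to standard output. Names and events are constructed."""
import json
import logging
from typing import Any, Dict, List

logger = logging.getLogger("orders")
logger.setLevel(logging.INFO)

# Constructed list of field names that must never appear in a URL or a log line.
SENSITIVE_KEYS = {"password", "token", "authorization", "ssn", "card_number", "api_key"}
MASK = "[REDACTED]"

def redact(value: Any) -> Any:
    """Return a copy of a JSON-like structure with sensitive values masked.
    Keys are matched case-insensitively; nested dicts and lists are walked."""
    if isinstance(value, dict):
        return {k: (MASK if k.lower() in SENSITIVE_KEYS else redact(v)) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value

def sensitive_query_params(event: Dict[str, Any]) -> List[str]:
    """Names of sensitive fields the client put in the query string."""
    params = event.get("queryStringParameters") or {}
    return sorted(k for k in params if k.lower() in SENSITIVE_KEYS)

def handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    leaked = sensitive_query_params(event)
    if leaked:
        # The value is already in API Gateway access logs, browser history and any proxy
        # on the route, so refuse the request. Log the field names only, never the values.
        logger.warning(json.dumps({"msg": "sensitive data in query string", "fields": leaked}))
        return {"statusCode": 400,
                "body": json.dumps({"error": "send these fields in the request body",
                                    "fields": leaked})}
    body = json.loads(event.get("body") or "{}")
    # Never log the raw event: it carries the Authorization header, cookies and the body.
    logger.info(json.dumps({"msg": "request received",
                            "path": event.get("rawPath") or event.get("path"),
                            "headers": redact(event.get("headers") or {}),
                            "body": redact(body)}))
    return {"statusCode": 200, "body": json.dumps({"accepted": sorted(body)})}

BAD_EVENT = {   # constructed: the client put a token in the URL
    "rawPath": "/orders",
    "queryStringParameters": {"customer": "c-1", "token": "tok_4242"},
    "headers": {},
    "body": None,
}
GOOD_EVENT = {   # constructed: secrets travel in the body and an Authorization header
    "rawPath": "/orders",
    "queryStringParameters": {"customer": "c-1"},
    "headers": {"authorization": "Bearer example-token", "content-type": "application/json"},
    "body": json.dumps({"customer": "c-1", "card_number": "4242424242424242", "amount": 12}),
}

if __name__ == "__main__":
    logging.basicConfig()
    print(handler(BAD_EVENT)["statusCode"], handler(GOOD_EVENT)["statusCode"])
```

Redaction by key name is a floor, not a ceiling: extend `SENSITIVE_KEYS` for your own data model, and prefer logging the keys you know you need over logging a redacted copy of everything, since a new sensitive field will otherwise leak until someone adds it to the list.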


Summary of data encryption options

The table below shows encryption-at-rest options for common AWS data stores.

Data store: Amazon S3
Encryption at rest: Server-side encryption, configured with one of:
1. Amazon S3 managed keys (SSE-S3), which is applied to all new objects by default
2. KMS keys (formerly called customer master keys, CMKs) stored in AWS Key Management Service (SSE-KMS)
3. Customer-provided keys (SSE-C)

Data store: Amazon DynamoDB
Encryption at rest: Always on, using keys stored in AWS KMS. When creating a table, you choose an AWS owned key, the AWS managed key for DynamoDB, or a customer managed key.

Data store: Amazon ElastiCache for Redis
Encryption at rest: Optional; when enabled it uses AWS KMS with either the default AWS key or a customer managed key.
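For the S3 row, an added example of enforcing the SSE-KMS option rather than merely offering it, together with TLS for data in transit, which is in this page's title but not in the table. It is not code from the page or from AWS; the bucket name, key ARN and `head_object` responses are constructed. It builds the bucket policy that denies non-TLS requests and uploads that do not ask for SSE-KMS with the expected key, and audits `head_object` results for existing objects, since a bucket policy only governs new uploads.

```python
"""Added example (not from the page): an S3 bucket policy that requires TLS in transit
and SSE-KMS with one specific key at rest, plus an audit of existing objects.
Bucket name, key ARN and sample responses are hypothetical."""
import json
from typing import Dict, List

BUCKET = "orders-archive-example"                                              # hypothetical
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"  # hypothetical

def encryption_enforcing_policy(bucket: str, kms_key_arn: str) -> dict:
    """Deny statements win over any Allow, so these hold regardless of who is calling."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    objects = f"{bucket_arn}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # In transit: refuse any request that did not arrive over TLS.
                "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
                "Action": "s3:*", "Resource": [bucket_arn, objects],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # At rest: uploads must request SSE-KMS. A missing header also fails a
                # StringNotEquals test, so unencrypted PutObject calls are denied too.
                "Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": objects,
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {   # ... and with this key, not the account's AWS managed aws/s3 key.
                "Sid": "DenyWrongKey", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": objects,
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}},
            },
        ],
    }

def noncompliant_objects(heads: Dict[str, dict], kms_key_arn: str) -> List[str]:
    """Given head_object responses keyed by object key, list the objects that are not
    encrypted with SSE-KMS under the expected key. Run this over a listing to check data
    that was written before the policy existed."""
    bad = [key for key, head in heads.items()
           if head.get("ServerSideEncryption") != "aws:kms"
           or head.get("SSEKMSKeyId") != kms_key_arn]
    return sorted(bad)

SAMPLE_HEADS = {   # constructed head_object responses, trimmed to the encryption fields
    "2024/orders.csv": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": KMS_KEY_ARN},
    "2024/legacy.csv": {"ServerSideEncryption": "AES256"},
    "2024/other-key.csv": {"ServerSideEncryption": "aws:kms",
                           "SSEKMSKeyId": "arn:aws:kms:us-east-1:111122223333:key/other"},
}

def apply_policy(bucket: str = BUCKET, kms_key_arn: str = KMS_KEY_ARN) -> None:
    """Push the policy with boto3; only callable inside AWS with s3:PutBucketPolicy."""
    import boto3   # imported here so the offline parts above have no AWS dependency
    boto3.client("s3").put_bucket_policy(
        Bucket=bucket, Policy=json.dumps(encryption_enforcing_policy(bucket, kms_key_arn)))

if __name__ == "__main__":
    print(json.dumps(encryption_enforcing_policy(BUCKET, KMS_KEY_ARN), indent=2))
    print("non-compliant:", noncompliant_objects(SAMPLE_HEADS, KMS_KEY_ARN))
```

One caveat when combining this with bucket default encryption: S3 evaluates the bucket policy before it applies the default encryption setting, so a client that omits the `x-amz-server-side-encryption` header and relies on the default is still denied by this policy. Every uploader must send the header, or you must drop the at-rest statements and rely on the default plus the audit function.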

Related reads:

Protecting Amazon SQS Data Using Server-Side Encryption (SSE) and AWS KMS
Amazon SNS Adds Server-Side Encryption (SSE)

Test Yourself With Exercises

Exercise:

Which AWS service can you use to encrypt data?

AWS ________ Service
