AWS Data Encryption with KMS
February 13, 2026
Tags: AWS, Encryption, Security
Encryption options for every service.
Data encryption is a foundational security control and a compliance requirement for virtually every standard (SOC 2, HIPAA, PCI-DSS, ISO 27001). AWS Key Management Service (KMS) provides centralized key management with seamless integration across 100+ AWS services.
KMS Key Types
| Key Type | Cost | Use Case |
|---|---|---|
| AWS Managed | Free | Default encryption, no key management needed |
| Customer Managed (CMK) | $1/month + API calls | Custom rotation, key policies, cross-account sharing |
| Custom Key Store (CloudHSM) | $1,500/month+ | FIPS 140-2 Level 3, regulatory requirements |
Creating a Customer Managed Key
```bash
aws kms create-key \
  --description "Production data encryption key" \
  --key-usage ENCRYPT_DECRYPT \
  --origin AWS_KMS \
  --tags TagKey=Environment,TagValue=Production

# Create an alias for easier reference
aws kms create-alias \
  --alias-name alias/prod-data \
  --target-key-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
```

Encryption by Service
S3
```bash
# Enable default encryption on the bucket
aws s3api put-bucket-encryption \
  --bucket my-bucket \
  --server-side-encryption-configuration '{
    "Rules": [{
      "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "alias/prod-data"
      },
      "BucketKeyEnabled": true
    }]
  }'
```

BucketKeyEnabled reduces KMS API calls (and costs) by 99% for S3 encryption: S3 requests one bucket-level key from KMS and derives per-object keys from it instead of calling KMS for every object.
RDS
```bash
aws rds create-db-instance \
  --db-instance-identifier prod-db \
  --storage-encrypted \
  --kms-key-id alias/prod-data \
  --engine postgres \
  --db-instance-class db.r6g.large \
  --allocated-storage 100 \
  --master-username dbadmin \
  --manage-master-user-password
# The last three parameters are required by create-db-instance; the values
# are samples. --manage-master-user-password stores the password in Secrets Manager.
```

EBS
```bash
# Enable default encryption for all new EBS volumes in the account
aws ec2 enable-ebs-encryption-by-default
aws ec2 modify-ebs-default-kms-key-id --kms-key-id alias/prod-data
```

Key Policy
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM policies",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use for encryption",
      "Effect": "Allow",
      "Principal": {"AWS": [
        "arn:aws:iam::123456789012:role/AppRole",
        "arn:aws:iam::123456789012:role/RDSRole"
      ]},
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow key administration",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/SecurityAdmin"},
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion"
      ],
      "Resource": "*"
    }
  ]
}
```

The first statement is what lets IAM policies in the account grant access to the key at all; without it, only the key policy itself can authorize use. The other two statements keep duties separate: the application roles can use the key for cryptographic operations but cannot change or delete it, and the SecurityAdmin role can manage the key but holds no Encrypt or Decrypt permission, so a compromised admin role cannot read the data the key protects.

Automatic Key Rotation
```bash
# Enable automatic rotation (rotates annually)
aws kms enable-key-rotation --key-id alias/prod-data
# Verify rotation is enabled
aws kms get-key-rotation-status --key-id alias/prod-data
```

Encryption Checklist
- S3: Default bucket encryption with KMS + Bucket Keys
- EBS: Account-level default encryption enabled
- RDS: Encryption enabled at creation (cannot be added later)
- DynamoDB: AWS managed key (free) or CMK
- ElastiCache: At-rest and in-transit encryption enabled
- SQS: Server-side encryption with CMK
- CloudWatch Logs: Log group encryption with CMK
- Secrets Manager: Encrypted by default with CMK option
Eazy SaaS Tip: We enable default EBS encryption and S3 bucket encryption (with Bucket Keys) as part of our account baseline setup. This ensures encryption is applied automatically to every new resource — developers don't need to remember to enable it.
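As an added example that is not part of the original post, the following Python script applies the two properties the key policy and S3 sections above rely on: a key policy must not grant unconditional access to any principal or kms:* to a workload role, and must keep key administration apart from data access; an S3 default-encryption rule must use SSE-KMS with a Bucket Key. It runs offline on policy and configuration documents; the account ID, role ARNs and WEAK_POLICY are constructed sample values.

```python
import fnmatch

ACCOUNT_ROOT = "arn:aws:iam::123456789012:root"  # constructed sample account
ADMIN_ACTIONS = {"kms:ScheduleKeyDeletion", "kms:PutKeyPolicy", "kms:DisableKey"}
DATA_ACTIONS = {"kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    principal = stmt.get("Principal", {})  # "*" or {"AWS": "*"} means anyone
    return ["*"] if principal == "*" else _as_list(principal.get("AWS", []))

def _grants(stmt, action):
    # True if any Action pattern in the statement (e.g. "kms:Put*") matches action.
    patterns = _as_list(stmt.get("Action", []))
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def audit_key_policy(policy):
    """Return findings for the Allow statements of a KMS key policy document."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        is_admin = any(_grants(stmt, a) for a in ADMIN_ACTIONS)
        is_user = any(_grants(stmt, a) for a in DATA_ACTIONS)
        for who in _principals(stmt):
            if who == "*" and "Condition" not in stmt:
                findings.append(f"{sid}: unconditional access for any principal")
            if who != ACCOUNT_ROOT and _grants(stmt, "kms:*"):
                findings.append(f"{sid}: kms:* granted to {who}")
            if who != ACCOUNT_ROOT and is_admin and is_user:
                findings.append(f"{sid}: {who} can both administer the key and use it")
    return findings

def audit_bucket_encryption(config):
    """Return findings for a put-bucket-encryption configuration document."""
    findings = []
    for rule in config.get("Rules", []):
        sse = rule.get("ApplyServerSideEncryptionByDefault", {})
        if sse.get("SSEAlgorithm") != "aws:kms":
            findings.append(f"default encryption is {sse.get('SSEAlgorithm')}, not aws:kms")
        if not rule.get("BucketKeyEnabled"):
            findings.append("BucketKeyEnabled is false; every object request calls KMS")
    return findings

# Constructed sample: a usage statement that grants kms:* to a workload role.
WEAK_POLICY = {"Statement": [{"Sid": "AppUse", "Effect": "Allow", "Action": "kms:*",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/AppRole"}, "Resource": "*"}]}
```

To check a real key, json.loads the Policy string returned by `aws kms get-key-policy --key-id alias/prod-data --policy-name default` and pass it to audit_key_policy; the output of `aws s3api get-bucket-encryption` has the ServerSideEncryptionConfiguration document audit_bucket_encryption expects.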