AWS Serverless Protect Your Data in Transit and at Rest
Protect Your Data in Transit and at Rest
The first step in protecting your data is by encrypting it.
The reason for that is URL parameters like request path and query strings are not always encrypted.
Encryption is the process of converting data from plain text to unreadable format.
If you use the standard output to write logs, you risk exposing unencrypted sensitive data.
Sensitive data should be encrypted before processing to maintain end-to-end encryption.
Also, avoid sending or storing unencrypted sensitive data in an HTTP request path/query string.
Remember that you are in charge of the inputs and outputs.
To secure your Lambda functions, use IAM permissions and roles with limited scope.
Create smaller functions that accomplish specific tasks and don't share IAM roles.
Use IAM roles to give permissions between services.
Protect Your Data in Transit and at Rest Video
W3schools.com collaborates with Amazon Web Services to deliver digital training content to our students.
Data Protection Best Practices
To encrypt the data, you can use AWS Key Management Service (KMS).
Alongside that, you can rely on serverless data protection best practices:
- Learn how to use AWS managed services to lessen your security load
- Think about security at every point of integration in your distributed system
- Limit access to your Lambda functions and other AWS services using IAM permissions and roles
- Create smaller Lambda functions that perform scoped activities
- Don’t share IAM roles between functions
- Use environment variables or AWS Secrets Manager to deliver data to a Lambda function.
Avoid sending or storing unencrypted sensitive data in an HTTP request.
Also, avoid sending or storing unencrypted sensitive data in the Lambda function's standard output.
Summary of data encryption options
The table below shows encryption options for AWS data stores.
| Data store | Encryption at Rest |
|---|---|
| Amazon S3 | |
| Configure server-side encryption with: | |
| 1. Amazon S3 managed keys | |
| 2. Customer master keys (CMKs) stored in AWS Key Management Service (KMS) | |
| 3. Customer provided keys | |
| Amazon DynamoDB | |
| At rest, secure data using encryption keys stored in AWS KMS | |
| When creating a table, you may use AWS service keys or customer-controlled keys | |
| Amazon ElastiCache for Redis | Optional encryption through AWS KMS utilizing either AWS managed or client given master keys |
Related reads:
Protecting Amazon SQS Data Using Server-Side Encryption (SSE) and AWS KMSAmazon SNS Adds Server-Side Encryption (SSE)
