Encryption in AWS: A Key Guide for Your Solutions Architect Interview

Introduction
In today’s article, we’ll be talking a bit about encryption. First, we’ll understand the basics, then the different types of encryption that exist, when each is used, and practical examples specifically related to AWS. Here you’ll find answers to several questions you might be asked in Solutions Architect interviews.
What is encryption?
Encryption is the process of converting data from a readable format to an unreadable format. Let’s understand with an example. Below we have some text, and next to it, we’ll see the same text after being encrypted:
compa compila -> $2a$12$HWc5lQx1qgi/zwxFHUfTkOB0yWzvTGURTPrXzMvMtWKm1q9oci1pq
Of course, the same text is not always encrypted in the same way. This depends on the encryption algorithm used and the key used to encrypt it. For example, below we’ll see the same text encrypted again:
compa compila -> $2a$15$/X2deTck7.Sqrlx6YHII.Ol8B7dZZwnBv7ZUXiH.FT92DzjAW.gFC
As we can see in this case, the encrypted value is different from the first one. This is either because a different encryption algorithm was used, a different key was used, or both.
Why is encryption necessary?
Simply put, it comes down to security. Both when data is stored (encryption at rest) and when it is sent over the internet (encryption in flight), there is a risk that the data could be intercepted. If the data is not encrypted, it is immediately compromised. To prevent this, both encryption software and hardware can be used. If encrypted data is intercepted, an attacker will not be able to read it unless they can decrypt it.
Algorithm and Key
When encrypting data, there are two variables to consider: the algorithm and the encryption key.
Algorithm
Think of the algorithm as the recipe used to encrypt and decrypt data. These algorithms are public. Some examples of the most commonly used ones, with typical uses, are:
- Advanced Encryption Standard (AES)
  - File and hard drive encryption
- Rivest-Shamir-Adleman (RSA)
  - Internet browsing (HTTPS and TLS)
  - SSH
Key
The key is the private part of the recipe that you cannot share. In other words, millions of people use the AES algorithm daily for different purposes, but each of them has their own key. This is what makes their encrypted data different from that of someone else who used another key with the same algorithm on the same data.
- It’s very important to make it clear that encryption keys cannot be shared.
Types of Encryption
There are two types of encryption: symmetric and asymmetric. Below, we will understand and be able to identify the advantages and disadvantages of each.
Symmetric Encryption
Symmetric encryption uses the same key to both encrypt and decrypt data and is ideal for data at rest. For example, if you want to encrypt the data on your hard drive, the same key is used to both encrypt and decrypt it. This type of encryption is very useful for encrypting large amounts of data.
Asymmetric Encryption
Asymmetric encryption uses one key to encrypt data and another to decrypt it, and it is ideal for data being transmitted over the Internet. For example, to connect to a server via SSH, you first need to generate both the public and private keys using tools like ssh-keygen. Then, the public key is ‘installed’ on the server you want to connect to, and the private key stays on your local machine. When you connect to the server, it sends a challenge that can only be solved with the private key, and if you can solve it, you are granted access to the server. This type of encryption is very useful for encrypting small amounts of data and for generating digital signatures.
Examples in AWS
Now we will mention some examples of each type of encryption in AWS.
Symmetric Encryption in AWS
- Encryption at rest in Amazon S3 using SSE-S3.
- Encryption at rest for EBS volumes using KMS.
- Encryption at rest for RDS databases using KMS.
- Encryption at rest for parameters in AWS Systems Manager Parameter Store using KMS.
AWS manages the AES-256 keys for you, so you don’t have to worry about managing them.
Asymmetric Encryption in AWS
- Encryption in transit for data between your browser and the AWS Management Console using TLS.
- EC2 Key Pairs for accessing EC2 instances via SSH.
Until next time
That’s all for now regarding the first article in this series where we will be discussing topics you might be asked about in interviews for Solutions Architect roles. If you have any questions or suggestions, don’t hesitate to leave a comment or contact me directly.