Data encryption at rest

One of the most important parts of any architecture is data protection and encryption, when used correctly, can provide an additional layer of protection. Following recommendations from security pillar of Well Architected Framework, we have to encrypt storage types by way of rendering it unintelligible to unauthorized access

For this, AWS KMS helps you to manage encryption keys and integrates with many AWS services, like S3 or EBS. For this cases, you can apply server-side encryption in two ways

By console:

Go to EC2 console -» EBS Encryption

And go to Manage

On S3, select the bucket and go to Properties

Select Edit to modify encryption configuration and enable Server-Side Encryption

At this point, you can choose to use an AWS managed key or create another KMS key. Also you can enable bucket key to reduce calls to KMS as well as to reduce KMS costs

If you want to apply it with IaC (with terraform in this case):

resource “aws_s3_bucket” “MyBucket” {

bucket = “my-bucket-name”

server_side_encryption_configuration {

rule {

apply_server_side_encryption_by_default {

sse_algorithm = “aws:kms”

kms_master_key_id = aws_kms_key.MyKMSKey.arn





resource “aws_ebs_encryption_by_default” “MyVolume” {

enabled = true


If you find it interesting and want to go deeper into the subject, you can read Ken Beer (General Manager AWS KMS) about the importance of encryption in this blog.

This article was originally published on

Teracloud is an AWS Advanced Consulting Partner specialized in Cloud Computing (AWS, Azure, GCP) best practices. We help SaaS of different industries around the world scale their business safely.

Contact our team at for an assessment. Let us handle migration, automation, deployment, performance, cost optimization and machine learning to make your business grow.

We make the cloud easy for you!



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store