Data at Rest
💡 Definition
Data at Rest refers to data that is physically stored on persistent storage media, such as hard drives, solid-state drives, or backup tapes. Protecting data at rest usually involves encryption.
🔑 Key Concepts
- Encryption: Transforming plaintext into ciphertext with a key, so that only someone holding the key can recover the original data. Encryption at rest protects the stored bytes; it does not by itself control who is allowed to ask AWS to decrypt them.
- Server-Side Encryption (SSE): AWS encrypts your data after it receives it and before writing it to disk, and decrypts it on read. The process is transparent to the caller: anyone with permission to read the object (and to use the key, for KMS-managed keys) gets plaintext back.
- Client-Side Encryption: You encrypt the data on your side before sending it to AWS, and you manage the keys. AWS only ever stores ciphertext it cannot read.
⚙️ How it Works
When you enable encryption at rest for a service (e.g., an EBS volume), AWS uses a KMS key (the AWS-managed key for that service, or a customer-managed key you choose) in an envelope-encryption scheme: KMS generates a per-volume data key, the data key encrypts the data blocks as they are written to disk, and only the copy of the data key that is itself encrypted under the KMS key is stored alongside the volume. On read, AWS asks KMS to unwrap the data key, decrypts the blocks in memory, and returns plaintext to you. Snapshots of an encrypted volume, and volumes restored from them, stay encrypted.
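The envelope pattern described above (and the client-side variant from Key Concepts, where the master key stays with you instead of KMS), as an added stand-alone example in Go; this is illustrative code written for this page, not an AWS SDK or KMS implementation. It assumes a hard-coded 32-byte `masterKey` standing in for the KMS key, a constructed sample record as the data, and AES-256-GCM for both the data key and the wrap operation. In a real deployment the master key would never be in application memory: `Encrypt` would call KMS GenerateDataKey and `Decrypt` would call KMS Decrypt on the wrapped key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// masterKey stands in for the KMS key (assumption for this example).
// It is only ever used to wrap and unwrap per-object data keys; it never
// touches the data itself. 32 bytes selects AES-256.
var masterKey = []byte("0123456789abcdef0123456789abcdef")

// Envelope is what actually lands on disk: the ciphertext plus the data key
// encrypted under the master key. Without the master key the data key, and
// therefore the data, cannot be recovered.
type Envelope struct {
	WrappedDataKey []byte // AES-GCM(masterKey, dataKey), nonce prepended
	Ciphertext     []byte // AES-GCM(dataKey, plaintext), nonce prepended
}

// seal encrypts plaintext with key using AES-GCM and prepends the random nonce,
// so the output is self-describing for open.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal. GCM is authenticated, so any modification of the
// nonce, ciphertext or tag makes this return an error instead of garbage.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob shorter than nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Encrypt mirrors the write path: generate a fresh data key, encrypt the data
// with it, wrap the data key under the master key, then drop the plaintext
// data key so only the wrapped copy is persisted.
func Encrypt(plaintext []byte) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	ct, err := seal(dataKey, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(masterKey, dataKey)
	if err != nil {
		return nil, err
	}
	for i := range dataKey { // scrub: the plaintext data key is not stored
		dataKey[i] = 0
	}
	return &Envelope{WrappedDataKey: wrapped, Ciphertext: ct}, nil
}

// Decrypt mirrors the read path: unwrap the data key with the master key
// (the step KMS performs), then decrypt the data with the recovered data key.
func Decrypt(env *Envelope) ([]byte, error) {
	dataKey, err := open(masterKey, env.WrappedDataKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, env.Ciphertext)
}

func main() {
	record := []byte("patient 42: constructed sample record") // constructed input
	env, err := Encrypt(record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on disk: %d-byte wrapped key, %d-byte ciphertext, plaintext visible: %v\n",
		len(env.WrappedDataKey), len(env.Ciphertext), bytes.Contains(env.Ciphertext, record))
	got, err := Decrypt(env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("read back: %q\n", got)
}
```

The point to take from the structure: whoever can get the master key unwrapped (in AWS terms, whoever the key policy and IAM allow to call kms:Decrypt) reads the data, and nothing about the bytes on disk stops them. That is why the key policy, not the encryption checkbox, is the actual access control.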
🎯 Use Cases
- Compliance: Meeting regulatory requirements (e.g., HIPAA, PCI DSS) that mandate encryption of stored data.
- Data Protection: Preventing access to data if the physical storage media is lost, stolen, decommissioned or reused, since the disk holds only ciphertext and the key never lives on it. It does not protect against a principal with permission to read through the service and use the key: that access is governed by IAM and the KMS key policy, not by the encryption itself.
💰 Pricing Model
- The encryption features themselves are free. Using KMS is not entirely: customer-managed KMS keys carry a monthly charge per key, and KMS API requests (GenerateDataKey, Decrypt, etc.) are charged beyond the monthly free tier. AWS-managed keys have no monthly key charge.
📝 Exam Tips (CLF-C02)
- KMS is the primary service for managing the keys used for encryption at rest; the key policy on a KMS key decides who can use it to decrypt.
- Most AWS services (S3, EBS, RDS, DynamoDB) support encryption at rest. S3 encrypts all new objects by default with SSE-S3, and EBS has an account-level, per-Region "encryption by default" setting.
- Often a simple checkbox to enable during resource creation; for RDS and EBS it must be chosen at creation time, since an existing unencrypted volume or instance cannot be encrypted in place (you copy/snapshot it into an encrypted one instead).
See Also:
- KMS
- Data in Transit