Learning path

Encrypt everything

Encrypt at rest and in transit across EBS, S3, RDS and load balancers.

10 lessons · ~135 min total

Lessons in this path

  1. Enforce TLS on database and cache connections
     Compliance · AWS · 15 min

     One capability across RDS, Aurora, Redshift, DocumentDB, ElastiCache, DAX, MSK, EMR and DMS: every connection to a data store must be encrypted on the wire, not merely allowed to be.

  2. Encrypt other services at rest (queues, streams, logs, ML)
     Compliance · AWS · 14 min

     One capability across the long tail of stateful services (SQS, Kinesis, EMR, OpenSearch, AWS Backup, API Gateway caches, Glue ML, CodeBuild reports and load-balancer backends) where data lands on disk or crosses a backend hop and needs to be encrypted rather than left in the clear.

  3. Manage KMS encryption keys
     Compliance · AWS · 15 min

     One capability across rotation, deletion protection, key-policy scope and decrypt permissions: keep the KMS keys that protect everything you encrypt rotating, recoverable, private and reachable only by the principals that genuinely need them.

  4. Encrypt EBS and EFS storage at rest
     Compliance · AWS · 14 min

     One capability across EBS volumes, the account-level EBS default, EFS file systems and WorkSpaces virtual desktops: make sure the block and file storage your compute reads and writes is encrypted on disk rather than left in the clear.

  5. Enforce TLS on load balancer listeners
     Compliance · AWS · 13 min

     One capability across Classic, Application and Network Load Balancers: every public listener terminates TLS, plain HTTP redirects to HTTPS, and weak ciphers are off.

  6. Require TLS for storage and remaining services
     Compliance · AWS · 12 min

     One capability across S3, ECS-mounted EFS file systems and load balancer cipher policies: close the leftover in-transit gaps that do not fit the database, API or listener buckets.

  7. Encrypt AWS databases at rest
     Compliance · AWS · 14 min

     One capability across RDS, Aurora, DocumentDB, Neptune, Redshift, DynamoDB, ElastiCache and OpenSearch: make sure the data on disk, and in every snapshot it produces, is encrypted with a KMS key rather than stored in the clear.

  8. Enforce TLS on APIs and search domains
     Compliance · AWS · 13 min

     One capability across API Gateway, OpenSearch and Elasticsearch: every public endpoint uses a strong, current TLS policy, and the hop to the backend behind the gateway is encrypted too.

  9. Manage and renew TLS certificates
     Compliance · AWS · 13 min

     One capability across ACM and the legacy IAM certificate store: keep the certificates that front your HTTPS endpoints strong enough, renewed before they expire, and clear of expired leftovers that can be deployed by mistake.

  10. Encrypt S3 object storage at rest
      Compliance · AWS · 12 min

      One capability across S3 buckets and the CodeBuild logs that land in them: every object is already encrypted, so the work is upgrading sensitive data from an opaque default key to a KMS key you can govern and audit.