# Data Encryption & Key Management

Data encryption and key management are essential for **protecting sensitive information** in SecureCart. AWS provides various services and tools to **encrypt data at rest and in transit**, ensuring **confidentiality, integrity, and compliance** with industry standards like **PCI DSS, GDPR, and HIPAA**.

✔ **Why does SecureCart prioritize encryption & key management?**

* **Prevents unauthorized data access.**
* **Protects customer payment and personal data.**
* **Ensures compliance with industry regulations.**
* **Secures API and service-to-service communications.**

***

### **🔹 Step 1: Understanding Data Encryption in AWS**

AWS provides **encryption for data at rest and in transit** using **AWS Key Management Service (AWS KMS), TLS encryption, and various AWS storage services**.

| **Encryption Type**        | **Description**                                | **Use Case in SecureCart**                                                       |
| -------------------------- | ---------------------------------------------- | -------------------------------------------------------------------------------- |
| **Encryption at Rest**     | Protects stored data from unauthorized access. | Encrypts customer order history in **RDS, DynamoDB, and S3**.                    |
| **Encryption in Transit**  | Protects data as it moves across networks.     | SecureCart **encrypts API traffic and customer transactions using TLS (HTTPS)**. |
| **Client-Side Encryption** | Encrypts data before sending it to AWS.        | Encrypts highly sensitive logs before **storing them in S3**.                    |

✅ **Best Practices:**\
✔ Encrypt all **sensitive customer and transaction data**.\
✔ Use **AWS KMS for centralized encryption key management**.\
✔ Ensure **TLS 1.2 or later** is enforced for all communication.

***

### **🔹 Step 2: Implementing Encryption at Rest**

✔ **Why encrypt data at rest?** – Prevents **unauthorized access** if storage media is compromised.\
✔ **How SecureCart Encrypts Data at Rest:**

| **Service**         | **Encryption Method**           | **Use Case in SecureCart**                                           |
| ------------------- | ------------------------------- | -------------------------------------------------------------------- |
| **Amazon RDS**      | AWS KMS Encryption              | Protects **customer order and payment data** in MySQL/PostgreSQL.    |
| **Amazon DynamoDB** | AES-256 Encryption              | Encrypts **order transactions & user session data**.                 |
| **Amazon S3**       | S3 Default Encryption (AES-256) | Ensures **stored product images, invoices, and logs are encrypted**. |
| **Amazon EBS**      | Volume Encryption               | Encrypts **attached storage for EC2 instances**.                     |

✅ **Best Practices:**\
✔ **Enable default encryption for all storage services** (RDS, S3, DynamoDB, EBS).\
✔ Use **KMS key rotation** for enhanced security.\
✔ Implement **S3 bucket policies** to enforce encryption on all uploads.
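The "enforce encryption on all uploads" practice, as an added example that is not part of the original page: it builds the bucket policy that denies any `PutObject` lacking SSE-KMS with the bucket's assigned key, and includes a simplified model of how S3 evaluates those Deny statements (the bucket name, account id and key ARN are constructed placeholders).

```python
"""Added example (not from the SecureCart page): build an S3 bucket policy that
rejects unencrypted uploads, plus a simplified model of how S3 evaluates it."""

# Constructed placeholder identifiers; substitute SecureCart's real values.
BUCKET = "securecart-invoices-example"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"


def _deny(sid: str, bucket: str, condition: dict) -> dict:
    """One explicit Deny on s3:PutObject for every object key in the bucket."""
    return {"Sid": sid, "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*", "Condition": condition}


def require_kms_policy(bucket: str, key_arn: str) -> dict:
    """Three Deny statements: no SSE header at all, an SSE method other than
    aws:kms, and a KMS key other than the one assigned to this bucket. Each
    statement carries a single condition key so the evaluation stays simple."""
    return {"Version": "2012-10-17", "Statement": [
        _deny("DenyMissingSSEHeader", bucket,
              {"Null": {"s3:x-amz-server-side-encryption": "true"}}),
        _deny("DenyNonKmsSSE", bucket,
              {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}),
        _deny("DenyWrongKmsKey", bucket,
              {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": key_arn}}),
    ]}


def put_object_allowed(policy: dict, headers: dict) -> bool:
    """Simplified evaluation of the Deny statements for one PutObject request.
    `headers` maps an S3 condition key to the request header value; a key that
    is absent was not sent. Any matching Deny rejects the upload. A missing
    header under StringNotEquals is treated as 'not equal', which gives the
    same verdict the Null statement already produces for that case."""
    for stmt in policy["Statement"]:
        for operator, keys in stmt["Condition"].items():
            for key, expected in keys.items():
                present = key in headers
                if operator == "Null" and present == (expected == "false"):
                    return False  # SSE header absent although it must be set
                if operator == "StringNotEquals" and headers.get(key) != expected:
                    return False  # wrong SSE method or wrong KMS key
    return True


POLICY = require_kms_policy(BUCKET, KEY_ARN)
```

Pair this policy with S3 default encryption on the bucket so objects written by services that never set the header are still encrypted, and the policy only has to catch explicit mismatches.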

***

### **🔹 Step 3: Implementing Encryption in Transit**

✔ **Why encrypt data in transit?** – Prevents **eavesdropping and man-in-the-middle (MitM) attacks**.\
✔ **How SecureCart Ensures Secure Data Transfers:**

| **Encryption Type**               | **Use Case in SecureCart**                                                               |
| --------------------------------- | ---------------------------------------------------------------------------------------- |
| **TLS 1.2+ (HTTPS)**              | Encrypts API calls between frontend & backend services.                                  |
| **AWS Certificate Manager (ACM)** | Manages **SSL/TLS certificates** for ALB & API Gateway.                                  |
| **AWS PrivateLink**               | Securely connects third-party APIs **without exposing services to the public internet**. |
| **IPsec VPN**                     | Encrypts traffic between SecureCart’s **on-premises environment and AWS**.               |

✅ **Best Practices:**\
✔ **Enforce TLS 1.2 or later** for all internal and external communications.\
✔ Use **AWS Certificate Manager (ACM) for automatic certificate management**.\
✔ **Avoid hardcoding encryption keys** in application code.

***

### **🔹 Step 4: AWS Key Management Service (AWS KMS)**

✔ **What is AWS KMS?** – A **managed key service** that allows **secure creation, rotation, and auditing of encryption keys**.\
✔ **How SecureCart Uses AWS KMS:**

* **Encrypts database storage (RDS, DynamoDB, EBS).**
* **Manages API keys & signing certificates for transactions.**
* **Enforces automatic key rotation for long-term security.**

| **AWS KMS Feature**              | **Use Case in SecureCart**                                                             |
| -------------------------------- | -------------------------------------------------------------------------------------- |
| **Customer Managed Keys (CMKs)** | SecureCart generates **specific KMS keys per environment (Dev, Staging, Production)**. |
| **Automatic Key Rotation**       | Enables **automatic yearly key rotation** for all encryption keys.                     |
| **AWS CloudTrail Integration**   | Logs **all KMS API calls** to detect unauthorized access attempts.                     |

✅ **Best Practices:**\
✔ **Use separate KMS keys for different environments (Dev, Staging, Prod).**\
✔ **Enable key rotation to minimize risks from long-lived keys.**\
✔ **Apply IAM policies to restrict key access based on roles.**

***

### **🔹 Step 5: Implementing Customer-Managed Encryption Keys**

✔ **Why use Customer-Managed Keys (CMKs)?** – Provides **full control over key policies and auditing**.

| **KMS Key Type**                 | **Use Case**                                                                                   |
| -------------------------------- | ---------------------------------------------------------------------------------------------- |
| **AWS-Managed Keys**             | Default encryption for services like S3, RDS, and DynamoDB.                                    |
| **Customer-Managed Keys (CMKs)** | Used when SecureCart **needs full control over access policies and key lifecycle management**. |

✅ **Best Practices:**\
✔ Restrict **IAM policies on encryption keys** to only authorized services.\
✔ **Use separate keys for different data classifications (e.g., PII vs. logs).**\
✔ Enable **KMS key deletion protection** to prevent accidental key deletions.
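The per-environment, role-restricted key policies described in Steps 4 and 5, as an added example that is not part of the original page: one function generates the key policy for a given environment, and a second lints any key policy for wildcard principals, `kms:*` grants, cross-environment principals and roles that can both administer and use a key (the account id and role names are constructed placeholders).

```python
"""Added example (not from the SecureCart page): generate one KMS key policy per
environment that separates key administration from key use, and lint a policy
for the mistakes the best practices above warn about."""

ACCOUNT = "111122223333"  # constructed placeholder account id
ADMIN_ACTIONS = {"kms:ScheduleKeyDeletion", "kms:Delete*", "kms:Put*", "kms:Disable*"}
USE_ACTIONS = {"kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey*"}

def key_policy(env: str, region: str = "us-east-1", account: str = ACCOUNT) -> dict:
    """Key policy for SecureCart's key in one environment (dev, staging, prod).
    The admin role manages but never uses the key; the app role may only use it
    when RDS calls KMS on its behalf (kms:ViaService), not directly."""
    root = f"arn:aws:iam::{account}:root"
    admin = f"arn:aws:iam::{account}:role/securecart-{env}-kms-admin"
    app = f"arn:aws:iam::{account}:role/securecart-{env}-app"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "EnableIAMPermissions", "Effect": "Allow",  # keeps the key manageable
         "Principal": {"AWS": root}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowKeyAdministration", "Effect": "Allow", "Principal": {"AWS": admin},
         "Resource": "*", "Action": ["kms:Describe*", "kms:Enable*", "kms:Disable*",
         "kms:Put*", "kms:Update*", "kms:Delete*", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"]},
        {"Sid": "AllowUseViaRds", "Effect": "Allow", "Principal": {"AWS": app},
         "Resource": "*", "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Condition": {"StringEquals": {"kms:ViaService": f"rds.{region}.amazonaws.com"}}},
    ]}

def _principals(stmt: dict) -> list:
    p = stmt["Principal"]
    aws = p if p == "*" else p.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)

def key_policy_findings(policy: dict, env: str) -> list:
    """Return human-readable findings; an empty list means the policy passes."""
    findings = []
    for s in policy["Statement"]:
        actions = {s["Action"]} if isinstance(s["Action"], str) else set(s["Action"])
        for p in _principals(s):
            if p.endswith(":root"):
                continue  # the account-root statement is expected; IAM policies still gate it
            if p == "*":
                findings.append(f"{s['Sid']}: wildcard principal")
            elif f"-{env}-" not in p:
                findings.append(f"{s['Sid']}: {p} is not a {env} principal")
            if "kms:*" in actions:
                findings.append(f"{s['Sid']}: grants kms:* to {p}")
            if actions & ADMIN_ACTIONS and actions & USE_ACTIONS:
                findings.append(f"{s['Sid']}: {p} can both administer and use the key")
    return findings
```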

***

### **🔹 Step 6: Data Masking & Tokenization**

✔ **Why?** – Prevents **exposure of sensitive data in logs, databases, and API responses**.\
✔ **How SecureCart Implements Data Masking & Tokenization:**

| **Method**                    | **Use Case**                                                                                |
| ----------------------------- | ------------------------------------------------------------------------------------------- |
| **DynamoDB Tokenization**     | Customer payment details **stored as unique tokens instead of actual credit card numbers**. |
| **Amazon Macie**              | Scans S3 buckets **for exposed sensitive data**.                                            |
| **AWS Lambda Data Redaction** | Redacts sensitive **PII data before logging transactions**.                                 |

✅ **Best Practices:**\
✔ Implement **tokenization for highly sensitive data**.\
✔ Use **data masking in logs and API responses** to avoid exposing PII.\
✔ Enable **Amazon Macie to scan S3 for sensitive data leaks**.
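The tokenization and log-redaction methods from the table above, as an added example that is not part of the original page: a random token and the last four digits are all the order record keeps, the full card number lives only in a vault (a dictionary standing in for the restricted DynamoDB table), and a redaction function masks card numbers and e-mail addresses before a transaction line is logged.

```python
"""Added example (not from the SecureCart page): keep only a random token and the
last four digits with an order, hold the card number in a separate vault, and
redact card numbers and e-mail addresses before a transaction is logged."""
import re
import secrets

# Stand-in for the token vault. In SecureCart this would be a separate DynamoDB
# table under its own KMS key that only the payment service's role can read.
_VAULT = {}
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so obviously malformed input is rejected before vaulting."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def tokenize_pan(pan: str) -> dict:
    """Return what the order record may store: an opaque token and the last four
    digits. The token is random, not derived from the PAN, so it cannot be
    reversed or correlated without access to the vault."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a plausible card number")
    token = "tok_" + secrets.token_urlsafe(24)
    _VAULT[token] = digits
    return {"token": token, "last4": digits[-4:]}


def detokenize(token: str) -> str:
    """Only the payment service, under its own IAM role, should reach this path."""
    return _VAULT[token]


def redact(record: str) -> str:
    """Mask card numbers to their last four digits and blank out e-mail addresses
    so the transaction can be written to CloudWatch Logs without exposing PII."""
    def mask_pan(m):
        digits = re.sub(r"\D", "", m.group(0))
        return "*" * (len(digits) - 4) + digits[-4:]
    return EMAIL_RE.sub("[email redacted]", PAN_RE.sub(mask_pan, record))
```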

***

### **🔹 Step 7: Auditing & Monitoring Encryption Activities**

✔ **Why?** – Ensures **ongoing security compliance and detects unauthorized access**.\
✔ **How SecureCart Monitors Encryption & Key Usage:**

| **AWS Security Tool**     | **Purpose**                        | **Use Case in SecureCart**                                  |
| ------------------------- | ---------------------------------- | ----------------------------------------------------------- |
| **AWS CloudTrail**        | Logs all KMS API calls             | Detects unauthorized key access attempts.                   |
| **AWS Security Hub**      | Centralized security monitoring    | Aggregates key-related security alerts.                     |
| **Amazon Macie**          | Identifies sensitive data exposure | Finds **unencrypted customer data in S3**.                  |
| **AWS Key Usage Metrics** | Tracks encryption key operations   | Detects **excessive key usage that could indicate misuse**. |

✅ **Best Practices:**\
✔ **Enable CloudTrail logs for KMS activity tracking.**\
✔ **Use AWS Security Hub to centralize encryption alerts.**\
✔ **Set up CloudWatch alarms for suspicious key access patterns.**
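The detection side of the table above, as an added example that is not part of the original page: it runs over constructed CloudTrail records in the service's JSON shape and flags denied KMS calls, key lifecycle changes, and any principal whose Decrypt volume in the batch exceeds a threshold (the account id, role names and threshold are constructed assumptions).

```python
"""Added example (not from the SecureCart page): scan CloudTrail records for the
KMS access patterns the table above lists, namely denied key operations, key
lifecycle changes and one principal issuing an unusual volume of Decrypt calls."""
from collections import Counter

# Actions that change a key's state or policy; every occurrence is worth a ticket.
LIFECYCLE = {"ScheduleKeyDeletion", "DisableKey", "PutKeyPolicy", "DisableKeyRotation"}


def _event(name: str, role: str, error=None) -> dict:
    """Constructed CloudTrail record in the service's JSON shape, trimmed to the
    fields the detection reads. Account id and role names are placeholders."""
    e = {"eventSource": "kms.amazonaws.com", "eventName": name,
         "userIdentity": {"arn": f"arn:aws:sts::111122223333:assumed-role/{role}/session"}}
    if error:
        e["errorCode"] = error
    return e


SAMPLE_EVENTS = (
    [_event("Decrypt", "securecart-prod-app") for _ in range(120)]
    + [_event("Decrypt", "securecart-dev-app", "AccessDenied") for _ in range(3)]
    + [_event("ScheduleKeyDeletion", "securecart-prod-kms-admin"),
       _event("GenerateDataKey", "securecart-prod-app"),
       {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"}]
)


def kms_findings(events: list, decrypt_threshold: int = 100) -> list:
    """Return one finding per denied call, per lifecycle change, and per principal
    whose Decrypt count in this batch exceeds the threshold (the batch is the
    CloudWatch alarm window in SecureCart's setup)."""
    findings, decrypts = [], Counter()
    for e in events:
        if e.get("eventSource") != "kms.amazonaws.com":
            continue
        who = e.get("userIdentity", {}).get("arn", "unknown")
        action = e.get("eventName")
        if e.get("errorCode") == "AccessDenied":
            findings.append({"type": "denied", "principal": who, "action": action})
        elif action in LIFECYCLE:
            findings.append({"type": "key_lifecycle_change", "principal": who, "action": action})
        elif action == "Decrypt":
            decrypts[who] += 1
    for who, n in decrypts.items():
        if n > decrypt_threshold:
            findings.append({"type": "decrypt_volume", "principal": who, "count": n})
    return findings
```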

***

## **🚀 Summary**

✔ **Encrypt all data at rest using AWS KMS, S3 default encryption, and database encryption.**\
✔ **Secure data in transit using TLS, ACM, and AWS PrivateLink.**\
✔ **Manage encryption keys with AWS KMS and enforce IAM-based access controls.**\
✔ **Monitor encryption activities with CloudTrail, Macie, and Security Hub.**\
✔ **Apply data masking and tokenization for extra protection of PII.**

#### **Scenario:**

SecureCart must **encrypt sensitive customer data** at **rest and in transit** to meet **compliance and security standards**.

#### **Key Learning Objectives:**

✅ Use **AWS Key Management Service (AWS KMS) for encryption**\
✅ Implement **AWS Certificate Manager (ACM) for TLS encryption**\
✅ Apply **IAM policies to restrict access to encryption keys**\
✅ Rotate **encryption keys and renew certificates**

#### **Hands-on Labs:**

1️⃣ **Encrypt an S3 Bucket Using AWS KMS**\
2️⃣ **Configure TLS/SSL Certificates Using AWS ACM**\
3️⃣ **Apply IAM Policies to Restrict Key Usage**

🔹 **Outcome:** SecureCart **secures customer data using AWS encryption services**.
