AWS whitepapers documentation change
Summary
Updated formatting and links in GDPR compliance whitepaper section on encrypting data at rest, including adding markdown links, updating navigation, expanding Linux to include Microsoft for EC2 instance store encryption, and removing formatting from list items.
Security assessment
The changes are primarily editorial improvements, formatting updates, and adding hyperlinks to existing documentation. No evidence of addressing a specific security vulnerability or incident. The content updates (like adding Microsoft libraries for encryption) expand existing security documentation but don't introduce new security features or address vulnerabilities.
Diff
diff --git a/whitepapers/latest/navigating-gdpr-compliance/encrypt-data-at-rest.md b/whitepapers/latest/navigating-gdpr-compliance/encrypt-data-at-rest.md index 7e04a6c48..5b48724c1 100644 --- a//whitepapers/latest/navigating-gdpr-compliance/encrypt-data-at-rest.md +++ b//whitepapers/latest/navigating-gdpr-compliance/encrypt-data-at-rest.md @@ -1 +1 @@ -[](/pdfs/whitepapers/latest/navigating-gdpr-compliance/navigating-gdpr-compliance.pdf#encrypt-data-at-rest "Open PDF") +[View a markdown version of this page](encrypt-data-at-rest.md) @@ -3 +3 @@ -[Documentation](/index.html)[AWS Whitepapers](https://aws.amazon.com/whitepapers/)[AWS Whitepaper](welcome.html) +[](/pdfs/whitepapers/latest/navigating-gdpr-compliance/navigating-gdpr-compliance.pdf#encrypt-data-at-rest "Open PDF") @@ -5 +5 @@ -This whitepaper is for historical reference only. Some content might be outdated and some links might not be available. +[Documentation](/index.html)[AWS Whitepapers](https://aws.amazon.com/whitepapers/)[AWS Whitepaper](navigating-gdpr-compliance-on-aws.html) @@ -9 +9 @@ This whitepaper is for historical reference only. Some content might be outdated -[Encrypting data at rest](https://d1.awsstatic.com/whitepapers/AWS_Securing_Data_at_Rest_with_Encryption.pdf) is vital for regulatory compliance and data protection. It helps to ensure that sensitive data saved on disks is not readable by any user or application without a valid key. AWS provides multiple options for encryption at rest and encryption key management. For example, you can use the AWS Encryption SDK with an AWS KMS Key created and managed in AWS KMS to encrypt arbitrary data. All 117 AWS services that store customer data offer the ability to encrypt that data. +Encrypting data at rest is vital for regulatory compliance and data protection. It helps to ensure that sensitive data saved on disks is not readable by any user or application without a valid key. AWS provides multiple options for encryption at rest and encryption key management. For example, you can use the [AWS Encryption SDK](https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/introduction.html) with an [AWS KMS Key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html) created and managed in AWS KMS to encrypt arbitrary data. All 117 AWS services that store customer data offer the ability to encrypt that data. @@ -11 +11 @@ This whitepaper is for historical reference only. Some content might be outdated -Encrypted data can be securely stored at rest and can be decrypted only by a party with authorized access to the AWS KMS Key. As a result, you get confidential envelope-encrypted data, policy mechanisms for authorization and authenticated encryption, and audit logging through AWS CloudTrail. Some of the AWS foundation services have built-in encryption at rest features, providing the option to encrypt data before it is written to non-volatile storage. For example, you can encrypt Amazon EBS volumes and configure Amazon S3 buckets for Server-Side Encryption (SSE) using AES-256 encryption. Amazon S3 also supports _client-side encryption_ , which allows you to encrypt data before sending it to Amazon S3. AWS SDKs support client-side encryption to facilitate encryption and decryption operations of objects. Amazon RDS also supports Transparent Data Encryption (TDE). +Encrypted data can be securely stored at rest and can be decrypted only by a party with authorized access to the AWS KMS Key. As a result, you get confidential envelope-encrypted data, policy mechanisms for authorization and authenticated encryption, and audit logging through AWS CloudTrail. Some of the AWS foundation services have built-in encryption at rest features, providing the option to encrypt data before it is written to non-volatile storage. For example, you can encrypt Amazon EBS volumes and configure Amazon S3 buckets for Server-Side Encryption (SSE) using AES-256 encryption. Amazon S3 also supports client-side encryption, which allows you to encrypt data before sending it to Amazon S3. AWS SDKs support client-side encryption to facilitate encryption and decryption operations of objects. [Amazon RDS](https://aws.amazon.com/rds/) also supports Transparent Data Encryption (TDE). @@ -13 +13 @@ Encrypted data can be securely stored at rest and can be decrypted only by a par -It is possible to encrypt data on Linux Amazon EC2 instance stores by using built-in Linux libraries. This method encrypts files transparently, which protects confidential data. As a result, applications that process the data are unaware of the disk-level encryption. +It is possible to encrypt data on Linux Amazon EC2 instance stores by using built-in Linux or Microsoft libraries. This method encrypts files transparently, which protects confidential data. As a result, applications that process the data are unaware of the disk-level encryption. @@ -17 +17 @@ You can use two methods to encrypt files on instance stores: - * **Disk-level encryption** — With this method, the entire disk, or a block within the disk, is encrypted using one or more encryption keys. Disk encryption operates below the file system level, is operating-system agnostic, and hides directory and file information, such as name and size. Encrypting File System, for example, is a Microsoft extension to the Windows NT operating system’s New Technology File System (NTFS) that provides disk encryption. + * Disk-level encryption — With this method, the entire disk, or a block within the disk, is encrypted using one or more encryption keys. Disk encryption operates below the file system level, is operating-system agnostic, and hides directory and file information, such as name and size. Encrypting File System, for example, is a Microsoft extension to the Windows NT operating system’s New Technology File System (NTFS) that provides disk encryption. @@ -19 +19 @@ You can use two methods to encrypt files on instance stores: - * **File system-level encryption** — With this method, files and directories are encrypted, but not the entire disk or partition. File-system-level encryption operates on top of the file system and is portable across operating systems. + * File system-level encryption — With this method, files and directories are encrypted, but not the entire disk or partition. File-system-level encryption operates on top of the file system and is portable across operating systems. @@ -24 +24 @@ You can use two methods to encrypt files on instance stores: -For Non-Volatile Memory express (NVMe) [SSD instance store volumes](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ssd-instance-store.html), _disk-level encryption_ is the default option. Data in an NVMe instance storage is encrypted using an XTS-AES-256 block cipher implemented in a hardware module on the instance. The encryption keys are generated using the hardware module and are unique to each NVMe instance storage device. All encryption keys are destroyed when the instance is stopped or terminated and cannot be recovered. You cannot use your own encryption keys. +For Non-Volatile Memory express (NVMe) SSD instance store volumes, disk-level encryption is the default option. Data in an NVMe instance storage is encrypted using an XTS-AES-256 block cipher implemented in a hardware module on the instance. The encryption keys are generated using the hardware module and are unique to each NVMe instance storage device. All encryption keys are destroyed when the instance is stopped or terminated and cannot be recovered. You cannot use your own encryption keys.