- Encryption:
  - Encryption at Rest and in Transit: AWS services offer encryption for data at rest (stored data) and in transit (data moving between services).
  - Encryption Methods:
    - Client-side encryption: The customer encrypts data before sending it to AWS.
    - Server-side encryption: AWS encrypts the data, which is easier for customers to implement correctly and consistently.
    - Some services, such as Amazon S3, DynamoDB, and SageMaker, encrypt data by default.
  - AWS Key Management Service (KMS): Lets customers manage encryption keys and control access to them via IAM policies, adding an extra layer of protection.
  - AWS Managed Keys vs. Customer-Managed Keys: You can use AWS-managed keys, or customer-managed keys for more control over encryption, key policies, and rotation.
  - TLS: All AWS service endpoints support TLS, so connections over HTTPS are encrypted.
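The KMS and TLS points above come down to two controls a defender can actually enforce on a bucket: an S3 bucket policy that refuses uploads unless they use SSE-KMS with one specific customer-managed key and refuses any request over plain HTTP, plus a check of what encryption existing objects really have. The following is an added example (not code from the original notes or from AWS); the bucket name, account id and key ARN are constructed placeholders, and the request-context dicts and API-response dicts are constructed to mirror the shape of boto3's `head_object()` and `describe_key()` results so that it runs offline. The `first_denying_sid` helper is a deliberately tiny evaluator for the three condition operators the policy uses, not an IAM simulator.

```python
"""Enforce and verify server-side encryption on an S3 bucket.

Added example, not from the original notes.  BUCKET and CMK_ARN are
constructed placeholders; the sample responses used with
classify_object_encryption() are constructed to look like boto3 output.
"""
import json
from typing import Optional

BUCKET = "example-training-data"  # placeholder bucket name
CMK_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
           "11111111-2222-3333-4444-555555555555")  # placeholder customer-managed key


def enforce_encryption_policy(bucket: str, kms_key_arn: str) -> dict:
    """Bucket policy making SSE-KMS with one customer-managed key and TLS
    transport mandatory.  An explicit Deny beats any Allow, so these rules
    hold regardless of what the caller's IAM policy grants."""
    arn = f"arn:aws:s3:::{bucket}"
    obj = f"{arn}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # header present but not SSE-KMS (e.g. AES256)
                "Sid": "DenyIncorrectEncryptionHeader",
                "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": obj,
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {   # header absent entirely (the belt-and-braces Null check)
                "Sid": "DenyMissingEncryptionHeader",
                "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": obj,
                "Condition": {"Null": {
                    "s3:x-amz-server-side-encryption": "true"}},
            },
            {   # SSE-KMS requested, but with some other key (e.g. aws/s3)
                "Sid": "DenyWrongKmsKey",
                "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": obj,
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}},
            },
            {   # any operation over plain HTTP
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny", "Principal": "*",
                "Action": "s3:*", "Resource": [arn, obj],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def _condition_holds(operator: str, key: str, expected: str, ctx: dict) -> bool:
    """Toy semantics for the three operators used above.  A key absent from
    the request context never satisfies StringNotEquals here; that is the
    case the separate Null statement exists to catch."""
    present = key in ctx
    if operator == "Null":
        return present != (expected == "true")
    if not present:
        return False
    if operator == "StringNotEquals":
        return ctx[key] != expected
    if operator == "Bool":
        return str(ctx[key]).lower() == expected
    raise ValueError(f"unsupported operator {operator}")


def first_denying_sid(policy: dict, action: str, ctx: dict) -> Optional[str]:
    """Sid of the first Deny statement matching `action` whose conditions all
    hold, or None.  Resource matching is ignored on purpose (teaching aid)."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(a == action or (a.endswith("*") and action.startswith(a[:-1]))
                   for a in actions):
            continue
        if all(_condition_holds(op, k, v, ctx)
               for op, kv in st["Condition"].items() for k, v in kv.items()):
            return st["Sid"]
    return None


def classify_object_encryption(head_object: dict,
                               describe_key: Optional[dict] = None) -> str:
    """Label an object from head_object() output; pass describe_key() output for
    its SSEKMSKeyId to tell AWS-managed from customer-managed keys
    (KeyMetadata.KeyManager is 'AWS' or 'CUSTOMER')."""
    sse = head_object.get("ServerSideEncryption")
    if sse is None:
        return "NONE"
    if sse == "AES256":
        return "SSE-S3"
    if sse.startswith("aws:kms"):  # covers aws:kms and aws:kms:dsse
        manager = (describe_key or {}).get("KeyMetadata", {}).get("KeyManager")
        if manager == "CUSTOMER":
            return "SSE-KMS (customer-managed key)"
        if manager == "AWS":
            return "SSE-KMS (AWS-managed key)"
        return "SSE-KMS (key manager unknown)"
    return f"UNKNOWN ({sse})"


if __name__ == "__main__":
    print(json.dumps(enforce_encryption_policy(BUCKET, CMK_ARN), indent=2))
```

In practice you would apply the policy with `put_bucket_policy` and feed real `head_object` / `describe_key` results to `classify_object_encryption`; the evaluator only exists so the four Deny statements can be exercised against sample request contexts without an AWS account.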
- Amazon Macie:
  - Sensitive Data Identification: Macie scans S3 buckets and detects sensitive data such as PII (Personally Identifiable Information).
  - Macie also reports on bucket status (e.g., public/private access, encryption) and alerts you to potential security risks.
  - Best practice: Remove PII from training data during ingestion and transformation, rather than relying on detection after the data has landed in S3.
- Virtual Private Cloud (VPC):
  - Managing Cloud Infrastructure Security: Customers are responsible for configuring their own cloud networks using AWS VPC.
  - SageMaker VPC Configuration: By default, SageMaker resources have public internet access, which may expose data to security risks.
  - Best practice: Create a private VPC for SageMaker Studio and notebook instances, and control internet access using security groups and firewalls.
  - VPC Interface Endpoints: For secure communication with AWS services, use VPC interface endpoints with AWS PrivateLink so that traffic stays within your private network instead of crossing the public internet.
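Putting the three VPC bullets together in code: the request parameters that create a notebook instance and a Studio domain with no direct internet path, the interface-endpoint parameters that let those resources still reach the SageMaker APIs privately, and an audit that flags existing resources that were left on the default public-internet setting. This is an added example (not code from the original notes or from AWS); the VPC, subnet, security-group, role and region identifiers are constructed placeholders, and the `describe_*` dicts in the tests are constructed to mirror the shape of boto3's `describe_notebook_instance()` and `describe_domain()` results so that it runs offline. It builds only parameter dicts and makes no API calls; pass them to the corresponding boto3 methods to apply them.

```python
"""Keep SageMaker off the public internet: VPC-only create parameters,
PrivateLink endpoint parameters, and an audit of existing resources.

Added example, not from the original notes.  All identifiers below are
constructed placeholders.
"""
from typing import List, Optional

REGION = "us-east-1"                      # placeholder region
VPC_ID = "vpc-0123456789abcdef0"          # placeholder VPC
SUBNETS = ["subnet-0aaa", "subnet-0bbb"]  # placeholder private subnets
SG_IDS = ["sg-0ccc"]                      # placeholder security group
ROLE_ARN = "arn:aws:iam::111122223333:role/SageMakerExecutionRole"  # placeholder


def notebook_create_params(name: str, role_arn: str, subnet_id: str,
                           sg_ids: List[str], kms_key_id: Optional[str] = None) -> dict:
    """Parameters for sagemaker.create_notebook_instance(): attached to a VPC
    subnet, DirectInternetAccess disabled, root disabled, optional CMK for
    the instance volume."""
    params = {
        "NotebookInstanceName": name,
        "InstanceType": "ml.t3.medium",
        "RoleArn": role_arn,
        "SubnetId": subnet_id,
        "SecurityGroupIds": sg_ids,
        "DirectInternetAccess": "Disabled",
        "RootAccess": "Disabled",
    }
    if kms_key_id:
        params["KmsKeyId"] = kms_key_id
    return params


def studio_domain_create_params(name: str, role_arn: str, vpc_id: str,
                                subnet_ids: List[str], sg_ids: List[str]) -> dict:
    """Parameters for sagemaker.create_domain() with AppNetworkAccessType
    VpcOnly, so Studio apps can only reach what the VPC routes to."""
    return {
        "DomainName": name,
        "AuthMode": "IAM",
        "DefaultUserSettings": {"ExecutionRole": role_arn, "SecurityGroups": sg_ids},
        "SubnetIds": subnet_ids,
        "VpcId": vpc_id,
        "AppNetworkAccessType": "VpcOnly",
    }


def interface_endpoint_params(region: str, vpc_id: str, subnet_ids: List[str],
                              sg_ids: List[str]) -> List[dict]:
    """Parameters for ec2.create_vpc_endpoint(), one per SageMaker service, so
    a VpcOnly domain or no-internet notebook can still call the control plane
    and invoke endpoints.  S3 access uses a Gateway endpoint on the route
    tables instead and is not built here."""
    services = [f"com.amazonaws.{region}.sagemaker.api",
                f"com.amazonaws.{region}.sagemaker.runtime"]
    return [{
        "VpcId": vpc_id,
        "ServiceName": service,
        "VpcEndpointType": "Interface",
        "SubnetIds": subnet_ids,
        "SecurityGroupIds": sg_ids,
        "PrivateDnsEnabled": True,   # lets the normal SDK hostnames resolve privately
    } for service in services]


def audit_notebook(desc: dict) -> List[str]:
    """Findings for a describe_notebook_instance() result; empty list is good."""
    findings = []
    if desc.get("DirectInternetAccess") != "Disabled":
        findings.append("direct internet access is enabled")
    if not desc.get("SubnetId"):
        findings.append("not attached to a VPC subnet")
    if not desc.get("SecurityGroups"):
        findings.append("no security groups attached")
    return findings


def audit_domain(desc: dict) -> List[str]:
    """Findings for a describe_domain() result; empty list is good."""
    findings = []
    if desc.get("AppNetworkAccessType") != "VpcOnly":
        findings.append("AppNetworkAccessType is not VpcOnly")
    if not desc.get("SubnetIds"):
        findings.append("no subnets configured")
    if not desc.get("DefaultUserSettings", {}).get("SecurityGroups"):
        findings.append("no default security groups configured")
    return findings


if __name__ == "__main__":
    print(notebook_create_params("research-nb", ROLE_ARN, SUBNETS[0], SG_IDS))
    print(studio_domain_create_params("ml-team", ROLE_ARN, VPC_ID, SUBNETS, SG_IDS))
    for ep in interface_endpoint_params(REGION, VPC_ID, SUBNETS, SG_IDS):
        print(ep["ServiceName"])
```

The security groups referenced here are what actually scope the traffic: the group on the notebook or Studio apps should only allow egress to the endpoint group, and the endpoint group should only allow ingress from it.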