How to encrypt personal data in a database

0

The database is not encrypted (data at rest in the cloud, where customers' personal data is stored).

4 Answers
0

You can have a look here: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Encryption.html and at this as an example:

https://repost.aws/knowledge-center/rds-encrypt-instance-mysql-mariadb

From my experience, encryption at rest is a must, and using a customer managed KMS key usually fits most cases.

Some also perform client-side encryption, meaning they have the application programmatically encrypt/hash/encode the data before it is saved in the database, and decrypt/rehash/decode it when it is retrieved.

EXPERT
answered 10 months ago
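Worked illustration of the client-side (application-level) encryption the answer above mentions. This is an added example, not code from the answer, from AWS, or from any AWS SDK: it encrypts one column value with AES-256-GCM under a per-record data key and wraps that data key under a master key (envelope encryption). The master key is generated locally here as an assumption standing in for a KMS customer managed key; in a real deployment the data key and its wrapped copy would come from the KMS GenerateDataKey API and the master key would never leave KMS. The `EncryptedField` layout, the helper names and the sample record values are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// EncryptedField is what the application stores in the database instead of
// the plaintext: the field ciphertext plus the wrapped per-record data key.
// (Constructed layout for this example, not an AWS or SDK type.)
type EncryptedField struct {
	WrappedKey string // base64(nonce || AES-GCM(masterKey, dataKey))
	Ciphertext string // base64(nonce || AES-GCM(dataKey, value) with AAD = record ID)
}

// NewMasterKey returns a random 256-bit key. Assumption: it stands in for a
// KMS customer managed key; with KMS the wrap/unwrap would be API calls.
func NewMasterKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts plaintext with a fresh random nonce and returns
// nonce || ciphertext || tag. aad is authenticated but not encrypted.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM and fails on any change to ciphertext or aad.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed value too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptField protects one value before it is written. The record ID is
// bound in as AAD, so a ciphertext copied into another record will not open.
func EncryptField(masterKey []byte, recordID, value string) (EncryptedField, error) {
	dataKey := make([]byte, 32) // fresh data key per record
	if _, err := rand.Read(dataKey); err != nil {
		return EncryptedField{}, err
	}
	ct, err := sealGCM(dataKey, []byte(value), []byte(recordID))
	if err != nil {
		return EncryptedField{}, err
	}
	wrapped, err := sealGCM(masterKey, dataKey, nil)
	if err != nil {
		return EncryptedField{}, err
	}
	return EncryptedField{
		WrappedKey: base64.StdEncoding.EncodeToString(wrapped),
		Ciphertext: base64.StdEncoding.EncodeToString(ct),
	}, nil
}

// DecryptField unwraps the data key, then decrypts the value read back.
func DecryptField(masterKey []byte, recordID string, f EncryptedField) (string, error) {
	wrapped, err := base64.StdEncoding.DecodeString(f.WrappedKey)
	if err != nil {
		return "", err
	}
	ct, err := base64.StdEncoding.DecodeString(f.Ciphertext)
	if err != nil {
		return "", err
	}
	dataKey, err := openGCM(masterKey, wrapped, nil)
	if err != nil {
		return "", fmt.Errorf("unwrap data key: %w", err)
	}
	pt, err := openGCM(dataKey, ct, []byte(recordID))
	if err != nil {
		return "", fmt.Errorf("decrypt field: %w", err)
	}
	return string(pt), nil
}

func main() {
	mk, _ := NewMasterKey()
	// Constructed sample record; not real customer data.
	f, _ := EncryptField(mk, "customer-42", "jane.doe@example.com")
	fmt.Printf("stored in DB: %+v\n", f)
	v, err := DecryptField(mk, "customer-42", f)
	fmt.Println("read back:", v, err)
	_, err = DecryptField(mk, "customer-43", f) // ciphertext moved to another record
	fmt.Println("wrong record:", err)
}
```

The design point worth noting: storage-level encryption (the RDS option in the other answers) is transparent to anyone with database credentials, whereas this pattern keeps plaintext out of the database entirely, so a leaked snapshot or an over-privileged DB user sees only ciphertext. The cost is that the database can no longer index or search the protected column, and key rotation becomes an application concern.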
0

Hi, AWS RDS encrypts data at rest.

See https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html

Amazon RDS can encrypt your Amazon RDS DB instances. Data that is encrypted at rest includes the underlying storage for DB instances, its automated backups, read replicas, and snapshots.

Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance. You don't need to modify your database client applications to use encryption.
AWS
EXPERT
answered 10 months ago
AWS
EXPERT
reviewed 10 months ago
0

As Didier_AWS and alatech have suggested, you need to consider encrypting the whole DB instance. If you are referring to column-level encryption, it is supported only for RDS SQL Server.

AWS
answered 10 months ago
0

Hello,

I assume you are referring to personal sensitive data, which under the PCI DSS standard should be protected using strong cryptography with associated key management processes and procedures. Amazon RDS does provide encryption at rest, as explained in earlier suggestions, using a CMK and even with CloudHSM depending on the RDS engine type. For all of the database engines, encryption (AES-256) and decryption are applied automatically and transparently to RDS storage and to database snapshots. You don't need to make any changes to your code or to your operating model in order to benefit from this important data protection feature.

AWS KMS is FIPS 140-2 Level 2 certified; however, if you intend to use FIPS 140-2 Level 3, you can use an HSM to meet more stringent compliance standards and regulations.

Please refer to this blog, https://aws.amazon.com/blogs/security/architecting-for-database-encryption-on-aws/, which has very detailed explanations and options you can use while migrating or building your databases in AWS.

AWS
SSaxena
answered 10 months ago
AWS
EXPERT
reviewed 10 months ago
