Data Security on AWS
Master KMS encryption, VPC security, PrivateLink, and security best practices.
Module: AWS Data Engineering • Topic 27 of 65 • Premium Content
Security Architecture
Architecture Diagram
DATA SECURITY LAYERS
- Layer 1: Encryption: KMS (keys), S3 SSE (at rest), EBS (disk)
- Layer 2: Network Security: VPC (isolation), Security Groups, PrivateLink (private connectivity)
- Layer 3: Access Control: IAM (least privilege), Lake Formation, SSO (identity)
- Layer 4: Monitoring & Detection: CloudTrail (audit), GuardDuty (threat), Security Hub (dashboard)
KMS Encryption
import boto3

kms = boto3.client('kms')

# Create a customer-managed symmetric KMS key for the data lake
response = kms.create_key(
    Description='Data lake encryption key',
    KeyUsage='ENCRYPT_DECRYPT',
    Origin='AWS_KMS',
    Tags=[
        {'TagKey': 'Environment', 'TagValue': 'production'},
        {'TagKey': 'Purpose', 'TagValue': 'data-lake'}
    ]
)
key_id = response['KeyMetadata']['KeyId']

# Create an alias so callers reference a stable name instead of the raw key ID
kms.create_alias(
    AliasName='alias/data-lake-key',
    TargetKeyId=key_id
)

# Encrypt data directly under the KMS key. Encrypt accepts at most 4 KB of
# plaintext; larger payloads use envelope encryption with GenerateDataKey.
encrypted = kms.encrypt(
    KeyId=key_id,
    Plaintext=b'sensitive data'
)

# Decrypt data. The ciphertext blob of a symmetric key records which key
# produced it, so KeyId is optional here.
decrypted = kms.decrypt(
    CiphertextBlob=encrypted['CiphertextBlob']
)
plaintext = decrypted['Plaintext']
S3 Bucket Security
import json
import boto3

bucket_policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            # Reject uploads whose SSE header is anything other than SSE-KMS.
            # AWS's documented version of this check adds a second Deny with a
            # Null condition on the same key so uploads that omit the header
            # entirely are rejected as well.
            "Sid": "EnforceEncryption",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::data-lake-raw/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"
                }
            }
        },
        {
            # Reject any request that did not arrive over HTTPS
            "Sid": "EnforceTLS",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::data-lake-raw",
                "arn:aws:s3:::data-lake-raw/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        },
        {
            # Reject any request that did not come through the VPC endpoint.
            # The endpoint ID below is a placeholder. This deny also blocks
            # access from outside the VPC, including console and administrator
            # CLI sessions, unless those principals are exempted.
            "Sid": "RestrictVPCEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::data-lake-raw",
                "arn:aws:s3:::data-lake-raw/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "aws:sourceVpce": "vpce-1234567890abcdef0"
                }
            }
        }
    ]
}

# Attach the policy to the bucket (the policy document must be a JSON string)
s3 = boto3.client('s3')
s3.put_bucket_policy(
    Bucket='data-lake-raw',
    Policy=json.dumps(bucket_policy)
)
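A bucket policy like the one above is easy to get subtly wrong, so it helps to unit-test it offline before deploying. The following is an added example, not part of the course material: a small evaluator for the three Deny statements, run against constructed request contexts. The endpoint ID is the page's own placeholder; the other context values are made up for the test, and the evaluator deliberately refuses request contexts that lack a referenced key rather than guessing IAM's missing-key semantics.

```python
from fnmatch import fnmatchcase

# Trimmed copy of the bucket policy above: Sid, Action and Condition are all the evaluator needs
DENY_STATEMENTS = [
    {"Sid": "EnforceEncryption", "Action": "s3:PutObject",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Sid": "EnforceTLS", "Action": "s3:*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "RestrictVPCEndpoint", "Action": "s3:*",
     "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-1234567890abcdef0"}}},
]

def _condition_matches(operator, key, expected, context):
    """Evaluate one operator/key pair against the request context.
    A key absent from the context is refused rather than guessed: IAM treats
    missing keys differently per operator, which is why AWS's documented
    version of the encryption check adds a second Deny with a Null condition."""
    if key not in context:
        raise ValueError(f"request context lacks {key}")
    actual = str(context[key])
    if operator == "StringEquals":
        return actual == expected
    if operator == "StringNotEquals":
        return actual != expected
    if operator == "Bool":
        return actual.lower() == expected.lower()
    raise ValueError(f"unsupported operator {operator}")

def denying_sids(action, context, statements=DENY_STATEMENTS):
    """Return the Sids of every Deny statement that fires for this request.
    An empty list only means no explicit Deny; an Allow is still needed elsewhere."""
    hits = []
    for st in statements:
        if not fnmatchcase(action, st["Action"]):   # s3:* matches any S3 action
            continue
        # Every operator/key pair inside a Condition block must match (logical AND)
        if all(_condition_matches(op, k, v, context)
               for op, keys in st["Condition"].items() for k, v in keys.items()):
            hits.append(st["Sid"])
    return hits

# Constructed request contexts, shaped like the ones IAM assembles for each API call
GOOD_PUT = {"s3:x-amz-server-side-encryption": "aws:kms",
            "aws:SecureTransport": "true", "aws:sourceVpce": "vpce-1234567890abcdef0"}
SSE_S3_PUT = {**GOOD_PUT, "s3:x-amz-server-side-encryption": "AES256"}
PLAIN_HTTP_GET = {"aws:SecureTransport": "false", "aws:sourceVpce": "vpce-1234567890abcdef0"}
OTHER_VPCE_GET = {"aws:SecureTransport": "true", "aws:sourceVpce": "vpce-0fedcba0987654321"}
```

Run `denying_sids("s3:PutObject", SSE_S3_PUT)` to see which statement rejects an SSE-S3 upload; a PutObject context with no SSE header raises, flagging the case the policy as written does not model.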
PrivateLink for Data Services
Architecture Diagram
PRIVATELINK ARCHITECTURE
- Your VPC, private subnet: EC2/ECS instance -> VPC Endpoint (Interface)
  - com.amazonaws.us-east-1.redshift
  - com.amazonaws.us-east-1.glue
  - com.amazonaws.us-east-1.kinesis
- Private connection from the endpoint to the service
- AWS service (private endpoint): Redshift / Glue / Kinesis / etc. (never exposed to the public internet)
Interview Q&A
Q1: What is the difference between SSE-S3 and SSE-KMS?
Answer: SSE-S3 uses AWS-managed keys (no audit trail). SSE-KMS uses customer-managed keys (audit trail via CloudTrail, key policies).
Q2: When should you use PrivateLink?
Answer: When you need to access AWS services without internet exposure. Critical for compliance requirements and reducing attack surface.
Q3: What is the principle of least privilege?
Answer: Grant only the minimum permissions needed to perform a task. Reduces risk of accidental or malicious data access.
Summary
- Encryption: KMS for key management, SSE-S3/SSE-KMS for S3
- Network: VPC, Security Groups, PrivateLink for isolation
- Access: IAM least privilege, Lake Formation for data
- Monitoring: CloudTrail, GuardDuty, Security Hub
- Best Practice: Defense in depth with multiple security layers