Taking advantage of encryption features built into AWS services

Many AWS services also offer their own level of encryption in addition to KMS. For example, S3 uses a myriad of encryption mechanisms including these:

  • Server-side encryption options:
    • SSE-KMS (use of KMS)
    • SSE-S3 (encryption managed by AWS)
    • SSE-C (encryption managed by customer-managed keys)
  • Client-side encryption options:
    • CSE-KMS (use of KMS)
    • CSE-C (encryption managed by customer-managed keys)
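As an added defensive check (example code, not from the book), the function below classifies S3 objects by the mode names in the list above from their boto3 head_object() responses and flags any that fall short of a bucket policy such as "SSE-KMS under this one key". The sample responses and the key ARN are constructed placeholders.

```python
from typing import Dict, List, Optional

# Metadata keys the AWS S3 Encryption Client writes for client-side encryption
CSE_METADATA_KEYS = {"x-amz-key-v2", "x-amz-cek-alg", "x-amz-wrap-alg"}

def classify_encryption(head: Dict) -> str:
    """Map a boto3 head_object() response to one of the S3 modes listed above.
    S3 only describes an SSE-C object when the customer key is sent with the
    request; it then echoes SSECustomerAlgorithm rather than ServerSideEncryption."""
    if head.get("SSECustomerAlgorithm"):
        return "SSE-C"
    sse = head.get("ServerSideEncryption")
    if sse in ("aws:kms", "aws:kms:dsse"):
        return "SSE-KMS"
    if sse == "AES256":
        return "SSE-S3"
    # Client-side encryption is opaque to S3; only the envelope metadata stored
    # on the object reveals it, and the wrap algorithm tells KMS from customer keys.
    metadata = head.get("Metadata", {})
    if CSE_METADATA_KEYS & set(metadata):
        return "CSE-KMS" if metadata.get("x-amz-wrap-alg", "").startswith("kms") else "CSE-C"
    return "NONE"

def audit(objects: Dict[str, Dict], required_mode: str,
          required_key_arn: Optional[str] = None) -> List[str]:
    """Return one line per object whose mode, or KMS key, violates the policy."""
    violations = []
    for key, head in objects.items():
        mode = classify_encryption(head)
        if mode != required_mode:
            violations.append(f"{key}: {mode} (policy requires {required_mode})")
        elif required_key_arn and head.get("SSEKMSKeyId") != required_key_arn:
            violations.append(f"{key}: encrypted under an unexpected KMS key")
    return violations

# Constructed sample head_object() responses; the key ARNs are placeholders
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"
SAMPLE_OBJECTS = {
    "reports/q1.csv": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": KEY_ARN},
    "reports/q2.csv": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": KEY_ARN + "-OTHER"},
    "logs/app.log": {"ServerSideEncryption": "AES256"},
    "secrets/db.dump": {"SSECustomerAlgorithm": "AES256"},
    "export/cse.bin": {"Metadata": {"x-amz-key-v2": "CONSTRUCTED", "x-amz-wrap-alg": "kms+context"}},
    "tmp/plain.txt": {"ContentLength": 12},
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_OBJECTS, "SSE-KMS", KEY_ARN)))
```

In a real audit the responses would come from paginating list_objects_v2 and calling head_object per key; SSE-C objects will raise an error there unless the customer key is supplied, which itself tells you the object is SSE-C.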

Another example is Relational Database Service (RDS). When creating your database, you can select Enable encryption on the Configure advanced settings screen:

By default, this encrypts all of your storage at rest, your DB snapshots and backups, and any read replicas you have in place. KMS is used to apply this encryption; the first time RDS encryption is enabled, it creates the default master key for RDS (aws/rds). The encryption process itself is managed by RDS without the end user having to perform any other action.

In addition to KMS encryption, RDS also supports encryption at the platform level: Oracle and SQL Server Transparent Data Encryption (TDE), which can be used in conjunction with the KMS keys mentioned previously, although doing so adds a small additional performance impact on the database. MySQL cryptographic functions and Microsoft SQL Server Transact-SQL cryptographic functions are further encryption mechanisms available with RDS. Although these additional mechanisms will not be mentioned on the exam, I include them to demonstrate that you do not have to rely solely on KMS to perform encryption at rest for your data services; many of them come with their own encryption features.

These encryption mechanisms should be explored whenever you use a service that offers them, so that you understand how they can help you achieve the best level of protection for your data.

Having encryption applied to your data at rest is one thing, but it is just as important that your data cannot be intercepted between services, or while you are connecting to a service to transfer data, for example. Applying encryption in transit is therefore also a best practice when it comes to providing additional data protection.
