AWS services that store data let you encrypt it with server-side encryption, so the effort on the customer's side is minimal; that is why Werner Vogels, Amazon.com CTO, often says "Encrypt everything".
Ensure all critical data in your organization is encrypted. It is recommended that you encrypt all sensitive data under your own key (a customer managed key) rather than under an AWS owned or AWS managed key; for that we provide a service called AWS Key Management Service (AWS KMS).
There are plenty of benefits to having your own key: you write the key policy and grants that decide who may use it, you decide on rotation, you can disable the key or schedule its deletion, and every use of it is recorded in AWS CloudTrail.
An easy way to find resources that are not encrypted in your organization is to use the following checks in AWS Security Hub:
These controls are part of the AWS Security Hub NIST SP 800-53 security standard, and there are many other controls that check for encryption in other types of resources, such as DynamoDB tables, DocumentDB clusters, OpenSearch domains, EKS secrets, etc.
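Security Hub returns its findings in the AWS Security Finding Format (ASFF), and a finding that stays FAILED for an encryption control is exactly the "unencrypted resource" the checks above are looking for. The script below is an added example, not code from this post or from AWS: it builds the `Filters` argument you would pass to `securityhub.get_findings()`, applies the same filter client-side to a handful of constructed sample findings (no real accounts or resources), and lists the resources still failing each control. The set of control ids treated as encryption controls is an assumption of the example; extend it to match the controls you have enabled.

```python
"""Triage AWS Security Hub findings for resources that failed an encryption control.

Added example, not from the original post.  Findings are in the AWS Security
Finding Format (ASFF), trimmed here to the fields the triage reads.
"""
from collections import defaultdict

# Assumed set of encryption-at-rest controls to triage (Security Hub control
# ids are stable across standards since consolidated controls).  Adjust freely.
ENCRYPTION_CONTROLS = {"S3.4", "EC2.3", "RDS.3", "EFS.1", "OpenSearch.1", "EKS.3"}

# Constructed sample findings: made-up account id, ARNs and states.
SAMPLE_FINDINGS = [
    {   # open failure: bucket without default encryption
        "Compliance": {"Status": "FAILED", "SecurityControlId": "S3.4"},
        "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
        "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-logs-bucket"}],
    },
    {   # open failure: RDS instance not encrypted at rest, owner already notified
        "Compliance": {"Status": "FAILED", "SecurityControlId": "RDS.3"},
        "RecordState": "ACTIVE", "Workflow": {"Status": "NOTIFIED"},
        "Resources": [{"Type": "AwsRdsDbInstance",
                       "Id": "arn:aws:rds:us-east-1:111122223333:db:orders-db"}],
    },
    {   # suppressed by a reviewer (accepted risk): must not be reported
        "Compliance": {"Status": "FAILED", "SecurityControlId": "EC2.3"},
        "RecordState": "ACTIVE", "Workflow": {"Status": "SUPPRESSED"},
        "Resources": [{"Type": "AwsEc2Volume",
                       "Id": "arn:aws:ec2:us-east-1:111122223333:volume/vol-0123456789abcdef0"}],
    },
    {   # remediated: Security Hub archives the old finding
        "Compliance": {"Status": "FAILED", "SecurityControlId": "EFS.1"},
        "RecordState": "ARCHIVED", "Workflow": {"Status": "RESOLVED"},
        "Resources": [{"Type": "AwsEfsFileSystem",
                       "Id": "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-0123"}],
    },
    {   # passing control: nothing to do
        "Compliance": {"Status": "PASSED", "SecurityControlId": "S3.4"},
        "RecordState": "ACTIVE", "Workflow": {"Status": "RESOLVED"},
        "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-encrypted-bucket"}],
    },
    {   # failed control that is not about encryption: out of scope here
        "Compliance": {"Status": "FAILED", "SecurityControlId": "IAM.4"},
        "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
        "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:111122223333"}],
    },
]


def get_findings_filter(control_ids=ENCRYPTION_CONTROLS):
    """Build the Filters dict for securityhub.get_findings(Filters=...) so the
    service filters server-side: active, FAILED, not resolved or suppressed,
    limited to the given control ids.  Entries in one key are ORed, keys ANDed,
    except NOT_EQUALS entries, which are ANDed with each other."""
    return {
        "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
        "ComplianceStatus": [{"Value": "FAILED", "Comparison": "EQUALS"}],
        "WorkflowStatus": [
            {"Value": "RESOLVED", "Comparison": "NOT_EQUALS"},
            {"Value": "SUPPRESSED", "Comparison": "NOT_EQUALS"},
        ],
        "ComplianceSecurityControlId": [
            {"Value": cid, "Comparison": "EQUALS"} for cid in sorted(control_ids)
        ],
    }


def is_open_encryption_failure(finding, control_ids=ENCRYPTION_CONTROLS):
    """Client-side version of the same filter, for findings already fetched or
    exported (for example forwarded to S3 through EventBridge)."""
    compliance = finding.get("Compliance", {})
    return (
        finding.get("RecordState") == "ACTIVE"
        and compliance.get("Status") == "FAILED"
        and finding.get("Workflow", {}).get("Status") not in ("RESOLVED", "SUPPRESSED")
        and compliance.get("SecurityControlId") in control_ids
    )


def unencrypted_resources(findings, control_ids=ENCRYPTION_CONTROLS):
    """Map control id -> sorted list of resource ids that still fail it."""
    by_control = defaultdict(set)
    for finding in findings:
        if is_open_encryption_failure(finding, control_ids):
            for res in finding.get("Resources", []):
                by_control[finding["Compliance"]["SecurityControlId"]].add(res["Id"])
    return {cid: sorted(ids) for cid, ids in sorted(by_control.items())}


if __name__ == "__main__":
    for control, arns in unencrypted_resources(SAMPLE_FINDINGS).items():
        print(control)
        for arn in arns:
            print("   ", arn)
```

With real data, replace `SAMPLE_FINDINGS` by the `Findings` list returned from `get_findings(Filters=get_findings_filter())`, paging with `NextToken`; the client-side filter stays useful for findings exported in bulk, and it deliberately keeps NOTIFIED findings (the owner knows, but the resource is still unencrypted) while dropping SUPPRESSED ones, which represent a documented accepted risk.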
If you require a dedicated Hardware Security Module for your organization, use AWS CloudHSM; otherwise use KMS instead, as it is more cost effective, provides Multi-AZ high availability, and is itself backed by validated, tamper-resistant HSMs. If you use CloudHSM in production, remember to create a cluster with HSMs in multiple Availability Zones for high availability.
Unless you have a very good reason to do so, avoid the following options for key material origin:
We generally advise against these options because of their security and durability implications: when the key material does not originate in KMS, keeping it protected and available becomes your responsibility, and if it is lost, every ciphertext encrypted under that key is lost with it.
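The same concern can be checked against the `KeyMetadata` that `kms describe-key` returns, which reports both who manages the key (`KeyManager`) and where its material came from (`Origin`). The script below is an added example, not code from this post or from AWS, run over constructed sample records (no real key ids or key stores). Treating every origin other than the default `AWS_KMS` as needing a written justification, and flagging AWS managed keys as "not your own key" per the recommendation above, is this example's reading of the text, not an AWS rule; adjust the policy to match your own.

```python
"""Audit KMS KeyMetadata records for key manager and key material origin.

Added example, not from the original post.  Input is the KeyMetadata
structure returned by kms:DescribeKey, trimmed to the fields the audit reads.
"""

# Origins KMS reports.  AWS_KMS is the default: KMS generates and holds the
# material.  The others bring in material, or an HSM, that you operate, which
# is where the security and durability caveats come from.
DEFAULT_ORIGIN = "AWS_KMS"
NON_DEFAULT_ORIGINS = {"EXTERNAL", "AWS_CLOUDHSM", "EXTERNAL_KEY_STORE"}

# Constructed sample KeyMetadata records (made-up ids).
SAMPLE_KEYS = [
    {   # customer managed, KMS-generated material: the recommended shape
        "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "KeyManager": "CUSTOMER", "Origin": "AWS_KMS",
        "KeyState": "Enabled", "Description": "orders-db at-rest key",
    },
    {   # AWS managed key (e.g. alias aws/s3): usable, but not your own key
        "KeyId": "0987dcba-09fe-87dc-65ba-ab0987654321",
        "KeyManager": "AWS", "Origin": "AWS_KMS",
        "KeyState": "Enabled", "Description": "Default key that protects my S3 objects",
    },
    {   # imported material with an expiry: KMS deletes the material at ValidTo
        "KeyId": "abcd1234-ab12-cd34-ef56-abcdef123456",
        "KeyManager": "CUSTOMER", "Origin": "EXTERNAL",
        "KeyState": "Enabled", "ExpirationModel": "KEY_MATERIAL_EXPIRES",
        "ValidTo": "2025-01-31T00:00:00Z", "Description": "imported HR key",
    },
    {   # imported key whose material was never imported, or has expired
        "KeyId": "feed0000-aaaa-bbbb-cccc-000000000001",
        "KeyManager": "CUSTOMER", "Origin": "EXTERNAL",
        "KeyState": "PendingImport", "Description": "stale imported key",
    },
    {   # external key store: material lives in a key manager outside AWS
        "KeyId": "feed0000-aaaa-bbbb-cccc-000000000002",
        "KeyManager": "CUSTOMER", "Origin": "EXTERNAL_KEY_STORE",
        "KeyState": "Enabled", "CustomKeyStoreId": "cks-1234567890abcdef0",
    },
]


def audit_key(meta):
    """Return a list of (severity, message) for one KeyMetadata record.
    An empty list means the key matches the recommendations."""
    issues = []
    if meta.get("KeyManager") != "CUSTOMER":
        # AWS managed keys: fixed policy, fixed yearly rotation, cannot be
        # disabled or deleted by you.  Fine for convenience, not "your own key".
        issues.append(("INFO", "AWS managed key: you do not control its policy, "
                               "rotation or deletion; use a customer managed key "
                               "for sensitive data"))
    origin = meta.get("Origin", DEFAULT_ORIGIN)
    if origin in NON_DEFAULT_ORIGINS:
        issues.append(("WARN", f"key material origin is {origin}, not {DEFAULT_ORIGIN}: "
                               "requires a documented justification"))
    if origin == "EXTERNAL":
        if meta.get("KeyState") == "PendingImport":
            issues.append(("HIGH", "no usable imported key material: ciphertext under "
                                   "this key cannot be decrypted until the identical "
                                   "material is re-imported"))
        if meta.get("ExpirationModel") == "KEY_MATERIAL_EXPIRES":
            issues.append(("WARN", f"imported key material expires at {meta.get('ValidTo')}; "
                                   "KMS deletes it then, and only a re-import of the "
                                   "identical material restores access to the data"))
    if meta.get("KeyState") == "PendingDeletion":
        issues.append(("HIGH", "key is pending deletion; data encrypted under it becomes "
                               "unrecoverable once the key is deleted"))
    return issues


def audit_keys(keys):
    """Map KeyId -> issues, omitting keys with nothing to report."""
    return {meta["KeyId"]: audit_key(meta) for meta in keys if audit_key(meta)}


if __name__ == "__main__":
    for key_id, issues in audit_keys(SAMPLE_KEYS).items():
        print(key_id)
        for severity, message in issues:
            print(f"    [{severity}] {message}")
```

To run this against an account, feed it the `KeyMetadata` from `describe_key()` for every key returned by `list_keys()`; the `EXTERNAL` branch is the one that encodes the durability caveat, since imported material that expires or is never re-imported leaves the key unable to decrypt anything it protected.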
https://d1.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
https://aws.amazon.com/kms/pricing
AWS Free Tier includes 20,000 free AWS KMS requests each month.