Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Amazon DataSync encryption at rest

Because Amazon DataSync is a transfer service, it doesn't manage your storage data at rest. The storage services and systems that DataSync supports are responsible for protecting data in that state. However, there is some service-related data that DataSync manages at rest.

What's encrypted?

The only data that DataSync handles at rest relates to the information that it needs to complete your transfer (also known as a task). DataSync stores the following data with full at-rest encryption in Amazon DynamoDB:

  • Task configurations (for example, details about the locations in your transfer).

  • User credentials that allow your DataSync agent to authenticate with a location. These credentials are encrypted by using your agent's public keys, so only the agent, which holds the matching private keys, can decrypt them when it needs them.

For more information, see DynamoDB encryption at rest in the Amazon DynamoDB Developer Guide.

Key management

You can't manage the encryption keys that DataSync uses to store information in DynamoDB related to running your task. This information includes your task configurations and the credentials that agents use to authenticate with a storage location.

What's not encrypted?

Though DataSync doesn’t control how your storage data is encrypted at rest, we still recommend configuring your locations with the highest level of security that they support. For example, you can encrypt objects with Amazon S3 managed encryption keys (SSE-S3) or Amazon Key Management Service (Amazon KMS) keys (SSE-KMS).
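As an added example (not part of this documentation page and not DataSync's own tooling), the following Python code turns the recommendation above into a check: it classifies an S3 bucket's default server-side encryption as SSE-KMS, SSE-S3 or none from the document that the S3 GetBucketEncryption API returns, and an optional boto3-based helper applies that check to every S3 location registered with DataSync in an account. The sample configuration documents, the bucket names and the KMS key ARN are constructed for this example; the `meets_minimum` bar of SSE-KMS is an assumption reflecting the page's advice to use the strongest option a location supports, and the boto3 helper assumes credentials with `datasync:ListLocations` and `s3:GetEncryptionConfiguration` permissions.

```python
"""Classify an S3 bucket's default server-side encryption setting.

Input is the dict that boto3's ``get_bucket_encryption`` returns (the
``ServerSideEncryptionConfiguration`` document). The sample documents at the
bottom are constructed for this example and do not come from a real account.
"""
from typing import Optional

# Ordering assumed for this example: SSE-KMS is the strongest option the page
# mentions, SSE-S3 is the baseline, and "none" means no default rule exists.
LEVELS = {"none": 0, "SSE-S3": 1, "SSE-KMS": 2}


def classify_bucket_encryption(config: dict) -> dict:
    """Return {'level', 'kms_key_id', 'bucket_key'} for a bucket's config.

    Only the first rule is inspected; S3 applies exactly one default rule.
    A ``kms_key_id`` of None with level SSE-KMS means the AWS-managed
    aws/s3 key is used rather than a customer-managed key.
    """
    rules = (config.get("ServerSideEncryptionConfiguration") or {}).get("Rules") or []
    if not rules:
        return {"level": "none", "kms_key_id": None, "bucket_key": False}
    default = rules[0].get("ApplyServerSideEncryptionByDefault") or {}
    algorithm = default.get("SSEAlgorithm")
    if algorithm in ("aws:kms", "aws:kms:dsse"):
        level = "SSE-KMS"
    elif algorithm == "AES256":
        level = "SSE-S3"
    else:
        level = "none"
    return {
        "level": level,
        "kms_key_id": default.get("KMSMasterKeyID"),
        "bucket_key": bool(rules[0].get("BucketKeyEnabled", False)),
    }


def meets_minimum(config: dict, required: str = "SSE-KMS") -> bool:
    """True if the bucket's default encryption is at least ``required``."""
    return LEVELS[classify_bucket_encryption(config)["level"]] >= LEVELS[required]


def bucket_from_location_uri(uri: str) -> str:
    """Extract the bucket name from a DataSync S3 LocationUri (s3://bucket/prefix/)."""
    if not uri.startswith("s3://"):
        raise ValueError(f"not an S3 location URI: {uri}")
    return uri[len("s3://"):].split("/", 1)[0]


def audit_datasync_s3_locations(region_name: Optional[str] = None) -> list:
    """Check every DataSync S3 location in the account against the SSE-KMS bar.

    Needs boto3 and credentials, so it is not exercised offline. Returns a list
    of (location_uri, classification, passes) tuples. Hypothetical helper for
    this example, not a DataSync feature.
    """
    import boto3  # imported lazily so the pure functions above run without it
    from botocore.exceptions import ClientError

    datasync = boto3.client("datasync", region_name=region_name)
    s3 = boto3.client("s3", region_name=region_name)
    findings = []
    for page in datasync.get_paginator("list_locations").paginate():
        for entry in page["Locations"]:
            uri = entry["LocationUri"]
            if not uri.startswith("s3://"):
                continue  # only S3 locations carry a bucket encryption setting
            try:
                config = s3.get_bucket_encryption(Bucket=bucket_from_location_uri(uri))
            except ClientError as err:
                # No default rule configured: treat as "none" rather than failing.
                if err.response["Error"]["Code"] == "ServerSideEncryptionConfigurationNotFoundError":
                    config = {}
                else:
                    raise
            findings.append((uri, classify_bucket_encryption(config), meets_minimum(config)))
    return findings


# Constructed sample responses (shape matches GetBucketEncryption output).
SAMPLE_SSE_KMS = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [{
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "arn:aws-cn:kms:cn-north-1:111122223333:key/EXAMPLE-KEY-ID",
            },
            "BucketKeyEnabled": True,
        }]
    }
}
SAMPLE_SSE_S3 = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]
    }
}
SAMPLE_EMPTY = {"ServerSideEncryptionConfiguration": {"Rules": []}}

if __name__ == "__main__":
    for name, doc in (("kms", SAMPLE_SSE_KMS), ("s3", SAMPLE_SSE_S3), ("empty", SAMPLE_EMPTY)):
        print(name, classify_bucket_encryption(doc), meets_minimum(doc))
```

The classification deliberately reports the key ID separately: a bucket can show SSE-KMS while still relying on the AWS-managed `aws/s3` key, and a reviewer who wants customer-managed keys (for key policies, rotation control and audit of key use) should require `kms_key_id` to be set, not only `level == "SSE-KMS"`.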

Learn more about how Amazon storage services encrypt data at rest: