Encryption at rest in Amazon Keyspaces - Amazon Keyspaces (for Apache Cassandra)

Encryption at rest in Amazon Keyspaces

Amazon Keyspaces (for Apache Cassandra) encryption at rest provides enhanced security by encrypting all your data at rest using encryption keys stored in Amazon Key Management Service (Amazon KMS). This functionality helps reduce the operational burden and complexity involved in protecting sensitive data. With encryption at rest, you can build security-sensitive applications that meet strict compliance and regulatory requirements for data protection.

Amazon Keyspaces encryption at rest encrypts your data using 256-bit Advanced Encryption Standard (AES-256). This helps secure your data from unauthorized access to the underlying storage.

Amazon Keyspaces encrypts and decrypts the table data transparently. Amazon Keyspaces uses envelope encryption and a key hierarchy to protect data encryption keys. It integrates with Amazon KMS for storing and managing the root encryption key. For more information about the encryption key hierarchy, see Encryption at rest: How it works in Amazon Keyspaces. For more information about Amazon KMS concepts such as envelope encryption, see Amazon KMS concepts in the Amazon Key Management Service Developer Guide.

When creating a new table, you can choose one of the following Amazon KMS keys (KMS keys):

  • Amazon owned key – This is the default encryption type. The key is owned by Amazon Keyspaces (no additional charge).

  • Customer managed key – This key is stored in your account and is created, owned, and managed by you. You have full control over the customer managed key (Amazon KMS charges apply).

You can switch between the Amazon owned key and the customer managed key at any time. You can specify a customer managed key when you create a new table, or change the KMS key of an existing table, by using the console or programmatically with CQL statements. To learn how, see Encryption at rest: How to use customer managed keys to encrypt tables in Amazon Keyspaces.
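The CQL statements below are an added example, not taken from the Amazon Keyspaces documentation: they create a table with the default Amazon owned key, switch it to a customer managed key, check which key type is in effect, and switch back. The keyspace name, table name and KMS key ARN are placeholders, and the system table used for the check is assumed.

```cql
-- Added example, not from the Amazon Keyspaces documentation.
-- Keyspace/table names and the KMS key ARN are placeholders.

-- 1. Default: the table is encrypted with an Amazon owned key.
--    Omitting CUSTOM_PROPERTIES gives the same result.
CREATE TABLE myapp.customer_events (
    customer_id uuid,
    event_time  timestamp,
    payload     text,
    PRIMARY KEY (customer_id, event_time)
) WITH CUSTOM_PROPERTIES = {
    'encryption_specification': {
        'encryption_type': 'AWS_OWNED_KMS_KEY'
    }
};

-- 2. Switch the existing table to a customer managed key
--    stored in your account (Amazon KMS charges apply).
ALTER TABLE myapp.customer_events
WITH CUSTOM_PROPERTIES = {
    'encryption_specification': {
        'encryption_type': 'CUSTOMER_MANAGED_KMS_KEY',
        'kms_key_identifier': 'arn:aws:kms:us-east-1:111122223333:key/<KEY-ID-PLACEHOLDER>'
    }
};

-- 3. Verify which key type the table now uses (assumed: the
--    Amazon Keyspaces system table that exposes custom properties).
SELECT custom_properties
FROM system_schema_mcs.tables
WHERE keyspace_name = 'myapp' AND table_name = 'customer_events';

-- 4. Revert to the Amazon owned key at any time.
ALTER TABLE myapp.customer_events
WITH CUSTOM_PROPERTIES = {
    'encryption_specification': {
        'encryption_type': 'AWS_OWNED_KMS_KEY'
    }
};
```

Checking step 3 after any change is the quick way to confirm that a table meant to use a customer managed key has not silently fallen back to the default.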

Encryption at rest using the default option of Amazon owned keys is offered at no additional charge. However, Amazon KMS charges apply for customer managed keys. For more information about pricing, see Amazon KMS pricing.

Amazon Keyspaces encryption at rest is available in all Amazon Web Services Regions, including the Amazon China (Beijing) and Amazon China (Ningxia) Regions. For more information, see Encryption at rest: How it works in Amazon Keyspaces.