The Key Management Service (KMS) allows you to create encryption keys and control their access. Both symmetric and asymmetric keys can be created, as you can see in Figure 10.1.
FIGURE 10.1 KMS
Key features of AWS KMS include
The ability to create, view, and edit keys
Use policies to control access to keys
The ability to disable (and enable) keys
Automatic key rotation
Key use monitoring
Consider how you would treat data that contains credit card information compared to how you would treat data that contains comments that have been made regarding your company website. The data that contains credit card information is much more sensitive than the data that contains customer comments, so you would want to treat the data differently.
In this situation, data classification becomes important. With data classification, you place data into different categories depending on how you want to treat the data. These categories can be based on rules related to how sensitive the data is, who should be able to read the data, who should be able to modify the data, and how long the data should be available. Unless you are storing data that is related to compliance regulations (like SOC 2, GDPR, PCI-DSS, or HIPAA), the data classification criteria are up to you.
For example, you might consider classifying data based on who is permitted to access it. In this case, you might use the following commonly used categories:
Public: This data is available to anyone, including those who are not a part of your organization. This typically includes information found on your public website, announcements made on social media sites, and data found in your company press releases.
Internal: This data should be available only to members of your organization. An example of this data would be upcoming enhancements to a software product that your organization creates.
Confidential: This data should be available only to select individuals who have the need to access this information. This could include personally identifiable information (PII), such as an employee Social Security number. Often the rules for handling this data are also governed by compliance regulations.
Restricted: This data may seem similar to confidential data, but it is normally more related to proprietary information, company secrets, and in some cases, data that is regarded by the government as secret.
In the cloud, there are different techniques to handle different types of data. These techniques could include placing different types of data into different storage locations.