Data Protection
Encryption at Rest
| Resource | Encryption |
|---|---|
| RDS | AWS managed key |
| EBS volumes | AWS managed key |
| S3 buckets | Server-side encryption |
Encryption in Transit
- TLS 1.2+ required for all connections
- ALB terminates HTTPS
- Database connections use SSL in production
Application-Level Encryption
Sensitive data is encrypted with AES-256-GCM:
```javascript
const encrypted = encryptionService.encrypt(apiKey);
const decrypted = encryptionService.decrypt(encrypted);
```
Format: `{iv}:{authTag}:{ciphertext}` (each field hex-encoded)
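A sketch of how the `{iv}:{authTag}:{ciphertext}` format can be produced and strictly parsed with Node's built-in `crypto` module. This is an added example, not the project's `encryptionService` code: the standalone `encrypt`/`decrypt` functions, the 12-byte IV, the 16-byte tag and the 32-byte `Buffer` key are assumptions.

```javascript
const { randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

const IV_BYTES = 12;  // assumption: 96-bit IV, the size GCM is designed around
const TAG_BYTES = 16; // assumption: full 128-bit authentication tag
const HEX = /^(?:[0-9a-f]{2})*$/i;

// Returns "{iv}:{authTag}:{ciphertext}", each field hex-encoded.
function encrypt(plaintext, key) {
  const iv = randomBytes(IV_BYTES); // fresh random IV for every message
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return [iv, cipher.getAuthTag(), ciphertext].map((b) => b.toString('hex')).join(':');
}

// Validates the three fields before decrypting. Buffer.from(x, 'hex') silently
// stops at the first invalid character, so the hex check has to be explicit.
function decrypt(payload, key) {
  const parts = String(payload).split(':');
  if (parts.length !== 3 || !parts.every((p) => HEX.test(p))) {
    throw new Error('malformed payload');
  }
  const [iv, tag, ciphertext] = parts.map((p) => Buffer.from(p, 'hex'));
  if (iv.length !== IV_BYTES || tag.length !== TAG_BYTES) {
    throw new Error('unexpected IV or tag length');
  }
  const decipher = createDecipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_BYTES });
  decipher.setAuthTag(tag);
  // final() throws if the tag does not match the key, IV and ciphertext.
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString('utf8');
}

// Constructed demo values, not real secrets.
const demoKey = randomBytes(32); // AES-256 needs a 32-byte key
const stored = encrypt('constructed-api-key', demoKey);
console.log(stored.split(':').map((f) => f.length)); // hex lengths per field
console.log(decrypt(stored, demoKey));
```

Pinning the tag length on the decrypt side keeps a truncated `authTag` field from being accepted, and the random IV means encrypting the same value twice yields different stored strings.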