Live Online training

Continuous Encryption on AWS

Learn how to define encryption as code and run it in a deployment pipeline on AWS

Paul Duvall

Encryption is essential for data protection, and AWS is making it easier to encrypt every part of your software systems while offering new techniques to enable encryption at scale via automation. Just like the rest of your software system and infrastructure, encryption can be defined as code. In this course, you will see how encryption as code can be versioned, tested, and applied as part of every source code commit.

This course will help you learn how to use AWS services that provide encryption in transit and at rest, detection, management, and logging. These services include AWS Certificate Manager, AWS Key Management Service, AWS Config Rules, AWS Encryption SDK, Amazon CloudFront, Amazon DynamoDB, AWS Secrets Manager, and AWS CloudTrail.

You’ll also see working examples of how to automate the provisioning of all of these services and how they can be included as part of a deployment pipeline using AWS CloudFormation and AWS CodePipeline.

What you'll learn, and how you can apply it

  • Enable client-side encryption, encryption in transit and at rest, detection, logging, and key management using AWS services
  • Automate the provisioning and configuration of encryption capabilities on AWS as part of a deployment pipeline using AWS CloudFormation and AWS CodePipeline

This training course is for you because...

  • You are a developer who wants to integrate encryption into every facet of the software development and delivery process
  • You are a security professional who wants to learn the AWS services that support encryption and how automation can ensure that all relevant resources are always encrypted
  • You have a working knowledge of AWS and programming experience and want to make encryption ubiquitous across all your systems


Prerequisites

  • Working knowledge of AWS (e.g. 1-2+ years working with AWS). Knowledge of AWS CloudFormation is helpful.
  • High-level programming experience such as Python, Java, Node.js, etc.
  • No knowledge of writing cryptographic algorithms is necessary

Course Set-up

While it's not necessary for the course, it might benefit you to have Administrator access to an existing AWS account: https://aws.amazon.com/premiumsupport/knowledge-center/create-and-activate-aws-account/. Otherwise, you can watch live walkthroughs of the examples during the online training and will have access to these examples afterwards for your own study.

Recommended Preparation

About your instructor

  • Paul Duvall is a founder of Stelligent and Chief AWS Evangelist at Mphasis, which is an AWS Premier Consulting Partner with the DevOps, Security, and Financial Services Competencies that has been implementing Continuous Delivery solutions on AWS since 2009. He's been an AWS Community Hero since 2016.

    He is 6x AWS certified including AWS Certified DevOps Engineer Professional and AWS Certified Security - Specialty. He has architected, implemented, and managed software and systems solutions for over 20 years, and is principal author of Continuous Integration: Improving Software Quality and Reducing Risk (Addison-Wesley, 2007), a 2008 Jolt Award Winner.

    He is also the author of many other publications, including DevOps Essentials on AWS LiveLessons (Addison-Wesley, 2017) and over 30 articles on topics around automation, DevOps, and AWS.


The timeframes are only estimates and may vary according to how the class is progressing.

Introduction (10 min)

Automating AWS Resources (20 min)

  • About AWS CloudFormation
  • Exercise: Launch a simple CloudFormation stack

Developing with Encryption (20 min)

  • About AWS Encryption SDK and AWS Secrets Manager
  • Exercise: Perform client-side encryption

Encryption In Transit (15 min)

  • About encryption in transit for AWS Certificate Manager, Amazon CloudFront, and Elastic Load Balancing
  • Exercise: Launch a website using Amazon CloudFront and AWS Certificate Manager

Q&A (5 min)

Break (10 min)

Encryption At Rest (20 min)

  • About encryption at rest for AWS EBS, Amazon RDS, Amazon DynamoDB, and Amazon S3
  • Exercise: Encrypt a DynamoDB database using AWS CloudFormation

Key Management (25 min)

  • About AWS KMS
  • Exercise: Create a customer-managed customer master key using AWS CloudFormation

Detecting Encrypted Resources (20 min)

  • About AWS Config Rules
  • Exercise: Launch a Managed Config Rule via AWS CloudFormation

Q&A (5 min)

Break (10 min)

Logging Key Usage (20 min)

  • About AWS CloudTrail
  • Exercise: Provision a CloudTrail log and view the JSON payload

Continuous Encryption (25 min)

  • About AWS CodePipeline
  • Exercise: Deployment pipeline for encryption detection and remediation workflow

Summary and Q&A (15 min)