# Encryption

FinOps Center leverages native AWS service encryption for data at rest and in transit.

All FinOps Center data at rest is stored in S3 or DynamoDB. When users access the application, CloudFront provides the TLS (SSL) connection for the frontend application.

#### **1. React Frontend (S3 Hosting)** <a href="#id-1-react-frontend-s3-hosting-0" id="id-1-react-frontend-s3-hosting-0"></a>

**Data at Rest:**

* **S3 Server-Side Encryption (SSE):**
  * **SSE-S3**: Encrypts objects using AES-256, managed by S3.
  * **SSE-KMS**: Uses AWS Key Management Service (KMS) for encryption keys, giving more control over key policies and auditability.
  * **SSE-C**: Customer-provided encryption keys, if you prefer to manage keys outside AWS.
* **Client-Side Encryption:** Use the AWS SDK to encrypt objects before uploading them to S3. You manage the keys and the data is encrypted client-side.

**Data in Transit:**

* Use **HTTPS** (TLS 1.2 or higher) for all communications to and from S3.
* Enforce HTTPS using S3 bucket policies or CloudFront distribution.
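As an added example (not FinOps Center's own code), a constructed bucket policy that enforces both of the points above for the bucket-policy route: a Deny on any request without TLS and a Deny on uploads that do not request SSE-KMS. The `audit_bucket_policy` function is the kind of check an AWS Config custom rule or a CI step would run against the policy document; the bucket name is a placeholder.

```python
# Constructed bucket policy (placeholder bucket name) enforcing HTTPS and SSE-KMS.
BUCKET = "finops-center-frontend-example"
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Reject every S3 API call that did not arrive over TLS.
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # Reject uploads that do not ask for SSE-KMS server-side encryption.
            "Sid": "DenyUnencryptedUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {
                "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}
            },
        },
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_bucket_policy(policy: dict) -> list[str]:
    """Return findings for a bucket policy; an empty list means both controls exist."""
    has_tls_deny = has_kms_deny = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {})
        actions = _as_list(stmt.get("Action", []))
        if cond.get("Bool", {}).get("aws:SecureTransport") == "false" and (
            "s3:*" in actions or "*" in actions
        ):
            has_tls_deny = True
        sse = cond.get("StringNotEquals", {}).get("s3:x-amz-server-side-encryption")
        if sse == "aws:kms" and "s3:PutObject" in actions:
            has_kms_deny = True
    findings = []
    if not has_tls_deny:
        findings.append("no Deny statement for aws:SecureTransport=false (HTTP allowed)")
    if not has_kms_deny:
        findings.append("no Deny statement requiring SSE-KMS on s3:PutObject")
    return findings
```

The same `aws:SecureTransport` condition can be applied in IAM policies for the DynamoDB and Lambda roles, which is how the "enforce HTTPS" rows in the summary table are implemented.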

***

#### **2. QuickSight Dashboards** <a href="#id-2-quicksight-dashboards-1" id="id-2-quicksight-dashboards-1"></a>

**Data at Rest:**

* QuickSight encrypts your data at rest using **AWS KMS** by default.
* For additional control, configure your own **KMS Customer Managed Key (CMK)** for QuickSight to use.

**Data in Transit:**

* All communication between QuickSight, S3, and other AWS services is protected using **TLS 1.2**.

**Embedded Dashboards:**

* Use secure **HTTPS connections** for embedding dashboards within your React frontend.
* FinOps Center uses custom **IAM policies** and **Row-Level Security (RLS)** to ensure users only see authorized data.

***

#### **3. Lambda Functions (Business Logic)** <a href="#id-3-lambda-functions-business-logic-2" id="id-3-lambda-functions-business-logic-2"></a>

**Data at Rest:**

* By default, AWS Lambda encrypts deployment packages and environment variables at rest using AWS-managed keys.
* For additional control, use **KMS** for:
  * Encrypting environment variables (configure KMS keys in Lambda function settings).
  * Encrypting sensitive application secrets (e.g., credentials, tokens) stored in AWS Secrets Manager or SSM Parameter Store.

**Data in Transit:**

* All data passed to and from Lambda is encrypted using **TLS 1.2**.
* Use **HTTPS endpoints** for API Gateway and other services invoked by Lambda.

***

#### **4. DynamoDB (Application Data)** <a href="#id-4-dynamodb-application-data-3" id="id-4-dynamodb-application-data-3"></a>

**Data at Rest:**

* **Default Encryption with AWS KMS**: All DynamoDB tables are encrypted at rest using AES-256.
* Use **Customer Managed KMS Keys (CMK)** for:
  * More control over the encryption keys.
  * Auditability and fine-grained key management.

**Data in Transit:**

* All DynamoDB connections use **TLS 1.2** to secure data in transit.
* Enforce the use of HTTPS for all interactions with DynamoDB.

***

#### **5. Cross-Service Encryption Management** <a href="#id-5-cross-service-encryption-management-4" id="id-5-cross-service-encryption-management-4"></a>

* Use **AWS Key Management Service (KMS)** to unify encryption management across services like S3, Lambda, DynamoDB, and QuickSight.
* Monitor key usage with **AWS CloudTrail** for auditing encryption activities.

***

#### **Summary Table of Encryption Options** <a href="#summary-table-of-encryption-options-5" id="summary-table-of-encryption-options-5"></a>

| **Component**               | **At Rest**                         | **In Transit**  | **Additional Notes**                     |
| --------------------------- | ----------------------------------- | --------------- | ---------------------------------------- |
| **S3 (React Frontend)**     | SSE-S3, SSE-KMS, SSE-C, Client-Side | TLS 1.2 (HTTPS) | Enforce HTTPS using policies.            |
| **QuickSight**              | AWS KMS (default or CMK)            | TLS 1.2         | Use IAM and Row-Level Security (RLS).    |
| **Lambda (Business Logic)** | AWS KMS for environment variables   | TLS 1.2         | Use KMS for Secrets Manager or SSM data. |
| **DynamoDB (Data Storage)** | AWS KMS (default or CMK)            | TLS 1.2 (HTTPS) | Enforce HTTPS for DynamoDB connections.  |

***

#### **Tools for Monitoring and Auditing Encryption** <a href="#tools-for-monitoring-and-auditing-encryption-6" id="tools-for-monitoring-and-auditing-encryption-6"></a>

* **AWS CloudTrail**: Track key usage, access logs, and API calls.
* **AWS CloudWatch**: Monitor encryption-related metrics.
* **AWS Config**: Ensure encryption configurations remain compliant with best practices.

#### **6. Agent Bill Bedrock Agent**

Agent Bill has an additional encrypted connection between the MCP Server on Lambda and the Bedrock Agent/Action Group.

**Data in Transit:**

* All data passed to and from Lambda (MCP Server) is encrypted using **TLS 1.2**.
* Use **HTTPS endpoints** for API Gateway and other services invoked by Lambda.
