Tags: database, encryption, amazon-rds, amazon-mws

Database Encryption At Rest - Amazon RDS internal vs. application level


We need to ensure our software is compliant with Amazon Marketplace Web Services (MWS) conditions of use. One key area is database encryption at rest for PII.

We use Amazon RDS and have encryption at rest enabled already (https://aws.amazon.com/rds/features/security/). On its own, this is our perfect solution as it allows simple data access and search from within our application.

In addition to the encryption provided by RDS, there are a lot of solutions available to repeat and/or replace this at an application level, i.e., a function is used to encrypt and decrypt the data into and out of the database.

My question is... are both of these necessary? Amazon will be able to approve/disapprove our plan either way but I wonder more from a pragmatic viewpoint.

My thoughts are:

  • If the webserver is compromised then either way our data is likely to be exposed.

  • If the database server is compromised, whether we use RDS integrated encryption and/or our own, then the data is secure.


Solution

  • From the research I have done, the primary need for at rest encryption is for either database server attacks or physical removal of the hardware storing data (i.e. theft of a hard drive).

    When using Amazon RDS with a private network between your webserver and database server, both of the above scenarios are generally considered quite unlikely.

    However, it is still a requirement by MWS that you have at rest encryption in place. In this case, there appears to be little difference between using Amazon RDS's in-built at rest encryption vs. encrypting/decrypting at application level.

    The complexity of doing it at application level means in most cases RDS only encryption would be preferred.

    Amazon MWS have confirmed that this is also the case as far as meeting their requirements.