Lesson 14: Security Architecture: Encryption & Key Management

Multi-Region Platform Engineering: AWS, Kubernetes, and Aurora at Scale

Episode 14 of 16 | Duration: 18 minutes

Target Audience: Senior platform engineers, SREs, DevOps engineers (5+ years experience)




What You'll Learn

  • Encryption at rest: KMS per-region keys vs multi-region keys, envelope encryption, key rotation
  • Encryption in transit: TLS 1.3 for external traffic, mTLS for service-to-service, certificate management at scale
  • Multi-region key management: Per-region isolation (secure, complex failover) vs replicated keys (simple, wider blast radius)
  • Zero-trust networking: VPC endpoints eliminate internet exposure, PrivateLink for service access
  • Security monitoring: CloudTrail multi-region aggregation, GuardDuty findings, Security Hub centralization
