You can encrypt the content of your resources. This basically means that the content can't be viewable by an AWS employee. The only way to decrypt the content is via logging into the AWS Account that created the encrypted data in the first place, and also you need to login with the appropriate account privileges.
There are 3 main resource types, whose data you can encrypt:
- S3 Buckets
- Uses AES-256 encription to encrypt data at rest. It is decrypted only when it receives a valid request, by a valid IAM user or ec2 instance.
- EBS volumes -
- When enabled, this essentially means that the EC2 instance will first always encrypt the data before sending it to the EBS volume for storage.
- EBS snapshot therefore only stores encrypted data. only A user with the right IAM role can access this data by mounting it onto a EBS volume.
- RDS level encryption
- here the underlying EC2 instances encrypts the data before storing it on it's block devices (which could also be an EBS device)
- Automated backups and snapshots are consequently encrypted too. Note, snapshots are backups that are manually created
- Read replicas are encrypted too
- By default RDS endpoints are https rather than http, so that data traffic are also encrypted.