Introducing Field-Level Encryption on Amazon CloudFront
Starting today, you can use a new Amazon CloudFront capability called Field-Level Encryption to further enhance the security of sensitive data, such as credit card numbers or personally identifiable information (PII) like social security numbers. CloudFront’s field-level encryption further encrypts sensitive data in an HTTPS form using field-specific encryption keys (which you supply) before a POST request is forwarded to your origin. This ensures that sensitive data can only be decrypted and viewed by certain components or services in your application stack.
Many web applications collect sensitive data from users that is then processed by application services running on the origin infrastructure. All these web applications use SSL/TLS encryption between the end user and CloudFront, and between CloudFront and your origin. Your origin could have multiple micro-services that perform critical operations based on user input. For instance, an e-commerce site could collect the purchaser’s credit card number as well as their shipping address to process an order. These orders may be processed by a payment micro-service as well as an order fulfillment service in the application layer. The order fulfillment service doesn't need access to credit card numbers. With field-level encryption, CloudFront’s edge locations can encrypt the credit card data. From that point on, only applications that have the private keys can decrypt the sensitive fields. So the order fulfillment service can only view encrypted credit card numbers, but the payment services can decrypt credit card data. This ensures a higher level of security since even if one of the application services leaks plain text, the credit card data remains cryptographically protected.
Field-level encryption is easy to setup. Simply configure the fields that have to be further encrypted by CloudFront using the public keys you specify and you can reduce attack surface for your sensitive data. This makes it easier to meet security compliance requirements such as PCI DSS. Field-level encryption is charged based on the number of requests that need the additional encryption; you pay $0.02 for every 10,000 requests that CloudFront encrypts using field-level encryption in addition to the standard HTTPS request fee; see the pricing page for more details.
To learn more about how field-level encryption works, see our documentation. To help you get started, we have written a blog post that includes a sample application deployed using CloudFormation template and detailed walk-through steps for setting up and testing field-level encryption functionality.