Data encryption during transit for AWS Ground Station
AWS Ground Station provides encryption by default to protect your sensitive data during transit. Data can be streamed between AWS Ground Station antenna locations and your Amazon EC2 instances in two ways, depending on the mission profile configuration.
- AWS Ground Station Agent
- Dataflow endpoint
Each method of streaming data handles encrypting data in transit differently. The following sections describe each method.
AWS Ground Station Agent streams
AWS Ground Station Agent encrypts its streams using customer managed AWS KMS keys. The AWS Ground Station Agent running on your Amazon EC2 instance automatically decrypts the stream before delivering the data to you.
The AWS KMS key used for encrypting a stream is specified when creating a MissionProfile in the streamsKmsKey parameter. All permissions granting AWS Ground Station access to the keys are handled through the AWS KMS key policy attached to streamsKmsKey.
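Because the key policy on streamsKmsKey is the only thing that grants AWS Ground Station access to the key, it is worth checking that policy before attaching it. The following is an added example, not code or a policy from the AWS documentation: it audits a constructed key policy for the properties a reviewer would look for (a statement for the Ground Station service principal, scoped to your account, no wildcard principals). The service principal name, the aws:SourceAccount condition and the account ID are assumptions for illustration; confirm the exact statement against the AWS Ground Station documentation.

```python
import json

# Constructed sample key policy for a streamsKmsKey. The account ID is a placeholder and
# the service principal / condition key are assumptions, not taken from the AWS docs.
SAMPLE_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableRootAccountAdmin", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowGroundStationToUseKey", "Effect": "Allow",
         "Principal": {"Service": "groundstation.amazonaws.com"},
         "Action": ["kms:GenerateDataKey", "kms:Decrypt", "kms:CreateGrant"],
         "Resource": "*",
         "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}}},
    ],
})

GROUND_STATION_PRINCIPAL = "groundstation.amazonaws.com"  # assumed service principal


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_streams_key_policy(policy_json, account_id):
    """Return a list of findings for a streamsKmsKey key policy; empty means all checks passed."""
    findings = []
    grants_ground_station = False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        # An Allow to everyone lets callers outside the account use the key.
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"{sid}: allows a wildcard principal")
            continue
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if GROUND_STATION_PRINCIPAL not in services:
            continue
        grants_ground_station = True
        # Without a source-account condition the service grant is not tied to your account.
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("aws:SourceAccount") != account_id:
            findings.append(f"{sid}: service grant not restricted to account {account_id}")
        if "kms:*" in _as_list(stmt.get("Action", [])):
            findings.append(f"{sid}: grants kms:* to the service principal")
    if not grants_ground_station:
        findings.append(f"no Allow statement for {GROUND_STATION_PRINCIPAL}")
    return findings
```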
Dataflow endpoint streams
Dataflow endpoint streams are encrypted using Datagram Transport Layer Security (DTLS)