Field-Level Encryption in Amazon CloudFront
1. Introduction
Field-Level Encryption (FLE) is a security feature provided by Amazon Web Services (AWS) and implemented in Amazon CloudFront.
It allows you to encrypt specific sensitive fields in an HTTP request instead of relying only on HTTPS, which encrypts the entire connection.
This ensures that sensitive data remains encrypted even when it travels through multiple backend components.
2. The Security Problem
HTTPS provides:
- Encryption in transit
- Protection against man-in-the-middle attacks
However:
- Once TLS is terminated at the backend, the request body is in plaintext.
- In multi-tier architectures (ALB, EC2, Lambda, microservices), sensitive data may be exposed to every internal component that handles the request, including logs and intermediate services that have no need to see it.
Field-Level Encryption solves this by:
- Encrypting only selected fields (e.g., credit card numbers).
- Keeping those fields encrypted until they reach the trusted backend system with the private key.
3. How It Works
Step 1 – Client Sends Request
A user submits an HTTPS POST request containing:
- name
- email
- credit_card_number (sensitive field)
Step 2 – Encryption at CloudFront Edge
At the CloudFront Edge Location:
- CloudFront uses the RSA public key uploaded for the distribution.
- Only the configured sensitive field (e.g., credit_card_number) is encrypted.
- Other fields remain unchanged.
Step 3 – Request Sent to Origin
The origin server receives:
- name → readable
- email → readable
- credit_card_number → encrypted (ciphertext)
Step 4 – Decryption at Backend
The backend application:
- Uses the corresponding private key
- Decrypts the encrypted field
- Processes the data securely, so the plaintext only ever exists in the system that holds the private key
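The following is an added example, not AWS's implementation, that walks through Steps 1 to 4 in Go: a profile names the fields to protect, an edge-side function replaces only those fields in a form-encoded POST body with RSA ciphertext, an intermediate tier can inspect the body without learning the card number, and only the private-key holder recovers it. It assumes RSA-OAEP with SHA-256 over the raw field value, with the field name used as the OAEP label; the real CloudFront ciphertext format is different and is not reproduced here. The key pair and request body are constructed for the example.

```go
// Added example: edge-side field encryption and origin-side decryption.
// Illustrative only; it assumes RSA-OAEP/SHA-256 over the raw field value,
// which is a simplification of CloudFront's actual ciphertext format.
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// Profile mirrors a Field-Level Encryption profile: the form field names
// whose values must be encrypted at the edge.
type Profile struct {
	Fields []string
}

// NewKey generates a constructed key pair. CloudFront requires a 2048-bit
// RSA public key, so the same size is used here.
func NewKey() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

// EncryptFields models Step 2. It parses an application/x-www-form-urlencoded
// body and replaces only the configured fields with base64-encoded RSA-OAEP
// ciphertext. Every other field passes through unchanged.
func EncryptFields(body string, p Profile, pub *rsa.PublicKey) (string, error) {
	form, err := url.ParseQuery(body)
	if err != nil {
		return "", err
	}
	// One RSA-OAEP operation can encrypt at most k - 2*hLen - 2 bytes;
	// longer values would need hybrid (envelope) encryption.
	maxLen := pub.Size() - 2*sha256.Size - 2
	for _, name := range p.Fields {
		vals, ok := form[name]
		if !ok {
			continue // field absent from this request; nothing to encrypt
		}
		for i, v := range vals {
			if len(v) > maxLen {
				return "", fmt.Errorf("field %q exceeds %d bytes; needs hybrid encryption", name, maxLen)
			}
			// The field name is used as the OAEP label, so a ciphertext
			// produced for one field cannot be replayed as another field.
			ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(v), []byte(name))
			if err != nil {
				return "", err
			}
			vals[i] = base64.StdEncoding.EncodeToString(ct)
		}
		form[name] = vals
	}
	return form.Encode(), nil
}

// FieldValue is all an intermediate tier (ALB, a logging proxy, a service
// without the key) can do with the body: read the field as delivered.
func FieldValue(body, name string) (string, error) {
	form, err := url.ParseQuery(body)
	if err != nil {
		return "", err
	}
	return form.Get(name), nil
}

// DecryptField models Step 4 at the trusted origin: only the private-key
// holder recovers the plaintext, and the label must match the field name.
func DecryptField(name, b64 string, priv *rsa.PrivateKey) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, []byte(name))
	if err != nil {
		return "", errors.New("decryption failed: wrong key, wrong field, or tampered ciphertext")
	}
	return string(pt), nil
}

func main() {
	priv := NewKey()
	profile := Profile{Fields: []string{"credit_card_number"}}
	// Constructed sample request body from Step 1.
	clientBody := "name=Alice&email=alice%40example.com&credit_card_number=4111111111111111"

	originBody, err := EncryptFields(clientBody, profile, &priv.PublicKey) // Step 2
	if err != nil {
		panic(err)
	}
	fmt.Println("origin receives:", originBody) // Step 3: card number is ciphertext
	enc, _ := FieldValue(originBody, "credit_card_number")
	pan, err := DecryptField("credit_card_number", enc, priv) // Step 4
	if err != nil {
		panic(err)
	}
	fmt.Println("backend decrypts:", pan)
}
```

Note that `url.Values.Encode` percent-encodes the base64 characters `+`, `/` and `=`, and `url.ParseQuery` reverses that at the origin, so the ciphertext survives the form encoding unchanged. The size check matters in practice: a card number fits in one RSA block, but a larger field (CloudFront allows values far longer than 190 bytes) has to be wrapped with a symmetric key rather than encrypted directly with RSA.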
4. Key Components
- Public Key
  - Uploaded to CloudFront
  - Used to encrypt sensitive fields
- Private Key
  - Stored securely at the backend
  - Used to decrypt encrypted fields
- Field-Level Encryption Profile
  - Defines which fields must be encrypted
- Field-Level Encryption Configuration
  - Attached to a CloudFront distribution behavior
5. HTTPS vs Field-Level Encryption
| Feature | HTTPS | Field-Level Encryption |
|---|---|---|
| Encrypts data in transit | Yes | Yes |
| Encrypts specific fields | No | Yes |
| Protects sensitive data across backend layers | No | Yes |
| Encrypts individual fields with a recipient's RSA public key | No | Yes |
6. When to Use It
- Online payment systems (PCI DSS compliance)
- Applications collecting personally identifiable information (PII)
- Multi-tier or microservices architectures
- Systems requiring strict decryption access control
7. Summary
Field-Level Encryption in Amazon CloudFront:
- Encrypts specific fields in HTTP requests.
- Performs encryption at the Edge Location.
- Ensures only trusted systems with the private key can decrypt data.
- Provides stronger protection for sensitive data compared to HTTPS alone.
It is especially useful for financial systems and applications handling highly sensitive user data.