Encryption protects data at rest or in transit, but it does not decide who is allowed to reach the data. Access control governs the identities and roles that can open, copy, modify, or export it. Mature AWS governance needs both, because encrypted data with broad entitlements can still be exposed through legitimate credentials.
Why This Matters for Security Teams
Encryption and access control are often discussed together, but they solve different problems. Encryption protects data confidentiality, whether it sits in Amazon S3, moves across a network, or is stored in a database backup. Access control decides whether a principal, human or non-human, may read, write, copy, or export that data. If entitlements are too broad, encrypted data can still be exposed through legitimate credentials, which is why NHI governance must treat identity as the real control plane.
This matters most in AWS because service roles, API keys, CI/CD runners, and workload identities can all reach sensitive data without a human in the loop. The Ultimate Guide to NHIs notes that 97% of NHIs carry excessive privileges, which means the access decision is frequently the weak point rather than the cipher. That pattern shows up in real incidents covered in the 52 NHI Breaches Analysis, where leaked secrets and over-permissioned identities turn protected data into reachable data.
From a governance perspective, this aligns with the least-privilege expectations in NIST Cybersecurity Framework 2.0 and the identity misuse themes in the OWASP Non-Human Identity Top 10. In practice, many security teams encounter overexposure only after a legitimate role is abused, rather than through intentional misuse testing.
How It Works in Practice
In AWS, encryption is the data-layer safeguard and access control is the identity-layer gate. A file in S3 may be encrypted with AWS KMS, but that does not stop a role with GetObject permissions from downloading it. Likewise, an encrypted database snapshot still becomes readable if the attached IAM role, secret, or session token is valid. The effective control is the combination of storage encryption, key management, IAM policy, resource policy, and session boundaries.
Practitioners should think in terms of specific permissions rather than broad “secure bucket” assumptions. Good practice includes:
- Use encryption by default for data at rest and TLS for data in transit.
- Apply least-privilege IAM so NHIs can only access the exact data actions they need.
- Prefer short-lived credentials and JIT access where operationally feasible.
- Separate key administration from data access so the same identity cannot both decrypt and exfiltrate freely.
- Review resource policies, KMS key policies, and trust policies together, not in isolation.
The NHI problem is usually the access path, not the encryption algorithm. The Ultimate Guide to NHIs — Key Challenges and Risks highlights how misconfigured vaults and long-lived secrets expand exposure, while Ultimate Guide to NHIs — Key Research and Survey Results shows how common secret sprawl remains. In AWS terms, that means a protected object can still be reachable through a CI job, Lambda execution role, federated workload token, or an over-permissioned service account. These controls tend to break down when identities are reused across environments because one trusted role then becomes a convenient route to many encrypted datasets.
Common Variations and Edge Cases
Tighter access control often increases operational overhead, so organisations must balance blast-radius reduction against deployment speed and support burden. That tradeoff is especially visible in AWS when teams share roles across pipelines, development accounts, and production workloads.
There is no universal standard for every environment, but current guidance suggests treating long-lived secrets as a liability and moving toward ephemeral credentials wherever possible. For human operators, that may mean stronger RBAC, MFA, and break-glass processes. For NHIs, it usually means workload identity, scoped sessions, and policy conditions that bind access to workload, environment, and purpose. Encryption still matters, but it is not a substitute for intent-aware authorisation.
Edge cases often appear in data sharing and automation-heavy environments. Backup jobs, cross-account analytics, and data lake exports can all preserve encryption while widening access paths. The same is true for agentic workloads that chain tools: if an autonomous process can assume another role, call a secret store, and export data in one workflow, encryption alone offers little protection. For implementation detail, the NIST Cybersecurity Framework 2.0 reinforces continuous governance, while the OWASP Non-Human Identity Top 10 remains the best starting point for identity risk validation. Where regulated payment data is involved, PCI DSS v4.0 adds another reason to verify both encryption and explicit authorization. In practice, this guidance breaks down when legacy apps require shared credentials, because attribution and revocation become too weak to support reliable access decisions.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Identity misuse is the main gap when encryption exists but access is too broad. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access control is central to protecting encrypted AWS data. |
| OWASP Agentic AI Top 10 | A1 | Autonomous workloads need runtime authorization, not static access assumptions. |
Use context-aware, JIT authorization for agents instead of fixed long-lived permissions.
Related resources from NHI Mgmt Group
- What is the difference between reviewing human access and reviewing NHIs?
- What is the difference between role-based access and API key governance for NHI security?
- What is the difference between protecting applications and protecting access?
- What is the difference between attack surface management and NHI governance?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on May 26, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
