SEC 9: How do you protect your data in transit?

Protect your data in transit by implementing multiple controls to reduce the risk of unauthorized access or loss.

Resources

AWS Certificate Manager
Services Integrated with AWS Certificate Manager
HTTPS Listeners for Your Application Load Balancer
AWS VPN
API Gateway Edge-Optimized

Best Practices:

Improvement Plan

Implement secure key and certificate management

  • Implement secure key and certificate management: Implement your defined secure key and certificate management solution.
    AWS Certificate Manager
    How to host and manage an entire private certificate infrastructure in AWS
  • Implement secure protocols: Use secure protocols that offer authentication and confidentiality, such as Transport Layer Security (TLS) or IPsec, to reduce the risk of data tampering or loss. Check the AWS documentation for the protocols and security relevant to the services that you are using.
    AWS Documentation
  • Enforce encryption in transit

  • Enforce encryption in transit: Your defined encryption requirements should be based on the latest standards and best practices and only allow secure protocols. For example, only configure a security group to allow HTTPS protocol to an Application Load Balancer or EC2 instance.
  • Configure secure protocols in edge services: Configure HTTPS with Amazon CloudFront and required ciphers.
    Using HTTPS with CloudFront
  • Use a VPN for external connectivity: Consider using an IPsec VPN for securing point-to-point or network-to-network connections to provide both data privacy and integrity.
    VPN connections
  • Configure secure protocols in load balancers: Enable HTTPS listener for securing connections to load balancers.
    HTTPS listeners for your application load balancer
  • Configure secure protocols for instances: Consider configuring HTTPS encryption on instances.
    Tutorial: Configure Apache web server on Amazon Linux 2 to use SSL/TLS
  • Configure secure protocols in Amazon Relational Database Service (Amazon RDS): Use SSL/TLS to encrypt connection to database instances.
    Using SSL to encrypt a connection to a DB Instance
  • Configure secure protocols in Amazon Redshift: Configure your cluster to require an SSL/TLS connection.
    Configure security options for connections
  • Configure secure protocols in additional AWS services: For the AWS services you use, determine the encryption in transit capabilities.
    AWS documentation
  • Automate detection of unintended data access

  • Automate detection of unintended data access: Use a tool or detection mechanism to automatically detect attempts to move data outside of defined boundaries, for example, to detect a database system that is copying data to an unrecognized host.
    VPC Flow Logs
  • Consider Amazon Macie: Amazon Macie continuously monitors data access activity for anomalies, and generates detailed alerts when it detects risk of unauthorized access or inadvertent data leaks.
    Amazon Macie
  • Authenticate network communications

  • Implement secure protocols: Use secure protocols that offer authentication and confidentiality, such as Transport Layer Security (TLS) or IPsec, to reduce the risk of data tampering or loss. Check the AWS documentation for the protocols and security relevant to the services you are using.
    AWS Documentation