This content is outdated. This version of the Well-Architected Framework is now found at: https://docs.aws.amazon.com/en_us/wellarchitected/2022-03-31/framework/security.html
SEC 9: How do you protect your data in transit?
Protect your data in transit by implementing multiple controls to reduce
the risk of unauthorized access or loss.
Resources
AWS Certificate Manager
Services Integrated with AWS Certificate Manager
HTTPS Listeners for Your Application Load Balancer
AWS VPN
API Gateway Edge-Optimized
- Implement secure key and certificate management: Store encryption keys and certificates securely and rotate them at appropriate time intervals while applying strict access control; for example, by using a certificate management service, such as AWS Certificate Manager (ACM).
- Enforce encryption in transit: Enforce your defined encryption requirements based on appropriate standards and recommendations to help you meet your organizational, legal, and compliance requirements.
- Automate detection of unintended data access: Use tools such as GuardDuty to automatically detect attempts to move data outside of defined boundaries based on data classification level, for example, to detect a trojan that is copying data to an unknown or untrusted network using the DNS protocol.
- Authenticate network communications: Verify the identity of communications by using protocols that support authentication, such as Transport Layer Security (TLS) or IPsec.
Improvement Plan
Implement secure key and certificate management
Implement secure key and certificate management: Implement your defined secure key and certificate management solution.
AWS Certificate Manager
How to host and manage an entire private certificate infrastructure in AWS
Enforce encryption in transit
Enforce encryption in transit: Base your defined encryption requirements on the latest standards and best practices, and allow only secure protocols. For example, configure the security group in front of an Application Load Balancer or EC2 instance to allow only HTTPS (TCP port 443) rather than HTTP (port 80). If you keep port 80 open so that clients can be redirected, make sure the HTTP listener does nothing except redirect to HTTPS.
Configure secure protocols in edge services: Configure HTTPS with Amazon CloudFront and required ciphers.
Using HTTPS with CloudFront
Use a VPN for external connectivity: Consider using an IPsec VPN for securing point-to-point or network-to-network connections
to provide both data privacy and integrity.
VPN connections
Configure secure protocols in load balancers: Enable an HTTPS listener, backed by an ACM certificate and a TLS 1.2-or-newer security policy, for securing connections to load balancers.
HTTPS listeners for your application load balancer
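The security group and listener checks above are easy to verify from exported configuration. The following is an added example (not code from the Well-Architected page or from AWS): it audits records in the shape that `aws ec2 describe-security-groups` and `aws elbv2 describe-listeners` print, flagging internet-reachable ports other than 443, HTTP listeners that forward instead of redirecting, and HTTPS listeners whose security policy may still accept TLS 1.0/1.1. The JSON records are constructed for the example, and the policy-name heuristic is an assumption noted in the code.

```python
"""Audit exported load balancer configuration for plaintext or weak-TLS ingress.

Added example, not from the AWS page. Input shapes follow the JSON printed by
`aws ec2 describe-security-groups` and `aws elbv2 describe-listeners`; the
records below are constructed for the example, not captured from an account.
"""
import json
import re

# Constructed describe-security-groups output for a load balancer's security group.
SECURITY_GROUPS = json.loads("""
{"SecurityGroups": [{"GroupId": "sg-0123456789abcdef0", "GroupName": "alb-sg",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]}]}
""")

# Constructed describe-listeners output for the same Application Load Balancer.
LISTENERS = json.loads("""
{"Listeners": [
  {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/web/1111/aaaa",
   "Port": 80, "Protocol": "HTTP",
   "DefaultActions": [{"Type": "forward",
     "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/web/2222"}]},
  {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/web/1111/bbbb",
   "Port": 443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-2016-08",
   "Certificates": [{"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/3333"}],
   "DefaultActions": [{"Type": "forward",
     "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/web/2222"}]}]}
""")

INTERNET = {"0.0.0.0/0", "::/0"}
# Assumption: ELB policy names containing "-1-2-" or "-1-3-" (TLS-1-2-2017-01,
# FS-1-2-Res-2020-10, TLS13-1-2-2021-06, ...) negotiate TLS 1.2 or newer only, while
# older generic policies such as ELBSecurityPolicy-2016-08 still accept TLS 1.0/1.1.
# Check the current ALB security policy table before relying on this heuristic.
MODERN_POLICY = re.compile(r"-1-[23]-")


def open_to_internet(perm):
    """True if a security group rule admits any source address (IPv4 or IPv6)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(c in INTERNET for c in cidrs)


def audit_security_groups(doc, allowed_ports=(443,)):
    """Report every internet-reachable port or protocol that is not in allowed_ports."""
    findings = []
    for sg in doc["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            if not open_to_internet(perm):
                continue
            proto = perm["IpProtocol"]
            if proto not in ("tcp", "udp"):  # "-1" means all traffic; icmp etc. carry no port
                findings.append((sg["GroupId"], proto, f"{proto} open to the internet"))
                continue
            for port in range(perm["FromPort"], perm["ToPort"] + 1):
                if port not in allowed_ports:
                    findings.append((sg["GroupId"], port, f"{proto}/{port} open to the internet"))
    return findings


def redirects_to_https(action):
    cfg = action.get("RedirectConfig", {})
    return action.get("Type") == "redirect" and cfg.get("Protocol") == "HTTPS"


def audit_listeners(doc):
    """Flag HTTP listeners that serve traffic and HTTPS listeners with a permissive policy."""
    findings = []
    for lst in doc["Listeners"]:
        where = f"{lst['Protocol']}:{lst['Port']}"
        if lst["Protocol"] == "HTTP":
            if not all(redirects_to_https(a) for a in lst["DefaultActions"]):
                findings.append((where, "plaintext listener does not redirect to HTTPS"))
        elif lst["Protocol"] == "HTTPS":
            policy = lst.get("SslPolicy", "")
            if not MODERN_POLICY.search(policy):
                findings.append((where, f"policy {policy} may accept TLS 1.0/1.1"))
            if not lst.get("Certificates"):
                findings.append((where, "no certificate attached"))
    return findings


if __name__ == "__main__":
    for finding in audit_security_groups(SECURITY_GROUPS) + audit_listeners(LISTENERS):
        print(*finding)
```

Run against the constructed records, the audit reports the open port 80, the HTTP listener that forwards traffic, and the 2016-08 policy; the 443 rule, the internal 8443 rule and the attached ACM certificate pass. Feed it the real CLI output (`aws ec2 describe-security-groups --group-ids ...` and `aws elbv2 describe-listeners --load-balancer-arn ...`) to audit a live account.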
Configure secure protocols for instances: Consider configuring HTTPS encryption on instances.
Tutorial: Configure Apache web server on Amazon Linux 2 to use SSL/TLS
Configure secure protocols in Amazon Relational Database Service (Amazon RDS): Use SSL/TLS to encrypt connections to database instances, and have clients verify the server certificate against the RDS CA bundle rather than merely requiring encryption.
Using SSL to encrypt a connection to a DB Instance
Configure secure protocols in Amazon Redshift: Configure your cluster to require an SSL/TLS connection.
Configure security options for connections
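Whether the RDS or Redshift connection is really protected depends on the client's `sslmode`, and the difference between "encrypted" and "authenticated" is easy to miss. The following is an added example (not code from the Well-Architected page or from AWS): it classifies a PostgreSQL-style connection string using libpq's documented `sslmode` semantics, builds one that both encrypts and verifies the server, and checks a Redshift parameter record for `require_ssl`. The CA bundle path, hostnames and the Redshift parameter record are constructed placeholders.

```python
"""Check whether a database client connection string both encrypts and authenticates,
and build one that does.

Added example, not from the AWS page. The sslmode semantics are libpq's, which RDS
for PostgreSQL clients and the Redshift drivers follow; the CA bundle path and the
Redshift parameter record are constructed placeholders.
"""
from urllib.parse import parse_qs, urlparse

# libpq sslmode -> (encryption guaranteed, server identity verified)
SSLMODE = {
    "disable": (False, False),
    "allow": (False, False),      # plaintext unless the server refuses it
    "prefer": (False, False),     # the default: silently falls back to plaintext
    "require": (True, False),     # encrypted, but any server certificate is accepted
    "verify-ca": (True, False),   # any certificate from the trusted CA, for any host
    "verify-full": (True, True),  # trusted CA and the certificate must name this host
}

# Constructed `aws redshift describe-cluster-parameters` output (abridged).
REDSHIFT_PARAMS = [
    {"ParameterName": "require_ssl", "ParameterValue": "false", "Source": "engine-default"},
    {"ParameterName": "enable_user_activity_logging", "ParameterValue": "true", "Source": "user"},
]

ROOTCERT_MSG = ("verify-full needs sslrootcert pointing at the CA bundle "
                "(libpq looks only in ~/.postgresql/root.crt by default)")


def parse_dsn(dsn):
    """Accept libpq 'key=value ...' strings or postgresql:// URLs; return the settings."""
    if dsn.startswith(("postgres://", "postgresql://")):
        url = urlparse(dsn)
        params = {k: v[-1] for k, v in parse_qs(url.query).items()}
        params["host"] = url.hostname or ""
        return params
    return dict(item.split("=", 1) for item in dsn.split())


def assess_dsn(dsn):
    """Return the reasons the connection could be read or impersonated on the wire."""
    params = parse_dsn(dsn)
    mode = params.get("sslmode", "prefer")  # libpq's default when unset
    encrypted, authenticated = SSLMODE.get(mode, (False, False))
    problems = []
    if not encrypted:
        problems.append(f"sslmode={mode} does not guarantee encryption")
    elif not authenticated:
        problems.append(f"sslmode={mode} does not verify the server's identity")
    elif not params.get("sslrootcert"):
        problems.append(ROOTCERT_MSG)
    return problems


def hardened_dsn(host, dbname, user, ca_bundle="/etc/ssl/certs/rds-global-bundle.pem"):
    """Connection string that encrypts and authenticates; ca_bundle is a placeholder path."""
    return f"host={host} dbname={dbname} user={user} sslmode=verify-full sslrootcert={ca_bundle}"


def redshift_requires_ssl(parameters):
    """True only if the cluster parameter group sets require_ssl=true."""
    return any(p["ParameterName"] == "require_ssl" and p["ParameterValue"].lower() == "true"
               for p in parameters)


if __name__ == "__main__":
    for dsn in ("host=db.example.internal dbname=app user=app sslmode=require",
                hardened_dsn("db.example.internal", "app", "app")):
        print(dsn, "->", assess_dsn(dsn) or "ok")
    print("redshift require_ssl:", redshift_requires_ssl(REDSHIFT_PARAMS))
```

The point the check makes concrete: `sslmode=require` satisfies "use SSL/TLS" but lets anyone who can intercept the connection present their own certificate, and `verify-ca` with the shared RDS CA bundle accepts a certificate issued for any RDS instance, so only `verify-full` ties the session to the host you meant to reach. Enforce the same thing server-side with the `rds.force_ssl` parameter on RDS for PostgreSQL and `require_ssl` on Redshift, so that a misconfigured client cannot negotiate plaintext.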
Configure secure protocols in additional AWS services: For the AWS services you use, determine the encryption in transit capabilities.
AWS documentation
Automate detection of unintended data access
Automate detection of unintended data access: Use a tool or detection mechanism to automatically detect attempts to move data outside
of defined boundaries, for example, to detect a database system that is copying data
to an unrecognized host.
VPC Flow Logs
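VPC Flow Logs give you the raw material for the "database copying data to an unrecognized host" case above. The following is an added example (not code from the Well-Architected page or from AWS): it parses records in the default version-2 flow log format, keeps only accepted traffic whose source is in the database subnet and whose destination is outside the known peer ranges, and sums bytes per flow so that a sustained transfer stands out. The log lines, subnets and threshold are constructed for the example.

```python
"""Detect a database host sending data to hosts outside its expected peers,
from VPC Flow Log records.

Added example, not from the AWS page. Records use the default version-2 flow
log format; the log lines, subnets and thresholds are constructed for the
example and should be replaced with your own address plan.
"""
import ipaddress
from collections import defaultdict

FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()

DB_SUBNETS = [ipaddress.ip_network("10.0.2.0/24")]        # where the database instances live
KNOWN_PEERS = [ipaddress.ip_network("10.0.0.0/16"),       # the VPC itself
               ipaddress.ip_network("192.168.0.0/16")]    # on-premises range reached over VPN

# Constructed flow log lines, one record per line.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.15 10.0.1.20 5432 51234 6 900 1200000 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.15 203.0.113.77 43012 443 6 22000 30000000 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.15 203.0.113.77 43012 443 6 18000 25000000 1600000060 1600000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.15 198.51.100.9 43013 443 6 12 2000 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.15 203.0.113.5 43014 22 6 3 180 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1600000120 1600000180 - NODATA
"""


def parse_record(line):
    """Split one default-format record into a field dict; None if it is malformed."""
    fields = line.split()
    if len(fields) != len(FIELDS):
        return None
    return dict(zip(FIELDS, fields))


def in_any(addr, networks):
    return any(addr in net for net in networks)


def detect_unexpected_egress(lines, threshold_bytes=10_000_000):
    """Sum accepted bytes from DB hosts to non-peer destinations; return flows over threshold."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_record(line)
        # NODATA/SKIPDATA records carry '-' in the address fields, and only
        # ACCEPTed traffic actually moved data, so skip everything else.
        if rec is None or rec["log-status"] != "OK" or rec["action"] != "ACCEPT":
            continue
        src = ipaddress.ip_address(rec["srcaddr"])
        dst = ipaddress.ip_address(rec["dstaddr"])
        if not in_any(src, DB_SUBNETS) or in_any(dst, KNOWN_PEERS):
            continue
        totals[(rec["srcaddr"], rec["dstaddr"], rec["dstport"])] += int(rec["bytes"])
    return {flow: total for flow, total in totals.items() if total >= threshold_bytes}


if __name__ == "__main__":
    for (src, dst, port), total in detect_unexpected_egress(SAMPLE_LOG.splitlines()).items():
        print(f"{src} -> {dst}:{port} sent {total} bytes outside known peers")
```

On the constructed sample, the two windows to 203.0.113.77 add up to 55 MB and are reported; the 1.2 MB to the application tier is to a known peer, the 2 KB to 198.51.100.9 is under the threshold, and the REJECT and NODATA records are ignored. Flow logs carry no payload and aggregate per capture window, so treat a hit as a lead to pivot on (the ENI, the process on the instance, GuardDuty findings for the same host), not as proof of exfiltration.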
Consider Amazon Macie: Amazon Macie continuously monitors data access activity for anomalies, and generates detailed
alerts when it detects risk of unauthorized access or inadvertent data leaks.
Amazon Macie
Authenticate network communications
Implement secure protocols: Use secure protocols that offer authentication and confidentiality, such as Transport
Layer Security (TLS) or IPsec, to reduce the risk of data tampering or loss. Check the AWS documentation
for the protocols and security relevant to the services you are using.
AWS Documentation
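In TLS, the authentication this practice asks for comes from the client verifying the server's certificate chain and hostname, and, when you need both sides authenticated, from the client presenting a certificate of its own. The following is an added example (not code from the Well-Architected page or from AWS) using Python's standard `ssl` module: one function builds a client context that refuses unauthenticated or downgraded peers, another reports which settings in an existing context give that up, and a third reproduces the common "encrypt but don't verify" configuration for comparison. The certificate and key paths are placeholders; nothing here opens a network connection.

```python
"""Build a TLS client context that authenticates the server (and optionally the client),
and audit a context for the settings that disable that.

Added example, not from the AWS page. CA bundle, client certificate and key paths are
placeholders for whatever your deployment uses; no network connection is opened.
"""
import ssl


def make_client_context(ca_bundle=None, client_cert=None, client_key=None):
    """Server authentication is mandatory; client authentication (mutual TLS) is opt-in."""
    # create_default_context() sets CERT_REQUIRED and check_hostname=True. cafile=None
    # means the system trust store, which is right for public endpoints but not for a
    # private CA (ACM Private CA, RDS); pass that CA's bundle explicitly.
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1 even if offered
    if client_cert:
        # Presenting our own certificate lets the server authenticate us in return (mTLS).
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def audit_context(ctx):
    """Return the reasons a context would accept an unauthenticated or downgraded peer."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("verify_mode is not CERT_REQUIRED: any certificate, or none, is accepted")
    if not ctx.check_hostname:
        problems.append("check_hostname is off: a valid certificate for some other host is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append(f"minimum_version {ctx.minimum_version.name} allows TLS 1.0/1.1")
    return problems


def weak_context():
    """The 'encrypt but do not authenticate' configuration found in many scripts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


if __name__ == "__main__":
    print("hardened:", audit_context(make_client_context()) or "ok")
    print("weak:", audit_context(weak_context()))
```

The weak context still produces an encrypted session, which is why it passes casual inspection; what it gives up is exactly the authentication this best practice calls for, since any party that can intercept the connection can present its own certificate. The same three properties (trusted CA, hostname match, minimum protocol version) are what to confirm in any other client library or in an IPsec peer configuration.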