SEC09-BP02 Enforce encryption in transit - AWS Well-Architected Framework (2022-03-31)

SEC09-BP02 Enforce encryption in transit

Enforce your defined encryption requirements based on appropriate standards and recommendations to help you meet your organizational, legal, and compliance requirements. AWS services provide HTTPS endpoints using TLS for communication, thus providing encryption in transit when communicating with the AWS APIs. Insecure protocols, such as HTTP, can be audited and blocked in a VPC through the use of security groups. HTTP requests can also be automatically redirected to HTTPS in Amazon CloudFront or on an Application Load Balancer. You have full control over your computing resources to implement encryption in transit across your services. Additionally, you can use VPN connectivity into your VPC from an external network to facilitate encryption of traffic. Third-party solutions are available in the AWS Marketplace, if you have special requirements.

Level of risk exposed if this best practice is not established: High

Implementation guidance

  • Enforce encryption in transit: Your defined encryption requirements should be based on the latest standards and best practices and only allow secure protocols. For example, configure a security group to allow only the HTTPS protocol to an Application Load Balancer or Amazon Elastic Compute Cloud (Amazon EC2) instance.

  • Configure secure protocols in edge services: Configure HTTPS with Amazon CloudFront and required ciphers.

  • Use a VPN for external connectivity: Consider using an IPsec virtual private network (VPN) for securing point-to-point or network-to-network connections to provide both data privacy and integrity.

  • Configure secure protocols in load balancers: Enable an HTTPS listener for securing connections to load balancers.

  • Configure secure protocols for instances: Consider configuring HTTPS encryption on instances.

  • Configure secure protocols in Amazon Relational Database Service (Amazon RDS): Use Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to encrypt connections to database instances.

  • Configure secure protocols in Amazon Redshift: Configure your cluster to require a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) connection.

  • Configure secure protocols in additional AWS services: For the AWS services you use, determine the encryption-in-transit capabilities.
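The first two guidance items (security groups that admit only HTTPS, and HTTP redirected to HTTPS on an Application Load Balancer) can be audited offline. The following is an added example, not AWS's own code or tooling; it assumes input dicts shaped like the `describe-security-groups` and `describe-listeners` API responses, and the sample data at the bottom is constructed rather than taken from a real account.

```python
"""Audit constructed AWS API responses for cleartext-protocol exposure.

Check 1: security group ingress rules that admit an unencrypted protocol port.
Check 2: ALB HTTP listeners whose default action is not a redirect to HTTPS.
The input dicts mirror the shape of describe-security-groups and
describe-listeners responses; the samples at the bottom are constructed.
"""

CLEARTEXT_PORTS = {80: "HTTP", 21: "FTP", 23: "Telnet"}  # no encryption on these

def audit_security_groups(response):
    """Return (group_id, port, protocol_name, source_cidrs) for each exposure."""
    findings = []
    for sg in response["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            proto = perm["IpProtocol"]
            if proto == "-1":              # "-1" is all traffic: every port is open
                lo, hi = 0, 65535
            elif proto == "tcp":
                lo, hi = perm["FromPort"], perm["ToPort"]
            else:
                continue                   # UDP/ICMP rules are outside this check
            for port, name in CLEARTEXT_PORTS.items():
                if lo <= port <= hi:
                    sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
                    findings.append((sg["GroupId"], port, name, sources))
    return findings

def audit_alb_listeners(response):
    """Return (listener_arn, port) for HTTP listeners that do not redirect to HTTPS."""
    findings = []
    for lst in response["Listeners"]:
        if lst["Protocol"] != "HTTP":
            continue
        redirects = any(a["Type"] == "redirect" and a.get("RedirectConfig", {}).get("Protocol") == "HTTPS"
                        for a in lst.get("DefaultActions", []))
        if not redirects:
            findings.append((lst["ListenerArn"], lst["Port"]))
    return findings

# Constructed sample data (not real resources): one SG opens 443 and 80 to the world.
SAMPLE_SGS = {"SecurityGroups": [{"GroupId": "sg-0example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]}
SAMPLE_LISTENERS = {"Listeners": [
    {"ListenerArn": "arn:example:listener/http-forward", "Protocol": "HTTP", "Port": 80,
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": "arn:example:tg"}]},
    {"ListenerArn": "arn:example:listener/http-redirect", "Protocol": "HTTP", "Port": 8080,
     "DefaultActions": [{"Type": "redirect", "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]}]}
```

Only the port 80 rule and the forwarding HTTP listener are reported; the HTTP listener that redirects to HTTPS passes, matching the CloudFront/ALB redirect pattern described above.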

Resources

Related documents: