SEC09-BP02 Enforce encryption in transit
Enforce your defined encryption requirements based on your organization’s policies, regulatory obligations and standards to help meet organizational, legal, and compliance requirements. Only use protocols with encryption when transmitting sensitive data outside of your virtual private cloud (VPC). Encryption helps maintain data confidentiality even when the data transits untrusted networks.
Desired outcome: You encrypt network traffic between your resources and the internet to mitigate unauthorized access to the data. You encrypt network traffic within your internal AWS environment according to your security requirements. You encrypt data in transit using secure TLS protocols and cipher suites.
Common anti-patterns:
- Using deprecated versions of SSL, TLS, and cipher suite components (for example, SSL v3.0, 1024-bit RSA keys, and RC4 cipher).
- Allowing unencrypted (HTTP) traffic to or from public-facing resources.
- Not monitoring and replacing X.509 certificates prior to expiration.
- Using self-signed X.509 certificates for TLS.
Level of risk exposed if this best practice is not established: High
Implementation guidance
AWS services provide HTTPS endpoints using TLS for communication, providing encryption in transit when communicating with the AWS APIs. Insecure HTTP protocols can be audited and blocked in a Virtual Private Cloud (VPC) through the use of security groups. HTTP requests can also be automatically redirected to HTTPS in Amazon CloudFront or on an Application Load Balancer. You can use an Amazon Simple Storage Service (Amazon S3) bucket policy
Implementation steps
- Enforce encryption in transit: Your defined encryption requirements should be based on the latest standards and best practices and only allow secure protocols. For example, configure a security group to only allow the HTTPS protocol to an Application Load Balancer or Amazon EC2 instance.
- Configure secure protocols in edge services: Configure HTTPS with Amazon CloudFront and use a security profile appropriate for your security posture and use case.
- Use a VPN for external connectivity: Consider using an IPsec VPN for securing point-to-point or network-to-network connections to help provide both data privacy and integrity.
- Configure secure protocols in load balancers: Select a security policy that provides the strongest cipher suites supported by the clients that will be connecting to the listener. Create an HTTPS listener for your Application Load Balancer.
- Configure secure protocols in Amazon Redshift: Configure your cluster to require a secure socket layer (SSL) or transport layer security (TLS) connection.
- Configure secure protocols: Review AWS service documentation to determine encryption-in-transit capabilities.
- Configure secure access when uploading to Amazon S3 buckets: Use Amazon S3 bucket policy controls to enforce secure access to data.
- Consider using AWS Certificate Manager: ACM allows you to provision, manage, and deploy public TLS certificates for use with AWS services.
- Consider using AWS Private Certificate Authority for private PKI needs: AWS Private CA allows you to create private certificate authority (CA) hierarchies to issue end-entity X.509 certificates that can be used to create encrypted TLS channels.
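The S3 bucket policy step above can be made concrete with an explicit Deny keyed on the `aws:SecureTransport` condition, which is "false" for requests that arrive over plain HTTP. The following is an added example, not code from this page or from AWS; the bucket name is a constructed placeholder, and `is_denied` is a deliberately small offline evaluator that models only this condition so the policy can be sanity-checked before deployment.

```python
"""Build and offline-check an S3 bucket policy that refuses non-TLS requests."""
import json
from fnmatch import fnmatchcase

BUCKET = "example-bucket"  # constructed placeholder, not a real bucket


def deny_insecure_transport_policy(bucket: str) -> dict:
    """Explicit Deny for all S3 actions when aws:SecureTransport is false.

    An explicit Deny overrides any Allow in the bucket policy or in IAM, so
    this statement enforces TLS regardless of what else grants access.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }


def _as_list(value):
    # IAM allows a single string/object or a list in Statement, Action, Resource.
    return [value] if isinstance(value, (str, dict)) else list(value or [])


def _matches(patterns, value):
    # IAM treats "*" and "?" as wildcards; fnmatchcase is close enough here.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def is_denied(policy: dict, action: str, resource: str, secure_transport: bool) -> bool:
    """True if a Deny statement matches the request; models only Bool/aws:SecureTransport."""
    ctx = "true" if secure_transport else "false"
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        if not _matches(stmt.get("Action"), action) or not _matches(stmt.get("Resource"), resource):
            continue
        cond = stmt.get("Condition")
        if cond is None:
            return True  # unconditional Deny
        wanted = cond.get("Bool", {}).get("aws:SecureTransport")
        if wanted is not None and str(wanted).lower() == ctx:
            return True  # e.g. "false" == "false" for a plain-HTTP request
    return False  # an Allow-only policy, or a Deny whose condition did not match


if __name__ == "__main__":
    policy = deny_insecure_transport_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    obj = f"arn:aws:s3:::{BUCKET}/report.csv"
    print("HTTP  GetObject denied:", is_denied(policy, "s3:GetObject", obj, False))  # True
    print("HTTPS GetObject denied:", is_denied(policy, "s3:GetObject", obj, True))   # False
```

Unmodelled condition keys make `is_denied` return False, so an audit built on it errs toward reporting "TLS not enforced" rather than giving false assurance.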
Resources
Related documents: