Encryption best practices for Amazon ECS
Amazon Elastic Container Service (Amazon ECS) is a fast and scalable container management service that helps you run, stop, and manage containers on a cluster.
With Amazon ECS, you can encrypt data in transit by using any of the following approaches:
- Create a service mesh. Using AWS App Mesh, configure TLS connections between the deployed Envoy proxies and mesh endpoints, such as virtual nodes or virtual gateways. You can use TLS certificates from AWS Private Certificate Authority or customer-provided certificates. For more information and walkthroughs, see Enable traffic encryption between services in AWS App Mesh using AWS Certificate Manager (ACM) or customer-provided certificates (AWS blog post).
- If supported, use AWS Nitro Enclaves. AWS Nitro Enclaves is an Amazon EC2 feature that allows you to create isolated execution environments, called enclaves, from Amazon EC2 instances, so it applies to tasks that run on the EC2 launch type on Nitro-based instances rather than on Fargate. Enclaves are designed to help protect your most sensitive data. Additionally, ACM for Nitro Enclaves allows you to use public and private SSL/TLS certificates with your web applications and web servers running on Amazon EC2 instances with AWS Nitro Enclaves. For more information, see AWS Nitro Enclaves – Isolated EC2 Environments to Process Confidential Data (AWS blog post).
- Use the Server Name Indication (SNI) TLS extension with Application Load Balancers. You can deploy multiple applications behind a single HTTPS listener for an Application Load Balancer, and each application can have its own TLS certificate; the load balancer selects the certificate that matches the host name the client presents in the TLS handshake. You can use certificates provided by ACM, or you can import your own certificates, including self-signed ones. Both Application Load Balancer and Network Load Balancer support SNI. For more information, see Application Load Balancers Now Support Multiple TLS Certificates with Smart Selection Using SNI (AWS blog post).
- For improved security and flexibility, use AWS Private Certificate Authority to deploy a TLS certificate with the Amazon ECS task, so that traffic is encrypted all the way to the container rather than terminating at the load balancer. For more information, see Maintaining TLS all the way to your container part 2: Using AWS Private CA (AWS blog post).
- Implement mutual TLS (mTLS) in App Mesh by using Envoy's Secret Discovery Service (SDS) (Envoy) or certificates hosted in ACM (GitHub).
Consider the following encryption best practices for this service:
- Where technically feasible, for enhanced security, configure Amazon ECS interface VPC endpoints in AWS PrivateLink. API traffic to these endpoints stays on the AWS network instead of traversing the public internet, and when on-premises clients reach them over an AWS Site-to-Site VPN connection, the VPN tunnel encrypts the data in transit.
- Store sensitive materials, such as API keys or database credentials, securely, and inject them into tasks through the task definition's secrets mechanism rather than as plaintext environment variables or values baked into the image. You can store these as encrypted SecureString parameters in Parameter Store, a capability of AWS Systems Manager. However, we recommend that you use AWS Secrets Manager because this service allows you to automatically rotate secrets, generate random secrets, and share secrets across AWS accounts.
- If users or applications in your data center or an external third party on the web are making direct HTTPS API requests to AWS services, sign those requests with temporary security credentials obtained from AWS Security Token Service (AWS STS) rather than with long-lived IAM user access keys.
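The following is an added example for the secrets best practice above; it is not code from the AWS page or from Amazon ECS itself. It is a small linter for an ECS task definition that flags sensitive-looking plaintext environment variables, checks that every `secrets` entry references a Secrets Manager secret or an SSM parameter by ARN, and derives the least-privilege IAM policy the task execution role needs to fetch those references. The task definition, account ID, role name and ARNs are constructed for the demonstration and do not correspond to any real resources.

```python
import re

# Constructed sample task definition (not from the page). The "legacy" container passes
# the database password as a plaintext environment variable; the "api" container injects
# the same material through ECS "secrets", referencing a Secrets Manager secret and an
# SSM SecureString parameter. All account IDs, ARNs and names are made up.
SAMPLE_TASK_DEFINITION = {
    "family": "orders-api",
    "executionRoleArn": "arn:aws:iam::123456789012:role/ordersApiTaskExecutionRole",
    "containerDefinitions": [
        {
            "name": "legacy",
            "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/orders:1.0",
            "environment": [
                {"name": "DB_HOST", "value": "orders.cluster-abc.us-east-1.rds.amazonaws.com"},
                {"name": "DB_PASSWORD", "value": "hunter2"},  # the anti-pattern
            ],
        },
        {
            "name": "api",
            "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/orders:2.0",
            "environment": [
                {"name": "DB_HOST", "value": "orders.cluster-abc.us-east-1.rds.amazonaws.com"},
            ],
            "secrets": [
                # Secrets Manager reference; the trailing ":password::" selects one JSON key
                # of the secret at the current version stage and version id.
                {"name": "DB_PASSWORD",
                 "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/orders/db-AbCdEf:password::"},
                {"name": "API_KEY",
                 "valueFrom": "arn:aws:ssm:us-east-1:123456789012:parameter/prod/orders/api_key"},
            ],
        },
    ],
}

SENSITIVE_NAME = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL", re.I)
SECRETSMANAGER_ARN = re.compile(r"^arn:aws[\w-]*:secretsmanager:[a-z0-9-]+:\d{12}:secret:")
SSM_PARAMETER_ARN = re.compile(r"^arn:aws[\w-]*:ssm:[a-z0-9-]+:\d{12}:parameter/")


def lint_task_definition(task_def):
    """Return human-readable findings; an empty list means the definition passes."""
    findings = []
    uses_secrets = False
    for container in task_def.get("containerDefinitions", []):
        cname = container.get("name", "<unnamed>")
        for env in container.get("environment", []):
            if SENSITIVE_NAME.search(env.get("name", "")):
                findings.append(f"{cname}: environment variable {env['name']} looks like a secret "
                                "but is stored in plaintext; move it to 'secrets'")
        for secret in container.get("secrets", []):
            uses_secrets = True
            ref = secret.get("valueFrom", "")
            # ECS also accepts a bare SSM parameter name for same-region parameters; this
            # linter deliberately requires the full ARN so the source is unambiguous.
            if not (SECRETSMANAGER_ARN.match(ref) or SSM_PARAMETER_ARN.match(ref)):
                findings.append(f"{cname}: secret {secret.get('name')} does not reference a "
                                "Secrets Manager or SSM parameter ARN")
    if uses_secrets and not task_def.get("executionRoleArn"):
        findings.append("task definition uses 'secrets' but has no executionRoleArn to fetch them")
    return findings


def secret_resource_arn(value_from):
    """Strip ECS's ':json-key:version-stage:version-id' suffix to get the IAM resource ARN."""
    return ":".join(value_from.split(":")[:7])


def execution_role_policy(task_def):
    """Least-privilege IAM policy the task execution role needs to read the referenced secrets.
    Add kms:Decrypt on the key if a secret or parameter is encrypted with a customer managed key."""
    sm_arns, ssm_arns = set(), set()
    for container in task_def.get("containerDefinitions", []):
        for secret in container.get("secrets", []):
            ref = secret.get("valueFrom", "")
            if SECRETSMANAGER_ARN.match(ref):
                sm_arns.add(secret_resource_arn(ref))
            elif SSM_PARAMETER_ARN.match(ref):
                ssm_arns.add(ref)
    statements = []
    if sm_arns:
        statements.append({"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"],
                           "Resource": sorted(sm_arns)})
    if ssm_arns:
        statements.append({"Effect": "Allow", "Action": ["ssm:GetParameters"],
                           "Resource": sorted(ssm_arns)})
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    import json
    for finding in lint_task_definition(SAMPLE_TASK_DEFINITION):
        print("FINDING:", finding)
    print(json.dumps(execution_role_policy(SAMPLE_TASK_DEFINITION), indent=2))
```

Run against the sample, the linter reports only the `legacy` container's plaintext `DB_PASSWORD`; the `api` container passes, and the generated policy grants `secretsmanager:GetSecretValue` and `ssm:GetParameters` on exactly the two referenced resources. Running such a check in CI against task definitions before `register-task-definition` catches the plaintext pattern before it reaches a cluster.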
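The following is an added example for the last best practice above, written for this page rather than taken from AWS documentation or an AWS SDK. It signs a direct HTTPS call to the Amazon ECS API with AWS Signature Version 4 using temporary credentials, and shows the detail that matters for STS credentials: the session token travels in the `x-amz-security-token` header and is covered by the signature. The credentials, account and clock value are constructed for the demonstration (no request is sent, and the keys are not valid); in production, use an AWS SDK, which performs exactly this signing.

```python
import datetime as dt
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class TemporaryCredentials:
    """The three values AWS STS returns from AssumeRole or GetSessionToken.
    A long-lived IAM user key has no session token; temporary credentials always do."""
    access_key_id: str
    secret_access_key: str
    session_token: str = ""


# Constructed, non-functional credentials for the demo (not real, not from the page).
SAMPLE_CREDS = TemporaryCredentials(
    access_key_id="ASIAIOSFODNN7EXAMPLE",
    secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    session_token="IQoJb3JpZ2luX2VjEXAMPLESESSIONTOKEN",
)
SAMPLE_TIME = dt.datetime(2024, 1, 2, 3, 4, 5)  # fixed clock so the output is reproducible


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_access_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: the secret key itself never goes over the wire."""
    k_date = _hmac_sha256(("AWS4" + secret_access_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign_request(method, host, path, body, headers, region, service, creds, now):
    """Return the full header set for a SigV4-signed request (empty query string assumed)."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    # Canonical headers: lowercase names, whitespace-collapsed values, sorted by name.
    signed = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    signed["host"] = host
    signed["x-amz-date"] = amz_date
    # Temporary credentials are only valid together with their session token. Put the
    # token in x-amz-security-token and include that header in the signature, as the
    # AWS SDKs do, so it cannot be swapped without invalidating the request.
    if creds.session_token:
        signed["x-amz-security-token"] = creds.session_token
    names = sorted(signed)
    canonical_headers = "".join(f"{n}:{signed[n]}\n" for n in names)
    signed_headers = ";".join(names)
    payload_hash = hashlib.sha256(body).hexdigest()
    canonical_request = "\n".join([method, path, "", canonical_headers, signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    key = derive_signing_key(creds.secret_access_key, date_stamp, region, service)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    out = dict(signed)
    out["authorization"] = (f"AWS4-HMAC-SHA256 Credential={creds.access_key_id}/{scope}, "
                            f"SignedHeaders={signed_headers}, Signature={signature}")
    return out


def ecs_list_clusters_headers(creds=SAMPLE_CREDS, now=SAMPLE_TIME, region="us-east-1"):
    """Headers for a direct ECS ListClusters call (JSON 1.1 protocol, POST to /)."""
    return sign_request(
        method="POST", host=f"ecs.{region}.amazonaws.com", path="/", body=b"{}",
        headers={"Content-Type": "application/x-amz-json-1.1",
                 "X-Amz-Target": "AmazonEC2ContainerServiceV20141113.ListClusters"},
        region=region, service="ecs", creds=creds, now=now)


def signature_of(headers):
    """Extract the hex signature from an Authorization header produced above."""
    return headers["authorization"].rsplit("Signature=", 1)[1]


if __name__ == "__main__":
    for name, value in ecs_list_clusters_headers().items():
        print(f"{name}: {value}")
```

Because the token is among the `SignedHeaders`, changing it changes the signature; with a long-lived access key (no token) the header is simply absent, which is the condition this best practice says to avoid for callers outside AWS. Signatures are also bound to the date, region and service, so a captured request cannot be replayed against another service or reused after the credentials expire.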