SEC09-BP02 Enforce encryption in transit
Enforce your defined encryption requirements based on your organization’s policies, regulatory obligations and standards to help meet organizational, legal, and compliance requirements. Only use protocols with encryption when transmitting sensitive data outside of your virtual private cloud (VPC). Encryption helps maintain data confidentiality even when the data transits untrusted networks.
Desired outcome: All data should be encrypted in transit using secure TLS protocols and cipher suites. Network traffic between your resources and the internet must be encrypted to mitigate unauthorized access to the data. Network traffic solely within your internal AWS environment should be encrypted using TLS wherever possible. The AWS internal network is encrypted by default, and network traffic within a VPC cannot be spoofed or sniffed unless an unauthorized party has gained access to whatever resource is generating traffic (such as Amazon EC2 instances and Amazon ECS containers). Consider protecting network-to-network traffic with an IPsec virtual private network (VPN).
Common anti-patterns:
- Using deprecated versions of SSL, TLS, and cipher suite components (for example, SSL v3.0, 1024-bit RSA keys, and the RC4 cipher).
- Allowing unencrypted (HTTP) traffic to or from public-facing resources.
- Not monitoring and replacing X.509 certificates prior to expiration.
- Using self-signed X.509 certificates for TLS.
Level of risk exposed if this best practice is not established: High
Implementation guidance
AWS services provide HTTPS endpoints using TLS for communication, providing encryption in transit when communicating with the AWS APIs. Insecure protocols like HTTP can be audited and blocked in a VPC through the use of security groups. HTTP requests can also be automatically redirected to HTTPS in Amazon CloudFront or on an Application Load Balancer. You have full control over your computing resources to implement encryption in transit across your services. Additionally, you can use VPN connectivity into your VPC from an external network or AWS Direct Connect.
Implementation steps
- Enforce encryption in transit: Your defined encryption requirements should be based on the latest standards and best practices and only allow secure protocols. For example, configure a security group to only allow the HTTPS protocol to an Application Load Balancer or Amazon EC2 instance.
- Configure secure protocols in edge services: Configure HTTPS with Amazon CloudFront and use a security profile appropriate for your security posture and use case.
- Use a VPN for external connectivity: Consider using an IPsec VPN for securing point-to-point or network-to-network connections to help provide both data privacy and integrity.
- Configure secure protocols in load balancers: Select a security policy that provides the strongest cipher suites supported by the clients that will be connecting to the listener. Create an HTTPS listener for your Application Load Balancer.
- Configure secure protocols in Amazon Redshift: Configure your cluster to require a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) connection.
- Configure secure protocols: Review AWS service documentation to determine encryption-in-transit capabilities.
- Configure secure access when uploading to Amazon S3 buckets: Use Amazon S3 bucket policy controls to enforce secure access to data.
- Consider using AWS Certificate Manager: ACM allows you to provision, manage, and deploy public TLS certificates for use with AWS services.
- Consider using AWS Private Certificate Authority for private PKI needs: AWS Private CA allows you to create private certificate authority (CA) hierarchies to issue end-entity X.509 certificates that can be used to create encrypted TLS channels.
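As an added example (not code from the AWS documentation this page belongs to), the following Python builds the bucket policy behind the "Configure secure access when uploading to Amazon S3 buckets" step and checks constructed request contexts against it with a minimal local evaluator. The bucket name and request contexts are constructed; `s3:TlsVersion` is an S3 condition key not mentioned on this page, and the evaluator only models the Effect and Condition parts of IAM policy evaluation.

```python
"""Added example (not AWS's own code): build an S3 bucket policy that enforces
TLS and check sample requests against it with a minimal local evaluator."""
import json


def tls_only_bucket_policy(bucket: str) -> dict:
    """Deny any S3 request not sent over TLS (aws:SecureTransport false) or
    negotiated with a TLS version below 1.2 (s3:TlsVersion condition key)."""
    resources = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": resources,
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
            {"Sid": "DenyOldTls", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": resources,
             "Condition": {"NumericLessThan": {"s3:TlsVersion": "1.2"}}},
        ],
    }


def _condition_matches(condition: dict, ctx: dict) -> bool:
    """Evaluate the two operators used above. A key missing from the request
    context does not match (IAM semantics for these operators), so a plaintext
    request, which carries no s3:TlsVersion, is caught by the first Deny."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in ctx:
                return False
            if operator == "Bool" and str(ctx[key]).lower() != expected:
                return False
            if operator == "NumericLessThan" and float(ctx[key]) >= float(expected):
                return False
    return True


def is_denied(policy: dict, ctx: dict) -> bool:
    """True if an explicit Deny applies. Simplified: only Effect and Condition
    are evaluated, since both statements cover s3:* on the whole bucket."""
    return any(s["Effect"] == "Deny" and _condition_matches(s.get("Condition", {}), ctx)
               for s in policy["Statement"])


if __name__ == "__main__":
    policy = tls_only_bucket_policy("example-bucket")  # constructed bucket name
    print(json.dumps(policy, indent=2))
    for ctx in ({"aws:SecureTransport": "false"},                          # plain HTTP
                {"aws:SecureTransport": "true", "s3:TlsVersion": "1.0"},   # old TLS
                {"aws:SecureTransport": "true", "s3:TlsVersion": "1.3"}):  # compliant
        print(ctx, "->", "DENIED" if is_denied(policy, ctx) else "allowed")
```

Attach the generated policy with the S3 console, CLI, or infrastructure-as-code tooling; the local evaluator is only there to show which requests the two Deny statements catch.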
Resources
Related documents: