Protecting Data in Transit
Data in transit is any data that is sent from one system to another. This includes communication between resources within your workload as well as communication between other services and your end users. By providing the appropriate level of protection for your data in transit, you protect the confidentiality and integrity of your workload’s data.
Implement secure key and certificate management: Store encryption keys and certificates securely and rotate them at appropriate time intervals with strict access control. The best way to accomplish this is to use a managed service, such as AWS Certificate Manager.
Enforce encryption in transit: Enforce your defined encryption requirements based on appropriate standards and recommendations to help you meet your organizational, legal, and compliance requirements. AWS services provide HTTPS endpoints using TLS for communication, thus providing encryption in transit when communicating with the AWS APIs. Insecure protocols, such as HTTP, can be audited and blocked in a VPC through the use of security groups. HTTP requests can also be automatically redirected to HTTPS in Amazon CloudFront or on an Application Load Balancer. You have full control over your computing resources to implement encryption in transit across your services. Additionally, you can use VPN connectivity into your VPC from an external network to facilitate encryption of traffic. Third-party solutions are available in the AWS Marketplace, if you have special requirements.
Authenticate network communications: Using network protocols that support authentication allows for trust to be established between the parties. This adds to the encryption used in the protocol to reduce the risk of communications being altered or intercepted. Common protocols that implement authentication include Transport Layer Security (TLS), which is used in many AWS services, and IPsec, which is used in AWS Virtual Private Network (AWS VPN).
Automate detection of unintended data access: Use tools such as Amazon GuardDuty to automatically detect suspicious activity or attempts to move data outside of defined boundaries. For example, GuardDuty can detect S3 read activity that is unusual with the Exfiltration:S3/ObjectRead.Unusual finding. In addition to Amazon GuardDuty, Amazon VPC Flow Logs, which capture network traffic information, can be used with Amazon EventBridge to trigger detection of abnormal connections, both successful and denied. S3 Access Analyzer
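The following Python is an added example, not code from the AWS documentation. It ties the "enforce encryption in transit" point (audit insecure protocols such as HTTP) to the VPC Flow Logs detection point above: it parses default-format (version 2) flow log records and reports ACCEPTed TCP flows to cleartext ports, while treating REJECTed flows as evidence that the security group is working. The sample log lines are constructed, and the list of cleartext ports is an assumption.

```python
from collections import namedtuple

# Default VPC Flow Log (version 2) field order, as documented by AWS.
FLOW_FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
               "srcport", "dstport", "protocol", "packets", "bytes",
               "start", "end", "action", "log_status")
FlowRecord = namedtuple("FlowRecord", FLOW_FIELDS)

# Ports where cleartext protocols are expected (assumed list). An ACCEPTed flow
# to one of these is a candidate finding; a REJECT means the security group worked.
CLEARTEXT_PORTS = {80: "http", 21: "ftp", 23: "telnet"}
TCP = 6

def parse_flow_log(line):
    """Parse one default-format flow log line into a FlowRecord.
    Returns None for NODATA/SKIPDATA records, whose traffic fields are '-'."""
    parts = line.split()
    if len(parts) != len(FLOW_FIELDS):
        raise ValueError("unexpected field count: %r" % line)
    rec = FlowRecord(*parts)
    if rec.log_status != "OK":
        return None
    return rec._replace(srcport=int(rec.srcport), dstport=int(rec.dstport),
                        protocol=int(rec.protocol), packets=int(rec.packets),
                        bytes=int(rec.bytes))

def find_cleartext_flows(lines):
    """Return (interface_id, dstaddr, dstport, label) for every ACCEPTed
    TCP flow to a cleartext port; rejected flows are not reported."""
    findings = []
    for rec in filter(None, map(parse_flow_log, lines)):
        if (rec.action == "ACCEPT" and rec.protocol == TCP
                and rec.dstport in CLEARTEXT_PORTS):
            findings.append((rec.interface_id, rec.dstaddr, rec.dstport,
                             CLEARTEXT_PORTS[rec.dstport]))
    return findings

# Constructed sample records (not real traffic): accepted HTTPS, accepted HTTP,
# HTTP rejected by a security group, and a NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.25 10.0.2.40 51234 443 6 12 3400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.25 10.0.2.40 51240 80 6 8 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.2.40 44000 80 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 - - - - - - - 1700000000 1700000060 - NODATA""".splitlines()

if __name__ == "__main__":
    for f in find_cleartext_flows(SAMPLE_LOG):
        print("cleartext %s accepted on %s to %s:%d" % (f[3], f[0], f[1], f[2]))
```

The same function can be wired to an EventBridge-triggered Lambda that reads flow log batches; the only finding on the sample data is the accepted HTTP flow to 10.0.2.40:80.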
Secure data from between VPC or on-premises locations: You can use AWS PrivateLink