Domain 5 of 6 · Chapter 1 of 3

Data in Transit

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing AWS Certified Security - Specialty premium course — no separate purchase.

Included in this chapter:

  • Enforcing TLS: listeners, policies, and SecureTransport
  • Private paths: PrivateLink, endpoints, and endpoint policies
  • Inter-resource encryption: Nitro, EMR, and friends

Private and enforced-TLS paths to AWS resources

MechanismInterface endpoint (PrivateLink)Gateway endpointClient VPNVerified Access
What it connectsVPC to a service or partner endpointVPC to S3 or DynamoDB onlyRemote user to a VPCRemote user to one app
How traffic routesPrivate-IP ENI in your subnetRoute-table prefix listTLS VPN tunnel into the VPCPer-request TLS, no tunnel
Keeps off internetYesYesTunnel is encrypted over internetTLS over internet, identity-gated
Access controlEndpoint policy + security groupEndpoint policyAuthorization rules + SGAccess policy with identity/device
Typical cost noteHourly + data per ENINo hourly chargeHourly per association + connectionPer-app-hour + data

Decision tree

Who is the caller?service / app vs human userReach AWS serviceprivately?Whole VPC or one app?service / apphuman userInterface endpointPrivateLink ENIGateway endpointS3 / DynamoDBClient VPNTLS tunnel to VPCVerified Accessper-app, no tunnelmost servicesS3/DDBwhole VPCone appAlways: TLS13 ELB policy on listeners + deny aws:SecureTransport=falseenforce encryption regardless of path

Cheat sheet

  • Deny aws:SecureTransport false to force HTTPS on a resource
  • The ELB security policy sets the minimum TLS version
  • ALBs use predefined security policies, not custom ciphers
  • FS-named and TLS 1.3-only policies guarantee forward secrecy
  • Redirect HTTP to HTTPS at the listener, not in the app
  • Interface endpoints use a PrivateLink ENI in your subnet
  • Gateway endpoints serve only S3 and DynamoDB
  • An endpoint policy scopes what passes through a VPC endpoint
  • Pair a gateway endpoint with aws:sourceVpce to force the private path
  • Nitro encrypts inter-instance traffic automatically with no config
  • Nitro auto-encryption needs same Region, same/peered VPC, no middlebox
  • AWS already encrypts inter-AZ and cross-Region backbone traffic
  • EMR encrypts node traffic only with an in-transit security configuration
  • EKS and SageMaker inter-node encryption is opt-in per service
  • Client VPN is a TLS tunnel into the whole VPC
  • Verified Access grants per-app TLS access with no VPN tunnel
  • ELB, CloudFront, and Verified Access take certificates from ACM
  • Session Manager replaces open SSH/RDP ports for admin access
  • Encrypt EKS pod-to-pod traffic by chaining a WireGuard CNI onto the VPC CNI
  • Roll out App Mesh mTLS with listener mode PERMISSIVE, then switch to STRICT
  • Site-to-Site VPN: AES256-GCM for AEAD, SHA2 integrity, DH group 19-21 for ECDH PFS
  • SageMaker inter-container encryption uses IPsec ESP, so allow IP protocol 50
  • EMR nodes fetch the in-transit PEM .zip via the EC2 instance profile, and the key must be passphrase-free
  • Enforce API Gateway mTLS by disabling the default execute-api endpoint and pointing the truststore at S3
  • OAC with an SSE-KMS S3 origin needs kms:Decrypt for the CloudFront service principal
  • Interface endpoints carry TLS, but private DNS needs both VPC DNS attributes on

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. Create an HTTPS listener for your Application Load Balancer
  2. Security policies for your Application Load Balancer
  3. AWS global condition context keys
  4. What is AWS Private CA?
  5. Require HTTPS for communication between viewers and CloudFront
  6. AWS PrivateLink concepts
  7. Gateway endpoints
  8. Control access to VPC endpoints using endpoint policies
  9. Controlling access from VPC endpoints with bucket policies
  10. Data protection in Amazon EC2
  11. Encryption options for Amazon EMR