Data in Transit
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing AWS Certified Security - Specialty premium course — no separate purchase.
Included in this chapter:
- Enforcing TLS: listeners, policies, and SecureTransport
- Private paths: PrivateLink, endpoints, and endpoint policies
- Inter-resource encryption: Nitro, EMR, and friends
Private and enforced-TLS paths to AWS resources
| Mechanism | Interface endpoint (PrivateLink) | Gateway endpoint | Client VPN | Verified Access |
|---|---|---|---|---|
| What it connects | VPC to a service or partner endpoint | VPC to S3 or DynamoDB only | Remote user to a VPC | Remote user to one app |
| How traffic routes | Private-IP ENI in your subnet | Route-table prefix list | TLS VPN tunnel into the VPC | Per-request TLS, no tunnel |
| Keeps off internet | Yes | Yes | Tunnel is encrypted over internet | TLS over internet, identity-gated |
| Access control | Endpoint policy + security group | Endpoint policy | Authorization rules + SG | Access policy with identity/device |
| Typical cost note | Hourly + data per ENI | No hourly charge | Hourly per association + connection | Per-app-hour + data |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.
Also tested in
References
- Create an HTTPS listener for your Application Load Balancer
- Security policies for your Application Load Balancer
- AWS global condition context keys
- What is AWS Private CA?
- Require HTTPS for communication between viewers and CloudFront
- AWS PrivateLink concepts
- Gateway endpoints
- Control access to VPC endpoints using endpoint policies
- Controlling access from VPC endpoints with bucket policies
- Data protection in Amazon EC2
- Encryption options for Amazon EMR