ANS-C01: Data & Communication Confidentiality Cram Sheet
Implement and maintain confidentiality of data and communications of the network
Domain 4.3: Network Confidentiality & Encryption
This cram sheet focuses on implementing and maintaining the confidentiality of data in transit across AWS networks, covering encryption methods, VPNs, certificate management, and DNS security.
Topic Weighting
| Domain | Weight | Task Focus |
|---|---|---|
| Domain 4: Network Security & Compliance | 18% | Task 4.3: Data and Communication Confidentiality (~6-8% of total exam) |
Key Concepts Summary
- Encryption in Transit: Mandatory for compliance (HIPAA, PCI DSS). Primary methods are IPsec (Network Layer) and TLS (Application/Transport Layer).
- Direct Connect (DX) Encryption: DX is a private circuit but is NOT encrypted by default. Use MACsec (IEEE 802.1AE) for Layer 2 encryption of the link between your device and the AWS DX router (supported on 10 Gbps and 100 Gbps dedicated connections at MACsec-capable locations, not on hosted connections), or run an IPsec VPN over DX for end-to-end Layer 3 encryption (capped at 1.25 Gbps per tunnel).
- VPN Architecture: AWS Site-to-Site VPN uses two tunnels for high availability. Each tunnel supports up to 1.25 Gbps. Use ECMP (Equal-Cost Multi-Path) to aggregate throughput over multiple tunnels.
- ACM vs. Private CA:
- ACM: Provision public/private TLS certificates. Integrated with ALB, CloudFront, API Gateway.
- ACM Private CA (PCA): For internal services where public trust is not required or forbidden. Requires a root or subordinate CA hierarchy.
- DNSSEC: Route 53 can sign public hosted zones so that validating resolvers detect forged or altered responses (spoofing, cache poisoning, on-path tampering). It provides authenticity and integrity, not confidentiality: signed responses still travel in the clear.
- Nitro-to-Nitro Encryption: Traffic between supported Nitro-based instance types is encrypted automatically in hardware (AES-256 AEAD on the Nitro card) when both instances are in the same Region and in the same VPC, peered VPCs, or VPCs joined by Transit Gateway. No configuration is needed, but traffic that passes through an intermediate virtual network device or service (for example a NAT gateway or load balancer) is not covered; use TLS where you need an end-to-end guarantee.
Common Pitfalls
- Assuming DX is Secure: DX is a private circuit, but it is unencrypted. If the requirement is "Confidentiality," you MUST add MACsec or a VPN.
- MTU Mismatches: The link MTU is 1500 bytes, but ESP encapsulation adds an outer IP header, ESP header, IV, trailer and ICV. AWS Site-to-Site VPN therefore supports a tunnel MTU of 1446 bytes; clamp TCP MSS to 1406 on the tunnel interface. Ignoring this causes fragmentation or, when DF is set, silently dropped packets.
- Public vs. Private VIF for VPN: To run a VPN over DX, use a Public VIF (the VPN's public tunnel endpoints are reached through the AWS public prefixes advertised on it) or a Transit VIF with Transit Gateway (Private IP VPN, which keeps the tunnel endpoints on private addresses). A Private VIF cannot carry a Site-to-Site VPN tunnel.
- TLS Termination: Terminating TLS at the ALB means ALB-to-target traffic is plaintext unless the target group uses HTTPS, which opens a second, separate TLS session. The ALB does not validate the target's certificate, so re-encryption protects the hop but does not authenticate the backend; use an NLB in TCP passthrough mode when the client's own TLS session must reach the instance unchanged.
Mnemonics / Memory Triggers
- "MAC-D": MACsec is for Direct Connect (Layer 2).
- "IP-VPN": IPsec is for VPN (Layer 3).
- "DS-DNSSEC": The DS (Delegation Signer) record is the link in the chain of trust for DNSSEC.
- "1446": The magic number for VPN MTU (the link is 1500 bytes, the tunnel is 1446).
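The DS mnemonic above and the "DS = hash of key" rule are easier to trust once you have computed one. The following is an added example, not code from the original sheet or from AWS: it builds the DS record a parent zone publishes from a child zone's DNSKEY (owner name in canonical wire form concatenated with the DNSKEY RDATA, then hashed), derives the RFC 4034 key tag, and performs the check a validating resolver does when it follows the chain of trust. The zone name, key bytes and the tampered key are constructed sample data, not a real zone.

```python
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 6.2): lowercase,
    length-prefixed labels, terminated by the root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types: 2 = SHA-256, 4 = SHA-384


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(owner name wire form || DNSKEY RDATA), upper-case hex as in zone files."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner, flags, protocol, algorithm, public_key_b64, digest_type=2):
    """The DS tuple (key tag, algorithm, digest type, digest) handed to the parent zone."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    return (key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches_dnskey(ds, owner, flags, protocol, algorithm, public_key_b64) -> bool:
    """The resolver-side check: does the parent's DS bind this child DNSKEY?"""
    tag, alg, dtype, digest = ds
    if dtype not in DIGESTS or alg != algorithm:
        return False  # unsupported digest type or algorithm mismatch
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    return tag == key_tag(rdata) and digest.upper() == ds_digest(owner, rdata, dtype)


# Constructed sample data (not a real zone): a hypothetical KSK for example.com using
# algorithm 13 (ECDSA P-256/SHA-256, the algorithm Route 53 uses for its KSKs).
ZONE = "example.com"
KSK_FLAGS, KSK_PROTOCOL, KSK_ALG = 257, 3, 13          # 257 = zone key + SEP bit
KSK_PUBLIC_KEY_B64 = base64.b64encode(bytes(range(64))).decode()  # 64-byte stand-in for a P-256 point
DS_RECORD = make_ds(ZONE, KSK_FLAGS, KSK_PROTOCOL, KSK_ALG, KSK_PUBLIC_KEY_B64)

# The same DNSKEY with one key byte altered on the wire: the DS check must reject it.
TAMPERED_KEY_B64 = base64.b64encode(bytes([1]) + bytes(range(1, 64))).decode()

if __name__ == "__main__":
    tag, alg, dtype, digest = DS_RECORD
    print(f"{ZONE}. IN DS {tag} {alg} {dtype} {digest}")
    print("genuine key accepted:", ds_matches_dnskey(DS_RECORD, ZONE, 257, 3, 13, KSK_PUBLIC_KEY_B64))
    print("tampered key accepted:", ds_matches_dnskey(DS_RECORD, ZONE, 257, 3, 13, TAMPERED_KEY_B64))
```

The owner name is part of the hashed input, which is why a DS copied from one zone cannot be reused for another, and why the digest, not just the key tag, must be compared: key tags are a 16-bit checksum and can collide.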
Formula / Equation Sheet
| Feature | Value / Rule |
|---|---|
| VPN Tunnel Throughput | Max 1.25 Gbps per tunnel |
| VPN MTU (Standard) | 1446 bytes (to account for IPsec overhead) |
| Direct Connect MTU | 1500 (Standard) or 9001 (Jumbo) |
| DNSSEC Record Types | RRSIG (Signature), DNSKEY (Public Key), DS (Hash of Key) |
| Shared Responsibility | AWS: Physical Security; Customer: Data Encryption & Guest OS |
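The 1446-byte figure in the MTU pitfall and in the table above is not arbitrary: it is what is left of a 1500-byte link after ESP tunnel-mode encapsulation with an AES-GCM suite. The calculator below is an added example, not from the original sheet or from AWS; it works out the per-packet overhead from the fixed ESP field sizes (RFC 4303, RFC 4106), including the padding that varies with payload length, and searches for the largest inner packet that always fits. The suite table and the NAT-T option are assumptions for illustration, and the function generalises beyond AWS's figure to any link MTU and cipher suite.

```python
# Fixed field sizes for ESP in tunnel mode over IPv4 (RFC 4303 / RFC 4106).
OUTER_IPV4_HEADER = 20
ESP_HEADER = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2        # pad length (1) + next header (1); the ICV follows it
NAT_T_UDP_HEADER = 8   # extra UDP header when NAT traversal encapsulation is in use
IPV4_TCP_HEADERS = 40  # 20-byte IPv4 + 20-byte TCP, subtracted to obtain the MSS

# Assumed suite table: name -> (IV bytes, ICV bytes, alignment the padded payload must satisfy)
SUITES = {
    "AES256-GCM-16": (8, 16, 4),              # AEAD: 8-byte IV, 16-byte tag, 4-byte alignment only
    "AES128-GCM-16": (8, 16, 4),
    "AES256-CBC+SHA2-256-128": (16, 16, 16),  # CBC pads to the 16-byte block, 128-bit truncated HMAC
    "AES256-CBC+SHA1-96": (16, 12, 16),
}


def esp_padding(inner_len: int, suite: str) -> int:
    """Bytes of ESP padding so that payload + padding + trailer meets the suite's alignment."""
    _, _, align = SUITES[suite]
    return (-(inner_len + ESP_TRAILER)) % align


def encapsulated_size(inner_len: int, suite: str, nat_t: bool = False) -> int:
    """Wire size of an inner IP packet of inner_len bytes after ESP tunnel-mode encapsulation."""
    iv, icv, _ = SUITES[suite]
    return (OUTER_IPV4_HEADER + (NAT_T_UDP_HEADER if nat_t else 0) + ESP_HEADER + iv
            + inner_len + esp_padding(inner_len, suite) + ESP_TRAILER + icv)


def max_inner_mtu(link_mtu: int, suite: str, nat_t: bool = False) -> int:
    """Largest inner packet whose encapsulated form still fits in link_mtu.
    Padding makes the overhead vary by a few bytes, so search downward instead of
    subtracting a single constant; the size function is monotone, so every smaller
    packet fits as well."""
    for n in range(link_mtu, 0, -1):
        if encapsulated_size(n, suite, nat_t) <= link_mtu:
            return n
    raise ValueError("link MTU too small for any payload")


def tcp_mss(inner_mtu: int) -> int:
    """TCP MSS to clamp on the tunnel interface for a given inner MTU."""
    return inner_mtu - IPV4_TCP_HEADERS


def fits(inner_len: int, link_mtu: int, suite: str, nat_t: bool = False) -> bool:
    """False means the encapsulated packet exceeds the path MTU: fragmented, or dropped if DF is set."""
    return encapsulated_size(inner_len, suite, nat_t) <= link_mtu


if __name__ == "__main__":
    for suite in SUITES:
        mtu = max_inner_mtu(1500, suite)
        print(f"{suite:26} inner MTU {mtu}  TCP MSS {tcp_mss(mtu)}")
```

For AES-GCM the result is exactly 1446 (and 1406 for the MSS); CBC suites and NAT-T each cost a few more bytes. AWS applies the 1446-byte tunnel MTU regardless of the underlying path, so a jumbo-frame DX path does not raise it for VPN over DX.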
Practice Set
- Scenario: A financial firm requires 10 Gbps throughput between on-premises and AWS with full encryption. They use Direct Connect. Which solution fits?
- Answer: A 10 Gbps dedicated DX connection with MACsec enabled (MACsec is supported on 10 Gbps and 100 Gbps dedicated connections at MACsec-capable locations; add a second connection for resiliency). VPN over DX cannot meet this on its own: each IPsec tunnel tops out at 1.25 Gbps.
- Scenario: You need to encrypt traffic between a VPC and an on-premises data center over the public internet. Which protocol is used?
- Answer: IPsec (Site-to-Site VPN).
- Scenario: An application requires end-to-end encryption from the client to the EC2 instance. Where should the SSL certificate be installed?
- Answer: On the EC2 instance itself. Either front it with an NLB in TCP passthrough mode so the client's TLS session terminates on the instance, or terminate at an ALB and re-encrypt to an HTTPS target group (two separate sessions; the ALB does not validate the target certificate).
- Scenario: How do you ensure Route 53 responses haven't been tampered with during transit?
- Answer: Enable DNSSEC signing for the hosted zone.
- Scenario: You are hitting bandwidth limits on a single VPN tunnel. How do you scale?
- Answer: Use Transit Gateway with ECMP across multiple Site-to-Site VPN tunnels. ECMP requires dynamic (BGP) routing on the VPN connections; static-route VPNs cannot be aggregated this way, and a Virtual Private Gateway does not support ECMP.
Fact Recall Blanks
- Direct Connect encryption at Layer 2 is provided by __________ (Answer: MACsec).
- The protocol used by AWS Site-to-Site VPN to secure traffic is __________ (Answer: IPsec).
- To manage internal certificates without using public CAs, use __________ (Answer: AWS Private CA / ACM PCA).
- The default MTU for a VPN tunnel is __________ bytes (Answer: 1446).
- __________ is the AWS service used to automate the issuance, renewal and management of TLS certificates (Answer: AWS Certificate Manager / ACM).
Worked Examples
Scenario: Configuring VPN over Direct Connect (High Security)
Goal: Secure a 1Gbps DX connection with IPsec encryption to meet compliance for data-in-transit.
Step-by-Step Breakdown:
- Establish DX Connection: Provision a 1 Gbps Dedicated Connection.
- Create Public VIF: Create a Public Virtual Interface. AWS advertises its public prefixes (which cover the VPN tunnel endpoint addresses) over it, and you advertise the public IP of your Customer Gateway, so the tunnel is built across DX rather than the internet.
- Configure Customer Gateway (CGW): The on-premises router must support IPsec (preferably IKEv2) and BGP; register its public IP and ASN as the CGW.
- Create Virtual Private Gateway (VGW): Attach it to the target VPC (or use a Transit Gateway if several VPCs are involved).
- Build VPN Tunnel: Create the Site-to-Site VPN connection with dynamic routing between the VGW and the CGW. Both tunnels' outside IPs must be reachable through the Public VIF, not via a default route to the internet.
- Routing: Enable BGP inside the tunnels. The on-premises router advertises the local CIDR into the tunnel and learns the VPC CIDR from the tunnel's BGP session. The Public VIF carries only AWS public prefixes and must hold no route to the VPC CIDR, so no plaintext path to the VPC exists.
[!IMPORTANT] When using VPN over DX, a single tunnel is capped at 1.25 Gbps and the tunnel MTU is 1446 bytes. A 1 Gbps DX fits within one tunnel, but the on-premises router's crypto engine must sustain 1 Gbps of IPsec or it, not the DX, becomes the bottleneck.
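Two mistakes defeat the design above silently: a tunnel endpoint that is routed out to the internet because the Public VIF does not cover its address, and a stray route that sends VPC traffic over the VIF in plaintext. The script below is an added example, not from the original sheet or from AWS, of the audit a practitioner would run over the customer router's routing table before calling the link "encrypted". The RIB, tunnel addresses and prefixes are constructed sample data using documentation (TEST-NET) and link-local ranges, not real AWS addresses; the interface names are hypothetical.

```python
import ipaddress
from typing import Optional

# Constructed sample state (not real AWS addresses): what a customer router's RIB
# looks like for VPN over DX. Entries are (prefix, next hop, egress interface).
RIB = [
    ("10.20.0.0/16", "169.254.10.1", "tunnel1"),    # VPC CIDR learned by BGP inside IPsec tunnel 1
    ("10.20.0.0/16", "169.254.11.1", "tunnel2"),    # ... and inside tunnel 2
    ("10.20.0.0/16", "203.0.113.1", "public_vif"),  # stray static route: plaintext path to the VPC
    ("203.0.113.0/24", "203.0.113.1", "public_vif"),  # AWS public prefixes learned on the Public VIF
    ("198.51.100.0/25", "203.0.113.1", "public_vif"),
    ("0.0.0.0/0", "192.0.2.1", "internet"),          # default route towards the ISP
]
TUNNEL_OUTSIDE_IPS = {"tunnel1": "203.0.113.10", "tunnel2": "198.51.100.200"}  # VGW tunnel endpoints
VPC_CIDR = "10.20.0.0/16"


def egress_interface(ip: str, rib) -> Optional[str]:
    """Longest-prefix match over the RIB; returns the interface a packet to ip leaves on."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, _next_hop, iface in rib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def audit(rib, tunnel_ips, vpc_cidr):
    """Findings for the two failure modes: a tunnel endpoint that does not egress via the
    Public VIF (the tunnel then rides the internet), and any route for VPC space whose
    egress is not an IPsec tunnel (a plaintext bypass)."""
    findings = []
    for name, ip in tunnel_ips.items():
        iface = egress_interface(ip, rib)
        if iface != "public_vif":
            findings.append(f"{name} endpoint {ip} egresses via {iface}, not the Public VIF")
    vpc = ipaddress.ip_network(vpc_cidr)
    for prefix, _next_hop, iface in rib:
        if ipaddress.ip_network(prefix).subnet_of(vpc) and not iface.startswith("tunnel"):
            findings.append(f"route {prefix} via {iface} bypasses IPsec")
    return findings


if __name__ == "__main__":
    for finding in audit(RIB, TUNNEL_OUTSIDE_IPS, VPC_CIDR):
        print("FINDING:", finding)
```

In the sample data tunnel2's endpoint falls outside the /25 learned on the VIF and so matches only the default route, which is exactly the case where the IPsec session still comes up but over the internet; the fix is on the AWS side of the BGP session (the missing prefix), not in the IPsec configuration.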
Visualizing the Security Layers (TikZ)
\begin{tikzpicture}
  % Layers, from the wire upward
  \draw[thick, fill=blue!10]   (0,0)   rectangle (6,1)   node[midway] {Physical Layer (DX Wire)};
  \draw[thick, fill=green!10]  (0,1.2) rectangle (6,2.2) node[midway] {Data Link Layer (MACsec)};
  \draw[thick, fill=orange!10] (0,2.4) rectangle (6,3.4) node[midway] {Network Layer (IPsec)};
  \draw[thick, fill=red!10]    (0,3.6) rectangle (6,4.6) node[midway] {Application Layer (TLS)};
  % Arrow: MACsec protects one link, IPsec a site-to-site path, TLS the end-to-end session
  \draw[->, ultra thick] (-1,0) -- (-1,4.6) node[midway, left, align=center] {Hop-by-hop\\to end-to-end};
\end{tikzpicture}