AWS Network Security: Encryption in Transit (ANS-C01)

This guide covers the critical aspects of implementing encryption for data in transit across AWS services, including edge locations, load balancers, hybrid connections, and internal resources. Understanding these mechanisms is essential for the AWS Certified Advanced Networking Specialty (ANS-C01) exam.

Learning Objectives

After studying this guide, you should be able to:

Differentiate between TLS termination and TLS passthrough on Elastic Load Balancers.
Configure VPN over Direct Connect to provide encrypted hybrid connectivity.
Implement end-to-end encryption using CloudFront and AWS Certificate Manager (ACM).
Secure communications for AWS managed databases and Amazon S3.
Optimize network performance while maintaining encryption (MTU/MSS considerations).

Key Terms & Glossary

TLS (Transport Layer Security): The successor to SSL, providing cryptographic security for communications over a computer network.
IPsec (Internet Protocol Security): A protocol suite for securing IP communications by authenticating and encrypting each IP packet in a communication session.
ACM (AWS Certificate Manager): A service that lets you easily provision, manage, and deploy public and private SSL/TLS certificates.
PFS (Perfect Forward Secrecy): A feature of specific key agreement protocols that ensures that a session key derived from a set of long-term keys will not be compromised if one of the long-term keys is compromised in the future.
Cipher Suite: A set of algorithms used to secure a network connection via TLS/SSL.

The "Big Idea"

In the AWS Shared Responsibility Model, AWS manages the security of the infrastructure (e.g., encryption between Nitro-based instances), but the customer is responsible for implementing encryption for application-level data. Encryption in transit ensures that data remains confidential and untampered while moving across the public internet or even between internal AWS VPCs. The "Big Idea" is to create multiple layers of defense—securing the edge (CloudFront), the entry point (Load Balancers), and the backend (EC2/DBs) to meet strict compliance standards like HIPAA or PCI-DSS.

Formula / Concept Box

Concept	Port/Protocol	Requirement/Notes
HTTPS	Port 443 (TCP)	Requires SSL/TLS Certificate on Listener
IPsec (IKE)	Port 500 (UDP)	Used for Phase 1 key exchange
IPsec (NAT-T)	Port 4500 (UDP)	Used when traffic traverses a NAT device
MSS Adjustment	MSS = MTU - 60	Necessary for IPsec to avoid fragmentation (typically 1360-1380)

Hierarchical Outline

I. Edge Security & Global Acceleration
- CloudFront: Enforcing HTTPS using Viewer Protocol Policy.
- Global Accelerator: Terminating TLS at the edge to reduce latency.
II. Load Balancing & Traffic Distribution
- Application Load Balancer (ALB): TLS Termination; supports SNI (Server Name Indication).
- Network Load Balancer (NLB): TLS Termination or Passthrough; supports ultra-low latency.
III. Hybrid Connectivity
- VPN over Direct Connect: Providing an encrypted tunnel over a private physical connection.
- Transit Gateway (TGW): Using TGW Connect for GRE/IPsec integration.
IV. Storage & Database Encryption
- S3: Using bucket policies to enforce aws:SecureTransport.
- RDS/Aurora: Implementing SSL/TLS for database connections (e.g., REQUIRE SSL in MySQL).

Visual Anchors

Typical Encryption Flow: Edge to Backend

Loading Diagram...

IPsec ESP Packet Structure (Tunnel Mode)

\begin{tikzpicture}[node distance=0cm, start chain=1 going right] \tikzstyle{box}=[draw, minimum height=1cm, inner sep=2pt, font=\small] \node[box, on chain=1, fill=blue!10] (newip) {New IP Header}; \node[box, on chain=1, fill=red!10] (esp) {ESP Header}; \node[box, on chain=1, fill=green!10] (oldip) {Original IP}; \node[box, on chain=1, fill=yellow!10] (payload) {TCP/UDP Payload}; \node[box, on chain=1, fill=red!10] (espt) {ESP Trailer}; \node[box, on chain=1, fill=gray!10] (auth) {ESP Auth};

code

\draw [decorate, decoration={brace, amplitude=5pt, mirror}] (oldip.south west) -- (espt.south east) node [midway, yshift=-0.5cm] {Encrypted Data};
\draw [decorate, decoration={brace, amplitude=5pt}] (esp.north west) -- (espt.north east) node [midway, yshift=0.5cm] {Authenticated Data};

\end{tikzpicture}

Definition-Example Pairs

TLS Termination: The process where the load balancer decrypts traffic before sending it to the backend.
- Example: An ALB handles the certificate for api.example.com, decrypts the traffic, and forwards it to EC2 instances over HTTP (Port 80) in a secure private subnet.
TLS Passthrough: The load balancer passes the encrypted traffic directly to the backend without decryption.
- Example: An NLB using a TCP listener on port 443 sends raw encrypted packets to an EC2 instance where the application itself manages the private key and certificate.
Certificate Pinning: A security mechanism where the client is hardcoded to trust only a specific certificate or public key.
- Example: A mobile app only connects to an AWS endpoint if the certificate presented matches the specific fingerprint stored in the app code, preventing Man-in-the-Middle (MITM) attacks.

Worked Examples

Scenario 1: Enforcing HTTPS on S3

To ensure data is only accessible over an encrypted connection, use a Bucket Policy.

Requirement: Deny any GetObject request that does not use HTTPS.
Policy Snippet:
json
{ "Version": "2012-10-17", "Statement": [{ "Action": "s3:Get*", "Effect": "Deny", "Principal": "*", "Resource": "arn:aws:s3:::my-secure-bucket/*", "Condition": { "Bool": { "aws:SecureTransport": "false" } } }] }

Scenario 2: VPN over Direct Connect (DX)

Provision DX: Establish a physical connection via a DX Partner.
Public VIF: Create a Public Virtual Interface to reach the AWS Site-to-Site VPN endpoints (public IPs).
VPN Connection: Create a Customer Gateway (CGW) and Virtual Private Gateway (VGW).
Security: The VPN provides the IPsec layer (encryption), while DX provides the dedicated path (performance).

Checkpoint Questions

Which load balancer supports SNI to host multiple SSL certificates on a single listener?
In a "VPN over Direct Connect" setup, should you use a Private VIF or a Public VIF for the VPN tunnel if using a VGW?
What is the maximum MTU supported by an AWS Site-to-Site VPN tunnel?

▶Click to see answers

Application Load Balancer (ALB).
A Public VIF (to reach VPN public endpoints) or a Transit VIF (via Transit Gateway).
1500 bytes (but it is recommended to keep MSS at 1379 or lower to avoid fragmentation due to IPsec overhead).

Muddy Points & Cross-Refs

CloudFront Origin Protocol Policy: A common point of confusion is the difference between Viewer Protocol Policy (Client to CloudFront) and Origin Protocol Policy (CloudFront to ALB). To have end-to-end encryption, both must be set to HTTPS.
ACM Certificate Renewal: Public certificates managed by ACM renew automatically. However, if you use a Private CA, you are responsible for the certificate lifecycle on the actual EC2 instances.
Cross-Ref: See Unit 1: Network Design for details on Direct Connect VIF types.

Comparison Tables

ALB vs. NLB for Encryption

Feature	Application Load Balancer (ALB)	Network Load Balancer (NLB)
OSI Layer	Layer 7 (HTTP/HTTPS)	Layer 4 (TCP/TLS/UDP)
Termination	Always terminates TLS	Supports Termination or Passthrough
Certificates	Managed via ACM; SNI supported	Managed via ACM; SNI supported
Backend Traffic	Can be HTTP or HTTPS	Can be TCP or TLS
Best For	Complex routing (Path/Host)	Extreme performance/Static IPs

IPsec Tunnel Mode vs. Transport Mode

Feature	Tunnel Mode	Transport Mode
Original IP Header	Encapsulated (New Header added)	Preserved (Not encrypted)
Use Case	Site-to-Site VPNs (Gateway-to-Gateway)	End-to-Host (Host-to-Host)
Security	Higher (Hides internal network)	Lower (Reveals source/destination)
Overhead	Higher (Extra 20-byte IP header)	Lower

[!IMPORTANT] For the ANS-C01 exam, always remember that AWS Site-to-Site VPN uses Tunnel Mode by default.

AWS Network Security: Encryption in Transit (ANS-C01 Study Guide)