Lab: Implementing Network Confidentiality and Data-in-Transit Encryption

Implement and maintain confidentiality of data and communications of the network

This hands-on lab focuses on Task 4.3 of the AWS Advanced Networking Specialty: implementing and maintaining confidentiality. You will configure secure communication channels using AWS Certificate Manager (ACM) for TLS termination on a Load Balancer and enforce data-in-transit encryption for Amazon S3.

> [!WARNING]
> Remember to run the teardown commands at the end of this lab to avoid ongoing charges for the Application Load Balancer.

Prerequisites

  • An AWS Account with Administrator access.
  • AWS CLI installed and configured with <YOUR_REGION>.
  • Basic knowledge of VPCs and Security Groups.
  • A local terminal (Bash or PowerShell).

Learning Objectives

  • Provision and manage SSL/TLS certificates using AWS Certificate Manager (ACM).
  • Configure an Application Load Balancer (ALB) with an HTTPS listener to ensure communication confidentiality.
  • Implement S3 Bucket Policies to enforce encrypted connections (SecureTransport).

Architecture Overview


Step-by-Step Instructions

Step 1: Create a Private Certificate in ACM

In a real-world scenario, you would use a public certificate. For this lab, we will generate a self-signed certificate and import it into ACM to simulate the process.

  1. Generate a private key and a self-signed certificate using OpenSSL:

```bash
# Generate a 2048-bit RSA private key
openssl genrsa -out lab-private.key 2048
# Generate a self-signed certificate (SHA-256 signature, valid for one year)
openssl req -new -x509 -sha256 -key lab-private.key -out lab-cert.pem -days 365 -subj "/CN=brainybee-lab.local"
```

  2. Import the certificate into ACM:

```bash
# The response contains the CertificateArn; keep it, it is the <CERT_ARN> used in Step 3
aws acm import-certificate --certificate fileb://lab-cert.pem --private-key fileb://lab-private.key --region <YOUR_REGION>
```

Console Alternative

  1. Open the AWS Certificate Manager console.
  2. Click Import a certificate.
  3. Paste the contents of lab-cert.pem into Certificate body.
  4. Paste the contents of lab-private.key into Certificate private key.
  5. Click Next and Import.

Step 2: Enforce Encryption for S3 Data Access

We must ensure that data is only accessible over encrypted connections (TLS/HTTPS).

  1. Create an S3 bucket:

```bash
aws s3 mb s3://brainybee-lab-confidentiality-<YOUR_ACCOUNT_ID> --region <YOUR_REGION>
```

  2. Apply a policy that denies any non-HTTPS (non-SecureTransport) requests:

```bash
# Create a policy file named policy.json
cat <<EOF > policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyHTTPS",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::brainybee-lab-confidentiality-<YOUR_ACCOUNT_ID>",
        "arn:aws:s3:::brainybee-lab-confidentiality-<YOUR_ACCOUNT_ID>/*"
      ],
      "Condition": {
        "Bool": {"aws:SecureTransport": "false"}
      }
    }
  ]
}
EOF
# Apply the policy
aws s3api put-bucket-policy --bucket brainybee-lab-confidentiality-<YOUR_ACCOUNT_ID> --policy file://policy.json
```

Step 3: Configure ALB HTTPS Listener

To maintain confidentiality from the client to the load balancer, we must configure an HTTPS listener using the ACM certificate.

  1. Create an Application Load Balancer (assuming you have subnets subnet-123 and subnet-456 and a security group sg-789 allowing port 443):

```bash
# The response contains the LoadBalancerArn; keep it, it is the <ALB_ARN> used below
aws elbv2 create-load-balancer --name lab-alb --subnets subnet-123 subnet-456 --security-groups sg-789
```

  2. Create an HTTPS Listener (replace <CERT_ARN> with the ARN from Step 1):

```bash
aws elbv2 create-listener --load-balancer-arn <ALB_ARN> --protocol HTTPS --port 443 --certificates CertificateArn=<CERT_ARN> --default-actions Type=fixed-response,FixedResponseConfig="{StatusCode=200,ContentType=text/plain,MessageBody=Confidentiality_Maintained}"
```

Checkpoints

  • Verification 1: Run aws acm list-certificates. You should see the ARN for brainybee-lab.local.
  • Verification 2: Access the S3 bucket from the CLI. Run aws s3 ls s3://brainybee-lab-confidentiality-<YOUR_ACCOUNT_ID>. The CLI uses HTTPS by default, so this should succeed. A request sent over plain HTTP would be rejected by the bucket policy with 403 Forbidden.
  • Verification 3: Run aws elbv2 describe-listeners --load-balancer-arn <ALB_ARN>. Ensure the protocol is HTTPS and the port is 443.
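Verification 3 above is a manual read of the describe-listeners output; the same check, plus an audit for any listener that would carry client traffic in the clear, is straightforward to automate. The script below is an added example written for this lab, not AWS code or part of the original page. SAMPLE_DESCRIBE_LISTENERS is a constructed document in the shape of the aws elbv2 describe-listeners response (all ARNs are placeholders, not captured values); it contains the Step 3 HTTPS listener, an HTTP listener that only redirects to HTTPS, and a cleartext listener forwarding to targets so that the audit has something to find.

```python
"""Audit Application Load Balancer listeners the way Verification 3 does by
hand. Added example for this lab, not AWS code: SAMPLE_DESCRIBE_LISTENERS is a
constructed document in the shape of `aws elbv2 describe-listeners` output
(ARNs are placeholders), not a captured response."""
import json

SAMPLE_DESCRIBE_LISTENERS = json.dumps({
    "Listeners": [
        {
            # The listener created in Step 3: TLS terminated with the ACM certificate.
            "ListenerArn": "arn:aws:elasticloadbalancing:<YOUR_REGION>:<YOUR_ACCOUNT_ID>:listener/app/lab-alb/EXAMPLE/LISTENER443",
            "Port": 443,
            "Protocol": "HTTPS",
            "SslPolicy": "ELBSecurityPolicy-2016-08",
            "Certificates": [{"CertificateArn": "<CERT_ARN>"}],
            "DefaultActions": [{
                "Type": "fixed-response",
                "FixedResponseConfig": {"StatusCode": "200", "ContentType": "text/plain",
                                        "MessageBody": "Confidentiality_Maintained"},
            }],
        },
        {
            # A port-80 listener whose only job is to bounce clients to HTTPS.
            "ListenerArn": "arn:aws:elasticloadbalancing:<YOUR_REGION>:<YOUR_ACCOUNT_ID>:listener/app/lab-alb/EXAMPLE/LISTENER80",
            "Port": 80,
            "Protocol": "HTTP",
            "DefaultActions": [{
                "Type": "redirect",
                "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"},
            }],
        },
        {
            # A cleartext listener forwarding to targets: this is the finding we want.
            "ListenerArn": "arn:aws:elasticloadbalancing:<YOUR_REGION>:<YOUR_ACCOUNT_ID>:listener/app/lab-alb/EXAMPLE/LISTENER8080",
            "Port": 8080,
            "Protocol": "HTTP",
            "DefaultActions": [{"Type": "forward", "TargetGroupArn": "<TARGET_GROUP_ARN>"}],
        },
    ]
})


def _redirects_to_https(action):
    """A redirect action counts as safe only if it sends the client to HTTPS."""
    cfg = action.get("RedirectConfig", {})
    return action.get("Type") == "redirect" and cfg.get("Protocol") == "HTTPS"


def audit_listeners(describe_output):
    """Return one finding per listener that would carry client data in the clear.
    ALB listeners are either HTTPS (encrypted from client to load balancer) or
    HTTP; an HTTP listener is tolerated only when every default action is a
    redirect to HTTPS, so no request body is ever served over plaintext."""
    findings = []
    for listener in json.loads(describe_output)["Listeners"]:
        proto = listener["Protocol"]
        if proto == "HTTPS":
            continue
        actions = listener.get("DefaultActions", [])
        if proto == "HTTP" and actions and all(_redirects_to_https(a) for a in actions):
            continue
        findings.append({
            "listener": listener["ListenerArn"],
            "port": listener["Port"],
            "issue": "%s listener serves traffic without TLS" % proto,
        })
    return findings


def lab_listener_ok(describe_output, expected_cert_arn):
    """Verification 3 as code: an HTTPS listener on port 443 exists and it
    presents the ACM certificate imported in Step 1."""
    for listener in json.loads(describe_output)["Listeners"]:
        if listener["Protocol"] == "HTTPS" and listener["Port"] == 443:
            certs = [c.get("CertificateArn") for c in listener.get("Certificates", [])]
            if expected_cert_arn in certs:
                return True
    return False


if __name__ == "__main__":
    print("lab listener ok:", lab_listener_ok(SAMPLE_DESCRIBE_LISTENERS, "<CERT_ARN>"))
    for finding in audit_listeners(SAMPLE_DESCRIBE_LISTENERS):
        print("FINDING port %d: %s" % (finding["port"], finding["issue"]))
```

To run it against a real load balancer, pipe the output of aws elbv2 describe-listeners --load-balancer-arn <ALB_ARN> into audit_listeners in place of the constructed sample; on the lab ALB it should report no findings, and lab_listener_ok should return True for the imported certificate's ARN.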

Clean-Up / Teardown

  1. Delete the ALB Listener and the ALB:

```bash
aws elbv2 delete-listener --listener-arn <LISTENER_ARN>
aws elbv2 delete-load-balancer --load-balancer-arn <ALB_ARN>
```

  2. Delete the S3 Bucket Policy and the Bucket:

```bash
aws s3api delete-bucket-policy --bucket brainybee-lab-confidentiality-<YOUR_ACCOUNT_ID>
aws s3 rb s3://brainybee-lab-confidentiality-<YOUR_ACCOUNT_ID> --force
```

  3. Delete the ACM Certificate:

```bash
aws acm delete-certificate --certificate-arn <CERT_ARN>
```

Troubleshooting

| Error | Possible Cause | Fix |
|---|---|---|
| An error occurred (AccessDenied) when listing S3 | Bucket policy is too restrictive or IAM user lacks permissions | Ensure the aws:SecureTransport condition is set to false within a Deny effect. |
| ALB Listener fails to create | Security group does not allow port 443 | Update the ALB Security Group to allow inbound TCP 443 from 0.0.0.0/0. |
| Certificate Import Error | Incorrect file format | Ensure you are using the fileb:// prefix in the CLI for binary/file imports. |

Stretch Challenge

Task: Configure a "Redirect" rule on the ALB. If a user tries to connect via HTTP (port 80), automatically redirect them to HTTPS (port 443) to ensure they cannot transmit data in the clear.

Cost Estimate

| Service | Estimated Cost (per hour) |
|---|---|
| Application Load Balancer | ~$0.0225 per hour + LCU charges |
| AWS Certificate Manager | $0.00 (Public/Imported are free) |
| Amazon S3 | ~$0.023 per GB/month (Negligible for lab) |
| Total | <$1.00 for 1 hour of lab time |

Concept Review

Confidentiality is a core pillar of the CIA triad (Confidentiality, Integrity, Availability). On AWS, this is achieved through encryption both at rest and in transit.

Comparison: Encryption Methods

| Method | Layer | Best For |
|---|---|---|
| TLS (ACM) | Session/Application | Public-facing web traffic and API endpoints. |
| IPsec (VPN) | Network | Hybrid connectivity between on-premises and AWS VPCs. |
| SSE-S3 | Application | Automatic encryption of objects stored in S3. |
| DNSSEC | Application | Protecting DNS records from spoofing/man-in-the-middle. |

Note that only TLS and IPsec protect data in transit: SSE-S3 encrypts objects at rest, and DNSSEC signs records to prove their authenticity and integrity rather than encrypting them.
