
Network Encryption & The AWS Shared Responsibility Model

Network encryption under the AWS shared responsibility model

This study guide covers the critical aspects of protecting data in transit within the AWS ecosystem, focusing on the boundary between AWS-managed security and customer-managed encryption configurations as required for the ANS-C01 exam.

Learning Objectives

After studying this guide, you should be able to:

  • Differentiate between AWS and customer responsibilities for network encryption.
  • Identify appropriate encryption protocols (TLS, IPsec, MACsec) for various use cases.
  • Implement secure connectivity solutions including VPN over Direct Connect and Transit Gateway.
  • Manage certificates using AWS Certificate Manager (ACM) and Private CA.
  • Secure DNS communications using DNSSEC.

Key Terms & Glossary

  • IPsec (Internet Protocol Security): A suite of protocols used to secure IP communications by authenticating and encrypting each IP packet in a communication session.
  • TLS (Transport Layer Security): A cryptographic protocol designed to provide communications security over a computer network, commonly used for HTTPS.
  • MACsec (IEEE 802.1AE): A layer 2 hop-by-hop encryption standard used to secure point-to-point links (e.g., AWS Direct Connect).
  • Perfect Forward Secrecy (PFS): A property of certain key agreement protocols (ephemeral Diffie-Hellman) guaranteeing that past session keys cannot be recovered even if the server's long-term private key is compromised later.
  • DNSSEC (Domain Name System Security Extensions): A suite of specifications for securing information provided by DNS by providing origin authority and data integrity.

The "Big Idea"

In the AWS cloud, security is a partnership. While AWS ensures the physical infrastructure and the underlying virtualization layer are secure and often encrypted (e.g., encryption between Nitro instances), the Customer is responsible for choosing the right protocol (TLS vs. IPsec), managing certificates, and ensuring that compliance requirements (like FIPS 140-2) are met for the application-level data flowing through the network.

Formula / Concept Box

| Feature | Protocol / Service | Layer | Use Case |
|---|---|---|---|
| Application Encryption | TLS | Layer 7 | HTTPS, Web traffic, ALB, CloudFront |
| Tunnel Encryption | IPsec | Layer 3 | Site-to-Site VPN, VPN over Direct Connect |
| Link Encryption | MACsec | Layer 2 | Direct Connect (at specific locations) |
| DNS Integrity | DNSSEC | Layer 7 | Preventing DNS Spoofing / Man-in-the-middle |

Hierarchical Outline

  • AWS Shared Responsibility for Encryption
    • AWS Responsibility (Security OF the Cloud)
      • Physical security of data centers
      • Encryption of physical links between AWS Regions
      • Automatic encryption between specific Nitro-based EC2 instances
    • Customer Responsibility (Security IN the Cloud)
      • Configuration of SSL/TLS on Load Balancers (ALB/NLB)
      • IPsec VPN configuration and key management
      • Certificate Lifecycle Management via ACM
      • DNSSEC implementation on Route 53
  • Implementation Patterns
    • Edge Security: CloudFront (TLS), AWS WAF, and Shield
    • Hybrid Connectivity: MACsec for DX, IPsec for VPN, and VPN over DX for "Encryption over Encryption"
    • Inter-VPC Security: Transit Gateway (TGW) and VPC Peering limitations

Visual Anchors

Shared Responsibility Flow

Encryption at Different Layers

\begin{tikzpicture}[node distance=1.5cm, every node/.style={rectangle, draw, minimum width=4cm, minimum height=0.8cm}]
  \node (l7) {Layer 7: TLS (HTTPS)};
  \node (l3) [below of=l7] {Layer 3: IPsec (VPN)};
  \node (l2) [below of=l3] {Layer 2: MACsec (Direct Connect)};
  \draw[<->, thick] (l7) -- (l3);
  \draw[<->, thick] (l3) -- (l2);
  \node[draw=none, right=1cm of l7] {Application Level};
  \node[draw=none, right=1cm of l3] {Network Level};
  \node[draw=none, right=1cm of l2] {Hardware Level};
\end{tikzpicture}

Definition-Example Pairs

  • TLS Termination: The process of decrypting TLS-encrypted traffic at the load balancer before sending it to the backend server.
    • Example: An Application Load Balancer (ALB) decrypting HTTPS traffic from a user and forwarding HTTP to an EC2 instance in a private subnet.
  • VPN over Direct Connect: Layering an IPsec VPN on top of a Direct Connect virtual interface to ensure end-to-end encryption.
    • Example: A financial institution using a 10Gbps Direct Connect link but requiring IPsec for compliance-mandated data-in-transit encryption.
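TLS termination on a load balancer is where the customer side of the shared responsibility model becomes concrete: the listener protocol, the SSL policy and the ACM certificate are all customer settings. The following added example (not part of this guide or of any AWS tool) audits constructed listener and certificate records shaped like `elbv2 describe-listeners` and `acm describe-certificate` output; the field names, ARNs and the fixed clock are assumptions made for the example.

```python
"""Audit ALB/NLB listeners for the customer-side TLS duties listed above.
Sample records are constructed to resemble `elbv2 describe-listeners` and
`acm describe-certificate` output; the field names are an assumption here."""
from datetime import datetime, timedelta, timezone

# Policy families documented as TLS 1.2+ with forward-secret (ECDHE) suites; a coarse prefix test.
MODERN_SSL_POLICY_PREFIXES = ("ELBSecurityPolicy-TLS13-", "ELBSecurityPolicy-FS-")
CERT_EXPIRY_WARNING = timedelta(days=30)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible

# Constructed sample: one compliant HTTPS listener, one plaintext HTTP, one legacy policy.
LISTENERS = [
    {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/app/web/abc/1",
     "Protocol": "HTTPS", "Port": 443, "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
     "Certificates": [{"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/good"}]},
    {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/app/web/abc/2",
     "Protocol": "HTTP", "Port": 80, "Certificates": []},
    {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/app/web/abc/3",
     "Protocol": "HTTPS", "Port": 8443, "SslPolicy": "ELBSecurityPolicy-2016-08",
     "Certificates": [{"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/expiring"}]},
]
CERTIFICATES = {  # keyed by ARN, one constructed ACM record per certificate
    "arn:aws:acm:us-east-1:111122223333:certificate/good":
        {"Status": "ISSUED", "NotAfter": NOW + timedelta(days=200), "RenewalEligibility": "ELIGIBLE"},
    "arn:aws:acm:us-east-1:111122223333:certificate/expiring":
        {"Status": "ISSUED", "NotAfter": NOW + timedelta(days=12), "RenewalEligibility": "INELIGIBLE"},
}

def audit_listener(listener, certificates, now):
    """Return findings for one listener; an empty list means it meets the bar."""
    findings = []
    if listener["Protocol"] not in ("HTTPS", "TLS"):
        return ["plaintext listener: TLS termination not configured"]
    policy = listener.get("SslPolicy", "")
    if not policy.startswith(MODERN_SSL_POLICY_PREFIXES):
        findings.append(f"legacy SSL policy {policy}: may allow TLS 1.0/1.1 or non-PFS suites")
    for ref in listener.get("Certificates", []):
        cert = certificates.get(ref["CertificateArn"])
        if cert is None or cert["Status"] != "ISSUED":
            findings.append("certificate missing from ACM or not ISSUED")
        elif cert["NotAfter"] - now < CERT_EXPIRY_WARNING and cert["RenewalEligibility"] != "ELIGIBLE":
            findings.append(f"certificate expires in {(cert['NotAfter'] - now).days} days; ACM cannot auto-renew it")
    return findings

def audit_all(listeners=LISTENERS, certificates=CERTIFICATES, now=NOW):
    """Map each listener ARN to its findings (a customer-side check, not an AWS control)."""
    return {lst["ListenerArn"]: audit_listener(lst, certificates, now) for lst in listeners}
```

Against a real account the same two functions can be fed the dictionaries returned by boto3's `describe_listeners` and `describe_certificate` calls.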

Worked Examples

Scenario: Securing a Multi-Region Hybrid Cloud

Problem: A company needs to connect their on-premises data center to two AWS Regions. They require 10Gbps bandwidth but must encrypt all traffic to meet HIPAA compliance. Standard VPN is too slow.

Step-by-Step Solution:

  1. Provision Direct Connect (DX): Order a 10Gbps dedicated connection to an AWS Direct Connect location.
  2. Enable MACsec: Verify the DX location supports MACsec for Layer 2 encryption between the on-premises router and the AWS device.
  3. Transit Gateway (TGW): Deploy a Transit Gateway in each region.
  4. Direct Connect Gateway: Use a DX Gateway to associate the DX connection with both TGWs.
  5. Optional IPsec Layer: If the customer requires Layer 3 encryption specifically (or MACsec is unavailable), create a Public VIF on the DX and establish a Site-to-Site VPN to the TGW.
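When the optional IPsec layer in step 5 is added, the tunnel's IKE version, Diffie-Hellman groups (which provide PFS) and cipher choices are customer-configured values, not something AWS hardens for you. This added example (not from the guide or from AWS) audits a constructed Site-to-Site VPN record shaped like the `Options.TunnelOptions` part of `ec2 describe-vpn-connections` output; that shape, the placeholder ids and the sample addresses are assumptions.

```python
"""Check Site-to-Site VPN tunnel options for the IPsec settings that stay a customer duty
(IKE version, DH groups for PFS, cipher strength). The record below is constructed to
resemble `ec2 describe-vpn-connections` Options.TunnelOptions; that shape is an assumption."""

WEAK_DH_GROUPS = {2}                       # 1024-bit MODP, below current guidance
STRONG_CIPHERS = {"AES256", "AES256-GCM-16"}

# Constructed sample: tunnel .10 tightened, tunnel .11 left at permissive defaults. Ids are placeholders.
VPN_CONNECTION = {
    "VpnConnectionId": "vpn-0123456789abcdef0",
    "TransitGatewayId": "tgw-0123456789abcdef0",
    "Options": {"TunnelOptions": [
        {"OutsideIpAddress": "203.0.113.10",
         "IkeVersions": [{"Value": "ikev2"}],
         "Phase1DHGroupNumbers": [{"Value": 20}, {"Value": 21}],
         "Phase2DHGroupNumbers": [{"Value": 20}],
         "Phase1EncryptionAlgorithms": [{"Value": "AES256-GCM-16"}],
         "Phase2EncryptionAlgorithms": [{"Value": "AES256-GCM-16"}]},
        {"OutsideIpAddress": "203.0.113.11",
         "IkeVersions": [{"Value": "ikev1"}, {"Value": "ikev2"}],
         "Phase1DHGroupNumbers": [{"Value": 2}, {"Value": 14}],
         "Phase2DHGroupNumbers": [{"Value": 2}],
         "Phase1EncryptionAlgorithms": [{"Value": "AES128"}, {"Value": "AES256"}],
         "Phase2EncryptionAlgorithms": [{"Value": "AES128"}]},
    ]},
}

def _values(tunnel, key):
    """Flatten the [{"Value": x}, ...] lists the API uses for negotiable options."""
    return [item["Value"] for item in tunnel.get(key, [])]

def audit_tunnel(tunnel):
    """Return findings for one tunnel; an empty list means it meets the bar."""
    findings = []
    if "ikev1" in _values(tunnel, "IkeVersions"):
        findings.append("IKEv1 still offered")
    for phase in ("Phase1DHGroupNumbers", "Phase2DHGroupNumbers"):
        weak = WEAK_DH_GROUPS & set(_values(tunnel, phase))
        if weak:  # phase 2 groups are what give the tunnel PFS, so both phases are checked
            findings.append(f"{phase}: weak DH group(s) {sorted(weak)} offered")
    for phase in ("Phase1EncryptionAlgorithms", "Phase2EncryptionAlgorithms"):
        weak = set(_values(tunnel, phase)) - STRONG_CIPHERS
        if weak:
            findings.append(f"{phase}: sub-256-bit cipher(s) {sorted(weak)} offered")
    return findings

def audit_vpn(connection=VPN_CONNECTION):
    """Map each tunnel's outside IP to its findings."""
    return {t["OutsideIpAddress"]: audit_tunnel(t) for t in connection["Options"]["TunnelOptions"]}
```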

Checkpoint Questions

  1. Who is responsible for managing the SSL/TLS certificates used on an Application Load Balancer?
  2. Which protocol provides hop-by-hop encryption at the physical layer for Direct Connect?
  3. True or False: AWS automatically encrypts all traffic between any two EC2 instances in the same VPC.
  4. What service should you use to create and manage a private subordinate CA within AWS?

[!NOTE] Answers: 1. The Customer (using ACM). 2. MACsec. 3. False (only specific Nitro-based instances support automatic wire encryption). 4. AWS Private Certificate Authority (Private CA).

Muddy Points & Cross-Refs

  • MACsec vs IPsec: Students often confuse these. Remember: MACsec is Layer 2 (hardware-to-hardware), while IPsec is Layer 3 (tunnel-to-tunnel). MACsec is not available at all DX locations.
  • Nitro Encryption: It is important to know that while Nitro-to-Nitro encryption is "automatic," it only applies to specific instance types. Always verify the instance family for exam questions involving "default" encryption.
  • Further Study: Cross-reference with AWS KMS for data-at-rest encryption and AWS CloudHSM for dedicated hardware security modules.

Comparison Tables

IPsec vs. TLS vs. MACsec

| Feature | IPsec | TLS | MACsec |
|---|---|---|---|
| OSI Layer | Layer 3 (Network) | Layer 7 (Application) | Layer 2 (Data Link) |
| Configuration | Complex (Tunnels/IKE) | Simple (Certificates) | Physical Hardware Support |
| AWS Service | Site-to-Site VPN | ALB, NLB, CloudFront | Direct Connect |
| Encryption | End-to-End (mostly) | End-to-End | Hop-by-Hop |