
Exam Cram: Data in Transit Controls (AWS Security Specialty)

Design and implement controls for data in transit


This guide covers Domain 5.1 of the SCS-C03 exam: Designing and implementing controls for data in transit, ensuring confidentiality and integrity as data moves between users, services, and networks.

## Topic Weighting

| Domain | Estimated Weighting | Focus Area for 5.1 |
|---|---|---|
| Domain 5: Data Protection | 16% - 20% | TLS/SSL, VPC Endpoints, VPNs, and inter-node encryption |

> [!IMPORTANT]
> Expect at least 5-8 questions directly related to encrypting data in motion, specifically involving ELB security policies and VPC Endpoint architectures.

## Key Concepts Summary

  • TLS Enforcement: Use the aws:SecureTransport condition key in S3 bucket policies or IAM policies to deny requests that do not arrive over HTTPS. Write it as an explicit Deny when the key is false, not as an Allow when it is true: an Allow conditioned on true does nothing to stop plaintext calls granted by another statement.
  • VPC Endpoints:
    • Interface Endpoints: Powered by PrivateLink; an ENI with a private IP in your subnet, optionally with a private DNS name. Used for most services (Kinesis, the EC2 API, etc.) and for third-party or custom endpoint services.
    • Gateway Endpoints: Used ONLY for S3 and DynamoDB. Configured as a prefix-list route in the route table, no charge, reachable only from within that VPC.
  • ELB Security Policies: Predefined combinations of TLS versions and ciphers. ELBSecurityPolicy-2016-08 (the legacy default) still accepts TLS 1.0 and 1.1; ELBSecurityPolicy-TLS-1-2-2017-01 and newer policies, including ELBSecurityPolicy-TLS13-1-2-2021-06 (which adds TLS 1.3), require TLS 1.2 or higher. ALB and NLB accept only predefined policies; only Classic Load Balancers allow custom ones.
  • Nitro System: Traffic between supported Nitro-based instance types is encrypted in hardware with no configuration when both instances are in the same Region and in the same VPC or peered VPCs, and the traffic does not pass through a virtual network device or service such as a load balancer or a transit gateway. Check support with the EncryptionInTransitSupported field returned by describe-instance-types.
  • AWS Verified Access: VPN-less access to corporate applications; every request is evaluated against user identity (IAM Identity Center or an OIDC-compliant IdP) and device posture from a device trust provider.

## Common Pitfalls

  • ❌ Mistake: Using a Gateway Endpoint for a service other than S3 or DynamoDB, or expecting a Gateway Endpoint to be reachable from a peered VPC or from on-premises.
    • ✅ Fix: Use Interface Endpoints (PrivateLink) for all other AWS services, and for S3 whenever access from outside the VPC is required (S3 also offers an Interface Endpoint).
  • ❌ Mistake: Assuming VPC Peering encrypts traffic by default.
    • ✅ Fix: Only traffic between supported Nitro instance types in the same Region is encrypted automatically; everything else needs TLS at the application layer or an IPsec tunnel between the hosts.
  • ❌ Mistake: Forgetting that an ALB HTTPS listener cannot be created without a certificate.
    • ✅ Fix: Request a certificate in ACM (or import one into ACM or IAM), attach it to the HTTPS listener on port 443, and configure the HTTP:80 listener as a redirect to HTTPS rather than a forward.
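The listener-side check behind the ALB pitfall, as an added example that is not from the original page or from AWS: it flags HTTP listeners that forward plaintext instead of redirecting, TLS listeners with no certificate, and security policies that still negotiate TLS 1.0 or 1.1. The listener records are constructed to mirror the shape of `aws elbv2 describe-listeners` output; the account ID, load balancer and certificate ARNs are placeholders. The ELBSecurityPolicy-* names are the real predefined policies; the lowest TLS version each accepts is taken from the Elastic Load Balancing documentation.

```python
"""Audit ELBv2 listeners for weak data-in-transit settings.

Added example for this cram sheet (not AWS code). The listener records are
constructed to mirror `aws elbv2 describe-listeners` output, so the same
function can be pointed at a real response.
"""

# Lowest TLS version each predefined policy will negotiate (per ELB docs).
MIN_TLS_BY_POLICY = {
    "ELBSecurityPolicy-2016-08": "1.0",             # legacy default: TLS 1.0-1.2
    "ELBSecurityPolicy-TLS-1-0-2015-04": "1.0",
    "ELBSecurityPolicy-TLS-1-1-2017-01": "1.1",
    "ELBSecurityPolicy-TLS-1-2-2017-01": "1.2",
    "ELBSecurityPolicy-TLS-1-2-Ext-2018-06": "1.2",
    "ELBSecurityPolicy-FS-1-2-Res-2020-10": "1.2",  # forward-secrecy ciphers only
    "ELBSecurityPolicy-TLS13-1-2-2021-06": "1.2",   # TLS 1.2 and 1.3
}


def _redirects_to_https(actions):
    """True if every default action is a redirect whose target protocol is HTTPS."""
    return bool(actions) and all(
        a.get("Type") == "redirect"
        and a.get("RedirectConfig", {}).get("Protocol") == "HTTPS"
        for a in actions
    )


def audit_listeners(listeners, minimum_tls="1.2"):
    """Return (listener ARN, finding) pairs for listeners that leak or weaken TLS."""
    findings = []
    for lst in listeners:
        arn, proto = lst["ListenerArn"], lst["Protocol"]
        if proto == "HTTP":
            # Plaintext is tolerable only as a redirect to the HTTPS listener.
            if not _redirects_to_https(lst.get("DefaultActions", [])):
                findings.append((arn, "HTTP listener serves plaintext instead of redirecting to HTTPS"))
        elif proto in ("HTTPS", "TLS"):
            if not lst.get("Certificates"):
                findings.append((arn, "TLS listener has no certificate attached"))
            policy = lst.get("SslPolicy", "")
            floor = MIN_TLS_BY_POLICY.get(policy)
            if floor is None:
                findings.append((arn, f"unrecognised security policy {policy!r}; review manually"))
            elif float(floor) < float(minimum_tls):
                findings.append((arn, f"{policy} still negotiates TLS {floor}; require TLS {minimum_tls}+"))
        # TCP/UDP listeners pass traffic through untouched; encryption there is the application's job.
    return findings


# Constructed sample (placeholder account/ARNs): a correct HTTP->HTTPS redirect, a
# correct TLS 1.2/1.3 listener, a plaintext listener that forwards, and a TLS
# listener left on the legacy policy.
_ACCOUNT = "111122223333"
_LB = f"arn:aws:elasticloadbalancing:us-east-1:{_ACCOUNT}:listener/app/web/0123456789abcdef"
_CERT = [{"CertificateArn": f"arn:aws:acm:us-east-1:{_ACCOUNT}:certificate/11111111-2222-3333-4444-555555555555"}]

SAMPLE_LISTENERS = [
    {"ListenerArn": f"{_LB}/aaaa", "Protocol": "HTTP", "Port": 80,
     "DefaultActions": [{"Type": "redirect",
                         "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]},
    {"ListenerArn": f"{_LB}/bbbb", "Protocol": "HTTPS", "Port": 443,
     "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06", "Certificates": _CERT,
     "DefaultActions": [{"Type": "forward"}]},
    {"ListenerArn": f"{_LB}/cccc", "Protocol": "HTTP", "Port": 8080,
     "DefaultActions": [{"Type": "forward"}]},
    {"ListenerArn": f"{_LB}/dddd", "Protocol": "HTTPS", "Port": 8443,
     "SslPolicy": "ELBSecurityPolicy-2016-08", "Certificates": _CERT,
     "DefaultActions": [{"Type": "forward"}]},
]

if __name__ == "__main__":
    for arn, finding in audit_listeners(SAMPLE_LISTENERS):
        print(f"{arn.rsplit('/', 1)[-1]}: {finding}")
```

Running it reports only the two bad listeners (cccc and dddd). The policy table is a deliberate allowlist rather than a parse of the policy name, so a policy AWS adds later is reported for manual review instead of being silently accepted.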

## Mnemonics / Memory Triggers

  • "S-D-G" (S-D-Great): S3 and DynamoDB use Gateway Endpoints. Everything else is Interface.
  • "Transport is False": If aws:SecureTransport is false, it means the connection is NOT encrypted (Insecure). Always deny if false.
  • "ACM is the Key": AWS Certificate Manager is where the exam expects certificates for ELB and CloudFront TLS termination to be provisioned (imported certificates also work, and CloudFront requires its certificate to live in us-east-1).

## Formula / Equation Sheet

Comparison: VPC Endpoints

| Feature | Gateway Endpoint | Interface Endpoint (PrivateLink) |
|---|---|---|
| Services | S3, DynamoDB | 100+ AWS services, Marketplace, custom endpoint services |
| Mechanism | Route table entry (prefix list) | Elastic Network Interface (ENI) + private DNS |
| Cost | Free | Hourly charge + data processing fee |
| Access | From within the VPC only (not from peered VPCs, VPN or DX) | Peered VPCs (including cross-Region), on-premises via VPN/DX |

Common TLS Policy Syntax

$\text{Deny if } \{\text{aws:SecureTransport} == \text{false}\}$

## Practice Set

  1. Question: A security engineer needs to ensure that all objects uploaded to an S3 bucket are encrypted in transit. Which policy condition should be used?
    • Answer: "Condition": {"Bool": {"aws:SecureTransport": "false"}} with an Effect: Deny.
  2. Question: Which service allows for secure, VPN-less access to internal web applications using identity-based policies?
    • Answer: AWS Verified Access.
  3. Question: You need to connect an on-premises data center to an AWS Interface Endpoint. What is required?
    • Answer: Site-to-Site VPN or Direct Connect into the VPC (Gateway Endpoints are not accessible via VPN/DX). On-premises resolvers must also be able to resolve the endpoint's name, either by forwarding to a Route 53 Resolver inbound endpoint or by using the endpoint-specific DNS name.
  4. Question: How can you enforce the use of specific high-strength ciphers on an Application Load Balancer?
    • Answer: Select a predefined ELB Security Policy that excludes weak ciphers and TLS 1.0/1.1 (e.g., an FS policy such as ELBSecurityPolicy-FS-1-2-Res-2020-10). ALB does not accept custom policies; only Classic Load Balancers do.
  5. Question: Does traffic between two EC2 instances across a VPC Peering connection stay on the public internet?
    • Answer: No, it stays on the AWS global network backbone, but it is only encrypted by default when both instances are supported Nitro types in the same Region.

## Worked Examples

Scenario: Enforcing HTTPS on S3

Goal: Prevent any API call to my-secure-bucket that does not use SSL/TLS.

Policy Implementation:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSSLRequestsOnly",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-secure-bucket",
        "arn:aws:s3:::my-secure-bucket/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    }
  ]
}
```

Explanation: The aws:SecureTransport key is true when the request arrived over HTTPS and false otherwise. When it is false, this explicit Deny applies to every principal and every S3 action on both the bucket and its objects, overriding any Allow in the bucket policy or in the caller's IAM policy. Both ARNs are needed: the bare bucket ARN covers bucket-level calls such as ListBucket, the /* ARN covers object calls such as GetObject and PutObject.
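To see why the statement has to look exactly like that, here is an added example (not from the original page or from AWS) that does two things: it inspects a bucket policy for a Deny of the right shape, and it walks a simplified version of the IAM evaluation logic (explicit Deny beats Allow, no match is an implicit deny) against HTTP and HTTPS requests. The two policies are constructed for the demonstration; the account ID and role name in the Principal are placeholders. Principal matching, IAM identity policies, SCPs and condition keys other than aws:SecureTransport are deliberately out of scope.

```python
"""Check whether an S3 bucket policy actually forces TLS.

Added example for this cram sheet (not AWS code). Simplified evaluator:
resource policy only, trailing-'*' wildcards only, aws:SecureTransport is
the only condition key understood. Policies below are constructed.
"""
import json

BUCKET = "my-secure-bucket"
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
READER = {"AWS": "arn:aws:iam::111122223333:role/ReportReader"}  # placeholder principal

# Same Deny statement as the worked example, plus an ordinary read grant.
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowRead", "Effect": "Allow", "Principal": READER,
     "Action": "s3:GetObject", "Resource": f"{BUCKET_ARN}/*"},
    {"Sid": "AllowSSLRequestsOnly", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]})

# Common mistake: the Deny names only the bucket ARN, so object reads over
# plain HTTP are never denied.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowRead", "Effect": "Allow", "Principal": READER,
     "Action": "s3:GetObject", "Resource": f"{BUCKET_ARN}/*"},
    {"Sid": "DenyBucketOnly", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": BUCKET_ARN,
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM wildcards are richer than this; a trailing '*' is all these policies need.
    return value == pattern or (pattern.endswith("*") and value.startswith(pattern[:-1]))


def _condition_holds(stmt, request):
    bool_cond = stmt.get("Condition", {}).get("Bool", {})
    if "aws:SecureTransport" not in bool_cond:
        return True  # unconditional statement
    wanted = str(bool_cond["aws:SecureTransport"]).lower() == "true"
    return request["secure_transport"] == wanted


def evaluate(policy_json, request):
    """Simplified resource-policy decision for one request.

    request = {"action": "s3:GetObject", "resource": "<ARN>", "secure_transport": bool}
    Returns "Deny", "Allow" or "ImplicitDeny".
    """
    decision = "ImplicitDeny"
    for stmt in json.loads(policy_json)["Statement"]:
        if not any(_matches(a, request["action"]) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_matches(r, request["resource"]) for r in _as_list(stmt.get("Resource", []))):
            continue
        if not _condition_holds(stmt, request):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny ends evaluation immediately
        decision = "Allow"
    return decision


def statement_denies_plaintext(stmt, bucket_arn):
    """True if stmt is a Deny that fires for every non-TLS call on the bucket and its objects."""
    if stmt.get("Effect") != "Deny" or stmt.get("Principal") not in ("*", {"AWS": "*"}):
        return False
    if not {"s3:*", "*"} & set(_as_list(stmt.get("Action", []))):
        return False
    if not {bucket_arn, f"{bucket_arn}/*"} <= set(_as_list(stmt.get("Resource", []))):
        return False  # must cover bucket-level AND object-level operations
    cond = stmt.get("Condition", {}).get("Bool", {})
    return str(cond.get("aws:SecureTransport", "")).lower() == "false"


def enforces_tls(policy_json, bucket=BUCKET):
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return any(statement_denies_plaintext(s, bucket_arn)
               for s in json.loads(policy_json)["Statement"])


if __name__ == "__main__":
    http_get = {"action": "s3:GetObject", "resource": f"{BUCKET_ARN}/report.csv", "secure_transport": False}
    for name, policy in (("good", GOOD_POLICY), ("weak", WEAK_POLICY)):
        print(f"{name}: enforces TLS = {enforces_tls(policy)}, HTTP GetObject -> {evaluate(policy, http_get)}")
```

With GOOD_POLICY a plaintext GetObject is denied and the same call over HTTPS is allowed; with WEAK_POLICY the plaintext GetObject still succeeds because the Deny never matches an object ARN, even though a plaintext ListBucket on the bucket itself is denied. The same `enforces_tls` check can be run over `get-bucket-policy` output from a real account.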

## Fact Recall Blanks

  1. The two services that use Gateway Endpoints are  S3  and  DynamoDB .
  2. To provide a private connection between two VPCs or between a VPC and an AWS service without using public IPs, you use  AWS PrivateLink .
  3. The AWS service used to provision and manage SSL/TLS certificates is  AWS Certificate Manager (ACM) .
  4.  Nitro  encryption provides automatic encryption between supported instance types at the physical network layer.
  5. To inspect encrypted traffic at the edge before it reaches your origin, you would integrate CloudFront with  AWS WAF .
