
Lab: Design and Implement Data in Transit Controls on AWS

Design and implement controls for data in transit

This hands-on lab focuses on securing data as it moves through the network. You will implement industry-standard encryption protocols (TLS) on an Application Load Balancer and establish private connectivity using VPC Endpoints to prevent traffic from traversing the public internet.

> [!WARNING] Implementing these resources may incur costs. Remember to follow the Teardown section at the end of this lab to delete all resources and avoid ongoing charges.


Prerequisites

  • AWS Account: An active AWS account with permissions to create VPC, EC2, ELB, and IAM resources.
  • AWS CLI: Installed and configured with your credentials (aws configure).
  • VPC: A standard VPC with at least two public subnets in different Availability Zones (AZs).
  • Certificate: An SSL/TLS certificate in AWS Certificate Manager (ACM). If you don't have one, you can request a public certificate for a domain you own or use a self-signed certificate for testing purposes.

Learning Objectives

By the end of this lab, you will be able to:

  1. Configure ALB Security Policies to enforce modern TLS versions (1.2 or 1.3).
  2. Implement Interface VPC Endpoints (PrivateLink) to secure communication between a VPC and AWS services.
  3. Validate Data in Transit Controls using command-line tools to inspect encryption protocols.

Architecture Overview

This lab builds a secure path for data from the user to the internal AWS service without exposing traffic to the public internet where possible.

Step-by-Step Instructions

Step 1: Create a Secure Security Group

Before creating the Load Balancer, we need a Security Group that allows HTTPS traffic (Port 443).

```bash
# Create the Security Group
aws ec2 create-security-group \
  --group-name alb-secure-sg \
  --description "Security group for ALB HTTPS traffic" \
  --vpc-id <YOUR_VPC_ID>

# Authorize HTTPS traffic from anywhere
aws ec2 authorize-security-group-ingress \
  --group-id <SG_ID_FROM_PREVIOUS_STEP> \
  --protocol tcp \
  --port 443 \
  --cidr 0.0.0.0/0
```
Console alternative
  1. Navigate to VPC Dashboard > Security Groups.
  2. Click Create security group.
  3. Name: alb-secure-sg, Description: Allow HTTPS.
  4. Inbound Rules: Add Rule > Type: HTTPS > Source: 0.0.0.0/0.
  5. Click Create security group.

Step 2: Provision an ALB with a Modern Security Policy

The ALB Security Policy determines which SSL/TLS protocols and ciphers are supported. We will enforce TLS 1.2 or higher.

```bash
# Create the ALB
aws elbv2 create-load-balancer \
  --name secure-app-alb \
  --subnets <SUBNET_1_ID> <SUBNET_2_ID> \
  --security-groups <SG_ID_FROM_STEP_1>

# Create the HTTPS listener with a specific security policy
aws elbv2 create-listener \
  --load-balancer-arn <ALB_ARN> \
  --protocol HTTPS \
  --port 443 \
  --certificates CertificateArn=<YOUR_ACM_CERT_ARN> \
  --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06
```

> [!IMPORTANT] The policy ELBSecurityPolicy-TLS13-1-2-2021-06 supports both TLS 1.2 and 1.3 but removes older, insecure versions like TLS 1.0 and 1.1.

Step 3: Implement an Interface VPC Endpoint

To ensure data sent from your EC2 instances to AWS APIs (like SSM or S3) does not leave the AWS network, we use PrivateLink.

```bash
# Create an Interface VPC Endpoint for the EC2 service.
# --private-dns-enabled makes ec2.<region>.amazonaws.com resolve to the endpoint's
# private IPs, which is what Checkpoint 2 verifies (the console alternative below
# enables the same option). It requires DNS support and DNS hostnames to be enabled
# on the VPC. Reusing the ALB security group works for the lab, but a dedicated
# group that only allows port 443 from your VPC CIDR is tighter (see Troubleshooting).
aws ec2 create-vpc-endpoint \
  --vpc-id <YOUR_VPC_ID> \
  --service-name com.amazonaws.<YOUR_REGION>.ec2 \
  --vpc-endpoint-type Interface \
  --subnet-ids <PRIVATE_SUBNET_ID> \
  --security-group-ids <SG_ID_FROM_STEP_1> \
  --private-dns-enabled
```
Console alternative
  1. Navigate to VPC Dashboard > Endpoints.
  2. Click Create endpoint.
  3. Service category: AWS services.
  4. Service Name: Select com.amazonaws.<region>.ec2 (Interface type).
  5. Select your VPC and Private Subnets.
  6. Enable DNS Name: Checked (allows using the standard service URL).
  7. Click Create endpoint.

Checkpoints

Checkpoint 1: Verify TLS Version Enforcement

Use openssl to verify that the load balancer rejects old protocols.

```bash
# Attempt to connect using TLS 1.1 (should fail if the policy is correct).
# </dev/null closes stdin so s_client exits after the handshake instead of waiting for input.
# Note: OpenSSL 3 disables TLS 1.0/1.1 at its default security level and reports
# "no protocols available" before talking to the server; add -cipher 'DEFAULT:@SECLEVEL=0'
# if you want the rejection to come from the ALB itself.
openssl s_client -connect <ALB_DNS_NAME>:443 -tls1_1 </dev/null

# Attempt to connect using TLS 1.2 (should succeed)
openssl s_client -connect <ALB_DNS_NAME>:443 -tls1_2 </dev/null
```

Expected Result: The TLS 1.1 connection should be rejected with a "handshake failure," while the TLS 1.2 connection succeeds.
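To run the check above for all four protocol versions at once, here is an added helper script (not part of the lab). It assumes openssl(1) is installed and takes the ALB DNS name and optional port as arguments; the classification relies on the `New, TLSv1.x, Cipher is ...` line, which openssl prints only for a negotiated session.

```bash
#!/usr/bin/env bash
# Added example, not part of the lab: probe an ALB with every TLS version that
# openssl can offer and report which ones the listener accepts.
# Assumes openssl(1) is installed; host and port come from the command line.
set -u

# Classify the transcript of one `openssl s_client` attempt. A negotiated session
# prints "New, TLSv1.x, Cipher is <suite>"; a refused one prints
# "New, (NONE), Cipher is (NONE)". The "Protocol :" line in the SSL-Session block
# is NOT a reliable signal: openssl prints it even when the handshake failed.
classify_handshake() {
  if printf '%s\n' "$1" | grep -q 'Cipher is (NONE)'; then
    echo rejected
  elif printf '%s\n' "$1" | grep -Eq '^New, TLSv1\.[0-9], Cipher is '; then
    echo accepted
  else
    echo rejected   # connection refused, timeout, DNS failure, etc.
  fi
}

# Run one probe. $1 = host, $2 = port, $3 = openssl version flag (tls1, tls1_1, tls1_2, tls1_3).
# </dev/null closes stdin so s_client exits right after the handshake.
# OpenSSL 3 refuses to offer TLS 1.0/1.1 at its default security level and reports
# "no protocols available" before contacting the server; add -cipher 'DEFAULT:@SECLEVEL=0'
# if the refusal must come from the ALB rather than from your own client.
probe_tls() {
  local transcript
  transcript="$(openssl s_client -connect "$1:$2" -servername "$1" "-$3" </dev/null 2>&1)"
  classify_handshake "$transcript"
}

# Probe all four versions; exit 1 unless the result looks like "TLS 1.2 or higher".
check_min_tls12() {
  local host="$1" port="${2:-443}" v result status=0
  for v in tls1 tls1_1 tls1_2 tls1_3; do
    result="$(probe_tls "$host" "$port" "$v")"
    printf '%-7s %s\n' "$v" "$result"
    case "$v:$result" in
      tls1:accepted|tls1_1:accepted|tls1_2:rejected) status=1 ;;
    esac
  done
  return "$status"
}

if [ $# -ge 1 ]; then
  check_min_tls12 "$@"
fi
```

Run it as `./check_tls.sh <ALB_DNS_NAME>`; a non-zero exit means an old version was accepted or TLS 1.2 was refused.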

Checkpoint 2: VPC Endpoint DNS Resolution

Inside an EC2 instance within your VPC, run:

```bash
nslookup ec2.<YOUR_REGION>.amazonaws.com
```

Expected Result: The IP address returned should be a private IP from your VPC's subnet range, not a public AWS IP.
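The "is it a private IP from my VPC" judgement can be scripted instead of eyeballed. The following is an added example, not part of the lab: it resolves the service hostname on a Linux EC2 instance (it assumes `getent` from glibc) and checks the address against a VPC CIDR you pass in, such as 10.0.0.0/16.

```bash
#!/usr/bin/env bash
# Added example (not part of the lab): confirm that the service hostname resolves
# to an address inside the VPC, i.e. to the endpoint's ENI rather than a public AWS IP.
# Assumes a Linux host with getent, and the VPC CIDR given as the second argument.
set -u

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  local IFS=.
  set -- $1
  printf '%d\n' $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 when the IPv4 address lies inside the CIDR block, 1 otherwise.
in_cidr() {
  local ip="$1" cidr="$2" net bits mask
  net="${cidr%/*}"; bits="${cidr#*/}"
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Resolve the first IPv4 A record for a hostname.
resolve_ipv4() {
  getent ahostsv4 "$1" | awk 'NR==1 {print $1}'
}

# Exit 0 when the hostname resolves into the VPC (private DNS active), 1 otherwise.
check_endpoint_dns() {
  local host="$1" vpc_cidr="$2" ip
  ip="$(resolve_ipv4 "$host")" || return 1
  [ -n "$ip" ] || { echo "no A record for $host" >&2; return 1; }
  if in_cidr "$ip" "$vpc_cidr"; then
    echo "$host -> $ip (inside $vpc_cidr: private endpoint in use)"
  else
    echo "$host -> $ip (outside $vpc_cidr: traffic would use the public endpoint)" >&2
    return 1
  fi
}

if [ $# -ge 2 ]; then
  check_endpoint_dns "$1" "$2"
fi
```

Example invocation from inside the VPC: `./check_endpoint_dns.sh ec2.<YOUR_REGION>.amazonaws.com 10.0.0.0/16`.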

Concept Review: The TLS Handshake

Understanding the handshake is critical for Domain 5.1 of the SCS-C03 exam. During the handshake the client and server agree on a protocol version and cipher suite and derive the session keys, so confidentiality and integrity are in place before any application data is transferred.

\begin{tikzpicture}[node distance=2.5cm, auto, thick]
  \node (client) [rectangle, draw, minimum width=2cm] {Client};
  \node (server) [rectangle, draw, minimum width=2cm, right=6cm of client] {AWS ALB};

  \draw[->] ([yshift=0.8cm]client.east) -- node[above, font=\small] {1. ClientHello (Suite/Version)} ([yshift=0.8cm]server.west);
  \draw[<-] ([yshift=0.4cm]client.east) -- node[above, font=\small] {2. ServerHello + Certificate} ([yshift=0.4cm]server.west);
  \draw[->] ([yshift=0.0cm]client.east) -- node[below, font=\small] {3. Client Key Exchange} ([yshift=0.0cm]server.west);
  \draw[<-] ([yshift=-0.4cm]client.east) -- node[below, font=\small] {4. Change Cipher Spec} ([yshift=-0.4cm]server.west);
  \draw[<->, dashed] ([yshift=-1.0cm]client.east) -- node[below, font=\small] {\textbf{Encrypted Session Tunnel}} ([yshift=-1.0cm]server.west);
\end{tikzpicture}

Troubleshooting

| Problem | Possible Cause | Solution |
|---|---|---|
| SSL Handshake Failed | Mismatch between client capabilities and ALB Security Policy. | Ensure your browser/CLI supports TLS 1.2+ or relax the ALB policy (not recommended for production). |
| VPC Endpoint Unreachable | Security Group of the Endpoint does not allow ingress from the EC2 instance. | Add an Inbound rule to the Endpoint's SG allowing Port 443 from your VPC CIDR or EC2 SG. |
| DNS resolves to Public IP | "Enable Private DNS" was not checked during Endpoint creation. | Modify the VPC Endpoint and enable the Private DNS option. |

Clean-Up / Teardown

To avoid ongoing charges, delete the resources in this order:

  1. Delete the ALB Listener:
     ```bash
     aws elbv2 delete-listener --listener-arn <LISTENER_ARN>
     ```
  2. Delete the ALB:
     ```bash
     aws elbv2 delete-load-balancer --load-balancer-arn <ALB_ARN>
     ```
  3. Delete the VPC Endpoint:
     ```bash
     aws ec2 delete-vpc-endpoints --vpc-endpoint-ids <ENDPOINT_ID>
     ```
  4. Delete the Security Group (wait for the ALB to be fully deleted first):
     ```bash
     aws ec2 delete-security-group --group-id <SG_ID>
     ```

> [!IMPORTANT] Some resources like ALBs take a few minutes to fully decommission. Ensure they are "Deleted" in the console before closing your session.
