Encryption in transit
All services that transmit data from AWS to on-prem, and vice versa allow encryption in transit using secure protocols. Configure encryption whenever sensitive data is transmitted, or adopt the good practice of encrypting everything in transit to prevent transmition of sensitive data without encryption by mistake.
Configure load balancer listeners to use secure protocols
Some examples of services that support encryption in transit:
- AWS VPN (Site to site VPN / Client VPN)
- AWS Elastic Disaster Recovery
- Database Migration Services, Schema Convertion Tool
- Workspaces, Workdocs
- CloudEndure, DataSync, AWS Storage Gateway
- AWS Backups
AWS Certificate Manager
Use AWS Certificate Manager to automatically renew and rotate TLS/SSL certificates within Application Load Balancers to prevent certificates from expiring due to mistakes or forgetfulness and users from receiving error messages.
For internal applications you can also deploy a Private CA using AWS Certificate Manager and have certificates automatically rotated.
Pricing
https://aws.amazon.com/certificate-manager/pricing Public SSL/TLS certificates provisioned by ACM from Amazon CA are free.