Encryption in transit

All services that transmit data between AWS and on-prem, in either direction, support encryption in transit using secure protocols. Configure encryption whenever sensitive data is transmitted, or adopt the good practice of encrypting everything in transit so that sensitive data is never transmitted unencrypted by mistake.

Configure load balancer listeners to use secure protocols

Some examples of services that support encryption in transit:

  • AWS VPN (Site to site VPN / Client VPN)
  • AWS Elastic Disaster Recovery
  • AWS Database Migration Service, AWS Schema Conversion Tool
  • Amazon WorkSpaces, Amazon WorkDocs
  • CloudEndure, DataSync, AWS Storage Gateway
  • AWS Backup

AWS Certificate Manager

Use AWS Certificate Manager (ACM) to automatically renew and rotate the TLS/SSL certificates attached to Application Load Balancers, so that certificates do not expire through oversight or forgetfulness and users do not receive certificate error messages.
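The listener check recommended above, as an added example that is not part of the original page: a small Python audit over listener descriptions in the shape of `aws elbv2 describe-listeners` output. It flags plaintext HTTP listeners that do not redirect to HTTPS, HTTPS listeners with no certificate attached, and listeners using an outdated TLS policy; the sample listeners, their ARNs and the set of weak policies are constructed assumptions.

```python
# Added example (not from the page): audit ALB listeners for encryption in transit.
# Input mimics `aws elbv2 describe-listeners` output; all sample values are constructed.

# Predefined policies that still negotiate TLS 1.0/1.1 (assumed weak set).
WEAK_SSL_POLICIES = {"ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-TLS-1-0-2015-04"}


def redirects_to_https(listener):
    """True when the listener's default action is a redirect to HTTPS."""
    for action in listener.get("DefaultActions", []):
        if action.get("Type") == "redirect" and action.get("RedirectConfig", {}).get("Protocol") == "HTTPS":
            return True
    return False


def audit_listener(listener):
    """Return findings for one listener; an empty list means it is acceptable."""
    findings = []
    proto = listener.get("Protocol")
    if proto == "HTTP" and not redirects_to_https(listener):
        findings.append("plaintext HTTP listener without HTTPS redirect")
    elif proto == "HTTPS":
        if not listener.get("Certificates"):  # no ACM/IAM certificate attached
            findings.append("HTTPS listener has no certificate attached")
        if listener.get("SslPolicy") in WEAK_SSL_POLICIES:
            findings.append("weak TLS policy " + listener["SslPolicy"])
    return findings


def audit_listeners(listeners):
    """Map listener ARN -> findings, keeping only listeners with problems."""
    report = {}
    for listener in listeners:
        findings = audit_listener(listener)
        if findings:
            report[listener["ListenerArn"]] = findings
    return report


CERT = [{"CertificateArn": "arn-placeholder:certificate/example"}]  # constructed
SAMPLE_LISTENERS = [  # constructed; ARNs are placeholders
    {"ListenerArn": "web-80", "Protocol": "HTTP", "DefaultActions": [
        {"Type": "redirect", "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]},
    {"ListenerArn": "web-443", "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
     "Certificates": CERT, "DefaultActions": [{"Type": "forward"}]},
    {"ListenerArn": "legacy-8080", "Protocol": "HTTP", "DefaultActions": [{"Type": "forward"}]},
    {"ListenerArn": "legacy-8443", "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-2016-08",
     "Certificates": CERT, "DefaultActions": [{"Type": "forward"}]},
]
```

Run `audit_listeners(SAMPLE_LISTENERS)` to get the two non-compliant listeners; feeding it the `Listeners` array from a real `describe-listeners` call works the same way.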


For internal applications you can also deploy a Private CA with AWS Certificate Manager and have its certificates rotated automatically.

Pricing

https://aws.amazon.com/certificate-manager/pricing

Public SSL/TLS certificates provisioned by ACM from the Amazon CA are free.