Task Statement 4.3: Implement and maintain confidentiality of data and communications of the network.
📘AWS Certified Advanced Networking – Specialty
1. What does “network encryption” mean in AWS?
Network encryption means protecting data while it is moving across a network so that:
- It cannot be read if intercepted
- It cannot be modified without detection
- Only authorized systems can access it
In AWS, encryption is mainly used for:
- Data moving between users and AWS
- Data moving between AWS services
- Data moving inside a VPC (east-west traffic)
- Data moving between AWS and on-premises networks
2. Main Network Encryption Options in AWS
AWS provides multiple encryption methods depending on where the data is moving.
We can group them into 4 major categories:
2.1 TLS / SSL Encryption (Application-Level Encryption)
What it is
TLS (Transport Layer Security) encrypts data at the application layer during communication.
Where it is used in AWS
- HTTPS websites hosted on Amazon EC2
- Application Load Balancer (ALB) HTTPS listeners
- API Gateway endpoints
- S3 HTTPS access
- CloudFront distributions
Key AWS services involved
- AWS Certificate Manager (ACM) → manages TLS certificates
- ELB (ALB/NLB) → supports TLS termination or passthrough
Exam points
- TLS ensures data confidentiality and integrity in transit
- Replaces older SSL (SSL is deprecated)
- Uses certificates for authentication and encryption
Common exam scenario
- Secure web traffic between client and ALB using HTTPS
- API communication encrypted using TLS certificates
2.2 IPsec VPN Encryption (Site-to-Site & Client VPN)
What it is
IPsec (Internet Protocol Security) encrypts traffic at the network layer (Layer 3).
Types in AWS
1. Site-to-Site VPN
Used to connect:
- On-premises network ↔ AWS VPC
2. Client VPN
Used for:
- Individual user devices ↔ AWS VPC
How encryption works
- Uses IPsec tunnels
- Creates encrypted VPN tunnels over the internet
- Uses IKE (Internet Key Exchange) for key management
AWS components
- Virtual Private Gateway (VGW)
- Transit Gateway VPN attachment
- AWS Client VPN endpoint
Exam points
- Always encrypted using IPsec
- Supports AES encryption algorithms
- Provides secure hybrid connectivity
- Can be used with BGP for routing
2.3 MACsec (Layer 2 Encryption)
What it is
MACsec encrypts traffic at Layer 2 (Ethernet level).
Where it is used in AWS
- AWS Direct Connect (DX) private connections
Why it is important
Direct Connect is a private physical link, but MACsec adds:
- Encryption of all Ethernet frames
- Protection from data interception inside the physical path
Key points for exam
- Works only on Direct Connect dedicated connections
- Provides point-to-point encryption
- Uses IEEE 802.1AE standard
- Uses GCM-AES encryption
When to use
- When you need private high-speed connection + encryption
- When compliance requires encryption even on private circuits
2.4 AWS-native Encryption (Service-to-Service Encryption)
This includes encryption between AWS services inside AWS infrastructure.
Examples
1. VPC Encryption (in transit inside AWS)
- Traffic between EC2 instances in same or different VPCs
- Traffic via Transit Gateway or VPC Peering
2. Elastic Load Balancer encryption
- ALB/NLB support encrypted traffic to backend targets
3. S3 encrypted transfer
- HTTPS enforced using bucket policies
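Added example, not part of the exam notes: the bucket policy pattern behind "HTTPS enforced using bucket policies", built in Python together with a small evaluator that mimics how IAM applies a Deny statement with the `aws:SecureTransport` condition key. The bucket name and request contexts are constructed placeholders.

```python
# Added example, not part of the exam notes: build the S3 bucket policy that
# enforces HTTPS through the aws:SecureTransport condition key, and evaluate it
# the way IAM applies a Deny statement. Bucket name and contexts are constructed.
from fnmatch import fnmatchcase


def build_tls_only_policy(bucket: str) -> dict:
    """Deny every S3 action on the bucket and its objects when the request
    did not arrive over TLS (aws:SecureTransport evaluates to "false")."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _statement_matches(stmt: dict, action: str, resource: str, ctx: dict) -> bool:
    """IAM-style match: wildcard Action/Resource plus the Bool condition
    operator. If the condition key is absent from the request context the
    condition is false and the statement does not apply."""
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    for key, expected in stmt.get("Condition", {}).get("Bool", {}).items():
        actual = ctx.get(key)
        if actual is None or str(actual).lower() != str(expected).lower():
            return False
    return True


def is_denied(policy: dict, action: str, resource: str, ctx: dict) -> bool:
    """True when any Deny statement applies; an explicit Deny always wins."""
    return any(stmt["Effect"] == "Deny" and _statement_matches(stmt, action, resource, ctx)
               for stmt in policy["Statement"])
```

The evaluator covers only the wildcard and `Bool` semantics this policy needs; a request that reaches S3 over plain HTTP is denied, while the same request over HTTPS falls through to whatever Allow statements grant it.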
AWS services involved
- AWS KMS (Key Management Service)
- AWS Certificate Manager (ACM)
- AWS PrivateLink (for private service access)
Exam points
- AWS uses default encryption for many internal services
- Encryption is often transparent to users
- KMS keys manage encryption keys securely
3. AWS PrivateLink (Important Exam Topic)
What it is
PrivateLink allows private connectivity between VPCs and AWS services without using the public internet.
How encryption works
- Uses secure AWS backbone network
- Traffic stays private and encrypted
Use cases
- Access AWS services such as S3 and DynamoDB privately
- Connect SaaS applications securely
Exam keyword
- “Interface VPC endpoint”
- “Private connectivity without internet exposure”
4. Encryption Between AWS Regions
When data moves across regions, AWS uses:
- TLS encryption
- VPN/IPsec tunnels (for custom setups)
- AWS backbone network (encrypted by default in many cases)
Key exam idea:
- Inter-region traffic is encrypted in transit
- AWS backbone reduces exposure to public internet
5. Encryption Key Management (Very Important for Exam)
Encryption is useless without proper key management.
AWS KMS (Key Management Service)
Used for:
- Creating encryption keys
- Rotating keys
- Controlling access to keys
Types of keys
- AWS managed keys
- Customer managed keys (CMK)
- Imported keys
Exam points
- KMS integrates with most AWS services
- IAM controls access to encryption keys
- Audit logs via CloudTrail
6. Summary Table (Very Important for Revision)
| Encryption Type | OSI Layer | AWS Service | Use Case |
|---|---|---|---|
| TLS/SSL | Layer 7 | ACM, ALB, API Gateway | Secure web/API traffic |
| IPsec VPN | Layer 3 | Site-to-Site VPN, Client VPN | Hybrid network connectivity |
| MACsec | Layer 2 | Direct Connect | Private link encryption |
| PrivateLink | Network | VPC Endpoints | Private AWS service access |
| AWS internal encryption | Multi-layer | VPC, TGW, S3 | Service-to-service encryption |
7. Key Exam Takeaways
To pass the exam, remember these core ideas:
- TLS = application-level encryption (HTTPS)
- IPsec = VPN encryption for hybrid networks
- MACsec = Direct Connect Layer 2 encryption
- PrivateLink = private AWS service access without internet
- KMS = key management backbone for all encryption
- AWS encrypts data:
  - In transit (network encryption)
  - At rest (storage encryption – related but separate topic)
