Task Statement 1.3: Determine appropriate data security controls.
📘AWS Certified Solutions Architect – (SAA-C03)
1. What Is Data in Transit?
Data in transit (also called data in motion) is data that is moving between systems.
In an IT environment, this includes:
- A user accessing a web application from a browser
- An application server calling a backend API
- An EC2 instance connecting to an RDS database
- A microservice calling another microservice
- Data replicating between AWS Regions
- Traffic between on-premises and AWS over VPN or Direct Connect
When data travels across a network, it can be intercepted if it is not protected.
To secure it, we use:
🔐 Encryption in transit
2. What Is Encryption in Transit?
Encryption in transit means:
Data is encrypted before it leaves the source and decrypted only at the destination.
Even if someone captures the network traffic, they cannot read it without the encryption keys.
In AWS, this is typically done using:
- TLS (Transport Layer Security)
- HTTPS
- SSL/TLS certificates
- AWS Certificate Manager (ACM)
3. What Is TLS?
Transport Layer Security
TLS is a cryptographic protocol that:
- Encrypts data
- Ensures data integrity
- Verifies server identity
TLS is the modern replacement for SSL (Secure Sockets Layer).
When you see:
https://example.com
That means:
- HTTP + TLS
- The communication is encrypted
4. What Does TLS Provide?
TLS provides three important security properties:
1️⃣ Encryption
Data is unreadable if intercepted.
2️⃣ Integrity
Data cannot be changed without detection.
3️⃣ Authentication
The client verifies that it is talking to the real server.
5. What Is an SSL/TLS Certificate?
A TLS certificate:
- Proves the identity of a server
- Contains the server’s public key
- Is signed by a trusted Certificate Authority (CA)
Without a valid certificate:
- Browsers show warnings
- Clients may reject the connection
6. What Is AWS Certificate Manager (ACM)?
AWS Certificate Manager (ACM) is a managed AWS service that:
- Issues SSL/TLS certificates
- Manages certificate renewal automatically
- Deploys certificates to AWS services
It eliminates manual certificate handling.
7. Why ACM Is Important for the Exam
For SAA-C03, remember:
✅ ACM provides free public certificates
✅ ACM automatically renews certificates
✅ ACM integrates with many AWS services
❌ ACM certificates cannot be exported (except ACM Private CA certificates)
❌ ACM certificates must be in the same Region as the resource (except CloudFront)
8. Services That Integrate with ACM
You must know where ACM certificates can be used:
1️⃣ Elastic Load Balancing
- Application Load Balancer (ALB)
- Network Load Balancer (NLB)
TLS can terminate at the load balancer.
2️⃣ Amazon CloudFront
- Requires the ACM certificate to be in us-east-1 (N. Virginia)
- Encrypts traffic between users and CloudFront
- Can also encrypt between CloudFront and origin
3️⃣ Amazon API Gateway
- Custom domain names require ACM certificates
- Secures APIs with HTTPS
4️⃣ AWS App Runner
5️⃣ AWS Elastic Beanstalk
6️⃣ AWS Global Accelerator
All can use ACM certificates.
9. TLS Termination
Very important exam topic.
What Is TLS Termination?
TLS termination means:
- TLS encryption ends at a specific resource (like a Load Balancer).
- Traffic inside the VPC may continue as HTTP (unencrypted).
Example architecture:
User → HTTPS → ALB → HTTP → EC2
The ALB decrypts traffic.
Is This Secure?
Yes, if:
- Internal VPC is trusted
- Security groups restrict traffic
But for higher security:
User → HTTPS → ALB → HTTPS → EC2
This is called:
🔐 End-to-End Encryption
10. End-to-End Encryption
Data remains encrypted:
- From client
- Through load balancer
- To backend servers
Used for:
- Highly sensitive workloads
- Financial systems
- Healthcare systems
Exam tip:
If the question mentions “encrypt traffic all the way to the backend”, choose end-to-end TLS.
11. Public vs Private Certificates
Public Certificates
- Issued by public CA
- Used for internet-facing applications
- Provided free by ACM
Private Certificates
- Used for internal systems
- Issued using AWS Private Certificate Authority (AWS Private CA, formerly ACM Private CA)
Used for:
- Internal APIs
- Microservices
- Internal load balancers
12. Encrypting Traffic Between AWS Services
Know these common scenarios:
1️⃣ EC2 to RDS
- RDS supports SSL/TLS connections
- The DB client must be configured to use SSL/TLS
- Protects database credentials and queries
2️⃣ S3 Access via HTTPS
S3 supports HTTPS by default.
You can enforce HTTPS using bucket policies:
- Deny non-TLS requests
- Use condition:
"aws:SecureTransport": "false"
Exam tip:
If the question says:
“Ensure all S3 access is encrypted in transit”
→ Use bucket policy to enforce HTTPS.
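As an added example (not part of these notes), the bucket policy behind this tip written out in Python, with a small evaluator that shows why an HTTP request is denied while an HTTPS request is not. The bucket name is a constructed placeholder, and the evaluator only understands the single Bool condition used here.

```python
BUCKET = "example-bucket"  # constructed placeholder, not a real bucket

# Bucket policy denying every request that did not arrive over TLS. Both the
# bucket ARN and the "bucket/*" pattern are listed so that bucket-level calls
# (ListBucket) and object-level calls (GetObject, PutObject) are covered;
# listing only one of them is a common mistake.
DENY_INSECURE_TRANSPORT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyNonTLSRequests",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}


def _arn_matches(pattern, arn):
    """Match the two resource forms used above: an exact ARN or 'prefix/*'."""
    if pattern.endswith("/*"):
        return arn.startswith(pattern[:-1])
    return pattern == arn


def is_denied_by_policy(policy, resource_arn, secure_transport):
    """True if an explicit Deny in `policy` applies to this request.

    Simplified evaluator: it only understands the Bool/aws:SecureTransport
    condition. An explicit Deny always wins, but granting access still needs
    an Allow elsewhere; this statement only blocks plaintext HTTP.
    """
    # AWS sets aws:SecureTransport to "true" for HTTPS and "false" for HTTP.
    actual = "true" if secure_transport else "false"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        if not any(_arn_matches(p, resource_arn) for p in resources):
            continue
        expected = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if expected is None or expected == actual:
            return True
    return False
```

The same document, serialised with json.dumps, is what gets attached to the bucket with put-bucket-policy.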
3️⃣ API Communication
- Use HTTPS endpoints
- Enforce TLS 1.2 minimum
- Use ACM certificate
13. Minimum TLS Version
Security best practice:
- Use TLS 1.2 or TLS 1.3
- Disable TLS 1.0 and 1.1
Configure this in:
- ALB security policies
- CloudFront security policies
- API Gateway custom domains
Exam tip:
If asked to “improve security posture” → choose newer TLS version.
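Added example (not from the original notes): a Python check a defender can run against their own ALB, CloudFront or API Gateway endpoint to confirm that the configured policy really refuses TLS 1.0 and 1.1. The host name is supplied on the command line; the pure classification lives in assess() so it can be tested without a network.

```python
import socket
import ssl
import sys

# Versions a client can pin to, oldest first. TLS 1.0 and 1.1 are deprecated
# (RFC 8996); an endpoint behind a "TLS 1.2 minimum" policy must refuse both.
CANDIDATE_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
WEAK_VERSIONS = {"TLSv1.0", "TLSv1.1"}


def server_accepts(host, port, version, timeout=5.0):
    """True if the handshake succeeds when the client offers only `version`.

    Caveat: modern OpenSSL builds may refuse to offer TLS 1.0/1.1 at all; the
    client then reports False for those versions regardless of the server.
    """
    try:
        ctx = ssl.create_default_context()  # verifies the server certificate
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (OSError, ValueError):  # ssl.SSLError is an OSError subclass
        return False


def probe(host, port=443):
    """Try each version against one endpoint; returns {version_name: accepted}."""
    return {name: server_accepts(host, port, v) for name, v in CANDIDATE_VERSIONS.items()}


def assess(results):
    """Return (compliant, weak_versions_accepted, best_version_accepted)."""
    weak = sorted(v for v, ok in results.items() if ok and v in WEAK_VERSIONS)
    modern = [v for v in ("TLSv1.3", "TLSv1.2") if results.get(v)]
    # Compliant: no deprecated version accepted, and TLS 1.2 or 1.3 works.
    return (not weak and bool(modern), weak, modern[0] if modern else None)


if __name__ == "__main__":
    target = sys.argv[1]  # e.g. the DNS name of your own ALB or CloudFront distribution
    compliant, weak, best = assess(probe(target))
    print(f"{target}: best={best} weak_accepted={weak} compliant={compliant}")
```

A "compliant=False" result with an empty weak list means neither TLS 1.2 nor 1.3 handshaked, which usually points at a certificate or connectivity problem rather than the policy.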
14. Mutual TLS (mTLS)
Mutual TLS means:
- Client verifies server
- Server verifies client
Used for:
- B2B APIs
- Internal service-to-service authentication
Supported in:
- API Gateway
- ALB (with configuration)
Important for high-security environments.
15. VPN and Direct Connect Encryption
For hybrid environments:
AWS Site-to-Site VPN
- Encrypts traffic between on-premises and AWS using IPsec
AWS Direct Connect
- Does NOT encrypt by default
- Can combine with VPN for encryption
Exam tip:
If the question says:
“Encrypt traffic over Direct Connect”
→ Use VPN over Direct Connect.
16. Security Groups and NACLs with TLS
Encryption protects data content.
Security groups and NACLs protect:
- Who can connect
- Which ports are open
For HTTPS:
- Port 443 must be open
Exam scenario:
If HTTPS is not working → check that the security group allows inbound port 443.
17. Common Exam Scenarios and Correct Answers
Scenario 1:
Secure public website with HTTPS.
✅ Use ACM certificate
✅ Attach to ALB or CloudFront
Scenario 2:
Ensure S3 only accepts encrypted traffic.
✅ Use bucket policy with SecureTransport condition
Scenario 3:
Encrypt traffic between microservices internally.
✅ Use ACM Private CA
✅ Enable TLS between services
Scenario 4:
Encrypt hybrid connection.
✅ Use Site-to-Site VPN
Scenario 5:
Certificate renewal management required.
✅ Use ACM (automatic renewal)
18. Best Practices for the Exam
✔ Always use HTTPS
✔ Use ACM instead of managing certificates manually
✔ Enforce TLS 1.2+
✔ Use end-to-end encryption when sensitive
✔ Use Private CA for internal systems
✔ Enforce HTTPS with S3 bucket policies
✔ Use VPN for encrypted hybrid connectivity
19. Key Differences to Remember
| Feature | ACM | IAM Server Certificate |
|---|---|---|
| Automatic renewal | Yes | No |
| Free public certs | Yes | No |
| Exportable | No | Yes |
| Recommended? | Yes | Legacy |
Exam tip:
Choose ACM unless there is a specific reason not to.
20. Final Exam Summary
For SAA-C03, you must understand:
- What data in transit is
- How TLS works
- What certificates do
- How ACM simplifies management
- Where ACM integrates
- When to use end-to-end encryption
- How to enforce HTTPS in S3
- How VPN encrypts hybrid traffic
- Difference between public and private certificates
- How TLS termination works
Simple One-Line Summary
Encrypting data in transit in AWS means using TLS (HTTPS) and AWS Certificate Manager to protect data as it moves between users, applications, and services.
