Task Statement 4.3: Implement and maintain confidentiality of data and communications of the network.
📘AWS Certified Advanced Networking – Specialty
🔐 1. What “Data in Transit Encryption” Means (Core Concept)
Data in transit means:
Data moving between systems over a network (internet, AWS networks, hybrid connections).
Examples in AWS:
- User → CloudFront
- Client → Application Load Balancer
- On-premises → AWS via VPN / Direct Connect
- Application → RDS / S3
- EC2 → EC2
- VPC → VPC (via Transit Gateway)
Why encryption is needed
Encryption ensures:
- Confidentiality (no one other than the two endpoints can read the data)
- Integrity (data is not altered in transit)
- Secure communication between systems
Main protocols used:
- TLS (Transport Layer Security) → for HTTPS, APIs, web traffic
- IPsec → for VPN tunnels (network-level encryption)
🌐 2. CloudFront Encryption (CDN Security Layer)
What it does
Amazon CloudFront encrypts data between:
- User → Edge Location (Viewer connection)
- CloudFront → Origin (S3, ALB, EC2)
🔒 Encryption types in CloudFront
1. Viewer HTTPS (User to CloudFront)
- Uses TLS encryption
- Requires SSL/TLS certificate from:
- AWS Certificate Manager (ACM)
2. Origin HTTPS (CloudFront to backend)
- CloudFront connects to:
- S3 bucket (HTTPS)
- ALB (HTTPS)
- EC2 (HTTPS via custom server)
Exam point:
✔ Always enforce HTTPS using “Redirect HTTP to HTTPS”
Key exam keywords:
- “Viewer protocol policy”
- “Origin protocol policy”
- “ACM certificate required”
⚖️ 3. Application Load Balancer (ALB) Encryption
What ALB does
ALB distributes traffic to:
- EC2 instances
- Containers (ECS/EKS)
- Lambda (via HTTP API integration)
🔐 TLS encryption in ALB
1. Client → ALB (Front-end encryption)
- Uses HTTPS listener (TLS)
- Certificate attached via ACM
2. ALB → Backend (Back-end encryption)
Options:
- HTTP (not encrypted internally)
- HTTPS (recommended for full encryption)
Exam focus:
✔ ALB supports TLS termination
✔ ALB supports end-to-end encryption
⚡ 4. Network Load Balancer (NLB) Encryption
What NLB does
- Works at Layer 4 (TCP/UDP)
- Handles millions of requests with low latency
🔐 TLS features in NLB
1. TLS termination at NLB
- NLB decrypts traffic
- Sends to backend as HTTP or TCP
2. TLS pass-through
- NLB does NOT decrypt
- Traffic remains encrypted end-to-end to backend
Exam keywords:
- “TLS listener on NLB”
- “TCP passthrough mode”
- “Preserve source IP”
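To make the ALB and NLB listener modes from sections 3 and 4 concrete, here is an added Python audit that is not part of the original notes: it takes constructed listener and target-group records shaped like the ELBv2 describe-listeners / describe-target-groups output and labels each listener as TLS-terminated, end-to-end, passthrough, redirect or plaintext. Load balancer and target-group names are placeholders.

```python
# Constructed listener and target-group records, shaped after the Protocol,
# Port and DefaultActions fields of the ELBv2 describe-listeners and
# describe-target-groups responses. Load balancer names are placeholders.
LISTENERS = [
    {"LoadBalancerArn": "alb-web", "Protocol": "HTTPS", "Port": 443,
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": "tg-web-https"}]},
    {"LoadBalancerArn": "alb-web", "Protocol": "HTTP", "Port": 80,
     "DefaultActions": [{"Type": "redirect",
                         "RedirectConfig": {"Protocol": "HTTPS", "Port": "443"}}]},
    {"LoadBalancerArn": "alb-api", "Protocol": "HTTPS", "Port": 443,
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": "tg-api-http"}]},
    {"LoadBalancerArn": "nlb-edge", "Protocol": "TLS", "Port": 443,
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": "tg-edge-tcp"}]},
    {"LoadBalancerArn": "nlb-db", "Protocol": "TCP", "Port": 5432,
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": "tg-db-tcp"}]},
]
TARGET_GROUPS = {
    "tg-web-https": {"Protocol": "HTTPS"},  # ALB re-encrypts to the backend
    "tg-api-http": {"Protocol": "HTTP"},    # plaintext between ALB and targets
    "tg-edge-tcp": {"Protocol": "TCP"},     # NLB decrypts, forwards raw TCP
    "tg-db-tcp": {"Protocol": "TCP"},       # NLB never touches the payload
}
ENCRYPTED = {"HTTPS", "TLS"}

def classify_listener(listener, target_groups):
    """Label one listener by where traffic is encrypted: redirect-to-https,
    plaintext-frontend, passthrough, end-to-end or
    tls-terminated-plaintext-backend."""
    front = listener["Protocol"]
    action = listener["DefaultActions"][0]
    if action["Type"] == "redirect":
        target = action["RedirectConfig"]["Protocol"]
        return "redirect-to-https" if target == "HTTPS" else "plaintext-frontend"
    if front not in ENCRYPTED:
        # NLB TCP/UDP listeners forward bytes unchanged: TLS the client
        # negotiates with the target survives, but the NLB adds none itself.
        if front in {"TCP", "UDP", "TCP_UDP"}:
            return "passthrough"
        return "plaintext-frontend"
    back = target_groups[action["TargetGroupArn"]]["Protocol"]
    return "end-to-end" if back in ENCRYPTED else "tls-terminated-plaintext-backend"

def audit(listeners, target_groups):
    """Map 'lb:port' to its label so unencrypted hops are easy to spot."""
    return {f"{l['LoadBalancerArn']}:{l['Port']}": classify_listener(l, target_groups)
            for l in listeners}

if __name__ == "__main__":
    for key, label in audit(LISTENERS, TARGET_GROUPS).items():
        print(f"{key:<14} {label}")
```

A listener labelled tls-terminated-plaintext-backend is the exam's "TLS termination" case; only end-to-end and passthrough keep the payload encrypted all the way to the target.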
🌉 5. VPN over AWS Direct Connect
Components:
- AWS Direct Connect
- IPsec VPN overlay
Why combine them?
Direct Connect alone:
- Private connection
- NOT encrypted by default
VPN over Direct Connect:
Adds:
- IPsec encryption
- Secure tunnel over dedicated link
Architecture:
On-premises → Direct Connect → AWS Router → IPsec VPN tunnel → VPC
Exam focus:
✔ Direct Connect = private but not encrypted
✔ VPN = adds encryption (IPsec)
✔ Both together = secure + reliable hybrid network
🗄️ 6. Encryption for AWS Managed Databases
What is protected:
- Client → database traffic
- Application → database connection
TLS encryption in databases
1. Encrypted connections
- Use TLS certificates
- Required for:
- RDS MySQL / PostgreSQL / Oracle / SQL Server
- Aurora clusters
2. Force SSL connections
- DB parameter group settings enforce TLS only
Exam keywords:
- “require SSL”
- “rds.force_ssl”
- “CA certificates”
🪣 7. Amazon S3 Encryption in Transit
Two types of access:
1. HTTPS access (TLS)
- Client → S3 encrypted
- Uses endpoint:
https://bucket.s3.amazonaws.com
2. HTTP access (NOT secure)
- Should be blocked using bucket policy
Security best practice:
✔ Enforce HTTPS using S3 bucket policy:
- Deny requests where aws:SecureTransport = false
Exam keywords:
- “S3 bucket policy enforce TLS”
- “HTTPS-only access”
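The SecureTransport bucket policy above, as an added Python example that is not part of the original notes: it builds the deny-non-TLS policy and includes a checker that flags a common gap, a Deny statement that lists only the bucket ARN and not bucket/*. The bucket name is a constructed placeholder.

```python
import json

# Constructed bucket name used throughout this example (not a real bucket).
BUCKET = "example-bucket"

# Bucket policy that denies every request not made over TLS. Both the bucket
# ARN (bucket-level calls such as ListBucket) and the object ARN bucket/*
# (GetObject, PutObject) must be listed, or one class of call stays open.
HTTPS_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def enforces_https(policy, bucket):
    """True if the policy (dict or JSON string) denies all non-TLS access to
    both the bucket and every object in it; otherwise False."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    needed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue  # deny scoped to some principals only, not to everyone
        actions = _as_list(stmt.get("Action", []))
        if "s3:*" not in actions and "*" not in actions:
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:SecureTransport", "")).lower() != "false":
            continue
        needed -= set(_as_list(stmt.get("Resource", [])))
    return not needed

if __name__ == "__main__":
    print(json.dumps(HTTPS_ONLY_POLICY, indent=2))
    print("enforces HTTPS:", enforces_https(HTTPS_ONLY_POLICY, BUCKET))
```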
💻 8. Custom Encryption on Amazon EC2
What is required:
- You manage encryption at application level
Methods:
1. TLS at application layer
- Web servers (Nginx, Apache)
- APIs using HTTPS certificates
2. Mutual TLS (mTLS)
- Both client and server verify certificates
- Used in microservices security
3. Custom encryption libraries
- Encrypt payload before sending over network
Exam focus:
✔ EC2 does NOT provide encryption automatically
✔ You must configure TLS yourself
🌐 9. Transit Gateway Encryption Considerations
What Transit Gateway does:
- Connects multiple VPCs and networks
- Acts as a central routing hub
Encryption behavior:
Important exam point:
- Transit Gateway does NOT encrypt traffic by itself
- Encryption must be added using:
- VPN (IPsec)
- TLS at application level
Common architecture:
VPC A ↔ Transit Gateway ↔ VPC B
- IPsec or TLS for encryption
📌 10. Summary Table (Exam Quick Revision)
| Service | Encryption Method | Key Point |
|---|---|---|
| CloudFront | TLS (HTTPS) | Viewer + origin encryption |
| ALB | TLS | SSL termination or end-to-end |
| NLB | TLS or TCP passthrough | Layer 4 encryption support |
| Direct Connect | No encryption by default | Add VPN (IPsec) |
| RDS/Aurora | TLS | Enforce SSL connections |
| S3 | TLS (HTTPS) | Enforce SecureTransport |
| EC2 | Custom TLS | App-managed encryption |
| Transit Gateway | None built-in | Needs VPN/TLS |
🎯 11. Exam Traps (Very Important)
✔ Direct Connect ≠ encrypted
✔ VPN over Direct Connect = encrypted
✔ S3 must be forced to HTTPS using policy
✔ ALB can terminate TLS
✔ NLB can pass TLS without decrypting
✔ Transit Gateway does NOT encrypt traffic
✔ TLS = application/web encryption
✔ IPsec = network-level VPN encryption
🧠 Final Simple Understanding
In AWS networking:
- TLS = protects web/API traffic
- IPsec = protects network tunnels
- AWS services often support TLS, but it is not always enabled automatically
- You must explicitly enforce encryption in many services
