Monday, October 13, 2025

Encryption in flight (TLS / SSL) | Deep Dive.

A deep dive into AWS Encryption in Flight (TLS/SSL).

  • TLS (Transport Layer Security) is the newer version of SSL (Secure Sockets Layer).

View:

  • How AWS Encryption in Flight works,
  • Where AWS Encryption in Flight applies,
  • How AWS Encryption in Flight integrates with AWS services (for end-to-end data protection).

1. Overview

  • Encryption in Flight (also called data-in-transit encryption) protects data traveling between systems (clients ↔ servers, services ↔ APIs, region ↔ region) against interception and tampering, using cryptographic protocols: primarily TLS (Transport Layer Security) or its predecessor SSL (Secure Sockets Layer).
  • AWS automatically provides or supports TLS-based encryption for most service communications.
  • AWS also allows twtech to enforce encryption policies at the network, service, or application layer.

2. Core Components of Encryption in Flight

| Layer | AWS Services / Features | Description |
|---|---|---|
| Network Layer | TLS / SSL, VPN, Direct Connect, PrivateLink, VPC Peering | Protects data as it moves between networks. |
| Application Layer | ALB / NLB with TLS, CloudFront HTTPS, API Gateway, Elastic Beanstalk | Ensures secure client-server communication using certificates. |
| Service Layer | S3 HTTPS, DynamoDB HTTPS, RDS SSL connections, Kinesis HTTPS, SNS/SQS HTTPS endpoints | AWS-managed services enforce TLS 1.2+ on their API endpoints. |
| Internal AWS Communications | Service-to-service encryption (managed by AWS) | AWS automatically encrypts internal service communication with TLS. |

3. TLS / SSL Encryption Workflow (High Level)

1. Client initiates a connection: the client sends a ClientHello message listing the TLS versions and cipher suites it supports.
2. Server responds: the server sends a ServerHello message and its SSL/TLS certificate (X.509), signed by a trusted CA (e.g., ACM, ACM Private CA, or a third-party CA).
3. Certificate validation: the client validates the server's certificate chain (issuer, expiry, domain name, revocation status).
4. Key exchange: using an asymmetric key exchange (RSA or, for forward secrecy, ECDHE), both sides derive a shared session key.
5. Session encryption: all subsequent traffic is encrypted with symmetric encryption under that session key.
6. Rekeying / session resumption: session keys are refreshed periodically, and ephemeral key exchanges give each session forward secrecy.
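The ClientHello in step 1 is where a client declares the TLS versions and cipher suites it will accept, so it is also the point at which a defender can spot clients still offering TLS 1.0/1.1 or suites without forward secrecy. The Python below is an added example, not code from the original post or from AWS: it builds a constructed ClientHello (with SNI and supported_versions extensions), parses it back with a minimal parser, and reports offers that a TLS 1.2+ policy would reject; the cipher-suite table is a small hand-picked subset of the IANA registry.

```python
import struct

# IANA cipher-suite code points used in this example (constructed subset).
SUITES = {0x1301: "TLS_AES_128_GCM_SHA256", 0x1303: "TLS_CHACHA20_POLY1305_SHA256",
          0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
          0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA"}   # RSA key transport: no forward secrecy
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def build_client_hello(sni, suites, versions):
    """Constructed ClientHello (TLS record + handshake) with SNI and supported_versions."""
    name = sni.encode()
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ver_ext = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    exts = (struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext
            + struct.pack("!HH", 0x002B, len(ver_ext)) + ver_ext)
    body = (b"\x03\x03" + bytes(32) + b"\x00"                   # legacy_version, random, no session id
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)  # null compression, extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body            # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs       # record type 0x16 = handshake

def parse_client_hello(data):
    """Return (sni, offered versions, offered cipher suites) from a raw ClientHello."""
    if data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9 + 2 + 32                                   # record hdr(5) + hs hdr(4) + version + random
    p += 1 + data[p]                                 # session id
    n = struct.unpack("!H", data[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", data[i:i + 2])[0] for i in range(p, p + n, 2)]; p += n
    p += 1 + data[p]                                 # compression methods
    end = p + 2 + struct.unpack("!H", data[p:p + 2])[0]; p += 2
    sni, versions = None, [struct.unpack("!H", data[9:11])[0]]  # legacy_version unless overridden
    while p < end:
        etype, elen = struct.unpack("!HH", data[p:p + 4]); p += 4
        body = data[p:p + elen]; p += elen
        if etype == 0x0000:                          # server_name: skip list len(2) + name type(1)
            sni = body[5:5 + struct.unpack("!H", body[3:5])[0]].decode()
        elif etype == 0x002B:                        # supported_versions: len(1) + 2-byte versions
            versions = [struct.unpack("!H", body[i:i + 2])[0] for i in range(1, 1 + body[0], 2)]
    return sni, versions, suites

def audit_client_hello(data, min_version=0x0303):
    """Flag offers a TLS 1.2+ policy would reject: legacy versions and non-forward-secret suites."""
    sni, versions, suites = parse_client_hello(data)
    findings = [f"legacy version {VERSIONS.get(v, hex(v))}" for v in versions if v < min_version]
    findings += [f"no forward secrecy: {SUITES[s]}" for s in suites
                 if SUITES.get(s, "").startswith("TLS_RSA_WITH")]
    return sni, findings
```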

4. AWS Certificate Management

| Service | Purpose |
|---|---|
| AWS Certificate Manager (ACM) | Automatically provisions and renews public or private TLS certificates for CloudFront, ALB, API Gateway, etc. |
| ACM Private CA | Issues private certificates for use inside the twtech organization (e.g., EC2-to-EC2 TLS). |
| IAM Server Certificates | Legacy storage for SSL/TLS certificates (superseded by ACM). |
| Custom Certificates | twtech can import third-party certificates or use self-signed certificates for testing. |

5. Integration with AWS Services

| AWS Service | Encryption-in-Flight Details |
|---|---|
| S3 | All requests must use HTTPS; supports TLS 1.2+ |
| RDS / Aurora | SSL/TLS connections using server certificates |
| ECS / EKS | Encrypted service-to-service communication via mutual TLS or a service mesh (App Mesh / Istio) |
| CloudFront | Enforces HTTPS viewer connections; supports SNI and custom certificates |
| API Gateway | Enforces HTTPS-only endpoints |
| Elastic Load Balancing (ALB/NLB) | Terminates TLS or passes it through |
| AWS IoT Core | TLS mutual authentication for devices |
| Direct Connect / VPN | Encrypted tunnels using IPsec and TLS |
| PrivateLink | Keeps data private on the AWS backbone, optionally with TLS |

6. Encryption Protocols & Algorithms

  • TLS Versions: TLS 1.2 (default), TLS 1.3 (increasing adoption)
  • Cipher Suites: AES-GCM, ChaCha20-Poly1305
  • Key Exchange: ECDHE (Elliptic Curve Diffie-Hellman Ephemeral)
  • Signature Algorithms: RSA, ECDSA
  • Forward Secrecy: Supported via ephemeral key exchanges

7. Enforcing TLS Across AWS

| Enforcement Mechanism | Example |
|---|---|
| S3 Bucket Policy | "aws:SecureTransport": "true" |
| CloudFront Viewer Protocol Policy | "Redirect HTTP to HTTPS" |
| API Gateway | Enforce TLS 1.2 minimum |
| Load Balancers | Use custom SSL policies (e.g., ELBSecurityPolicy-TLS13-1-2-2021-06) |
| IAM Policies | Deny access if aws:SecureTransport = false |
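To make the S3 bucket-policy and IAM-policy rows concrete: the usual pattern is an explicit Deny on all s3:* actions, for both the bucket ARN and its objects, whenever aws:SecureTransport is false. The Python below is an added example, not the post's or AWS's own code: it generates that policy, evaluates it against sample requests with a simplified IAM matcher (Deny statements and the Bool condition only; Allow statements are not modelled), and approximates what the s3-bucket-ssl-requests-only Config rule checks by asking whether plain-HTTP requests to both the bucket and an object are denied; the bucket name is constructed.

```python
import fnmatch

def tls_only_bucket_policy(bucket):
    """Bucket policy denying every S3 action not sent over TLS (bucket name is constructed)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            # Both ARNs are needed: the bucket ARN covers ListBucket, the /* ARN covers objects.
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }

def _aslist(x):
    return x if isinstance(x, list) else [x]

def explicit_deny(policy, action, resource, secure_transport):
    """Simplified IAM evaluation: True if any Deny statement matches the request.

    Only Deny statements and the Bool condition operator are modelled, since an
    explicit deny overrides any Allow in IAM. aws:SecureTransport is derived from
    whether the request arrived over HTTPS. Matching is case-sensitive here."""
    ctx = {"aws:SecureTransport": "true" if secure_transport else "false"}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in _aslist(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _aslist(stmt["Resource"])):
            continue
        bools = stmt.get("Condition", {}).get("Bool", {})
        if all(ctx.get(k) == str(v).lower() for k, v in bools.items()):
            return True
    return False

def enforces_tls(policy, bucket):
    """Approximation of the s3-bucket-ssl-requests-only Config rule: a plain-HTTP
    request must be denied both at bucket level and at object level."""
    return (explicit_deny(policy, "s3:ListBucket", f"arn:aws:s3:::{bucket}", False)
            and explicit_deny(policy, "s3:GetObject", f"arn:aws:s3:::{bucket}/any-key", False))
```

A policy whose Resource lists only the `/*` object ARN fails the check, because bucket-level calls such as ListBucket over HTTP would still not be denied.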

8. Monitoring & Compliance

  • AWS Config Rules
    • acm-certificate-expiration-check
    • s3-bucket-ssl-requests-only
  • AWS CloudTrail
    • Logs all API requests; verify HTTPS
  • AWS Security Hub
    • Flags insecure protocols
  • AWS WAF
    • Filters insecure or downgraded requests
  • Certificate Manager
    • Automatic renewal and monitoring

9. Example Architecture Flow (TLS End-to-End)

Client → CloudFront → ALB → EC2 / Lambda → RDS (TLS)

  • Each hop uses HTTPS/TLS.
  • ACM manages certificates at the CloudFront and ALB layers.
  • Internal service calls (EC2 → RDS) use mutual TLS or database SSL.
  • Monitoring and enforcement via Config + Security Hub.


