Monday, October 13, 2025

AWS Encryption in flight (TLS / SSL) | Overview.

Scope:

  • Intro,
  • Foundational Protocols,
  • Service-Specific Implementation,
  • Connectivity and Management Tools,
  • Best Practices,
  • Encryption in flight (TLS / SSL) deep dive,
  • Core Components of Encryption in Flight & Description,
  • TLS / SSL Encryption Workflow (High Level),
  • AWS Certificate Management Services & Purpose,
  • Integration with AWS Services & Encryption-in-Flight Details,
  • Encryption Protocols & Algorithms,
  • Enforcing TLS Across AWS & Examples,
  • Monitoring & Compliance,
  • Sample Architecture Flow (TLS End-to-End).
Intro:
  • AWS provides several layers of encryption in flight to protect data as it moves between:
    • clients and services,
    • as well as between internal AWS resources.
Foundational Protocols
    • TLS and HTTPS: Most AWS service API endpoints use Transport Layer Security (TLS) to provide encryption in transit. 
    • As of February 2024, AWS requires a minimum of TLS 1.2 for all API calls, with TLS 1.3 recommended for better performance and security.
    • s2n-tls: AWS uses its own open-source implementation of the TLS protocol called s2n-tls, designed to be small, fast, and easier to audit than OpenSSL.
Service-Specific Implementation
    • Elastic Load Balancing (ELB): Supports HTTPS listeners that terminate TLS traffic using certificates managed via AWS Certificate Manager (ACM).
    • Amazon S3: Supports encrypted endpoints using SSL/TLS.
      • twtech can enforce bucket policies that deny any non-HTTPS request (aws:SecureTransport condition key).
    • Amazon EFS: Provides encryption in transit via the EFS mount helper, which sets up a TLS 1.2 tunnel between the client and the service.
    • Amazon ElastiCache: Supports in-transit encryption for Valkey, Redis OSS, and Memcached, ensuring client-to-server and inter-node communication is encrypted.
    • Amazon EC2: Traffic between supported Nitro System instance types is automatically encrypted at the physical layer when deployed within the same region or peered VPCs.
Connectivity and Management Tools
    • AWS Certificate Manager (ACM): Simplifies provisioning, managing, and deploying SSL/TLS certificates for use with services like ELB, CloudFront, and API Gateway.
    • AWS Site-to-Site VPN: Establishes secure IPsec tunnels between on-premises networks and AWS VPCs.
    • AWS Direct Connect: While not encrypted by default, it supports MACsec (IEEE 802.1AE) for hardware-level encryption on dedicated 10Gbps and 100Gbps connections.
    • AWS Network Firewall: Can be configured for TLS inspection to decrypt, inspect, and re-encrypt inbound and outbound traffic.
Best Practices
    • Enforce HTTPS: Use IAM and bucket policies to require secure transport for all data access.
    • Use Modern TLS: Standardize on TLS 1.2 or 1.3 and disable older versions (TLS 1.0/1.1) to avoid known vulnerabilities.
    • Automate Renewals: Leverage AWS Certificate Manager (ACM) managed renewal to prevent service outages caused by expired certificates.
NB:
  • TLS (Transport Layer Security) is the newer version of SSL (Secure Sockets Layer).

1. Encryption in flight (TLS / SSL) deep dive

    • Encryption in Flight (also called data-in-transit encryption) ensures that data traveling between systems (e.g., clients ↔ servers, services ↔ APIs, regions ↔ regions) is protected against interception and tampering using cryptographic protocols, primarily TLS (Transport Layer Security) or its predecessor SSL (Secure Sockets Layer).
    • AWS automatically provides or supports TLS-based encryption for most service communications.
    • AWS also allows twtech to enforce encryption policies at the network, service, or application layer.

2. Core Components of Encryption in Flight & Description

| Layer | AWS Services / Features | Description |
|---|---|---|
| Network Layer | TLS / SSL, VPN, Direct Connect, PrivateLink, VPC Peering | Protects data as it moves between networks. |
| Application Layer | ALB / NLB with TLS, CloudFront HTTPS, API Gateway, Elastic Beanstalk | Ensures secure client-server communication using certificates. |
| Service Layer | S3 HTTPS, DynamoDB HTTPS, RDS SSL connections, Kinesis HTTPS, SNS/SQS HTTPS endpoints | AWS-managed services enforcing TLS 1.2+ for API endpoints. |
| Internal AWS Communications | Service-to-service encryption (managed by AWS) | AWS automatically encrypts all internal service communication with TLS. |

3. TLS / SSL Encryption Workflow (High Level)

  1. Client Initiates a Connection
     • The client sends a ClientHello message specifying supported TLS versions and cipher suites.
  2. Server Responds
     • The server sends a ServerHello message and its SSL/TLS certificate (X.509), signed by a trusted CA (e.g., ACM, ACM Private CA, third-party).
  3. Certificate Validation
     • The client validates the server's certificate chain (issuer, expiry, domain, revocation status).
  4. Key Exchange
     • Using asymmetric cryptography (RSA or ECDHE), both sides agree on a shared session key.
  5. Session Encryption
     • All subsequent traffic uses symmetric encryption with that session key.
  6. Rekeying / Session Resumption
     • Session keys are refreshed periodically to maintain forward secrecy.

4. AWS Certificate Management Services & Purpose

| Service | Purpose |
|---|---|
| AWS Certificate Manager (ACM) | Automatically provisions and renews public or private TLS certificates for CloudFront, ALB, API Gateway, etc. |
| ACM Private CA | Issues internal private certificates for use inside the twtech organization (e.g., EC2-to-EC2 TLS). |
| IAM Server Certificates | Legacy storage for SSL/TLS certs (superseded by ACM). |
| Custom Certificates | twtech can import third-party certs or use self-signed certs for testing. |

5. Integration with AWS Services & Encryption-in-Flight Details

| AWS Service | Encryption-in-Flight Details |
|---|---|
| S3 | All requests must use HTTPS; supports TLS 1.2+ |
| RDS / Aurora | SSL/TLS connections using server certificates |
| ECS / EKS | Encrypted service-to-service communication via mutual TLS or a service mesh (App Mesh / Istio) |
| CloudFront | Enforces HTTPS viewer connections; supports SNI and custom certs |
| API Gateway | Enforces HTTPS-only endpoints |
| Elastic Load Balancing (ALB/NLB) | Terminate or pass-through TLS |
| AWS IoT Core | TLS mutual authentication for devices |
| Direct Connect / VPN | Encrypted tunnels using IPsec and TLS |
| PrivateLink | Keeps data private on the AWS backbone, optionally with TLS |

6. Encryption Protocols & Algorithms

    • TLS Versions: TLS 1.2 (default), TLS 1.3 (increasing adoption)
    • Cipher Suites: AES-GCM, ChaCha20-Poly1305
    • Key Exchange: ECDHE (Elliptic Curve Diffie-Hellman Ephemeral)
    • Signature Algorithms: RSA, ECDSA
    • Forward Secrecy: Supported via ephemeral key exchanges
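A client-side counterpart of the "Use Modern TLS" best practice and of handshake steps 2-3 above, added here as an example (not AWS or s2n-tls code): it builds a Python ssl context that refuses TLS 1.0/1.1 and requires a verified, hostname-matching chain, then reports the negotiated version, cipher and days left on the server certificate. SAMPLE_CERT and SAMPLE_NOW are constructed values so the expiry helper can be checked without a network connection.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional


def hardened_client_context() -> ssl.SSLContext:
    """Refuse TLS 1.0/1.1, allow 1.2 and 1.3, and require a verified,
    hostname-matching certificate chain (handshake steps 2-3)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def days_until_expiry(peercert: dict, now: Optional[datetime] = None) -> int:
    """Days left on a certificate dict as returned by getpeercert();
    negative means already expired (what an expiration check should flag)."""
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(peercert["notAfter"]), tz=timezone.utc)
    return (not_after - now).days


def check_endpoint(host: str, port: int = 443, warn_days: int = 30) -> dict:
    """Handshake with a live endpoint under the hardened context and report
    what was negotiated; raises ssl.SSLError if the server only offers
    TLS < 1.2 or presents an untrusted or mismatched certificate."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            days_left = days_until_expiry(tls.getpeercert())
            return {
                "version": tls.version(),      # e.g. "TLSv1.3"
                "cipher": tls.cipher()[0],     # e.g. "TLS_AES_256_GCM_SHA384"
                "days_left": days_left,
                "renew_soon": days_left <= warn_days,
            }


# Constructed sample shaped like getpeercert() output, plus a fixed "now",
# so the expiry helper can be exercised offline.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
}
SAMPLE_NOW = datetime(2025, 10, 13, tzinfo=timezone.utc)
```

Calling check_endpoint("example.com") against a real host exercises the full handshake; a server limited to TLS 1.0/1.1 fails the handshake instead of silently downgrading.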

7. Enforcing TLS Across AWS & Examples

| Enforcement Mechanism | Example |
|---|---|
| S3 Bucket Policy | "aws:SecureTransport": "true" |
| CloudFront Viewer Protocol Policy | "Redirect HTTP to HTTPS" |
| API Gateway | Enforce TLS 1.2 minimum |
| Load Balancers | Use custom SSL policies (e.g., ELBSecurityPolicy-TLS13-1-2-2021-06) |
| IAM Policies | Deny access if aws:SecureTransport = false |
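The S3 bucket-policy and IAM-policy rows in practice, as an added example (not from the page or from AWS documentation): a bucket policy that denies requests without aws:SecureTransport and, via the s3:TlsVersion condition key, any session negotiated below TLS 1.2, plus a small evaluator that shows which request contexts each Deny statement catches. The bucket ARN is a constructed placeholder.

```python
import json

# Constructed placeholder; replace with the real bucket ARN.
BUCKET_ARN = "arn:aws:s3:::example-bucket"


def tls_only_bucket_policy(bucket_arn: str) -> dict:
    """Deny plain-HTTP requests (aws:SecureTransport false) and, in a
    second statement, HTTPS requests negotiated below TLS 1.2
    (s3:TlsVersion condition key). Both cover the bucket and its objects."""
    resources = [bucket_arn, f"{bucket_arn}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyInsecureTransport", "Effect": "Deny",
             "Principal": "*", "Action": "s3:*", "Resource": resources,
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
            {"Sid": "DenyTlsBelow12", "Effect": "Deny",
             "Principal": "*", "Action": "s3:*", "Resource": resources,
             "Condition": {"NumericLessThan": {"s3:TlsVersion": "1.2"}}},
        ],
    }


def is_denied(policy: dict, request_ctx: dict) -> bool:
    """Minimal evaluator for the Deny statements above: a statement matches
    when every condition holds against the request context; a context key
    that is absent never matches (IAM behaviour without ...IfExists).
    Only the Bool and NumericLessThan operators are implemented."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        matched = True
        for operator, pairs in stmt.get("Condition", {}).items():
            for key, expected in pairs.items():
                actual = request_ctx.get(key)
                if actual is None:
                    matched = False
                elif operator == "Bool":
                    matched &= str(actual).lower() == expected.lower()
                elif operator == "NumericLessThan":
                    matched &= float(actual) < float(expected)
                else:
                    raise ValueError(f"unsupported operator {operator}")
        if matched:
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(tls_only_bucket_policy(BUCKET_ARN), indent=2))
```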

8. Monitoring & Compliance

    • AWS Config Rules
      • acm-certificate-expiration-check
      • s3-bucket-ssl-requests-only
    • AWS CloudTrail
      • Logs all API requests; verify HTTPS
    • AWS Security Hub
      • Flags insecure protocols
    • AWS WAF
      • Filters insecure or downgraded requests
    • Certificate Manager
      • Automatic renewal and monitoring

9. Sample Architecture Flow (TLS End-to-End)

Client → CloudFront → ALB → EC2 / Lambda → RDS (TLS)
    • Each hop uses HTTPS/TLS.
    • ACM manages certificates at the CloudFront and ALB layers.
    • Internal service calls (EC2 → RDS) use mutual TLS or database SSL.
    • Monitoring and enforcement via Config + Security Hub.
