Reading20 min read·Module 1

Encryption in Transit (TLS/SSL)

Key concepts

  • TLS for data in motion

  • HTTPS listeners on load balancers

  • SSL/TLS certificates from ACM

  • End-to-end encryption

  • Perfect Forward Secrecy

Overview

Encryption in transit protects data as it moves between systems, preventing eavesdropping, tampering, and man-in-the-middle attacks. AWS provides multiple mechanisms to encrypt data in transit, with TLS (Transport Layer Security) being the primary protocol.

Understanding encryption in transit is essential for the SAA-C03 exam because it's fundamental to securing communications between users, applications, and AWS services. You must know how to implement TLS using AWS Certificate Manager (ACM), configure secure endpoints, and understand the differences between public and private certificates.

Minimum TLS Requirements

AWS requires TLS 1.2 minimum and recommends TLS 1.3 for all communications. Cipher suites with Perfect Forward Secrecy (PFS) using ECDHE or DHE are strongly recommended.

Exam Tip

Focus on ACM integration with AWS services, certificate validation methods, the difference between public and private certificates, and how to enforce encryption in transit using bucket policies and security parameters.


Key Concepts

TLS Protocol Overview

TLS Handshake Overview
Figure 1: TLS handshake establishes secure encrypted connection

TLS Versions

TLS (Transport Layer Security) is the cryptographic protocol that encrypts data in transit. AWS has deprecated older versions due to security vulnerabilities.

TLS Version Status

TLS VersionStatusAWS Recommendation
TLS 1.0DeprecatedDo not use
TLS 1.1DeprecatedDo not use
TLS 1.2Required minimumAcceptable
TLS 1.3LatestRecommended

AWS Certificate Manager (ACM)

ACM simplifies the provisioning, management, and deployment of SSL/TLS certificates:

ACM Certificate Types

ACM offers public certificates (free, issued by Amazon Trust Services) and private certificates (paid, issued by AWS Private CA). Public certs auto-renew and work with ACM-integrated services. Private certs offer custom validity and can be used for internal resources.

TEXTACM Key Features
Certificate Types:
├── Public Certificates (FREE)
│   ├── Issued by Amazon Trust Services
│   ├── Domain Validated (DV) only
│   ├── Auto-renewal every 13 months
│   └── Used with ACM-integrated services
│
└── Private Certificates (PAID)
    ├── Issued by AWS Private CA
    ├── Custom validity periods
    ├── Organization/Extended Validation possible
    └── Used for internal resources

ACM Certificate Validation Methods

Validation Methods

MethodHow It WorksBest For
DNS ValidationAdd CNAME record to DNSAutomated renewal, preferred
Email ValidationRespond to email sent to domain contactsLegacy, manual process
TEXTDNS Validation CNAME Record
Record Name:  _a1b2c3d4e5.example.com
Record Type:  CNAME
Record Value: _x1y2z3.acm-validations.aws.

Note: This record validates domain ownership
      Must remain in DNS for auto-renewal

ACM-Integrated Services

ACM certificates work automatically with these AWS services:

ACM Integrated Services
Figure 2: ACM provides free certificates for integrated AWS services

ACM-Integrated Services

ServiceUse CaseNotes
Elastic Load BalancingALB, NLB HTTPS listenersSNI support
Amazon CloudFrontCDN HTTPS deliveryGlobal edge
Amazon API GatewayREST/HTTP API endpointsCustom domains
AWS App RunnerContainer web appsAutomatic TLS
AWS Elastic BeanstalkApplication deploymentsVia load balancer
Amazon CloudFormationInfrastructure templatesCertificate resources
ACM Export Limitation

ACM certificates CANNOT be exported or used on EC2 instances directly. For EC2, use imported certificates or AWS Private CA.


How It Works

Certificate Deployment Flow

ACM Certificate Deployment Flow
Figure 3: ACM certificate lifecycle from request to deployment
TEXTACM Certificate Lifecycle
1. REQUEST
   └── User requests certificate for domain(s)

2. VALIDATE
   └── DNS validation (add CNAME) OR Email validation

3. ISSUE
   └── ACM issues certificate (13-month validity)

4. DEPLOY
   └── Associate with ALB, CloudFront, API Gateway

5. RENEW
   └── Automatic renewal 60 days before expiry
       (requires DNS validation record to remain)

TLS Termination Options

TLS Termination Options
Figure 4: Different TLS termination points with varying security levels

TLS Termination Points

Termination PointTraffic AfterSecurity LevelUse Case
CloudFrontHTTP to originMediumCDN with HTTP origin
ALBHTTP to EC2MediumStandard web apps
ALBHTTPS to EC2HighEnd-to-end encryption
NLBPass-throughHighestTLS on backend

Server Name Indication (SNI)

SNI Multi-Certificate Support

SNI allows multiple TLS certificates on a single IP address, enabling a single ALB to host multiple domains with different certificates. This reduces infrastructure costs and simplifies management.

TEXTSNI with Application Load Balancer
Single ALB with multiple certificates:

HTTPS:443 Listener
├── Rule 1: Host = app1.example.com → Target Group 1
│           Certificate: app1.example.com
│
├── Rule 2: Host = app2.example.com → Target Group 2
│           Certificate: app2.example.com
│
└── Default: → Target Group 3
              Certificate: default.example.com

Benefits:
- Multiple domains on one load balancer
- Reduced infrastructure costs
- Simplified management

AWS Service Encryption in Transit

S3 Encryption in Transit

JSONS3 Bucket Policy - Enforce HTTPS
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSSLRequestsOnly",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}

RDS Encryption in Transit

TEXTRDS SSL/TLS Connection
Enable require_ssl parameter:
  MySQL/MariaDB: require_secure_transport = 1
  PostgreSQL:    rds.force_ssl = 1
  SQL Server:    rds.force_ssl = 1

Connect with SSL:
  mysql -h mydb.xxx.rds.amazonaws.com \
        --ssl-ca=rds-ca-2019-root.pem \
        --ssl-mode=VERIFY_IDENTITY

Certificate bundles available at:
  https://truststore.pki.rds.amazonaws.com/

VPC Endpoint Encryption

VPC Endpoints

All VPC Interface Endpoints use TLS by default:

TEXTVPC Endpoint TLS
Interface Endpoint → AWS Service
        ↓
    Always TLS 1.2+

No additional configuration needed
Traffic encrypted on AWS backbone

Use Cases

Use Case 1: Public Website with HTTPS

Scenario: Deploy a public website with HTTPS using ALB and ACM.

Public Website HTTPS
Figure 5: Free ACM certificate with ALB provides HTTPS for public websites

Solution:

  • Request public ACM certificate for domain
  • Use DNS validation (add CNAME record)
  • Create HTTPS listener on ALB
  • Configure HTTP to HTTPS redirect
  • Cost: FREE (ACM public certificates)

Use Case 2: End-to-End Encryption

Scenario: Financial application requires encryption from client to database.

Solution:

  • ACM certificate on ALB (client to ALB)
  • Self-signed or Private CA certificate on EC2 (ALB to EC2)
  • RDS with require_ssl enabled (EC2 to database)
  • VPC endpoints for AWS services (all internal traffic encrypted)

Use Case 3: Internal Microservices with Private CA

Scenario: Microservices need mutual TLS (mTLS) for service-to-service communication.

Solution:

  • Deploy AWS Private CA
  • Issue private certificates to each service
  • Configure mutual TLS authentication
  • Automatic certificate rotation via ACM

Use Case 4: Multi-Domain Application

Scenario: Single ALB serving multiple domains with different certificates.

Solution:

  • Request ACM certificates for each domain
  • Configure ALB HTTPS listener with SNI
  • Add host-based routing rules
  • Each domain uses its own certificate

Best Practices

ACM Best Practices

  1. Use DNS validation over email validation

    • Enables automatic certificate renewal
    • No manual intervention required
    • Keep CNAME records in DNS permanently
  2. Request certificates in the correct region

    • CloudFront: us-east-1 only
    • Regional services: Same region as service
  3. Use wildcard certificates carefully

    • *.example.com covers one level only
    • Doesn't cover example.com (apex)
    • Consider security implications
  4. Monitor certificate expiration

    • Set CloudWatch alarms for ACM events
    • Use AWS Config rule acm-certificate-expiration-check

TLS Configuration Best Practices

  1. Enforce minimum TLS 1.2

    • Configure security policies on ALB/CloudFront
    • Use ELBSecurityPolicy-TLS-1-2-2017-01 or newer
  2. Use Perfect Forward Secrecy (PFS)

    • ECDHE cipher suites preferred
    • Protects past sessions if key compromised
  3. Implement HTTPS redirects

    • ALB listener rules can redirect HTTP to HTTPS
    • CloudFront can enforce HTTPS-only
  4. Enable HSTS (HTTP Strict Transport Security)

    • Add header: Strict-Transport-Security: max-age=31536000
    • Prevents downgrade attacks

Private CA Best Practices

  1. Use for internal resources only

    • EC2 instances, containers, IoT devices
    • Service-to-service communication
  2. Implement certificate hierarchy

    • Root CA → Intermediate CA → End-entity certificates
    • Protect root CA offline when possible
  3. Define validity periods appropriately

    • Shorter periods = more security, more rotation
    • Balance security with operational overhead

Common Exam Scenarios

Exam Scenarios

ScenarioSolutionWhy
Public HTTPS websiteACM public certificate + ALBFree, automatic renewal
CloudFront custom domainACM certificate in us-east-1CloudFront requires us-east-1
EC2 instance needs certificateImport certificate or use Private CAACM cant export to EC2
Enforce HTTPS for S3Bucket policy with aws:SecureTransportDenies HTTP requests
RDS encryption in transitEnable force_ssl parameterForces TLS connections
Multiple domains on one ALBSNI with multiple ACM certificatesOne listener, multiple certs
Internal microservices TLSAWS Private CAPrivate certificates for internal use
Certificate for apex + wwwRequest both names in one certificateSingle cert, multiple names

Common Pitfalls

Pitfall 1: Wrong Region for CloudFront Certificate

Mistake: Requesting ACM certificate in regional region for CloudFront.

Why it fails: CloudFront only uses certificates from us-east-1

Correct Approach: Always request CloudFront certificates in us-east-1

Pitfall 2: Email Validation Blocking Auto-Renewal

Mistake: Using email validation for ACM certificates.

Why it fails: Auto-renewal requires DNS validation; email needs manual intervention

Correct Approach: Always use DNS validation for production certificates

Pitfall 3: Assuming ACM Works on EC2

Mistake: Trying to install ACM certificate on EC2 instance.

Why it fails: ACM certificates cannot be exported; only work with integrated services

Correct Approach: Use imported certificates or AWS Private CA for EC2

Pitfall 4: Wildcard Certificate Misconceptions

Mistake: Expecting *.example.com to cover example.com or sub.sub.example.com.

Why it fails: Wildcards only cover one level of subdomains

Correct Approach: Include apex domain explicitly; request separate certs for deeper subdomains

Pitfall 5: Forgetting HTTP to HTTPS Redirect

Mistake: Only configuring HTTPS listener, leaving HTTP open.

Why it fails: Users accessing via HTTP get connection refused or unencrypted access

Correct Approach: Configure HTTP listener with redirect action to HTTPS



Quick Reference

ACM Certificate Limits

ACM Limits

ResourceDefault Limit
Certificates per region2,500
Domain names per certificate10
Certificates per ALB25 (via SNI)
Private CAs per account200

ALB Security Policies

ALB Security Policies

PolicyMin TLSRecommended For
ELBSecurityPolicy-TLS13-1-2-2021-06TLS 1.2Most secure, TLS 1.3 support
ELBSecurityPolicy-TLS-1-2-2017-01TLS 1.2Standard compliance
ELBSecurityPolicy-2016-08TLS 1.0Legacy compatibility only

ACM Pricing

ACM Pricing

Certificate TypeCost
Public certificatesFREE
Private CA$400/month per CA
Private certificates$0.75 per certificate/month

CLI Commands

SHRequest ACM Certificate
# Request public certificate
aws acm request-certificate \
  --domain-name example.com \
  --subject-alternative-names www.example.com \
  --validation-method DNS \
  --region us-east-1

# List certificates
aws acm list-certificates --region us-east-1

# Describe certificate
aws acm describe-certificate \
  --certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/xxx

Test Your Knowledge

Q

A company needs an SSL certificate for their CloudFront distribution. In which region must the ACM certificate be requested?

AThe region closest to most users
BThe same region as the S3 origin bucket
Cus-east-1 (N. Virginia)
DAny region - CloudFront is global
Q

Which ACM validation method enables automatic certificate renewal?

AEmail validation
BDNS validation
CBoth methods support auto-renewal
DNeither - renewal is always manual
Q

A company wants to use ACM certificates on EC2 instances running a web application. What is the correct approach?

AExport the ACM certificate and install on EC2
BACM certificates work automatically on EC2
CUse AWS Private CA or import certificates
DUse Systems Manager to deploy ACM certificates
Q

An ALB needs to serve multiple domains with different SSL certificates. Which feature enables this?

ACertificate rotation
BServer Name Indication (SNI)
CMulti-certificate listener
DDomain-based routing

Further Reading

Related services

ACMELBCloudFront