
Data-in-transit Encryption on AWS

Data-in-transit refers to data that is being transferred over a network. Encrypting data in transit is one of the standard and important parts of cybersecurity. It is especially important for data transferred over the Internet, to protect it from threats such as man-in-the-middle attacks.

Transport Layer Security (TLS) is probably the best-known protocol for encrypting data in transit over HTTP connections, known as HTTPS. HTTPS appears in the URL when a website is secured by an SSL certificate, where SSL stands for Secure Sockets Layer. Traditionally, when you need to establish and maintain a web app or RESTful API, you’ll need to do the following:

  1. Register a unique domain name of your own.
  2. Buy an SSL certificate for your domain name from one of the certificate authorities (CA) or their resellers (e.g. Verisign, GoDaddy, etc.). You’ll need to prove ownership of your domain during the purchase process.
  3. Install the certificate to your web servers.
  4. Periodically renew your certificate when it expires. Update your web servers to use the new certificate. Note that the maximum validity period of SSL certificates is 2 years.

With Amazon AWS, we can leverage their services to make our lives much easier.

AWS Route 53 is a reliable and powerful Domain Name System (DNS) web service. The service is more than a conventional DNS service. It also offers domain name registration services, where you can search for and register available domain names.

AWS Certificate Manager is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources. SSL/TLS certificates are used to secure network communications and establish the identity of websites over the Internet as well as resources on private networks. AWS Certificate Manager removes the time-consuming manual process of purchasing, uploading, and renewing SSL/TLS certificates.

AWS Certificate Manager (ACM) lets you request an SSL certificate quickly and deploy it on ACM-integrated AWS resources, such as Elastic Load Balancers (ELB) and Amazon CloudFront distributions. ACM simplifies the overall process of generating, distributing, and rotating digital certificates. Another benefit is that SSL certificates provisioned through ACM and used with some AWS services, including the two mentioned above, are free.

We help our customers set up data-in-transit encryption for API services running on EC2 instances and static file asset services on S3, protecting all public-facing data connections to the Internet.

Amazon EC2 + Amazon ELB – Application Load Balancer (ALB) + AWS Route 53 + Amazon Certificate Manager (ACM)

Figure: Data-in-transit with ALB
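The ALB architecture above, expressed as a CloudFormation template. This is an added example, not code from the original article or from AWS; the domain name, hosted zone, VPC, subnets and the target port are assumed parameters, and the EC2 instances are expected to be registered into the target group separately. The points worth noticing from a security standpoint are that the certificate is validated by DNS (so ACM can renew it without manual steps), that TLS terminates on the load balancer with a policy that excludes legacy protocol versions, and that a second listener turns any clear-text request into a redirect rather than serving it. Note that an ACM certificate used by an ALB must be issued in the same region as the load balancer.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not the article's own code): TLS termination at an
  Application Load Balancer with an ACM certificate validated via Route 53.
  All names and parameter values are assumptions.

Parameters:
  DomainName:
    Type: String
    Default: api.example.com          # placeholder, not from the article
  HostedZoneId:
    Type: AWS::Route53::HostedZone::Id
  VpcId:
    Type: AWS::EC2::VPC::Id
  PublicSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>

Resources:
  # 1. Request a public certificate. DNS validation writes a CNAME into the
  #    hosted zone, so proof of ownership and later renewals are automatic.
  ApiCertificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Ref DomainName
      ValidationMethod: DNS
      DomainValidationOptions:
        - DomainName: !Ref DomainName
          HostedZoneId: !Ref HostedZoneId

  AlbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTPS (and HTTP, only to redirect) from the Internet
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: 0.0.0.0/0 }
        - { IpProtocol: tcp, FromPort: 80,  ToPort: 80,  CidrIp: 0.0.0.0/0 }

  ApiLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Scheme: internet-facing
      Type: application
      Subnets: !Ref PublicSubnetIds
      SecurityGroups:
        - !Ref AlbSecurityGroup

  # EC2 instances are registered here (port 8080 is an assumed app port).
  ApiTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      Protocol: HTTP
      Port: 8080
      TargetType: instance
      HealthCheckPath: /health

  # 2. Terminate TLS on the ALB with the ACM certificate; the chosen policy
  #    allows only TLS 1.2 and 1.3.
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref ApiLoadBalancer
      Port: 443
      Protocol: HTTPS
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
      Certificates:
        - CertificateArn: !Ref ApiCertificate
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref ApiTargetGroup

  # 3. Clear-text requests on port 80 are redirected, never answered directly,
  #    so no API traffic crosses the Internet unencrypted.
  HttpRedirectListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref ApiLoadBalancer
      Port: 80
      Protocol: HTTP
      DefaultActions:
        - Type: redirect
          RedirectConfig:
            Protocol: HTTPS
            Port: "443"
            StatusCode: HTTP_301

  # 4. Route 53 alias record pointing the domain at the load balancer.
  ApiDnsRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: !Ref DomainName
      Type: A
      AliasTarget:
        DNSName: !GetAtt ApiLoadBalancer.DNSName
        HostedZoneId: !GetAtt ApiLoadBalancer.CanonicalHostedZoneID
```

The hop from the ALB to the instances is plain HTTP inside the VPC in this template; if the backend hop must also be encrypted, switch the target group to `Protocol: HTTPS` and serve a certificate on the instances themselves, since ACM certificates cannot be installed directly on EC2.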

Amazon S3 bucket + Amazon CloudFront + AWS Route 53 + Amazon Certificate Manager (ACM)

(For more detail on this solution, please refer to the article "Hosting Static Website & File Assets on AWS".)

Figure: Data-in-transit with CloudFront
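The CloudFront architecture above, as an added CloudFormation example (not the article's own code and not an AWS-provided template); the domain name and hosted zone are assumed parameters. Unlike the ALB case, CloudFront accepts ACM certificates only from the us-east-1 region, so this stack must be deployed there. The bucket is kept fully private and readable only by this one distribution, and the viewer policy redirects clear-text requests to HTTPS with a TLS 1.2 floor.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not the article's own code): private S3 bucket served over
  HTTPS by CloudFront with an ACM certificate validated via Route 53.
  Deploy in us-east-1. All names and parameter values are assumptions.

Parameters:
  DomainName:
    Type: String
    Default: assets.example.com        # placeholder, not from the article
  HostedZoneId:
    Type: AWS::Route53::HostedZone::Id

Resources:
  AssetsCertificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Ref DomainName
      ValidationMethod: DNS
      DomainValidationOptions:
        - DomainName: !Ref DomainName
          HostedZoneId: !Ref HostedZoneId

  # The bucket stays private: nothing reaches it over plain HTTP from the
  # Internet, and only the distribution below may read objects.
  AssetsBucket:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  AssetsOriginAccessControl:
    Type: AWS::CloudFront::OriginAccessControl
    Properties:
      OriginAccessControlConfig:
        Name: !Sub "${AWS::StackName}-oac"
        OriginAccessControlOriginType: s3
        SigningBehavior: always
        SigningProtocol: sigv4

  AssetsDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Aliases:
          - !Ref DomainName
        DefaultRootObject: index.html
        Origins:
          - Id: s3-assets
            DomainName: !GetAtt AssetsBucket.RegionalDomainName
            OriginAccessControlId: !GetAtt AssetsOriginAccessControl.Id
            S3OriginConfig:
              OriginAccessIdentity: ""   # empty: OAC replaces the legacy OAI
        DefaultCacheBehavior:
          TargetOriginId: s3-assets
          ViewerProtocolPolicy: redirect-to-https   # clear-text viewers are redirected
          AllowedMethods: [GET, HEAD]
          CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6  # AWS managed "CachingOptimized"
        ViewerCertificate:
          AcmCertificateArn: !Ref AssetsCertificate   # must live in us-east-1
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.2_2021

  # Bucket policy: grant read access to the CloudFront service principal,
  # restricted to this specific distribution by its ARN.
  AssetsBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref AssetsBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudfront.amazonaws.com
            Action: s3:GetObject
            Resource: !Sub "${AssetsBucket.Arn}/*"
            Condition:
              StringEquals:
                AWS:SourceArn: !Sub "arn:aws:cloudfront::${AWS::AccountId}:distribution/${AssetsDistribution}"

  AssetsDnsRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: !Ref DomainName
      Type: A
      AliasTarget:
        DNSName: !GetAtt AssetsDistribution.DomainName
        HostedZoneId: Z2FDTNDATAQYW2   # fixed hosted zone ID shared by all CloudFront distributions
```

After deployment, a quick check that the setup behaves as intended is to request `http://<DomainName>/` and confirm a 301 to HTTPS, then inspect the served certificate and confirm it was issued to the domain by Amazon and that its renewal is handled by ACM (the certificate's status in the ACM console should read "Issued" with DNS validation recorded as successful).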