Chapter 8 of 26
Data Protection in Transit and Application-Level Security Patterns
From TLS termination to private connectivity and token-based access, protecting data in transit is a core exam theme. This module connects the dots between network encryption, application protocols, and managed services.
Big Picture: Protecting Data in Transit on AWS
Why This Module Matters
You will connect three layers of secure communication on AWS: the network, the application protocol, and identity. These are core to the Solutions Architect – Associate exam.
What Is Data in Transit?
Data in transit is any data moving between clients, services, or regions: browser to web app, app server to database, on-prem to AWS, or service-to-service inside a VPC.
Main Protection Tools
You protect data in transit with TLS, careful HTTPS termination, service-specific encryption options, private connectivity (VPC endpoints, VPN, Direct Connect), and short-lived credentials.
Protocol Currency
As of 2026, TLS 1.2 is the baseline and TLS 1.3 is recommended. SSLv3 and TLS 1.0/1.1 are deprecated and should be disabled in secure architectures.
Exam Language Hints
Phrases like "all data must be encrypted in transit" or "traffic must not traverse the public internet" point directly to specific AWS services and patterns you will learn.
TLS/SSL Fundamentals and AWS Certificate Management
What TLS Gives You
TLS provides confidentiality (encryption), integrity (tamper detection), and authentication (server identity, sometimes client identity) for data in transit.
Certificates and CAs
TLS relies on X.509 certificates issued by trusted Certificate Authorities. Browsers trust public CAs, while internal systems may trust a private CA.
ACM for Public Endpoints
AWS Certificate Manager issues free public certificates for your domains and auto-renews them; you then attach them to ALB, NLB (TLS listeners), CloudFront, and API Gateway.
Internal Certificates
For internal hostnames, you use ACM Private CA or import certificates from your own CA. Public ACM cannot issue for internal-only names.
Exam Focus Points
Expect questions about choosing ACM vs ACM Private CA and enforcing a minimum TLS version on ALB or CloudFront to meet compliance requirements.
HTTPS Termination Patterns: ELB vs Application Servers
What Is TLS Termination?
TLS termination is the point where encrypted traffic is decrypted. You decide whether that happens at a load balancer, the instance, or both.
Pattern 1: Terminate at LB Only
Client connects with HTTPS to ALB/NLB, which decrypts and sends HTTP to EC2. This is simple and centralized but leaves backend traffic unencrypted.
Pattern 2: End-to-End Encryption
Client uses HTTPS to ALB, and ALB re-encrypts with HTTPS to EC2. This keeps traffic encrypted across the VPC at the cost of more complexity.
Pattern 3: NLB Pass-Through
With an NLB TCP listener, the encrypted stream passes through untouched and TLS is terminated on the instance; with an NLB TLS listener, the NLB terminates it. Use the pass-through form for non-HTTP encrypted protocols.
Exam Decision Hints
Look for phrases like "minimize overhead" (LB-only) vs "encrypt all traffic, including internal" (end-to-end) or "non-HTTP protocol" (NLB).
Worked Scenarios: Choosing HTTPS Termination
Scenario 1: Moderate Requirements
Public web app, HTTPS required, instances in private subnets, minimal cert work. Use ALB with ACM cert, HTTPS from client, HTTP to EC2.
Why Scenario 1 Works
Client-to-ALB is encrypted, internal traffic stays in private subnets, and certificates are centralized in ACM. Many orgs accept this as "encrypted in transit".
Scenario 2: Strict Compliance
Healthcare app with PHI and a rule: "All data must be encrypted in transit, including within the VPC." Security wants strict TLS control.
Design for Scenario 2
Use ALB with HTTPS from clients, and HTTPS from ALB to EC2 using internal certs. Enforce TLS 1.2+ on both sides to meet strong policies.
Exam Reading Skill
Phrases about internal encryption and minimizing operations point directly to which termination pattern you should choose on multiple-choice questions.
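The two worked scenarios, and the exam point about enforcing a minimum TLS version on an ALB, come down to a handful of listener and target-group settings. The following audit is an added example written for this chapter, not code from the course or from AWS. The listener and target-group dicts are constructed here but mirror the shape of `elbv2 describe-listeners` and `elbv2 describe-target-groups` output; the ARNs are placeholders, and the allow-list of TLS 1.2+ security policies is the auditor's own assumption to keep in step with the ELB documentation.

```python
"""Audit ALB listeners against the LB-only and end-to-end termination patterns.

Added example, not part of the course page. Input dicts are constructed but follow
the shape of `elbv2 describe-listeners` / `describe-target-groups`; ARNs are
placeholders.
"""

# Allow-list of ALB security policies that negotiate TLS 1.2 or newer only.
# Assumption: this is the auditor's own list and must track the ELB documentation.
# The long-standing default, ELBSecurityPolicy-2016-08, still accepts TLS 1.0/1.1,
# so it is deliberately absent.
TLS12_PLUS_POLICIES = {
    "ELBSecurityPolicy-TLS13-1-2-2021-06",
    "ELBSecurityPolicy-TLS13-1-2-Res-2021-06",
    "ELBSecurityPolicy-TLS-1-2-2017-01",
    "ELBSecurityPolicy-TLS-1-2-Ext-2018-06",
}

# Constructed placeholder ARNs.
TG_HTTP = "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/web-http/EXAMPLE1"
TG_HTTPS = "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/web-https/EXAMPLE2"

# Constructed describe-target-groups results, keyed by ARN.
TARGET_GROUPS = {
    TG_HTTP: {"TargetGroupName": "web-http", "Protocol": "HTTP", "Port": 80},
    TG_HTTPS: {"TargetGroupName": "web-https", "Protocol": "HTTPS", "Port": 443},
}


def listener(ssl_policy, target_group_arn, protocol="HTTPS", certs=True):
    """Build a constructed describe-listeners entry."""
    has_cert = certs and protocol == "HTTPS"
    return {
        "Protocol": protocol,
        "Port": 443 if protocol == "HTTPS" else 80,
        "SslPolicy": ssl_policy if protocol == "HTTPS" else None,
        "Certificates": (
            [{"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE"}]
            if has_cert else []
        ),
        "DefaultActions": [{"Type": "forward", "TargetGroupArn": target_group_arn}],
    }


# Scenario 1 (moderate): HTTPS at the ALB, HTTP to the instances.
SCENARIO_1 = listener("ELBSecurityPolicy-TLS13-1-2-2021-06", TG_HTTP)
# Scenario 2 (strict): HTTPS at the ALB and HTTPS to the instances.
SCENARIO_2 = listener("ELBSecurityPolicy-TLS13-1-2-2021-06", TG_HTTPS)
# Legacy: HTTPS listener left on the default policy, which still allows TLS 1.0/1.1.
LEGACY = listener("ELBSecurityPolicy-2016-08", TG_HTTPS)


def audit_listener(lst, target_groups, require_internal_tls):
    """Return the findings for one listener; an empty list means compliant.

    require_internal_tls=True models "encrypt all traffic, including within the
    VPC"; False models "external HTTPS only, internal traffic may be plain".
    """
    findings = []
    if lst["Protocol"] != "HTTPS":
        findings.append(f"port {lst['Port']} listener is {lst['Protocol']}, not HTTPS")
        return findings  # remaining checks only apply to TLS listeners
    if not lst["Certificates"]:
        findings.append("HTTPS listener has no certificate attached")
    if lst["SslPolicy"] not in TLS12_PLUS_POLICIES:
        findings.append(f"SslPolicy {lst['SslPolicy']} permits TLS versions below 1.2")
    for action in lst["DefaultActions"]:
        if action["Type"] != "forward":
            continue
        tg = target_groups[action["TargetGroupArn"]]
        if require_internal_tls and tg["Protocol"] != "HTTPS":
            findings.append(
                f"target group {tg['TargetGroupName']} is {tg['Protocol']}: "
                "ALB-to-instance traffic is unencrypted"
            )
    return findings


if __name__ == "__main__":
    for name, lst in [("scenario 1", SCENARIO_1), ("scenario 2", SCENARIO_2), ("legacy", LEGACY)]:
        for strict in (False, True):
            mode = "end-to-end" if strict else "edge-only"
            print(name, mode, audit_listener(lst, TARGET_GROUPS, strict) or "OK")
```

Run against real output, the same function tells you which exam pattern a load balancer actually implements: Scenario 1's listener passes the edge-only check and fails the end-to-end one, while a listener left on the default security policy fails regardless of backend protocol.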
Encrypting Client-to-Service Traffic: S3, RDS, and API Gateway
S3 Over HTTPS
Use HTTPS with S3. Enforce it by adding a bucket policy that denies requests when `aws:SecureTransport` is false, blocking plain HTTP.
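The bucket policy that enforces this, together with a small evaluator that shows why the Deny fires only for HTTP, as an added example that is not part of the course page. The policy document is the standard `aws:SecureTransport` deny pattern; the evaluator is a deliberate simplification that implements only the subset of IAM semantics this policy uses (Deny effect, Action/Resource wildcards, the Bool condition operator), and the bucket name is a placeholder.

```python
"""S3 bucket policy that denies plain-HTTP requests, plus a toy evaluator.

Added example, not from the course page. The evaluator covers only what this
policy needs; real IAM evaluation also handles Allow, NotAction, principals and
many more condition operators.
"""
import fnmatch
import json


def deny_insecure_transport_policy(bucket: str) -> dict:
    """Explicit Deny for every S3 action on the bucket and its objects over HTTP.

    An explicit Deny wins over any Allow, so HTTP is blocked even for principals
    with full access. Principal "*" makes the statement apply to everyone.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            }
        ],
    }


def _matches(pattern, value: str) -> bool:
    """Action/Resource matching with '*' and '?' wildcards; '*' spans '/' in an
    ARN just as fnmatch does. (This toy compares case-sensitively; real IAM
    action names are matched case-insensitively.)"""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_explicitly_denied(policy: dict, action: str, resource: str, context: dict) -> bool:
    """True when some Deny statement matches the action, the resource and all of
    its Bool conditions.

    `context` holds the request's condition keys, e.g. {"aws:SecureTransport": "true"}.
    A Bool condition on a key absent from the request does not match, which is
    how IAM treats missing keys as well.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource):
            continue
        bools = stmt.get("Condition", {}).get("Bool", {})
        if all(
            k in context and str(context[k]).lower() == str(v).lower()
            for k, v in bools.items()
        ):
            return True
    return False


def policy_json(bucket: str) -> str:
    """Document in the form `aws s3api put-bucket-policy --policy file://...` expects."""
    return json.dumps(deny_insecure_transport_policy(bucket), indent=2)


if __name__ == "__main__":
    policy = deny_insecure_transport_policy("finance-reports")  # constructed bucket name
    print(policy_json("finance-reports"))
    for secure in ("false", "true"):
        denied = is_explicitly_denied(
            policy, "s3:GetObject", "arn:aws:s3:::finance-reports/q1.csv",
            {"aws:SecureTransport": secure},
        )
        print(f"SecureTransport={secure}: {'DENIED' if denied else 'not denied by this statement'}")
```

Two details matter in practice and are visible in the evaluator: the Resource list must name both the bucket ARN (for bucket-level calls such as `s3:ListBucket`) and the `/*` object ARN, and the condition key is compared as a Bool, so the value in the policy is the string `"false"`.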
RDS and TLS
Connect to RDS databases using SSL/TLS. Configure clients to require TLS and, where possible, force SSL at the database level.
Exam Hint: DB Traffic
If a question says database traffic or credentials must never be sent unencrypted, you should enable and enforce SSL/TLS for RDS.
API Gateway Encryption
API Gateway public endpoints are HTTPS-only. You can attach custom domains with ACM certs and use private APIs with VPC endpoints.
Beyond Browsers
Encryption in transit applies to all clients: apps talking to S3, RDS, DynamoDB, or APIs should always use TLS, often enforced via policies.
Private Connectivity vs Public Internet: VPC Endpoints, VPN, Direct Connect
Why Private Connectivity?
Some requirements add "must not traverse the public internet" on top of encryption. Then you need private connectivity, not just TLS.
Gateway Endpoints
Use VPC Gateway Endpoints for S3 and DynamoDB so traffic stays on the AWS network, using private routes plus HTTPS encryption.
Interface Endpoints (PrivateLink)
Interface Endpoints create ENIs in your subnets for many AWS services and partner services, keeping traffic inside AWS and under SG control.
VPN and Direct Connect
Site-to-Site VPN encrypts traffic over the internet. Direct Connect is a private path but is not encrypted by default; run a Site-to-Site VPN over Direct Connect when both privacy and encryption are required.
Exam Clues
Look for "no public internet" (VPC endpoints/PrivateLink) vs "on-prem to AWS with encryption" (VPN) vs "high bandwidth, low latency" (Direct Connect).
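The difference between "encrypted" and "does not traverse the public internet" is visible in a subnet's route table and in the VPC endpoint list, which is what the following check inspects. It is an added example written for this chapter, not course or AWS code. The dicts are constructed but follow the shape of `ec2 describe-route-tables` and `ec2 describe-vpc-endpoints` output; every ID, including the prefix-list IDs, is a placeholder (the real S3 and DynamoDB prefix-list IDs are per region and come from `ec2 describe-prefix-lists`).

```python
"""Route-table and endpoint audit for the "no public internet" requirement.

Added example, not from the course page. All IDs are placeholders; the dict
shapes follow `ec2 describe-route-tables` and `ec2 describe-vpc-endpoints`.
"""

# Constructed: the route table attached to a private subnet.
PRIVATE_RT = {
    "RouteTableId": "rtb-0EXAMPLE",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        # Gateway endpoint route: the managed prefix list for S3 points at a vpce- gateway.
        {"DestinationPrefixListId": "pl-EXAMPLES3", "GatewayId": "vpce-0S3EXAMPLE", "State": "active"},
        # Everything else leaves through NAT, i.e. over the public internet.
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0EXAMPLE", "State": "active"},
    ],
}

# Constructed: service -> managed prefix list ID (placeholders, not real IDs).
PREFIX_LISTS = {"s3": "pl-EXAMPLES3", "dynamodb": "pl-EXAMPLEDDB"}

# Constructed: describe-vpc-endpoints entries for the same VPC.
ENDPOINTS = [
    {"VpcEndpointId": "vpce-0S3EXAMPLE", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-1.s3", "State": "available"},
    {"VpcEndpointId": "vpce-0APIEXAMPLE", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.execute-api", "State": "available",
     "PrivateDnsEnabled": True},
]


def gateway_endpoint_for(route_table, prefix_list_id):
    """Return the vpce- gateway carrying the prefix list, or None when traffic
    would fall through to the default route."""
    for route in route_table["Routes"]:
        if (route.get("DestinationPrefixListId") == prefix_list_id
                and route.get("GatewayId", "").startswith("vpce-")
                and route.get("State") == "active"):
            return route["GatewayId"]
    return None


def default_route_target(route_table):
    """Where 0.0.0.0/0 goes; an igw- or nat- target is a public-internet path."""
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("GatewayId") or route.get("NatGatewayId")
    return None


def audit_gateway_paths(route_table, prefix_lists):
    """Map each service to its private path, or to the default-route target when
    the subnet has no gateway endpoint route for it. HTTPS still encrypts the
    latter, but it does not satisfy "must not traverse the public internet"."""
    report = {}
    for service, pl in prefix_lists.items():
        vpce = gateway_endpoint_for(route_table, pl)
        report[service] = {"private": vpce is not None,
                           "via": vpce or default_route_target(route_table)}
    return report


def private_dns_interface_services(endpoints):
    """Interface endpoints never show up in route tables: with private DNS enabled
    the service's normal hostname resolves to the endpoint ENI, so clients need no
    change. Return the services that have such an endpoint."""
    return {
        e["ServiceName"]
        for e in endpoints
        if e["VpcEndpointType"] == "Interface"
        and e["State"] == "available"
        and e.get("PrivateDnsEnabled", False)
    }


if __name__ == "__main__":
    for service, info in audit_gateway_paths(PRIVATE_RT, PREFIX_LISTS).items():
        print(f"{service}: {'private' if info['private'] else 'PUBLIC PATH'} via {info['via']}")
    print("interface endpoints with private DNS:", private_dns_interface_services(ENDPOINTS))
```

In the constructed data S3 has a gateway endpoint route and DynamoDB does not, so DynamoDB calls from that subnet are TLS-encrypted yet still leave through the NAT gateway; the API Gateway interface endpoint is found through the endpoint list rather than the route table.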
Identity Federation and Short-Lived Credentials for Secure Access
Why Identity Matters for Transit
Security in transit is not only about encryption, but also about avoiding long-lived secrets being sent or stored where they can be stolen.
Identity Federation Basics
Users authenticate with an external IdP. The IdP issues a token, which AWS STS exchanges for temporary credentials via role assumption.
Short-Lived STS Credentials
STS returns an access key, secret key, and session token valid for a short time. If exposed, the attack window is limited.
Cognito and Web Identity
Mobile or web apps sign users in with social IdPs. Amazon Cognito then gets temporary AWS credentials for a role, all over TLS.
Exam Contrast
Federation with STS and short-lived credentials is preferred over embedding long-term IAM user access keys in application code or config.
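The practical side of this contrast is recognising which kind of key is sitting in a config file and knowing when a federated session needs renewing. The following helpers are an added example written for this chapter, not code from the course or AWS. The credentials-file text is constructed and uses AWS's documented placeholder key IDs; the `creds` dict mirrors the Credentials object returned by the STS AssumeRole* calls, where boto3 supplies `Expiration` as a timezone-aware datetime.

```python
"""Spot long-term access keys and track STS credential expiry.

Added example, not from the course page. The sample file is constructed and uses
AWS's documented placeholder key IDs; the creds dict follows the shape of the STS
Credentials object.
"""
import re
from datetime import datetime, timedelta, timezone

# IAM user (long-term) access key IDs begin with AKIA; STS temporary ones with ASIA.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# Constructed ~/.aws/credentials with one long-term and one temporary key.
SAMPLE_CREDENTIALS_FILE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = <redacted>

[federated]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = <redacted>
aws_session_token = <redacted>
"""


def classify_access_key(key_id: str) -> str:
    if key_id.startswith("AKIA"):
        return "long-term"
    if key_id.startswith("ASIA"):
        return "temporary"
    return "unknown"


def find_long_term_keys(text: str) -> list:
    """Long-term key IDs in a config, env dump or source file: each one is a
    credential that never expires on its own and has no place on a laptop under a
    federation-only policy."""
    return [m.group(0) for m in ACCESS_KEY_RE.finditer(text) if m.group(1) == "AKIA"]


def seconds_until_expiry(creds: dict, now: datetime) -> float:
    return (creds["Expiration"] - now).total_seconds()


def needs_refresh(creds: dict, now: datetime, margin: timedelta = timedelta(minutes=5)) -> bool:
    """Refresh a little before the session expires so in-flight calls don't fail."""
    return seconds_until_expiry(creds, now) <= margin.total_seconds()


def refresh_decision(seconds_left: float, margin_seconds: float = 300) -> bool:
    """Decision for a session that expires seconds_left from now."""
    now = datetime.now(timezone.utc)
    creds = {"AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
             "Expiration": now + timedelta(seconds=seconds_left)}
    return needs_refresh(creds, now, timedelta(seconds=margin_seconds))


if __name__ == "__main__":
    for m in ACCESS_KEY_RE.finditer(SAMPLE_CREDENTIALS_FILE):
        print(m.group(0), classify_access_key(m.group(0)))
    print("long-term keys to remove:", find_long_term_keys(SAMPLE_CREDENTIALS_FILE))
    print("refresh with 1 h left:", refresh_decision(3600))
    print("refresh with 2 min left:", refresh_decision(120))
```

The prefix check is a cheap first-pass detection for a "no long-term keys on endpoints" rule; a matching `AKIA` key in a laptop's credentials file is the finding, and a `ASIA` key with a session token is what federation through STS is expected to leave behind.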
Design Challenge: Putting the Pieces Together
Use this thought exercise to integrate TLS, private connectivity, and identity.
Scenario
You are designing an internal analytics dashboard hosted on EC2, accessed only by employees from your corporate network. It pulls data from:
- An internal REST API built on API Gateway.
- An RDS PostgreSQL database.
- S3 buckets with sensitive financial reports.
Requirements:
- All data must be encrypted in transit.
- Traffic between AWS and your data center must be encrypted.
- Access to S3, RDS, and API Gateway must not traverse the public internet.
- Employees must use corporate SSO, and no long-term AWS access keys may be stored on laptops.
Your task
- On paper (or in your notes), sketch the architecture and label:
  - Where TLS terminates for each connection.
  - Which private connectivity options you use.
- For each requirement, list the specific AWS features you would choose. For example, would you use:
  - Site-to-Site VPN, Direct Connect, or both?
  - VPC Gateway or Interface Endpoints for each service?
  - SAML federation, Cognito, or IAM users?
- After you decide, check yourself:
  - Did you avoid sending unencrypted traffic anywhere?
  - Did you minimize public internet exposure?
  - Did you rely on short-lived credentials instead of long-lived keys?
Pause here for 3–4 minutes and actually design it. This style of reasoning is exactly what the exam expects in scenario questions.
Quiz 1: TLS Termination and Service Encryption
Answer this question to check your understanding of TLS termination and encryption in transit for managed services.
A company hosts a web application on EC2 instances in private subnets behind an Application Load Balancer. Compliance states: "All external client connections must use HTTPS. Traffic within the VPC may be unencrypted." The team wants to minimize certificate management overhead. Which design best meets these requirements?
- Use an ALB with an ACM certificate for HTTPS from clients, and forward traffic as HTTP from the ALB to EC2 instances.
- Install certificates on every EC2 instance and use an NLB in TCP mode so TLS terminates only on the instances.
- Use an ALB with HTTPS from clients to ALB, and HTTPS from ALB to EC2 instances with instance-managed certificates.
- Use HTTP from clients to ALB and rely on security groups to protect the traffic.
Answer: A) Use an ALB with an ACM certificate for HTTPS from clients, and forward traffic as HTTP from the ALB to EC2 instances.
The requirement only mandates HTTPS for external client connections; internal VPC traffic may be unencrypted. Minimizing certificate management overhead points to centralizing TLS at the ALB with an ACM certificate and using HTTP to the instances. End-to-end HTTPS (option 3) adds unnecessary complexity. NLB with instance certificates (option 2) increases management overhead and is not needed. Plain HTTP from clients (option 4) violates the compliance requirement.
Quiz 2: Private Connectivity and Identity Federation
Test your understanding of private connectivity and short-lived credentials.
An enterprise needs on-premises applications to read from an S3 bucket containing sensitive logs. Requirements: (1) Data must be encrypted in transit, (2) traffic must not traverse the public internet, and (3) on-premises users must authenticate with corporate SAML SSO and must not use long-term IAM user access keys. Which combination is MOST appropriate?
- Use S3 public endpoints over HTTPS, IAM users with access keys stored in application configs, and a security group to restrict access.
- Create a Site-to-Site VPN between on-premises and AWS, use a VPC Gateway Endpoint for S3, and configure SAML federation to assume an IAM role with STS temporary credentials.
- Provision AWS Direct Connect only, access S3 over public endpoints with HTTP, and create IAM users with static keys for each application.
- Use API Gateway in front of S3 with HTTP, and authenticate using long-lived access keys stored in AWS Secrets Manager.
Answer: B) Create a Site-to-Site VPN between on-premises and AWS, use a VPC Gateway Endpoint for S3, and configure SAML federation to assume an IAM role with STS temporary credentials.
Option 2 satisfies all requirements: Site-to-Site VPN encrypts traffic between on-prem and AWS; a VPC Gateway Endpoint keeps S3 traffic on the AWS network instead of the public internet; and SAML federation with STS provides short-lived credentials instead of long-term IAM user keys. The other options either allow public internet paths, use HTTP instead of HTTPS, or rely on long-lived access keys.
Key Term Review: Data in Transit and Identity
Review these key terms before moving on.
- Data in transit: Data that is actively moving between systems, such as across the internet, between VPCs, or between services within a VPC, and must be protected against eavesdropping and tampering.
- TLS termination: The point in a network path where encrypted TLS traffic is decrypted, such as at an Application Load Balancer, Network Load Balancer, or application server.
- AWS Certificate Manager (ACM): A managed service that lets you provision, manage, and deploy public and private TLS certificates for use with services like ALB, NLB (TLS), CloudFront, and API Gateway.
- VPC Gateway Endpoint: A gateway that you add to your VPC route tables to provide private connectivity to S3 or DynamoDB without using an internet gateway, NAT device, or public IP addresses.
- VPC Interface Endpoint (AWS PrivateLink): An elastic network interface with a private IP in your subnet that serves as an entry point to supported AWS services or your own/partner services, keeping traffic within the AWS network.
- Site-to-Site VPN: An IPsec VPN connection between your on-premises network and an AWS VPC that encrypts traffic over the public internet.
- AWS Direct Connect: A dedicated network connection from your premises to AWS that provides private connectivity but is not encrypted by default.
- Identity federation: A pattern where users authenticate with an external identity provider and then obtain access to AWS by assuming roles, typically via AWS STS, instead of using long-term IAM user credentials.
- Short-lived credentials: Temporary security credentials issued by AWS STS (access key, secret key, session token) that expire after a configured duration, reducing risk if compromised.
- `aws:SecureTransport` condition: An S3 bucket policy condition key used to allow or deny requests based on whether they use SSL/TLS (HTTPS). It is commonly used to enforce encryption in transit to S3.