

# Encryption best practices for Amazon ECS
<a name="ecs"></a>

[Amazon Elastic Container Service (Amazon ECS)](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/Welcome.html) is a fast and scalable container management service that helps you run, stop, and manage containers on a cluster.

With Amazon ECS, you can encrypt data in transit by using any of the following approaches:
+ Create a service mesh. Using AWS App Mesh, configure TLS connections between the deployed [Envoy](https://docs.aws.amazon.com/app-mesh/latest/userguide/envoy.html) proxies and mesh endpoints, such as [virtual nodes](https://docs.aws.amazon.com/app-mesh/latest/userguide/virtual_nodes.html) or [virtual gateways](https://docs.aws.amazon.com/app-mesh/latest/userguide/virtual_gateways.html). You can use TLS certificates from AWS Private Certificate Authority or customer-provided certificates. For more information and walkthroughs, see [Enable traffic encryption between services in AWS App Mesh using AWS Certificate Manager (ACM) or customer-provided certificates](https://aws.amazon.com/blogs/containers/enable-traffic-encryption-between-services-in-aws-app-mesh-using-aws-certificate-manager-or-customer-provided-certificates/) (AWS blog post).
+ If your tasks run on Amazon EC2 instances that support [AWS Nitro Enclaves](https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html), consider using them. AWS Nitro Enclaves is an Amazon EC2 feature that allows you to create isolated execution environments, called *enclaves*, from Amazon EC2 instances. They are designed to help protect your most sensitive data. Additionally, [ACM for Nitro Enclaves](https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-refapp.html) allows you to use public and private SSL/TLS certificates with your web applications and web servers running on Amazon EC2 instances with AWS Nitro Enclaves; the certificate's private key is available only inside the enclave, not to the parent instance. For more information, see [AWS Nitro Enclaves – Isolated EC2 Environments to Process Confidential Data](https://aws.amazon.com/blogs/aws/aws-nitro-enclaves-isolated-ec2-environments-to-process-confidential-data/) (AWS blog post).
+ Use the Server Name Indication (SNI) extension of TLS with Application Load Balancers. You can deploy multiple applications behind a single HTTPS listener and attach a certificate for each application to that listener; the load balancer uses the host name that the client sends in the TLS handshake to select the matching certificate. You can use certificates provided by ACM, or certificates that you import into ACM or IAM (including self-signed certificates). Both [Application Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html) and [Network Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html) support SNI. For more information, see [Application Load Balancers Now Support Multiple TLS Certificates with Smart Selection Using SNI](https://aws.amazon.com/blogs/aws/new-application-load-balancer-sni/) (AWS blog post).
+ For improved security and flexibility, use AWS Private Certificate Authority to deploy a TLS certificate with the Amazon ECS task. For more information, see [Maintaining TLS all the way to your container part 2: Using AWS Private CA](https://aws.amazon.com/blogs/compute/maintaining-transport-layer-security-all-the-way-to-your-container-part-2-using-aws-certificate-manager-private-certificate-authority/) (AWS blog post).
+ Implement mutual TLS ([mTLS](https://docs.aws.amazon.com/app-mesh/latest/userguide/mutual-tls.html)) in App Mesh so that both the client and the server present certificates. App Mesh supports two certificate sources for mTLS: certificates hosted on the file system of the Envoy proxy, and certificates delivered through Envoy's [Secret discovery service](https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret) (SDS). For a walkthrough with file-provided certificates, see [howto-mutual-tls-file-provided](https://github.com/aws/aws-app-mesh-examples/tree/main/walkthroughs/howto-mutual-tls-file-provided) (GitHub).
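
The service-mesh and mTLS items above describe a target posture: listeners in STRICT TLS mode, outbound TLS enforced by the client policy, and, for mTLS, a trust bundle and a client certificate from a file or SDS source. The following is an added example (not code from the AWS documentation or from App Mesh) that audits a virtual node `spec` of the shape passed to `appmesh:CreateVirtualNode` against that posture. The field names are taken from the App Mesh API as the author understands it and should be checked against the current API reference; the ARNs, hostnames, and SDS secret names are constructed for the example.

```python
"""Audit App Mesh virtual node specs for STRICT TLS, enforced client TLS and (optionally) mTLS.

Added example; spec field names follow the appmesh CreateVirtualNode 'spec' structure
(assumption, verify against the API reference). All values below are constructed.
"""

PCA_ARN = "arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/11111111-2222-3333-4444-555555555555"
ACM_CERT_ARN = "arn:aws:acm:us-east-1:123456789012:certificate/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

# Virtual node that terminates TLS in STRICT mode, requires client certificates (listener
# 'validation'), and presents its own certificate when calling backends (mTLS both ways).
MTLS_SPEC = {
    "serviceDiscovery": {"dns": {"hostname": "orders.mesh.local"}},
    "listeners": [{
        "portMapping": {"port": 8080, "protocol": "http"},
        "tls": {
            "mode": "STRICT",
            "certificate": {"sds": {"secretName": "spiffe://mesh.local/orders"}},
            "validation": {"trust": {"sds": {"secretName": "spiffe://mesh.local"}}},
        },
    }],
    "backendDefaults": {"clientPolicy": {"tls": {
        "enforce": True,
        "validation": {"trust": {"acm": {"certificateAuthorityArns": [PCA_ARN]}}},
        "certificate": {"sds": {"secretName": "spiffe://mesh.local/orders"}},
    }}},
}

# Weak posture: PERMISSIVE listener (plaintext still accepted), client TLS not enforced,
# no client-certificate validation, no client certificate for outbound calls.
WEAK_SPEC = {
    "serviceDiscovery": {"dns": {"hostname": "legacy.mesh.local"}},
    "listeners": [{
        "portMapping": {"port": 8080, "protocol": "http"},
        "tls": {"mode": "PERMISSIVE", "certificate": {"acm": {"certificateArn": ACM_CERT_ARN}}},
    }],
    "backendDefaults": {"clientPolicy": {"tls": {
        "enforce": False,
        "validation": {"trust": {"file": {"certificateChain": "/etc/mesh/ca.pem"}}},
    }}},
}


def audit_virtual_node(spec, require_mtls=False):
    """Return a list of human-readable findings; an empty list means the spec meets the policy."""
    findings = []
    for i, listener in enumerate(spec.get("listeners", [])):
        port = listener.get("portMapping", {}).get("port")
        tls = listener.get("tls")
        if tls is None:
            findings.append(f"listener {i} (port {port}): no TLS configured")
            continue
        if tls.get("mode") != "STRICT":
            # PERMISSIVE accepts plaintext as well as TLS; DISABLED turns TLS off.
            findings.append(f"listener {i} (port {port}): TLS mode {tls.get('mode')!r}, expected STRICT")
        if not set(tls.get("certificate", {})) & {"acm", "file", "sds"}:
            findings.append(f"listener {i} (port {port}): no server certificate source")
        if require_mtls:
            # Listener-side client validation supports file or SDS trust bundles.
            trust = tls.get("validation", {}).get("trust", {})
            if not set(trust) & {"file", "sds"}:
                findings.append(f"listener {i} (port {port}): mTLS requires a file or SDS client trust bundle")

    client_tls = spec.get("backendDefaults", {}).get("clientPolicy", {}).get("tls")
    if client_tls is None:
        findings.append("backendDefaults: no client TLS policy, outbound TLS is not enforced")
        return findings
    # App Mesh treats a missing 'enforce' as true; an explicit false is the problem.
    if not client_tls.get("enforce", True):
        findings.append("backendDefaults: client TLS enforce=false")
    if not set(client_tls.get("validation", {}).get("trust", {})) & {"acm", "file", "sds"}:
        findings.append("backendDefaults: client policy has no trust anchor")
    if require_mtls and not set(client_tls.get("certificate", {})) & {"file", "sds"}:
        findings.append("backendDefaults: mTLS requires a file or SDS client certificate")
    return findings


if __name__ == "__main__":
    for name, spec in (("MTLS_SPEC", MTLS_SPEC), ("WEAK_SPEC", WEAK_SPEC)):
        print(name, audit_virtual_node(spec, require_mtls=True) or ["ok"])
```

Run the audit over the output of `aws appmesh describe-virtual-node` (the `spec` object) for each node in a mesh before and after a change; a PERMISSIVE listener is the usual migration-time setting that is forgotten and left in place.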

Consider the following encryption best practices for this service:
+ Where technically feasible, for enhanced security, configure [Amazon ECS interface VPC endpoints](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/vpc-endpoints.html) in AWS PrivateLink so that ECS API and agent traffic stays on the AWS network instead of crossing the public internet. Traffic to these endpoints is still TLS-encrypted, and if on-premises clients reach them over an AWS Site-to-Site VPN connection, the VPN tunnel adds a second layer of encryption in transit.
+ Store sensitive materials, such as API keys or database credentials, securely. You can store these as encrypted parameters in Parameter Store, a capability of AWS Systems Manager. However, we recommend you use AWS Secrets Manager because this service allows you to automatically rotate secrets, generate random secrets, and share secrets across AWS accounts. Reference them from the task definition by using the `secrets` parameter (with `valueFrom` set to the ARN of the secret or parameter) rather than placing the value in `environment`, so that the plaintext is injected into the container at task start and never stored in the task definition.
+ If users or applications in your data center or an external third party on the web are making direct HTTPS API requests to AWS services, sign those requests (AWS Signature Version 4) with temporary security credentials obtained from AWS Security Token Service (AWS STS) rather than with long-term IAM user access keys. When you use temporary credentials, include the session token in the `X-Amz-Security-Token` header and in the signed headers.
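
The last two items above come together when a client outside AWS registers a task definition directly against the ECS API: the task definition should reference its database password from Secrets Manager through `secrets`/`valueFrom`, and the request should be signed with SigV4 using temporary STS credentials, including the session token. The following is an added example, not code from the AWS documentation or from any AWS SDK, using only the Python standard library. The credentials, account ID, ARNs, and task definition are constructed for the example; the check that refuses credential-looking plaintext environment values, and the rule that `valueFrom` must be a full Secrets Manager or Parameter Store ARN, are local policy choices of this example (ECS itself also accepts a bare parameter name for same-Region SSM parameters).

```python
"""Register an ECS task definition that references a secret, signing the request with
AWS Signature Version 4 and temporary STS credentials. Added example; nothing is sent."""
import datetime as dt
import hashlib
import hmac
import json
import re

# Constructed, non-functional credentials shaped like an sts:AssumeRole response.
TEMP_CREDS = {
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE12",
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "SessionToken": "FwoGZXIvYXdzEXAMPLESESSIONTOKEN",
}

# Constructed task definition: the password is referenced via 'secrets'/'valueFrom',
# so the plaintext never appears in the task definition or in 'environment'.
TASK_DEF = {
    "family": "orders-api",
    "networkMode": "awsvpc",
    "requiresCompatibilities": ["FARGATE"],
    "cpu": "256",
    "memory": "512",
    "executionRoleArn": "arn:aws:iam::123456789012:role/ordersTaskExecutionRole",
    "containerDefinitions": [{
        "name": "orders",
        "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/orders:1.4.2",
        "environment": [{"name": "DB_HOST", "value": "orders-db.internal"}],
        "secrets": [{
            "name": "DB_PASSWORD",
            "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:orders/db-AbCdEf",
        }],
    }],
}

SENSITIVE_NAME = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)
# Local policy (assumption for this example): require full Secrets Manager or SSM ARNs.
SECRET_REF = re.compile(r"^arn:aws[\w-]*:(secretsmanager|ssm):[\w-]+:\d{12}:")


def find_plaintext_secrets(task_def):
    """Findings for credential-looking env vars given as plaintext, and for 'secrets'
    entries whose valueFrom is not a Secrets Manager or Parameter Store ARN."""
    findings = []
    for cd in task_def.get("containerDefinitions", []):
        for env in cd.get("environment", []):
            if SENSITIVE_NAME.search(env["name"]):
                findings.append(f"{cd['name']}: {env['name']} is a plaintext environment value")
        for sec in cd.get("secrets", []):
            if not SECRET_REF.match(sec["valueFrom"]):
                findings.append(f"{cd['name']}: {sec['name']} does not reference Secrets Manager or Parameter Store")
    return findings


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sigv4_headers(creds, region, host, target, body, now):
    """SigV4 headers for a POST to an AWS JSON 1.1 API. With temporary credentials the
    session token is sent in x-amz-security-token and is part of the signed headers."""
    service = "ecs"
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    headers = {
        "content-type": "application/x-amz-json-1.1",
        "host": host,
        "x-amz-date": amz_date,
        "x-amz-security-token": creds["SessionToken"],
        "x-amz-target": target,
    }
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    payload_hash = hashlib.sha256(body.encode()).hexdigest()
    canonical_request = "\n".join(["POST", "/", "", canonical_headers, signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Signing key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning
    k_signing = _hmac(_hmac(_hmac(_hmac(("AWS4" + creds["SecretAccessKey"]).encode(),
                                         date_stamp), region), service), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={creds['AccessKeyId']}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def build_register_call(task_def, creds, region, now=None):
    """Refuse task definitions that carry plaintext credentials; otherwise return
    (url, headers, body) for a RegisterTaskDefinition call, ready for an HTTPS client."""
    findings = find_plaintext_secrets(task_def)
    if findings:
        raise ValueError("; ".join(findings))
    now = now or dt.datetime.now(dt.timezone.utc)
    host = f"ecs.{region}.amazonaws.com"
    body = json.dumps(task_def, separators=(",", ":"))
    headers = sigv4_headers(creds, region, host,
                            "AmazonEC2ContainerServiceV20141113.RegisterTaskDefinition", body, now)
    return f"https://{host}/", headers, body


if __name__ == "__main__":
    url, hdrs, payload = build_register_call(TASK_DEF, TEMP_CREDS, "us-east-1")
    print(url)
    print(hdrs["authorization"])
```

Because the session token is inside `SignedHeaders`, a proxy or attacker cannot strip or swap it without invalidating the signature; the SDKs do the same thing, and this is the check to make when reviewing a hand-rolled signer. The signature is also bound to the date, so a captured request is only replayable within the service's clock-skew window (about 15 minutes) and only while the temporary credentials remain valid.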