

# SEC 9 How do you protect your data in transit?


Protect your data in transit by implementing multiple controls to reduce the risk of unauthorized access or loss.

**Topics**
+ [SEC09-BP01 Implement secure key and certificate management](sec_protect_data_transit_key_cert_mgmt.md)
+ [SEC09-BP02 Enforce encryption in transit](sec_protect_data_transit_encrypt.md)
+ [SEC09-BP03 Automate detection of unintended data access](sec_protect_data_transit_auto_unintended_access.md)
+ [SEC09-BP04 Authenticate network communications](sec_protect_data_transit_authentication.md)

# SEC09-BP01 Implement secure key and certificate management

Store encryption keys and certificates securely and rotate them at appropriate time intervals with strict access control. The best way to accomplish this is to use a managed service, such as [AWS Certificate Manager (ACM)](http://aws.amazon.com/certificate-manager). It lets you easily provision, manage, and deploy public and private Transport Layer Security (TLS) certificates for use with AWS services and your internal connected resources. TLS certificates are used to secure network communications and establish the identity of websites over the internet as well as resources on private networks. ACM integrates with AWS resources such as Elastic Load Balancers (ELBs), Amazon CloudFront distributions, and APIs on API Gateway, and it handles automatic certificate renewal. If you use ACM to deploy a private root CA, it can also issue both certificates and private keys for use on Amazon Elastic Compute Cloud (Amazon EC2) instances, in containers, and so on.

 **Level of risk exposed if this best practice is not established:** High 

## Implementation guidance
+  Implement secure key and certificate management: Implement your defined secure key and certificate management solution. 
  + [AWS Certificate Manager ](https://aws.amazon.com/certificate-manager/)
  + [ How to host and manage an entire private certificate infrastructure in AWS](https://aws.amazon.com/blogs/security/how-to-host-and-manage-an-entire-private-certificate-infrastructure-in-aws/)
+  Implement secure protocols: Use secure protocols that offer authentication and confidentiality, such as Transport Layer Security (TLS) or IPsec, to reduce the risk of data tampering or loss. Check the AWS documentation for the protocols and security relevant to the services that you are using. 

## Resources

 **Related documents:** 
+  [AWS Documentation ](https://docs.aws.amazon.com/)

# SEC09-BP02 Enforce encryption in transit

 Enforce your defined encryption requirements based on appropriate standards and recommendations to help you meet your organizational, legal, and compliance requirements. AWS services provide HTTPS endpoints using TLS for communication, thus providing encryption in transit when communicating with the AWS APIs. Insecure protocols, such as HTTP, can be audited and blocked in a VPC through the use of security groups. HTTP requests can also be [automatically redirected to HTTPS](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-viewers-to-cloudfront.html) in Amazon CloudFront or on an [Application Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html#redirect-actions). You have full control over your computing resources to implement encryption in transit across your services. Additionally, you can use VPN connectivity into your VPC from an external network to facilitate encryption of traffic. Third-party solutions are available in the AWS Marketplace, if you have special requirements. 

 **Level of risk exposed if this best practice is not established:** High 

## Implementation guidance
+  Enforce encryption in transit: Your defined encryption requirements should be based on the latest standards and best practices and allow only secure protocols. For example, configure a security group so that it allows only the HTTPS protocol to an Application Load Balancer or an Amazon Elastic Compute Cloud (Amazon EC2) instance. 
+  Configure secure protocols in edge services: Configure HTTPS with Amazon CloudFront and required ciphers. 
  + [ Using HTTPS with CloudFront ](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https.html)
+  Use a VPN for external connectivity: Consider using an IPsec virtual private network (VPN) for securing point-to-point or network-to-network connections to provide both data privacy and integrity. 
  + [ VPN connections ](https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpn-connections.html)
+  Configure secure protocols in load balancers: Enable an HTTPS listener to secure connections to load balancers. 
  + [ HTTPS listeners for your application load balancer ](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html)
+  Configure secure protocols for instances: Consider configuring HTTPS encryption on instances. 
  + [ Tutorial: Configure Apache web server on Amazon Linux 2 to use SSL/TLS ](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-an-instance.html)
+  Configure secure protocols in Amazon Relational Database Service (Amazon RDS): Use Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to encrypt connections to database instances. 
  + [ Using SSL to encrypt a connection to a DB Instance ](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html)
+  Configure secure protocols in Amazon Redshift: Configure your cluster to require a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) connection. 
  + [ Configure security options for connections ](https://docs.aws.amazon.com/redshift/latest/mgmt/connecting-ssl-support.html)
+  Configure secure protocols in additional AWS services: For the AWS services you use, determine their encryption-in-transit capabilities. 
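The first two items above (security groups that admit only HTTPS, and load balancer listeners that redirect HTTP to HTTPS) can be checked from the API responses. The script below is an added example and not AWS's own code; it walks the `DescribeSecurityGroups` and `DescribeListeners` response shapes and flags plaintext exposure, using constructed input with placeholder IDs so it runs offline.

```python
"""Added example, not part of the AWS Well-Architected page: audit security
group ingress rules (DescribeSecurityGroups shape) and ALB listeners
(DescribeListeners shape) for plaintext protocols. Inputs are constructed."""

# Ports whose usual protocol carries no transport encryption.
PLAINTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP", 8080: "HTTP-alt"}

def sg_findings(groups):
    """(group id, port, protocol name, source cidr) for every TCP ingress rule
    whose port range covers a known plaintext port; '-1' means all traffic."""
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            if perm.get("IpProtocol") == "-1":
                lo, hi = 0, 65535
            elif perm.get("IpProtocol") != "tcp" or lo is None:
                continue
            for port, name in PLAINTEXT_PORTS.items():
                if lo <= port <= hi:
                    for rng in perm.get("IpRanges", []):
                        findings.append((g["GroupId"], port, name, rng["CidrIp"]))
    return findings

def listener_findings(listeners):
    """ARNs of HTTP listeners whose default action is not a redirect to HTTPS,
    i.e. listeners that serve plaintext instead of upgrading the client."""
    bad = []
    for lst in listeners:
        if lst["Protocol"] != "HTTP":
            continue
        redirects = any(a.get("Type") == "redirect" and
                        a.get("RedirectConfig", {}).get("Protocol") == "HTTPS"
                        for a in lst.get("DefaultActions", []))
        if not redirects:
            bad.append(lst["ListenerArn"])
    return bad

# Constructed sample input (placeholder IDs and ARNs, not a real account).
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-admin", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]
SAMPLE_LISTENERS = [
    {"ListenerArn": "arn:PLACEHOLDER:listener/app/web/1", "Protocol": "HTTP",
     "DefaultActions": [{"Type": "redirect", "RedirectConfig": {"Protocol": "HTTPS", "Port": "443"}}]},
    {"ListenerArn": "arn:PLACEHOLDER:listener/app/api/2", "Protocol": "HTTP",
     "DefaultActions": [{"Type": "forward"}]},
]
```

Run against real accounts by feeding the `SecurityGroups` and `Listeners` lists from the boto3 responses; the `-1` (all traffic) rule is reported for every plaintext port because it admits all of them.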

## Resources

 **Related documents:** 
+ [AWS documentation ](https://docs.aws.amazon.com/index.html)

# SEC09-BP03 Automate detection of unintended data access

Use tools such as Amazon GuardDuty to automatically detect suspicious activity or attempts to move data outside of defined boundaries. For example, GuardDuty can detect unusual Amazon Simple Storage Service (Amazon S3) read activity with the [Exfiltration:S3/AnomalousBehavior finding](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#exfiltration-s3-objectreadunusual). In addition to GuardDuty, [Amazon VPC Flow Logs](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html), which capture network traffic information, can be used with Amazon EventBridge to trigger detection of abnormal connections, both successful and denied. [Amazon S3 Access Analyzer](http://aws.amazon.com/blogs/storage/protect-amazon-s3-buckets-using-access-analyzer-for-s3) can help assess what data in your Amazon S3 buckets is accessible to whom. 

 **Level of risk exposed if this best practice is not established:** Medium 

## Implementation guidance
+  Automate detection of unintended data access: Use a tool or detection mechanism to automatically detect attempts to move data outside of defined boundaries, for example, to detect a database system that is copying data to an unrecognized host. 
  + [ VPC Flow Logs](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html) 
+  Consider Amazon Macie: Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS. 
  + [ Amazon Macie ](https://aws.amazon.com/macie/)
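The detection described above (a database system copying data to an unrecognized host, surfaced from VPC Flow Logs with both accepted and denied flows kept) can be written as a small rule over default-format flow log records. This is an added example, not code from the AWS page; the records, the database host address and its allowed peers are constructed assumptions for the illustration.

```python
"""Added example, not part of the AWS Well-Architected page: scan VPC Flow Log
records (default format) for traffic that leaves a database host towards a
peer it is not expected to talk to, keeping accepted and rejected flows apart.
The records and host lists below are constructed for the example."""
from collections import defaultdict

FIELDS = ("version account interface srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action status").split()

def parse(line):
    """Map one default-format flow log record onto its field names."""
    return dict(zip(FIELDS, line.split()))

def unexpected_peers(lines, db_hosts, allowed_peers):
    """Aggregate flows from db_hosts to addresses outside allowed_peers.
    ACCEPT flows are summed by bytes (volume hints at a copy in progress);
    REJECT flows are counted, since denied attempts are also a signal."""
    out = {"ACCEPT": defaultdict(int), "REJECT": defaultdict(int)}
    for line in lines:
        rec = parse(line)
        if rec.get("status") != "OK":        # NODATA / SKIPDATA carry no flow
            continue
        src, dst = rec["srcaddr"], rec["dstaddr"]
        if src not in db_hosts or dst in allowed_peers:
            continue                         # not our host, or an expected peer
        if rec["action"] == "ACCEPT":
            out["ACCEPT"][(src, dst)] += int(rec["bytes"])
        else:
            out["REJECT"][(src, dst)] += 1
    return {k: dict(v) for k, v in out.items()}

# Constructed records: 10.0.2.15 is the database host, 10.0.1.20 its app tier.
SAMPLE = [
    "2 123456789012 eni-0a1b2c 10.0.2.15 10.0.1.20 3306 51234 6 40 3200 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c 10.0.2.15 203.0.113.9 49152 443 6 4000 5200000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c 10.0.2.15 198.51.100.7 49153 22 6 3 180 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c 10.0.1.20 10.0.2.15 51234 3306 6 20 1500 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c - - - - - - - 1700000000 1700000060 - NODATA",
]
DB_HOSTS = {"10.0.2.15"}
ALLOWED_PEERS = {"10.0.1.20"}
```

In a deployment the same rule would run inside a Lambda function fed by the flow log destination, emitting an EventBridge event for each unexpected peer rather than returning a dictionary.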

## Resources

 **Related documents:** 
+ [ VPC Flow Logs](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html) 
+ [ Amazon Macie ](https://aws.amazon.com/macie/)

# SEC09-BP04 Authenticate network communications

 Verify the identity of communications by using protocols that support authentication, such as Transport Layer Security (TLS) or IPsec. 

Using network protocols that support authentication allows trust to be established between the parties. This adds to the encryption used in the protocol to reduce the risk of communications being altered or intercepted. Common protocols that implement authentication include Transport Layer Security (TLS), which is used in many AWS services, and IPsec, which is used in [AWS Virtual Private Network (Site-to-Site VPN)](http://aws.amazon.com/vpn).

 **Level of risk exposed if this best practice is not established:** Low 

## Implementation guidance
+  Implement secure protocols: Use secure protocols that offer authentication and confidentiality, such as TLS or IPsec, to reduce the risk of data tampering or loss. Check the [AWS documentation](https://docs.aws.amazon.com/) for the protocols and security relevant to the services you are using. 

## Resources

 **Related documents:** 
+  [AWS Documentation](https://docs.aws.amazon.com/) 