Data in transit encryption

Data in transit encryption is a non-negotiable requirement for securing microservices communication, both synchronous and asynchronous. It plays a pivotal role in ensuring that the data packets transmitted between services are encrypted, thereby safeguarding them from unauthorized interception or tampering. This is especially crucial in a distributed architecture where services are often decoupled and may reside in different network zones.

Transport layer security (TLS)

TLS is a widely adopted protocol for encrypting data in transit. While AWS services such as SQS, SNS, and API Gateway natively enforce TLS, it is important to note that TLS must also be explicitly configured when you implement custom data flows between microservices that don’t rely on AWS-managed services for communication. This may involve configuring your code to initiate and accept TLS-encrypted connections, which often requires additional libraries and dependencies.

While standard TLS provides data encryption with server-side authentication, mutual TLS (mTLS) takes it a step further by requiring both the client and the server to authenticate each other. This is particularly useful in scenarios where you need to ensure that both parties in the communication are trustworthy. AWS services such as API Gateway offer native mTLS support, allowing you to enforce strict security policies that require both client and server-side X.509 certificates.

Certificate management

In the context of TLS, managing certificates becomes a critical aspect of security. Certificates are used to authenticate the services and encrypt data in transit. Here are some of the methods used for certificate management in AWS:

  • AWS Certificate Manager (ACM): ACM is a convenient tool for provisioning, managing, and deploying TLS certificates. It offers seamless integration with various AWS services, simplifying the process of setting up and managing certificates for your microservices.
  • ACM Private CA: This is ideal for microservices that require secure communication but are not exposed to the public internet. ACM Private CA allows for the issuance and management of private certificates. These certificates are trusted within your organization, enhancing the security of internal communications.
  • Self-managed alternative: For organizations with specific compliance requirements, managing their own public key infrastructure (PKI) can be a viable option. This approach includes establishing your own CA, issuing certificates, and handling renewals. While it provides greater control, it also involves significant operational overhead, encompassing tasks such as certificate rotation, revocation, and secure storage.
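To make the custom TLS/mTLS setup described under "Transport layer security" concrete, and to show what a private CA (whether ACM Private CA or a self-managed one) actually issues, here is an added Go example that is not code from the original post or from any AWS SDK. It mints an in-memory private CA, issues server and client certificates from it, starts a service that requires a verified client certificate, and shows that a caller without one is rejected. The service names (orders-svc, billing-svc), the X-Peer header and the in-memory CA are constructed for the demo; in production the certificates would come from ACM Private CA or your own PKI rather than being generated at startup.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue mints an Ed25519 cert for name signed by parent; parent == nil yields a self-signed private CA.
// Demo-only: real deployments obtain these from ACM Private CA or an organizational PKI.
func issue(name string, isCA bool, parent *x509.Certificate, pk ed25519.PrivateKey) (tls.Certificate, *x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, // CertSign only matters for the CA
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	if parent == nil { parent, pk = tmpl, key } // root: signs itself
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pk)
	cert, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, key
}

// call does an HTTPS GET trusting only pool and presenting certs (nil = no client cert); it returns the
// peer identity the server echoed back in the constructed X-Peer header, or the TLS error.
func call(url string, pool *x509.CertPool, certs []tls.Certificate) (string, error) {
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, Certificates: certs, ServerName: "orders-svc"}}
	resp, err := (&http.Client{Transport: tr}).Get(url)
	if err != nil { return "", err }
	resp.Body.Close()
	return resp.Header.Get("X-Peer"), nil
}

// RunMTLSDemo: the private CA issues server and client certs; the server requires and verifies the
// client cert (mTLS), so a caller that presents none is rejected during the handshake.
func RunMTLSDemo() (withCert string, withoutCert error) {
	_, ca, caKey := issue("internal-ca", true, nil, nil)
	srvCert, _, _ := issue("orders-svc", false, ca, caKey)
	cliCert, _, _ := issue("billing-svc", false, ca, caKey)
	pool := x509.NewCertPool(); pool.AddCert(ca) // the only trust anchor on both sides
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Peer", r.TLS.PeerCertificates[0].Subject.CommonName) // identity proven by the client cert
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{srvCert}, ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert}
	srv.StartTLS()
	defer srv.Close()
	withCert, _ = call(srv.URL, pool, []tls.Certificate{cliCert})
	_, withoutCert = call(srv.URL, pool, nil)
	return withCert, withoutCert
}
```

Changing ClientAuth to tls.NoClientCert turns the same server into plain server-authenticated TLS, which is the difference between the two modes discussed above.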
