Securing Data in Transit

Most web applications hosted on AWS send data over the internet, so protecting data in transit is imperative. That transit includes network traffic between clients and servers and network traffic between servers, so data in transit needs protection at the network layer and at the session layer.

AWS services provide IPsec and SSL/TLS support for securing data in transit. IPsec extends the IP protocol stack at the network layer, so applications in the upper layers communicate securely without modification. SSL/TLS, by contrast, operates at the session layer, above TCP, so each application (or its client library) has to use it explicitly.

Transport Layer Security (TLS) is a standard set of protocols for securing communications over a network. TLS evolved from Secure Sockets Layer (SSL) and is the more refined system; every SSL version is now deprecated, so "SSL/TLS" throughout this section means a current TLS version.

Let us look at options to secure network traffic in AWS for various AWS services.

Amazon S3

Amazon S3 supports SSL/TLS for encrypting data in transit: its endpoints accept requests over HTTPS, and every kind of request can be carried that way, whether it is a management request such as creating or configuring a bucket, a user payload such as the content of an object being saved or fetched, or the metadata of objects saved, modified, or fetched from S3 buckets. HTTPS is not enforced by default, though: the REST endpoints also accept plain HTTP, so a client configured with an http:// endpoint moves objects in clear text. To guarantee encryption in transit, attach a bucket policy that denies requests for which the aws:SecureTransport condition key is false.

You can access S3 using either the AWS Management Console or through S3 APIs.

When you access S3 through the AWS Management Console, a TLS connection is established between your browser and the console endpoint, and it secures all subsequent traffic for that session.

When you access S3 programmatically through the S3 API, a TLS connection is established between the client and the S3 endpoint, and all requests and responses in that session are encapsulated within it. The AWS SDKs use the HTTPS endpoints by default; if you construct an endpoint URL by hand, use the https:// form.
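Enforcing TLS for a bucket, as an added example that is not from the page and not AWS's own code: the policy below (hypothetical bucket name example-bucket) denies any request whose aws:SecureTransport context key is false and any request negotiated below TLS 1.2 via the s3:TlsVersion key, and a toy evaluator checks constructed request contexts against the two Deny statements. The evaluator implements only the two condition operators the policy uses; it is not an IAM engine.

```python
import json


def tls_only_bucket_policy(bucket, min_tls_version="1.2"):
    """Bucket policy that denies any request not sent over TLS and any TLS
    request negotiated below min_tls_version. aws:SecureTransport and
    s3:TlsVersion are the S3 condition keys that carry this information."""
    arn = f"arn:aws:s3:::{bucket}"
    resources = [arn, f"{arn}/*"]          # the bucket itself and every object
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": resources,
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {
                "Sid": "DenyOldTlsVersions",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": resources,
                "Condition": {"NumericLessThan": {"s3:TlsVersion": min_tls_version}},
            },
        ],
    }


def _condition_matches(operator, pairs, context):
    """Evaluate one condition block against a request-context dict. A key that
    is absent from the context never matches, as in IAM without ...IfExists."""
    for key, wanted in pairs.items():
        if key not in context:
            return False
        actual = context[key]
        if operator == "Bool":
            if str(actual).lower() != str(wanted).lower():
                return False
        elif operator == "NumericLessThan":
            if not float(actual) < float(wanted):
                return False
        else:
            raise NotImplementedError(operator)
    return True


def request_denied(policy, context):
    """True if every condition of some Deny statement matches the context."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_matches(op, pairs, context) for op, pairs in conditions.items()):
            return True
    return False


if __name__ == "__main__":
    policy = tls_only_bucket_policy("example-bucket")      # hypothetical bucket
    print(json.dumps(policy, indent=2))
    # Constructed request contexts, shaped as S3 populates them:
    print(request_denied(policy, {"aws:SecureTransport": "false"}))                         # True
    print(request_denied(policy, {"aws:SecureTransport": "true", "s3:TlsVersion": "1.0"}))  # True
    print(request_denied(policy, {"aws:SecureTransport": "true", "s3:TlsVersion": "1.2"}))  # False
```

Apply the generated document with aws s3api put-bucket-policy --bucket example-bucket --policy file://policy.json. The statements only deny; whatever the bucket policy and IAM otherwise allow still applies, and because the Principal is "*", the bucket owner's own plain-HTTP requests are refused too, which is the intent.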

Amazon RDS

You have the option of connecting to RDS from an EC2 instance in the same region (and, better, in the same VPC), in which case the traffic stays on the AWS network and you can lean on its security. Even then, enabling TLS costs little and protects against an over-permissive security group or a compromised host on the same network. If you connect to RDS over the internet, TLS is not optional.

SSL/TLS connections are supported by all RDS database engines (MySQL, MariaDB, PostgreSQL, Microsoft SQL Server, and Oracle); how it is enabled and enforced is engine-specific. Each instance is provisioned with a server certificate signed by an Amazon RDS certificate authority, so the client has to download the RDS CA bundle and verify the server certificate against it: a connection that is encrypted but does not verify the certificate is not protected against an on-path attacker. Enforcement on the server side is also engine-specific; for example, MySQL can require TLS for a given account with REQUIRE SSL, and PostgreSQL and SQL Server expose the rds.force_ssl parameter.

RDS for Oracle additionally offers Oracle Native Network Encryption, which encrypts traffic traveling over Oracle Net Services; it is enabled through an option group on the instance rather than through client certificates.
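Verifying the RDS server certificate on the client, as an added example that is not from the page and not AWS's or any driver's own code: it builds a Python ssl context that trusts only the RDS CA bundle (hypothetical local path rds-ca-bundle.pem), returns the per-engine driver options that turn on certificate verification, and flags the common weak settings that encrypt without authenticating the server (PostgreSQL sslmode=require, ODBC TrustServerCertificate=yes, a MySQL ssl mapping with no CA). The option names are those documented for libpq/psycopg2, PyMySQL and the Microsoft ODBC driver; confirm them against your driver version.

```python
import ssl

# Hypothetical local path. The bundle is downloaded from the RDS documentation;
# the RDS CAs are not present in any operating-system trust store.
RDS_CA_BUNDLE = "rds-ca-bundle.pem"


def build_rds_tls_context(ca_bundle_path=None):
    """SSL context that trusts only the RDS certificate authorities.

    PROTOCOL_TLS_CLIENT enables certificate verification and hostname
    checking; deliberately not loading the system CA store means a
    certificate for the endpoint name issued by any other CA is rejected.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_bundle_path is not None:
        ctx.load_verify_locations(cafile=ca_bundle_path)
    return ctx


def tls_is_enforced(ctx):
    """Sanity check before handing a context to a driver: a context left at
    CERT_NONE encrypts just as happily to an impostor."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def driver_tls_options(engine, ca_bundle_path=RDS_CA_BUNDLE):
    """Connection options that encrypt AND verify the server, per engine."""
    if engine == "postgres":      # libpq keywords, usable as psycopg2 connect kwargs
        return {"sslmode": "verify-full", "sslrootcert": ca_bundle_path}
    if engine == "mysql":         # PyMySQL 'ssl' mapping; an SSLContext is also accepted
        return {"ssl": {"ca": ca_bundle_path, "check_hostname": True}}
    if engine == "sqlserver":     # ODBC connection-string attributes; the driver
        return {"Encrypt": "yes", "TrustServerCertificate": "no"}  # checks the OS store
    raise ValueError(f"unknown engine {engine!r}")


def verifies_server(engine, options):
    """Return False for settings that encrypt without authenticating the server."""
    if engine == "postgres":
        # 'require' encrypts but accepts any certificate; only verify-ca and
        # verify-full check the chain, and only verify-full checks the hostname.
        return options.get("sslmode") == "verify-full" and bool(options.get("sslrootcert"))
    if engine == "mysql":
        ssl_opts = options.get("ssl") or {}
        return bool(ssl_opts.get("ca")) and bool(ssl_opts.get("check_hostname", True))
    if engine == "sqlserver":
        return (options.get("Encrypt", "no").lower() == "yes"
                and options.get("TrustServerCertificate", "no").lower() == "no")
    raise ValueError(f"unknown engine {engine!r}")


if __name__ == "__main__":
    ctx = build_rds_tls_context()          # add RDS_CA_BUNDLE once the file is in place
    print(tls_is_enforced(ctx))            # True
    print(verifies_server("postgres", {"sslmode": "require"}))   # False: no verification
    print(verifies_server("postgres", driver_tls_options("postgres")))  # True
```

After connecting, confirm on the server that the session really is encrypted; on MySQL, SHOW STATUS LIKE 'Ssl_cipher' returns a non-empty cipher name for a TLS session and an empty value for a clear-text one. For SQL Server the RDS bundle has to be installed in the operating system's trust store, since the ODBC driver validates against that rather than a per-connection file.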

Amazon DynamoDB

You can connect to DynamoDB from other AWS services in the same region and, while doing so, rely on the existing security of the AWS network. When accessing DynamoDB from the internet, use HTTP over SSL/TLS (HTTPS); the DynamoDB endpoints support it and the AWS SDKs use it by default. AWS advises avoiding plain HTTP for every connection made over the internet, to DynamoDB and to other AWS services alike.

Amazon EMR

Amazon EMR offers several encryption options for securing data in transit. Most are features of the open source applications running on the cluster, so they are application-specific and vary by EMR release.

For traffic between Hadoop nodes, all nodes of an EMR cluster reside in the same Availability Zone and are covered by AWS security measures at the physical and infrastructure layer, so additional protection has traditionally been considered unnecessary. Current EMR releases can nevertheless encrypt the inter-node application traffic (HDFS block transfer, the MapReduce shuffle, Spark, and others) through an EMR security configuration with in-transit encryption enabled, which is the right choice for sensitive data.

For traffic between the Hadoop cluster and Amazon S3, Amazon EMR uses HTTPS for sending data between the cluster's EC2 instances and S3. It also uses HTTPS by default for data sent between the Hadoop cluster and Amazon DynamoDB.

For users or applications interacting with the Hadoop cluster, use SSH, or REST over HTTPS, for interactive access to applications. Thrift and Avro RPC traffic can likewise be wrapped in SSL/TLS.

To manage a Hadoop cluster you need to access the EMR master node. Use SSH to reach the master node for administrative tasks and cluster management, and keep TCP port 22 in the master node's security group restricted to known source addresses rather than open to 0.0.0.0/0.
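An EMR security configuration that turns on in-transit encryption for the inter-node traffic discussed above, as an added example that is not from the page and not Amazon's code. It assumes a certificate bundle already uploaded to the hypothetical s3://example-bucket/emr-tls/certs.zip, and it includes an audit function for configurations returned by aws emr describe-security-configuration (whose SecurityConfiguration field is a JSON string that must be parsed first).

```python
import json


def emr_in_transit_security_configuration(cert_zip_s3_uri):
    """Security configuration enabling TLS for EMR inter-node application traffic.

    cert_zip_s3_uri must point at a zip holding privateKey.pem and
    certificateChain.pem (optionally trustedCertificates.pem); EMR copies it
    to every node. At-rest encryption is out of scope here and left disabled.
    """
    if not cert_zip_s3_uri.startswith("s3://"):
        raise ValueError("certificate bundle must be an s3:// URI")
    return {
        "EncryptionConfiguration": {
            "EnableInTransitEncryption": True,
            "EnableAtRestEncryption": False,
            "InTransitEncryptionConfiguration": {
                "TLSCertificateConfiguration": {
                    "CertificateProviderType": "PEM",
                    "S3Object": cert_zip_s3_uri,
                }
            },
        }
    }


def audit_security_configuration(config):
    """Return findings for a security-configuration dict. An empty list means
    in-transit encryption is enabled and has a usable certificate source."""
    findings = []
    enc = config.get("EncryptionConfiguration")
    if not isinstance(enc, dict):
        return ["no EncryptionConfiguration: inter-node traffic is plaintext"]
    if not enc.get("EnableInTransitEncryption"):
        findings.append("EnableInTransitEncryption is false")
    tls = enc.get("InTransitEncryptionConfiguration", {}).get("TLSCertificateConfiguration")
    if not tls:
        findings.append("no TLSCertificateConfiguration")
    elif (tls.get("CertificateProviderType") == "PEM"
          and not str(tls.get("S3Object", "")).startswith("s3://")):
        findings.append("PEM provider without an s3:// S3Object")
    return findings


def audit_describe_output(describe_json_text):
    """Audit the raw output of `aws emr describe-security-configuration`."""
    outer = json.loads(describe_json_text)
    return audit_security_configuration(json.loads(outer["SecurityConfiguration"]))


if __name__ == "__main__":
    cfg = emr_in_transit_security_configuration("s3://example-bucket/emr-tls/certs.zip")
    with open("emr-tls.json", "w") as fh:          # input for create-security-configuration
        json.dump(cfg, fh, indent=2)
    print(audit_security_configuration(cfg))        # []
```

Register it with aws emr create-security-configuration --name tls-in-transit --security-configuration file://emr-tls.json, then pass --security-configuration tls-in-transit to aws emr create-cluster; the setting cannot be added to a running cluster. Because the certificate's subject must match the node hostnames, use a wildcard for the cluster's domain.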
