If I have an application running on EC2, say a container that was spun off. Now if the application inside the container is accessing an RDS database, I am assuming both components are within an AWS data center. Is it recommended to encrypt the data in transit between the container and RDS?
"recommended" – it just depends on your needs. Some compliance needs require "end-to-end" encryption – then you would do it. Some compliance needs just state "encryption when travelling public networks" – then you may not. Some would just say encrypt all the time – what is there to lose? Yes, there is something to lose – performance, because encryption is an expensive operation.
I am assuming both the components are within AWS Data Center.
If you are using a VPC service endpoint for the RDS service, then the traffic flows only inside your VPC network.
If you use a public RDS endpoint to address the RDS instance, then the traffic goes between the public IP of your EC2 instance and the RDS public endpoint. So make sure you use the internal RDS endpoint (IMHO, for a DB you should not create any public endpoint by default).
Is it recommended to encrypt the data in transit between container and RDS?
Depends – as already answered, there are cases when encryption is required even on internal traffic, based on the compliance rules you are bound to. Some databases will require an SSL connection anyway (MySQL). IMHO you should use TLS/SSL if available even on internal networks; it provides a way to ensure the endpoint identity.
encryption is an expensive operation
That’s not really true. What is expensive is setting up a new TLS/SSL connection. So if you can pool the database connections, the encryption itself has very little performance overhead.
From the main AWS page on security (aws.amazon.com/security) they do say this: "All data flowing across the AWS global network that interconnects our datacenters and regions is automatically encrypted at the physical layer before it leaves our secured facilities."
The other question to ask is why are you encrypting? That’s not rhetorical. What is the motivation? If it is to comply with a policy or regulation, just do it. It isn’t being done for you across the VPC (only between facilities), so you have to do it. If you’re concerned about authenticity (e.g., only connecting to servers that present a valid X.509 identity certificate), then you have to install approved TLS certificates on all the instances and do a lot of work to do certificate verification. Failures in certificate verification can cause systems to refuse to talk to each other for bureaucratic reasons when, technically, they’re communicating just fine. Finally, you might be encrypting because you’re worried about eavesdropping (i.e., keeping your data confidential). You have to consider the possibility that someone eavesdrops on the network and can capture and exfiltrate your network communications. I think that’s the least likely scenario in the VPC. It’s hard to imagine an adversary who has that kind of access and who can single out one customer’s traffic across the vast Amazon network. We never do security controls except to address a security threat. And so asking abstract questions like "should I encrypt" doesn’t make sense unless you enumerate a threat that would succeed, except that it fails because the data is encrypted.
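Three of the answers above make concrete claims that are easy to get wrong in practice: that TLS to RDS is worth doing because it verifies the endpoint identity, that the cost is the handshake rather than the per-query encryption (so pooling matters), and that certificate verification is where deployments break. The following Python is an added example written for this page, not code from any of the answerers or from AWS. It builds a client TLS context that actually verifies the RDS server certificate, shows the connection arguments for PyMySQL and psycopg2, and wraps connections in a small pool so the handshake is paid once rather than per query. The CA bundle path is a placeholder; the database factory used in `handshakes_for` is a stand-in constructed for the example so it runs offline.

```python
import queue
import ssl
import threading
from contextlib import contextmanager
from typing import Callable, Iterator, Optional

# Placeholder path (assumption for this example). RDS server certificates chain
# to Amazon's RDS CA, not to the OS trust store, so you must download the bundle
# from https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem and
# point this at it; otherwise every verified connection fails.
RDS_CA_BUNDLE = "/etc/ssl/certs/rds-global-bundle.pem"


def make_rds_tls_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context that verifies the server certificate and its hostname.

    PROTOCOL_TLS_CLIENT already enables both checks; they are restated here so
    a later edit cannot silently weaken them. TLS < 1.2 is refused outright.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def tls_policy(ctx: ssl.SSLContext) -> dict:
    """Summarise the settings an auditor (or a unit test) cares about."""
    return {
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
        "minimum_version": ctx.minimum_version.name,
    }


def pymysql_kwargs(host: str, user: str, password: str, database: str,
                   ctx: ssl.SSLContext) -> dict:
    """Arguments for pymysql.connect(); PyMySQL accepts an SSLContext as `ssl`.

    `host` must be the RDS DNS endpoint, not its IP address: check_hostname
    compares it with the names in the server certificate, and an IP will not
    match, which is exactly the "bureaucratic" failure the last answer warns about.
    """
    return {"host": host, "user": user, "password": password,
            "database": database, "ssl": ctx}


def psycopg2_kwargs(host: str, user: str, password: str, dbname: str,
                    cafile: str = RDS_CA_BUNDLE) -> dict:
    """Equivalent for psycopg2: sslmode=verify-full checks chain and hostname."""
    return {"host": host, "user": user, "password": password, "dbname": dbname,
            "sslmode": "verify-full", "sslrootcert": cafile}


class TlsConnectionPool:
    """Minimal thread-safe pool. The handshake is the expensive part of TLS,
    so keeping connections open amortises it; per-query encryption is cheap."""

    def __init__(self, connect: Callable[[], object], max_idle: int = 8):
        self._connect = connect
        self._max_idle = max_idle
        self._idle: "queue.Queue[object]" = queue.Queue(maxsize=max(max_idle, 1))
        self._lock = threading.Lock()
        self.handshakes = 0  # number of real connects (each one is a TLS handshake)

    @contextmanager
    def connection(self) -> Iterator[object]:
        try:
            conn = self._idle.get_nowait()
        except queue.Empty:
            with self._lock:
                self.handshakes += 1
            conn = self._connect()
        try:
            yield conn
        finally:
            if self._max_idle > 0:
                try:
                    self._idle.put_nowait(conn)
                    return
                except queue.Full:
                    pass
            close = getattr(conn, "close", None)
            if callable(close):
                close()


def handshakes_for(n_queries: int, pooled: bool = True) -> int:
    """Connects needed for n sequential queries, with or without pooling.
    Uses a constructed stand-in factory instead of a real database."""
    pool = TlsConnectionPool(lambda: object(), max_idle=8 if pooled else 0)
    for _ in range(n_queries):
        with pool.connection():
            pass  # a real caller would run its query here
    return pool.handshakes


if __name__ == "__main__":
    print(tls_policy(make_rds_tls_context()))
    print("handshakes, pooled:", handshakes_for(50), "unpooled:", handshakes_for(50, pooled=False))
```

Client-side verification only helps if the server side cannot be downgraded: on RDS this is enforced with the parameter-group setting `require_secure_transport = 1` for MySQL and `rds.force_ssl = 1` for PostgreSQL, so a misconfigured client fails closed rather than silently falling back to plaintext.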