End to End encryption question
My customer wants to implement a quickstart template to comply with HITRUST requirements. https://aws.amazon.com/quickstart/architecture/compliance-hitrust/
This quickstart guide says that
A Secure SocketsLayer (SSL) certificate managed by AWS Certificate Manager (ACM) on the load balancer to encrypt all traffic between the internet and the load balancer. Separateself-signed certificatesaregenerated on the EC2 instancesto encrypt traffic between the load balancer and the application instances.
My customer wants to know how is traffic encrypted between ELB and the application?
Also, does the traffic being encrypted between ELB and EC2 mean that the traffic from ELB to the application is encrypted? How can you achieve end-to-end encryption between ELB and the application?
From a quick peek at the CloudFormation templates for this quick start, I can see that the ELB Template sets up a target group to communicate with the application EC2 instances on port 443 via the HTTPS Protocol (TLS). I can see in the Application Template that a launch configuration is created for the application associated with the ELB target group mentioned above. The launch configuration uses an AMI with a user data script to generate a self-signed X509 certificate using openssl. The launch config also installs Apache and configures it to use the instances' self-signed certificate on port 443 as a webserver for WordPress on the same instance.
So, consistent with the above text, it seems to me that the load balancer encrypts its connection to the web/app server EC2 instances via HTTPS with a self-signed certificate. I would qualify that as end-to-end encryption between the ELB and the Application. Does that address your question?
Relevant content
- asked 7 months ago
- asked 3 years ago
- Accepted Answerasked 3 years ago
AWS OFFICIALUpdated 2 years ago- AWS OFFICIALUpdated 7 months ago
- AWS OFFICIALUpdated 2 months ago
- AWS OFFICIALUpdated 2 years ago
