Which of the following is not an ideal design recommendation for encrypting data in transit in AWS?
A. B. C. D.

Answer - C.
The AWS documentation gives the following design recommendations for encrypting data in transit:

1. Limit the number of public subnets. Public subnets within Amazon VPC are similar to the demilitarized zone (DMZ) referred to in the PCI DSS.
2. Route egress traffic to the Internet through a network address translation (NAT) located in the public subnet and deploy all other hosts in private subnets.
3. Enable source/destination checks at the instance level to provide additional safeguards around isolation of network traffic.
4. Ensure that security groups and NACLs are configured to address the requirements of the PCI DSS.
5. Consider terminating the TLS connections at the front-end ELB layer or the WAF layer in the public subnet of Amazon VPC, and configuring non-TLS connections for traffic between private subnets.
For more information on this, please see the link below:
https://aws.amazon.com/blogs/security/how-to-address-the-pci-dss-requirements-for-data-encryption-in-transit-using-amazon-vpc/
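The five recommendations above are easy to state and easy to drift away from. As an added example (not code from the page or from AWS), the script below audits a VPC layout against them: it classifies subnets as public or private from their route tables, checks that NAT gateways sit in public subnets and every other host in a private one, that source/destination checks are still enabled, that no private host accepts traffic from 0.0.0.0/0, and that the load balancer lives in the public subnets, terminates TLS on an HTTPS listener and forwards to private targets. The input dict only loosely mirrors the EC2 and ELBv2 describe-call shapes; SAMPLE_VPC is constructed by hand with made-up identifiers so it runs offline, and max_public_subnets is an assumed policy threshold, since the AWS guidance says to limit public subnets without naming a number.

```python
"""Audit a VPC layout against the five PCI DSS data-in-transit recommendations.

Input shape loosely mirrors EC2/ELBv2 describe responses; SAMPLE_VPC is a
hand-constructed example with made-up identifiers so the audit runs offline.
"""

IGW_PREFIX = "igw-"


def classify_subnets(route_tables):
    """Return (public, private) subnet-id sets.

    A subnet is public when its route table sends 0.0.0.0/0 to an internet
    gateway; other associated subnets are private (default route to a NAT,
    or no default route at all).
    """
    public, private = set(), set()
    for rt in route_tables:
        via_igw = any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
                      and r.get("GatewayId", "").startswith(IGW_PREFIX)
                      for r in rt["Routes"])
        for assoc in rt["Associations"]:
            (public if via_igw else private).add(assoc["SubnetId"])
    return public, private


def audit_vpc(vpc, max_public_subnets=2):
    """Return a list of findings; an empty list means the layout complies.

    max_public_subnets is an assumed policy threshold, not an AWS figure.
    """
    public, private = classify_subnets(vpc["RouteTables"])
    subnet_of = {i["InstanceId"]: i["SubnetId"] for i in vpc["Instances"]}
    findings = []
    # 1. Limit the number of public subnets (the DMZ).
    if len(public) > max_public_subnets:
        findings.append(f"too many public subnets: {sorted(public)}")
    # 2. NAT gateways sit in public subnets; every other host in a private subnet.
    for nat in vpc["NatGateways"]:
        if nat["SubnetId"] not in public:
            findings.append(f"{nat['NatGatewayId']} is not in a public subnet")
    for inst in vpc["Instances"]:
        iid = inst["InstanceId"]
        if inst["SubnetId"] not in private:
            findings.append(f"{iid} is not in a private subnet ({inst['SubnetId']})")
        # 3. Source/destination checks stay on for ordinary hosts (only a NAT
        #    instance legitimately needs them off; a NAT gateway avoids that).
        if not inst["SourceDestCheck"]:
            findings.append(f"{iid} has source/destination check disabled")
        # 4. One concrete security-group check: a private host must not accept
        #    traffic from the whole internet; it should come from the ELB's group.
        for sg_id in inst["SecurityGroups"]:
            for perm in vpc["SecurityGroups"][sg_id]["IpPermissions"]:
                if any(r["CidrIp"] == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
                    findings.append(f"{iid}: {sg_id} allows ingress from 0.0.0.0/0 "
                                    f"on port {perm['FromPort']}")
    # 5. TLS terminates at the load balancer in the public subnets; its targets
    #    are private hosts, which may be reached over plain HTTP inside the VPC.
    for lb in vpc["LoadBalancers"]:
        if not set(lb["Subnets"]) <= public:
            findings.append(f"{lb['Name']} is not confined to public subnets")
        for lst in lb["Listeners"]:
            if lst["Protocol"] != "HTTPS" or not lst.get("CertificateArn"):
                findings.append(f"{lb['Name']}: listener on port {lst['Port']} "
                                f"does not terminate TLS")
        for tid in lb["TargetInstanceIds"]:
            if subnet_of.get(tid) not in private:
                findings.append(f"{lb['Name']}: target {tid} is not in a private subnet")
    return findings


SAMPLE_VPC = {  # constructed sample, not real AWS output
    "RouteTables": [
        {"Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0aaa"}],
         "Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}]},
        {"Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0bbb"}],
         "Associations": [{"SubnetId": "subnet-priv-a"}, {"SubnetId": "subnet-priv-b"}]},
    ],
    "NatGateways": [{"NatGatewayId": "nat-0bbb", "SubnetId": "subnet-pub-a"}],
    "SecurityGroups": {
        "sg-web": {"IpPermissions": [{"FromPort": 80, "IpRanges": [],
                                      "UserIdGroupPairs": [{"GroupId": "sg-elb"}]}]},
        "sg-db": {"IpPermissions": [{"FromPort": 5432, "IpRanges": [],
                                     "UserIdGroupPairs": [{"GroupId": "sg-web"}]}]},
        "sg-open": {"IpPermissions": [{"FromPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    },
    "Instances": [
        {"InstanceId": "i-web1", "SubnetId": "subnet-priv-a", "SourceDestCheck": True,
         "SecurityGroups": ["sg-web"]},
        {"InstanceId": "i-db1", "SubnetId": "subnet-priv-b", "SourceDestCheck": True,
         "SecurityGroups": ["sg-db"]},
        # Deliberately bad host: public subnet, checks off, SSH open to the world.
        {"InstanceId": "i-legacy", "SubnetId": "subnet-pub-b", "SourceDestCheck": False,
         "SecurityGroups": ["sg-open"]},
    ],
    "LoadBalancers": [{
        "Name": "alb-front", "Subnets": ["subnet-pub-a", "subnet-pub-b"],
        "Listeners": [
            {"Protocol": "HTTPS", "Port": 443,
             "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/example"},
            {"Protocol": "HTTP", "Port": 80},  # deliberately bad: plaintext at the edge
        ],
        "TargetInstanceIds": ["i-web1"],
    }],
}

if __name__ == "__main__":
    for finding in audit_vpc(SAMPLE_VPC):
        print("FINDING:", finding)
```

Run against the sample, the audit reports four findings, all caused by the deliberately bad host and the plaintext listener; remove those two and it returns an empty list. Feeding it real data means mapping the output of the corresponding describe calls into the same keys, and the security-group check is only one of the PCI DSS requirements, so treat it as a starting point rather than a complete rule set.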
Answer: B. Route egress traffic through a NAT instance
Explanation:
Encrypting data in transit is an important security measure in AWS, and it is recommended to use Transport Layer Security (TLS) encryption for all network traffic between clients and servers. To ensure that data is encrypted in transit in AWS, there are several design recommendations to follow, such as:
A. Limit the number of public subnets: It is recommended to limit the number of public subnets used in an AWS infrastructure. Public subnets can expose sensitive data to the public internet, making it more vulnerable to attacks. By limiting the number of public subnets, you can reduce the attack surface of your infrastructure.
B. Route egress traffic through a NAT instance: This is not an ideal design recommendation for encrypting data in transit. Routing egress traffic through a NAT instance does not provide any additional security measures for encrypting data in transit. Instead, it is recommended to use encryption protocols such as TLS for all network traffic.
C. When using ELB terminate the TLS connection at the back end instances: This is an ideal design recommendation for encrypting data in transit. Terminating the TLS connection at the backend instances ensures that all network traffic is encrypted in transit, and it reduces the load on the ELB.
D. Ensure that security groups and NACLs are configured to address the requirements of the PCI DSS: This is an ideal design recommendation for securing sensitive data. PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards that are designed to protect credit card information. Ensuring that security groups and NACLs are configured to meet PCI DSS requirements helps to ensure that sensitive data is protected.
In summary, it is not an ideal design recommendation to route egress traffic through a NAT instance for encrypting data in transit in AWS. Instead, it is recommended to limit the number of public subnets, terminate the TLS connection at the backend instances, and configure security groups and NACLs to meet the requirements of PCI DSS.