Profile Applicability:

  • Level 1

Description:
In order to secure communications between applications and clients, it is essential to encrypt data in transit. This helps prevent unauthorized access and ensures that sensitive information is protected from being intercepted or tampered with. Encryption protocols such as TLS (Transport Layer Security) or SSL (Secure Sockets Layer) should be implemented to secure the communication channels. This is particularly important for protecting user data, authentication credentials, and other sensitive information transmitted over the network.

Rationale:
Encrypted communications are vital for ensuring the confidentiality and integrity of data transmitted between applications and clients. Without encryption, sensitive information is exposed to potential attackers, increasing the risk of data breaches and unauthorized access.
Key Risks:

  • Data interception: Unencrypted data is susceptible to interception and eavesdropping by attackers, especially on untrusted networks.

  • Data tampering: Without encryption, transmitted data can be altered by unauthorized entities before reaching its intended destination.

  • Non-compliance: Many regulatory frameworks such as GDPR, HIPAA, and PCI-DSS mandate encryption of sensitive data during transmission.

Impact:
Pros:

  • Ensures confidentiality and integrity of transmitted data.

  • Reduces the risk of data breaches and unauthorized access.

  • Helps comply with industry regulations and standards.

  • Builds trust with users by demonstrating a commitment to security.

Cons:

  • May introduce performance overhead due to the encryption and decryption processes.

  • Requires proper key management practices to prevent unauthorized access to encrypted data.

  • Needs regular updates and monitoring to ensure encryption standards remain up to date.

Default Value:
By default, many modern applications may not enforce encrypted communications, leaving data exposed. Encryption needs to be explicitly configured to ensure all communications are securely transmitted.

Pre-requisites:

  • Ensure your applications support encryption protocols such as TLS or SSL.

  • Obtain and manage digital certificates from trusted Certificate Authorities (CAs).

  • Configure web servers, APIs, and application frameworks to enforce encryption during communication.

Remediation:

Test Plan:
Using AWS Console:

  1. Log in to the AWS Management Console.

  2. Navigate to the EC2 Console and review the configuration of your web server or API gateway.

  3. Ensure SSL/TLS certificates are configured and enforced.

  4. Test secure connections by accessing your application using https:// URLs.

  5. Verify the SSL/TLS connection status in the browser to ensure encryption is active (look for a padlock icon).

Using AWS CLI:

  1. Use the following AWS CLI command to list the client-facing protocol of every listener on your classic load balancers; any value other than HTTPS or SSL means that listener accepts unencrypted traffic (API Gateway custom domains are checked separately with aws apigateway get-domain-names):

    aws elb describe-load-balancers --query "LoadBalancerDescriptions[*].{DNSName:DNSName,Protocols:ListenerDescriptions[*].Listener.Protocol}"

  2. If SSL/TLS is not configured, use the following command to configure a listener for HTTPS on your Elastic Load Balancer (ELB):

    aws elb create-load-balancer-listeners --load-balancer-name <your-lb-name> --listeners Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTP,InstancePort=80,SSLCertificateId=<your-ssl-cert-id>
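The test plan above checks listeners by hand. The following script is an added example, not part of this benchmark or of any AWS tooling: it consumes the JSON that aws elb describe-load-balancers --output json returns (LoadBalancerDescriptions containing ListenerDescriptions, each with a Listener object) and flags every listener on every load balancer, not only the first one. It also reports the case the benchmark's own create-load-balancer-listeners example produces, where TLS is terminated at the load balancer but the hop to the instances is plain HTTP, which matters for the server-to-server requirement in the implementation plan. The load balancer names, DNS names and certificate ARN in the sample are constructed placeholders.

```python
"""Flag classic ELB listeners that are not encrypted (added example).

Feeds on the JSON returned by:
    aws elb describe-load-balancers --output json
and checks every listener on every load balancer, not just the first one.
The sample data below is constructed; names and ARNs are placeholders.
"""
import json
import sys

# Client-facing protocols that give TLS/SSL protection at the load balancer.
ENCRYPTED_PROTOCOLS = {"HTTPS", "SSL"}

# Constructed sample in the shape of `aws elb describe-load-balancers` output.
SAMPLE_RESPONSE = {
    "LoadBalancerDescriptions": [
        {
            "LoadBalancerName": "web-lb",
            "DNSName": "web-lb.example.invalid",
            "ListenerDescriptions": [
                # TLS is terminated at the load balancer, but the hop to the
                # instances is plain HTTP (the pattern the benchmark's
                # create-load-balancer-listeners example sets up).
                {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                              "InstanceProtocol": "HTTP", "InstancePort": 80,
                              "SSLCertificateId": "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"}},
                # Plain HTTP still exposed to clients on port 80.
                {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                              "InstanceProtocol": "HTTP", "InstancePort": 80}},
            ],
        },
        {
            "LoadBalancerName": "api-lb",
            "DNSName": "api-lb.example.invalid",
            "ListenerDescriptions": [
                # Raw TCP pass-through: the load balancer cannot tell whether
                # the application layer is encrypted, so it is reported.
                {"Listener": {"Protocol": "TCP", "LoadBalancerPort": 8080,
                              "InstanceProtocol": "TCP", "InstancePort": 8080}},
            ],
        },
    ]
}


def audit_listeners(response):
    """Return one finding per unencrypted leg, in the order listeners appear.

    leg == "client":  the protocol clients see is not HTTPS/SSL.
    leg == "backend": clients get TLS, but the load balancer talks to the
                      instances unencrypted (the server-to-server leg).
    """
    findings = []
    for lb in response.get("LoadBalancerDescriptions", []):
        name = lb.get("LoadBalancerName", "<unnamed>")
        for desc in lb.get("ListenerDescriptions", []):
            listener = desc.get("Listener", {})
            front = str(listener.get("Protocol", "")).upper()
            back = str(listener.get("InstanceProtocol", "")).upper()
            port = listener.get("LoadBalancerPort")
            if front not in ENCRYPTED_PROTOCOLS:
                findings.append({"lb": name, "port": port, "leg": "client", "protocol": front})
            elif back not in ENCRYPTED_PROTOCOLS:
                findings.append({"lb": name, "port": port, "leg": "backend", "protocol": back})
    return findings


def load_balancers_with_no_encrypted_listener(response):
    """Names of load balancers that have no HTTPS/SSL listener at all."""
    names = []
    for lb in response.get("LoadBalancerDescriptions", []):
        protocols = {str(d.get("Listener", {}).get("Protocol", "")).upper()
                     for d in lb.get("ListenerDescriptions", [])}
        if not protocols & ENCRYPTED_PROTOCOLS:
            names.append(lb.get("LoadBalancerName", "<unnamed>"))
    return names


if __name__ == "__main__":
    # Read real CLI output from stdin when piped, otherwise run on the sample.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_RESPONSE
    for f in audit_listeners(data):
        print(f"{f['lb']}: port {f['port']} {f['leg']} leg uses {f['protocol']}")
    for name in load_balancers_with_no_encrypted_listener(data):
        print(f"{name}: no encrypted listener configured")
    sys.exit(1 if audit_listeners(data) else 0)
```

Run it against a real account with aws elb describe-load-balancers --output json | python3 audit_elb.py (the file name is the assumption); the non-zero exit status makes it usable as a gate in a pipeline. A TCP listener is reported even though the application behind it may speak TLS itself, because the load balancer configuration alone cannot prove that; treat such findings as items to verify rather than automatic failures.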

Implementation Plan:

Using AWS Console:

  1. Log in to the AWS Management Console.

  2. Navigate to EC2 or API Gateway depending on your application's configuration.

  3. For web applications, ensure that an SSL/TLS certificate is associated with your domain name (via ACM or a third-party provider).

  4. For API communications, enforce HTTPS endpoints and redirect any HTTP traffic to HTTPS.

  5. Ensure that all sensitive communications are routed through encrypted channels, both on client-to-server and server-to-server communications.

Using AWS CLI:

  1. To enable SSL/TLS for your API Gateway, use the following command:

    aws apigateway update-domain-name --domain-name <your-domain-name> --patch-operations op=replace,path=/certificateArn,value=<ssl-certificate-arn>

  2. To enable HTTPS on your classic ELB, run the following command (the certificate must already exist in ACM or IAM):

    aws elb create-load-balancer-listeners --load-balancer-name <load-balancer-name> --listeners Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTP,InstancePort=80,SSLCertificateId=<ssl-certificate-id>

Backout Plan:

Using AWS Console:

If the implementation of encryption causes issues, you can remove the SSL/TLS configuration by following these steps:

  1. Log in to the AWS Console.

  2. Navigate to your EC2 or API Gateway settings.

  3. Remove the SSL/TLS certificate or disable the HTTPS listener.

  4. Ensure the application reverts to HTTP communication if needed (although this should only be done as a temporary solution).

Using AWS CLI:

  1. To remove SSL/TLS from your API Gateway, use the following command:

    aws apigateway update-domain-name --domain-name <your-domain-name> --patch-operations op=remove,path=/certificateArn

  2. To remove the HTTPS listener from your ELB, run:

    aws elb delete-load-balancer-listeners --load-balancer-name <load-balancer-name> --load-balancer-ports 443

References:

  • AWS EC2: Configuring SSL/TLS

  • AWS API Gateway: Secure Your API with SSL

  • AWS CLI: SSL/TLS Commands for Load Balancers and API Gateway

CIS Controls:

  Version   Control ID   Control Description
  v8        13.1         Ensure that communications between applications and clients are encrypted to prevent unauthorized access to sensitive information during transmission.
  v7        13.2         Implement strong encryption methods such as TLS/SSL to protect data in transit across all systems, applications, and networks.