
AWS ALB SSL/TLS offloading security


AWS ALBs allow one to configure an SSL/TLS certificate for encrypting traffic between the client and the LB. Traffic between the LB and the target can be protected with a certificate, but target certificates are not validated... as outlined here: https://github.com/aws-quickstart/quickstart-compliance-hipaa/issues/9#issuecomment-693746199

Question: Does traffic within a VPC require additional measures to secure and prevent unauthorized access? Does AWS VPC have additional security mechanisms to prevent snooping, or unauthorized access to unencrypted traffic flowing within a VPC? Are there any tangible benefits to applying a certificate to the LB target in the above scenario considering that the certificate will not be validated?


Solution

  • The link you provided explains this pretty well. Traffic within a VPC happens exclusively within the AWS internal network, not over the Internet. As such, it's AWS's responsibility to ensure its security based on the AWS shared responsibility model.

    If you believe that AWS is incapable of securing its networks and infrastructure, then it does not really matter much if your traffic from LB to targets is encrypted or not. A rogue employee, or a random thief, may as well get direct access to your instances, EBS volumes, KMS keys or S3 storage. SSL encryption will not prevent this.

    Thus, SSL between LB and targets is generally not applied, unless due to some external requirements which you have no control over. Also take into account that AWS is over a decade old, and so far there haven't been any publicized security breaches regarding the AWS part of the shared security model.
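If an external requirement does force end-to-end encryption, the practical check is an inventory of which HTTPS listeners hand traffic to plain-HTTP target groups. The following audit is an added example, not code from the question or the answer above; it takes dicts in the shape returned by boto3's `elbv2.describe_listeners()` and `elbv2.describe_target_groups()` so it can be run offline on the constructed sample, and the ARNs in the sample are placeholders.

```python
"""Report ALB listeners that terminate TLS and forward to HTTP target groups,
i.e. hops where the LB-to-target leg crosses the VPC unencrypted."""


def _forwarded_target_groups(listener):
    """Collect every target group ARN the listener's default actions forward to,
    covering both the simple TargetGroupArn form and weighted ForwardConfig."""
    arns = []
    for action in listener.get("DefaultActions", []):
        if action.get("Type") != "forward":
            continue
        if action.get("TargetGroupArn"):
            arns.append(action["TargetGroupArn"])
        for tg in action.get("ForwardConfig", {}).get("TargetGroups", []):
            arns.append(tg["TargetGroupArn"])
    return arns


def find_cleartext_backends(listeners, target_groups):
    """Return (listener ARN, target group name) pairs where the client-facing
    listener is HTTPS but the onward hop to the targets is plain HTTP.
    Note: an HTTPS target group only encrypts that hop; as the question states,
    the ALB does not validate the target's certificate, so it is not authenticated."""
    tg_by_arn = {tg["TargetGroupArn"]: tg for tg in target_groups}
    findings = []
    for listener in listeners:
        if listener.get("Protocol") != "HTTPS":
            continue
        for arn in _forwarded_target_groups(listener):
            tg = tg_by_arn.get(arn)
            if tg is not None and tg.get("Protocol") == "HTTP":
                findings.append((listener["ListenerArn"], tg["TargetGroupName"]))
    return findings


# Constructed sample data; ARNs are placeholders, not real resources.
SAMPLE_LISTENERS = [
    {"ListenerArn": "arn:aws:elasticloadbalancing:PLACEHOLDER:listener/app/web/L1",
     "Protocol": "HTTPS", "Port": 443,
     "DefaultActions": [{"Type": "forward", "ForwardConfig": {"TargetGroups": [
         {"TargetGroupArn": "arn:PLACEHOLDER:targetgroup/api-http/TG1", "Weight": 1},
         {"TargetGroupArn": "arn:PLACEHOLDER:targetgroup/api-tls/TG2", "Weight": 1}]}}]},
    {"ListenerArn": "arn:aws:elasticloadbalancing:PLACEHOLDER:listener/app/web/L2",
     "Protocol": "HTTP", "Port": 80,
     "DefaultActions": [{"Type": "redirect"}]},
]
SAMPLE_TARGET_GROUPS = [
    {"TargetGroupArn": "arn:PLACEHOLDER:targetgroup/api-http/TG1",
     "TargetGroupName": "api-http", "Protocol": "HTTP", "Port": 8080},
    {"TargetGroupArn": "arn:PLACEHOLDER:targetgroup/api-tls/TG2",
     "TargetGroupName": "api-tls", "Protocol": "HTTPS", "Port": 8443},
]
```

Run it against a live account by passing `client.describe_listeners(LoadBalancerArn=...)["Listeners"]` and `client.describe_target_groups()["TargetGroups"]` from an `elbv2` boto3 client instead of the sample lists.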