I'm reviewing the GovCloud notes, in particular AWS's "Elastic Load Balancer" and in their ITAR statement they mention (source: http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-elb.html):
"Encryption must be used both between clients and the load balancer and between the load balancer and registered instances"
Assuming the servers are web servers with HTTP traffic:
To me, that sounds like we still need TLS/SSL encryption (and certificates) on all the servers connecting to the load balancer, and possibly a different set of TLS/SSL certificates from the load balancer to the external clients/consumers.
I'm looking for expertise on whether this is a common practice, as I may misunderstand the use of SSL terminators to minimize CPU usage on the servers, but in a high-security scenario (ITAR/FISMA/GovCloud) maybe it is expected to pay the cost?
Thanks for any expert feedback! -D
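Added example, not part of the original post and not AWS code: one way to check the quoted requirement is to audit each Classic ELB listener for an encrypted protocol on both legs. The load balancer names and sample data are constructed, shaped like the ListenerDescriptions field of a DescribeLoadBalancers response.

```python
# Constructed sample shaped like the ListenerDescriptions field of the
# Classic ELB DescribeLoadBalancers response; all names are placeholders.
SAMPLE_LOAD_BALANCERS = [
    {"LoadBalancerName": "example-tls-terminating",
     "ListenerDescriptions": [
         {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                       "InstanceProtocol": "HTTP", "InstancePort": 80}}]},
    {"LoadBalancerName": "example-end-to-end",
     "ListenerDescriptions": [
         {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                       "InstanceProtocol": "HTTPS", "InstancePort": 443}},
         {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                       "InstanceProtocol": "HTTP", "InstancePort": 80}}]},
    {"LoadBalancerName": "example-ssl-both-legs",
     "ListenerDescriptions": [
         {"Listener": {"Protocol": "SSL", "LoadBalancerPort": 8443,
                       "InstanceProtocol": "SSL", "InstancePort": 8443}}]},
]

# Classic ELB listener protocols are HTTP, HTTPS, TCP and SSL; only two encrypt.
ENCRYPTED_PROTOCOLS = {"HTTPS", "SSL"}


def audit_listeners(load_balancers):
    """Return (lb_name, lb_port, leg, protocol) for every unencrypted leg."""
    findings = []
    for lb in load_balancers:
        for desc in lb.get("ListenerDescriptions", []):
            listener = desc.get("Listener", {})
            port = listener.get("LoadBalancerPort")
            legs = (("client-to-elb", listener.get("Protocol")),
                    ("elb-to-instance", listener.get("InstanceProtocol")))
            for leg, proto in legs:
                # Fail closed: a missing protocol is reported, not assumed safe.
                proto = (proto or "MISSING").upper()
                if proto not in ENCRYPTED_PROTOCOLS:
                    findings.append((lb["LoadBalancerName"], port, leg, proto))
    return findings


if __name__ == "__main__":
    for name, port, leg, proto in audit_listeners(SAMPLE_LOAD_BALANCERS):
        print(f"{name}: listener {port} leg {leg} uses {proto}")
```

The TLS-terminating configuration the question describes (HTTPS in front, HTTP behind) is reported on the elb-to-instance leg, while the listener with HTTPS on both legs passes.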