1

AWS Elastic Beanstalk service routes traffic back to its EC2 instances through HTTP by default. I know this can be configured to achieve end to end encryption by adding SSL encryption from the load balancer back to its EC2 instance(s). I also know that by default everything created by Elastic Beanstalk is inside a VPC.

Is the default configuration (ELB <-- HTTP --> EC2) secure?

flizana
  • 113
  • 3
  • Hi fizana. Welcome. Please look at other posts here to understand when I say that your question currently has no answer. It is secure enough for some purposes, and not secure enough for others. You need to articulate your risk model. – Rory Alsop Sep 22 '18 at 18:00

1 Answers1

1

It depends on your risk model. Unencrypted communication between two servers in the Amazon cloud is 100% visible to Amazon, for instance. It is also visible (and modifiable) to anyone, be they disgruntled employee or successful attacker, that has administrative privileges on anything in between those two servers. If that is worrisome in your context, then it's not sufficiently secure for you.

Thanks to Amazon's security, it is substantially more secure against everyone else than the general internet, but it is also extremely vulnerable against Amazon.

TBridges42
  • 243
  • 2
  • 11
  • I'm looking to handle credit card information (just handle it, not store it). Thanks for your response TBridges42, I think I need to add end to end encryption just to be sure. – flizana Sep 26 '18 at 14:28
  • Definitely. The best way to handle credit card information is to not. The security standard to follow even if credit card information is just passing through your system is PCI-DSS. https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard – TBridges42 Sep 26 '18 at 23:36
  • But I would strongly, strongly encourage you to investigate using a third-party payment processor so you don't have to deal with them yourself. – TBridges42 Sep 26 '18 at 23:37