Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

6.1.1. Encryption Requirements for Resource Connections

First Principle: TLS must be enforced — not just available — for all connections carrying sensitive data. An HTTPS endpoint that also accepts HTTP provides zero protection when a client accidentally connects over HTTP.

Elastic Load Balancing Security Policies:
  • Listener configuration: HTTPS listeners terminate TLS and require an SSL/TLS certificate (ACM or imported)
  • Security policies: Define which TLS versions and cipher suites are allowed (e.g., ELBSecurityPolicy-TLS13-1-2-2021-06 for TLS 1.3)
  • HTTP-to-HTTPS redirect: Configure the ALB to automatically redirect HTTP (port 80) requests to HTTPS (port 443)
  • Backend encryption: Optionally encrypt traffic between the load balancer and targets (end-to-end encryption)
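The four listener settings above can be checked mechanically. The following is an added example, not MindMesh Academy course code: it audits listener definitions shaped like the ELBv2 DescribeListeners response and reports HTTP listeners that forward plaintext instead of redirecting to HTTPS, and HTTPS listeners that use a security policy outside an allowlist of TLS 1.2+ policies. The sample listeners and their ARNs are constructed placeholders, and the allowlist is this example's own choice of acceptable policies.

```python
"""Audit ALB listener definitions for TLS enforcement gaps.

Added example (not course code). Listener dicts mirror the shape of the
ELBv2 DescribeListeners API output; the audit rules and the allowlist of
acceptable security policies are assumptions made by this example.
"""

# Policies treated as "TLS 1.2 minimum". The names are real ELB policy names;
# accepting only these is an assumption of this example.
ACCEPTED_POLICIES = {
    "ELBSecurityPolicy-TLS13-1-2-2021-06",
    "ELBSecurityPolicy-TLS-1-2-2017-01",
    "ELBSecurityPolicy-TLS-1-2-Ext-2018-06",
    "ELBSecurityPolicy-FS-1-2-Res-2020-10",
}


def audit_listeners(listeners):
    """Return a list of (listener_arn, finding) tuples for risky listeners."""
    findings = []
    for lst in listeners:
        arn = lst["ListenerArn"]
        proto = lst.get("Protocol")
        if proto == "HTTP":
            # An HTTP listener is acceptable only if every default action is a
            # permanent redirect to HTTPS; anything else moves plaintext traffic.
            actions = lst.get("DefaultActions", [])
            redirects = [
                a for a in actions
                if a.get("Type") == "redirect"
                and a.get("RedirectConfig", {}).get("Protocol") == "HTTPS"
                and a.get("RedirectConfig", {}).get("StatusCode") == "HTTP_301"
            ]
            if not actions or len(redirects) != len(actions):
                findings.append((arn, "HTTP listener does not redirect to HTTPS"))
        elif proto == "HTTPS":
            policy = lst.get("SslPolicy", "")
            if policy not in ACCEPTED_POLICIES:
                findings.append((arn, f"weak or unknown security policy: {policy or '<none>'}"))
            if not lst.get("Certificates"):
                findings.append((arn, "HTTPS listener has no certificate attached"))
    return findings


# Constructed sample listeners; ARNs are placeholders, not real resources.
SAMPLE_LISTENERS = [
    {   # good: port 80 permanently redirects to 443
        "ListenerArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:listener/app/web/EXAMPLE/http80",
        "Protocol": "HTTP", "Port": 80,
        "DefaultActions": [{"Type": "redirect",
                            "RedirectConfig": {"Protocol": "HTTPS", "Port": "443",
                                               "StatusCode": "HTTP_301"}}],
    },
    {   # bad: plaintext HTTP forwarded straight to targets
        "ListenerArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:listener/app/web/EXAMPLE/http8080",
        "Protocol": "HTTP", "Port": 8080,
        "DefaultActions": [{"Type": "forward", "TargetGroupArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/EXAMPLE"}],
    },
    {   # good: TLS 1.3 policy with an ACM certificate
        "ListenerArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:listener/app/web/EXAMPLE/https443",
        "Protocol": "HTTPS", "Port": 443,
        "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
        "Certificates": [{"CertificateArn": "arn:aws:acm:REGION:ACCOUNT:certificate/EXAMPLE"}],
    },
    {   # bad: the legacy default policy still negotiates TLS 1.0 and 1.1
        "ListenerArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:listener/app/web/EXAMPLE/https8443",
        "Protocol": "HTTPS", "Port": 8443,
        "SslPolicy": "ELBSecurityPolicy-2016-08",
        "Certificates": [{"CertificateArn": "arn:aws:acm:REGION:ACCOUNT:certificate/EXAMPLE"}],
    },
]

if __name__ == "__main__":
    for arn, finding in audit_listeners(SAMPLE_LISTENERS):
        print(f"{arn}: {finding}")
```

Run against the constructed sample it reports two listeners: the HTTP listener on 8080 that forwards rather than redirects, and the HTTPS listener on 8443 with the 2016-08 policy. In practice the input would come from `aws elbv2 describe-listeners` output for each load balancer.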

Enforcing TLS Configurations:

  Enforcement Point    Mechanism
  ALB/NLB listeners    Security policy selection (minimum TLS 1.2 recommended)
  CloudFront           Viewer Protocol Policy: "HTTPS Only" or "Redirect HTTP to HTTPS"
  API Gateway          Enforce HTTPS in endpoint configuration; disable HTTP
  S3                   Bucket policy with aws:SecureTransport condition (deny if false)
  RDS                  Force SSL connections via parameter group (rds.force_ssl = 1)

S3 HTTPS Enforcement Example:

A bucket policy condition "aws:SecureTransport": "false" with Effect: Deny rejects any request made over HTTP, ensuring all data access uses TLS.

⚠️ Exam Trap: S3 bucket policies with aws:SecureTransport enforce HTTPS for API access. But S3 static website hosting endpoints DON'T support HTTPS natively — you need CloudFront in front of S3 for HTTPS on static websites.
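The bucket policy pattern described above, as an added example (not MindMesh Academy course code): one function builds the Deny statement for a given bucket, and a second checks an arbitrary bucket policy document for a Deny that covers both the bucket and its objects whenever aws:SecureTransport is false. The bucket name and the weak sample policy are constructed for the example; the condition key, the statement structure and the "2012-10-17" policy version are the standard IAM policy language.

```python
"""Build and audit an S3 bucket policy that denies non-TLS requests.

Added example (not course code). Bucket names are placeholders; the policy
layout follows the aws:SecureTransport pattern described in the section.
"""
import json


def secure_transport_deny(bucket):
    """Return a policy dict that denies every S3 action made over plain HTTP."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            # Both ARNs are needed: bucket-level and object-level actions
            # are matched against different resources.
            "Resource": [bucket_arn, f"{bucket_arn}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def enforces_tls(policy, bucket):
    """True if some Deny statement rejects all S3 actions on the bucket and
    its objects when aws:SecureTransport is false. Accepts a dict or JSON."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in statements:
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        # The value may be the string "false" or a JSON boolean; normalise both.
        if str(cond.get("aws:SecureTransport", "")).lower() != "false":
            continue
        if not any(a in ("s3:*", "*") for a in _as_list(stmt.get("Action"))):
            continue  # a Deny on a subset of actions leaves the rest reachable over HTTP
        resources = _as_list(stmt.get("Resource"))
        covers_bucket = any(r in ("*", bucket_arn) for r in resources)
        covers_objects = any(r in ("*", f"{bucket_arn}/*") for r in resources)
        if covers_bucket and covers_objects:
            return True
    return False


# Constructed weak policy: grants public reads and never mentions transport.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

if __name__ == "__main__":
    print(json.dumps(secure_transport_deny("example-bucket"), indent=2))
    print("weak policy enforces TLS:", enforces_tls(WEAK_POLICY, "example-bucket"))
```

The checker is deliberately strict: a Deny that lists only `s3:GetObject`, or only the `/*` object ARN, is reported as not enforcing TLS, because bucket-level operations such as listing would still succeed over HTTP. An Allow statement with `"aws:SecureTransport": "true"` is also not counted, since it only constrains that one grant rather than every request.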

Scenario: A security scan reveals that an RDS MySQL instance accepts unencrypted connections. You enable rds.force_ssl = 1 in the parameter group, rotate the instance, and verify that all application connection strings include ssl-mode=VERIFY_FULL.

Reflection Question: Why is enforcing TLS through infrastructure configuration (security policies, bucket policies, parameter groups) more reliable than trusting applications to always use HTTPS?

Written by Alvin Varughese (Founder, 15 professional certifications)