6.1.3. Inter-Resource Encryption in Transit
First Principle: Modern distributed systems communicate between nodes within clusters — map-reduce jobs, Kubernetes pods, training nodes, container tasks. This inter-resource (east-west) traffic is often unencrypted by default, so an environment whose client-facing edge is protected by TLS can still carry plaintext between its own nodes.
This is new content for the SCS-C03 — no C02 equivalent exists.
Amazon EMR Inter-Node Encryption:
- Enable in-transit encryption for data moving between EMR nodes (map-reduce shuffles, HDFS transfers)
- Uses TLS certificates (AWS Certificate Manager or custom)
- Required for compliance frameworks that mandate encryption of ALL data in transit
Amazon EKS Pod-to-Pod Encryption:
- Service mesh solutions (App Mesh, Istio) provide mTLS between pods
- EKS supports encryption in transit for Kubernetes API server communication
- Network policies control which pods can communicate but do not encrypt traffic; mTLS adds the encryption
SageMaker AI Inter-Container Encryption:
- Enable inter-container encryption for distributed training jobs
- Encrypts traffic between training instances in a training cluster
- Adds latency overhead, but is required for sensitive ML workloads (healthcare, financial)
AWS Nitro System Encryption:
- Nitro-based instances support hardware-level encryption of data between instances
- Encrypts traffic at the network interface level — transparent to applications
- No application changes required, no performance overhead on supported instance types
| Service | Inter-Resource Encryption | How to Enable |
|---|---|---|
| EMR | TLS between nodes | Security configuration: in-transit encryption |
| EKS | mTLS between pods | Service mesh (App Mesh/Istio) |
| SageMaker AI | Between training containers | EnableInterContainerTrafficEncryption: true |
| EC2 (Nitro) | Between instances | Supported on specific instance types |
⚠️ Exam Trap: Nitro encryption is hardware-level and transparent to applications. Service mesh mTLS requires configuration. If a question asks about encrypting inter-instance traffic without application changes, Nitro encryption is the answer.
Scenario: A financial services company runs distributed SageMaker training jobs on sensitive customer data. Compliance requires ALL data — including shuffled training data between containers — to be encrypted. You enable EnableInterContainerTrafficEncryption on the training job configuration.
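As an added example (not part of the study guide), the following offline audit checks exported SageMaker training-job descriptions and EMR security configurations for the two settings named in the table above and in the scenario. The job names, security-configuration names and S3 bucket are constructed placeholders.

```python
# Offline audit of AWS config exports for missing inter-resource encryption.
# Input shapes follow the API responses: SageMaker DescribeTrainingJob and EMR
# DescribeSecurityConfiguration (its SecurityConfiguration field is a JSON string).
import json

def sagemaker_job_findings(job: dict) -> list[str]:
    """Flag distributed training jobs that run without inter-container encryption."""
    name = job.get("TrainingJobName", "<unnamed>")
    count = job.get("ResourceConfig", {}).get("InstanceCount", 1)
    # A single-instance job has no inter-container traffic, so nothing to flag.
    if count > 1 and job.get("EnableInterContainerTrafficEncryption") is not True:
        return [f"sagemaker/{name}: {count} instances, EnableInterContainerTrafficEncryption not true"]
    return []

def emr_security_config_findings(name: str, security_configuration: str) -> list[str]:
    """Flag EMR security configurations that leave node-to-node traffic in the clear."""
    enc = json.loads(security_configuration).get("EncryptionConfiguration", {})
    if enc.get("EnableInTransitEncryption") is not True:
        return [f"emr/{name}: EnableInTransitEncryption not true"]
    # In-transit encryption needs a certificate source (PEM certificates in S3 or a custom provider).
    if "TLSCertificateConfiguration" not in enc.get("InTransitEncryptionConfiguration", {}):
        return [f"emr/{name}: in-transit encryption enabled without TLSCertificateConfiguration"]
    return []

def audit(jobs: list[dict], emr_configs: dict[str, str]) -> list[str]:
    """Return every finding across SageMaker jobs and EMR security configurations."""
    findings = [f for job in jobs for f in sagemaker_job_findings(job)]
    for name, cfg in emr_configs.items():
        findings.extend(emr_security_config_findings(name, cfg))
    return findings

# Constructed sample data (not real accounts, jobs or buckets).
SAMPLE_JOBS = [
    {"TrainingJobName": "risk-model-dist", "ResourceConfig": {"InstanceCount": 4},
     "EnableInterContainerTrafficEncryption": False},
    {"TrainingJobName": "risk-model-dist-v2", "ResourceConfig": {"InstanceCount": 4},
     "EnableInterContainerTrafficEncryption": True},
    {"TrainingJobName": "notebook-single", "ResourceConfig": {"InstanceCount": 1}},
]
SAMPLE_EMR = {
    "analytics-default": json.dumps({"EncryptionConfiguration": {
        "EnableInTransitEncryption": False, "EnableAtRestEncryption": True}}),
    "analytics-tls": json.dumps({"EncryptionConfiguration": {
        "EnableInTransitEncryption": True, "EnableAtRestEncryption": True,
        "InTransitEncryptionConfiguration": {"TLSCertificateConfiguration": {
            "CertificateProviderType": "PEM", "S3Object": "s3://example-bucket/emr-certs.zip"}}}}),
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_JOBS, SAMPLE_EMR)))
```

Feed it the JSON saved from `describe-training-job` and `describe-security-configuration` calls; only the non-compliant distributed job and the plaintext EMR configuration produce findings.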
Reflection Question: Why does the SCS-C03 add inter-resource encryption as a separate skill, and what attack vector does it address that traditional client-server TLS doesn't?