Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

6.1. Data in Transit

Data in transit is vulnerable to interception, modification, and replay attacks every time it crosses a network boundary: between clients and servers, between AWS services, between Regions, and between AWS and on-premises environments. Without transit encryption, a compromised network path exposes all data flowing through it in plaintext. Think of unencrypted data in transit as sending postcards instead of sealed letters: anyone along the delivery route can read the contents. The SCS-C03 exam expands transit protection to include inter-resource encryption, meaning encryption of traffic between nodes within a cluster or service, not just client-to-server traffic. What breaks when transit encryption has gaps? An attacker with network access (a compromised VPC, a misconfigured security group, or a man-in-the-middle position) can read sensitive API responses, steal session tokens, or modify data in flight.

This section covers enforcing encryption for resource connections, secure private access mechanisms, and the new inter-resource encryption requirements.
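The most common way to enforce encryption for a resource connection on AWS is a resource policy that explicitly denies requests that did not arrive over TLS, using the `aws:SecureTransport` condition key (AWS sets it to `"true"` for HTTPS requests and `"false"` otherwise). The following is an added example, not code from the course or from AWS: it places a weak S3 bucket policy beside its hardened form and runs a small offline audit that reports whether a policy document actually closes the plaintext path. The bucket name, the account ID, and the role name are constructed placeholders.

```python
"""
Added example (not from the original course page): an offline check that a
bucket policy document denies non-TLS access. AWS evaluates the condition key
aws:SecureTransport as "true" when the request arrived over HTTPS and "false"
otherwise, so the standard enforcement pattern is an explicit Deny on s3:*
when aws:SecureTransport is "false". The policies below are constructed
sample input; the bucket name, account ID and role name are placeholders.
"""
import json

BUCKET = "example-bucket-placeholder"  # placeholder, not a real bucket
READER_ROLE = "arn:aws:iam::111122223333:role/app-reader"  # placeholder ARN

# Weak policy: grants read access but says nothing about transport, so an
# http:// request to the bucket is accepted and the object travels in plaintext.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowRead", "Effect": "Allow",
         "Principal": {"AWS": READER_ROLE},
         "Action": ["s3:GetObject"],
         "Resource": f"arn:aws:s3:::{BUCKET}/*"}
    ]
})

# Hardened policy: the same grant plus an explicit Deny that fires whenever the
# request did not arrive over TLS. An explicit Deny always wins over an Allow.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowRead", "Effect": "Allow",
         "Principal": {"AWS": READER_ROLE},
         "Action": ["s3:GetObject"],
         "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny",
         "Principal": "*",
         "Action": "s3:*",
         "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
    ]
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def denies_insecure_transport(policy_json: str, bucket: str) -> bool:
    """Return True if the policy contains a Deny for all principals and all S3
    actions on both the bucket and its objects, conditioned on
    aws:SecureTransport being false. Anything narrower is reported as a gap:
    a Deny that covers only objects still leaves bucket-level calls such as
    ListBucket reachable over plaintext."""
    policy = json.loads(policy_json)
    wanted = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        if "s3:*" not in _as_list(stmt.get("Action", [])):
            continue
        if not wanted.issubset(set(_as_list(stmt.get("Resource", [])))):
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def audit(policies: dict) -> dict:
    """Map each policy name to whether it enforces TLS; this is what a reviewer
    would run over exported bucket policies to find the ones with transit gaps."""
    return {name: denies_insecure_transport(doc, BUCKET)
            for name, doc in policies.items()}


if __name__ == "__main__":
    results = audit({"weak": WEAK_POLICY, "hardened": HARDENED_POLICY})
    for name, ok in results.items():
        print(f"{name}: {'enforces TLS' if ok else 'GAP: plaintext access allowed'}")
```

The check deliberately insists on `s3:*` and on both the bucket ARN and the `/*` object ARN, because a Deny scoped to a single action or only to objects is a partial fix that still leaves part of the resource reachable without TLS. The same `aws:SecureTransport` pattern applies to other resource policies that support the key (for example on SQS queues and SNS topics); inter-resource encryption inside a cluster is a separate, service-specific setting and is not covered by this policy.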

Scenario: A healthcare application transmits patient data between microservices within a VPC. The team argues encryption isn't needed because "it's all internal traffic." A compromised EC2 instance in the same VPC proves them wrong by sniffing inter-service traffic.

Reflection Question: Why is encrypting internal (east-west) traffic just as important as encrypting external (north-south) traffic in a zero-trust architecture?

Written by Alvin Varughese, Founder, 15 professional certifications