
This is the AWS tutorial: https://aws.amazon.com/ru/serverless/use-sqs-as-an-event-source-for-lambda-tutorial/ The implementation scenario is built on the principle that all data must be encrypted, given the sensitive nature of the application.

My application architecture is: Frontend (443) -> AWS Lambda -> SNS -> SQS -> AWS Lambda.

Incoming data from outside into AWS Lambda is encrypted by the HTTPS protocol. Do I need to use encryption in the Lambda -> SNS -> SQS -> Lambda processing?

Is the internal network of AWS unsafe?

2 Comments
  • I would always encrypt it if it is sensitive data. Imagine somebody else gains access to your SQS queue where payloads are not encrypted. Another possibility is sharing the account with other applications; they could compromise your resources by attaching to them and dumping sensitive data. Commented Aug 19, 2020 at 12:29
  • @TraychoIvanov Thank you for your comment. Indeed, you have made clear one more reason to encrypt it. Sure, reasonable IAM policies protect in this case; however, the human factor always has to be taken into consideration. Commented Aug 19, 2020 at 12:50

1 Answer


You don't need to, but it just enhances the security that your application is already using.

However, regarding network transit to AWS services: unless you're using VPC endpoints, communication from your application to that service will traverse the internet.

AWS actively encourages you to encrypt communication where possible, although it is considered fine between the ELB and the target, assuming you have locked down network access.

The internal network of AWS is built for security, but this does not prevent someone gaining access to the network you've set up in AWS if there are any backdoors. By having HTTPS, at least you can ensure that traffic in between is encrypted in transit.
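To make the "encrypt it anyway" advice concrete, here is an added example in Python; it is not code from the answer above, from the question, or from the AWS tutorial. It builds the SQS queue attributes a practitioner would pass to boto3's `create_queue` or `set_queue_attributes`: server-side encryption with a KMS key at rest, plus a queue policy that lets the SNS topic deliver and denies any request that did not arrive over TLS (the `aws:SecureTransport` condition key). It then audits a queue's attributes, as returned by `get_queue_attributes`, for those two controls. The ARNs and the key alias are assumed placeholders, and the "weak" attributes dict is constructed to resemble a queue created with the tutorial's defaults.

```python
import json

# Assumed identifiers for the example (hypothetical, not from the original thread).
QUEUE_ARN = "arn:aws:sqs:eu-west-1:123456789012:orders-queue"
TOPIC_ARN = "arn:aws:sns:eu-west-1:123456789012:orders-topic"
KMS_KEY_ID = "alias/orders-data"  # a customer-managed KMS key, assumed to exist


def tls_only_queue_policy(queue_arn, topic_arn):
    """SQS queue policy: let one SNS topic deliver, and deny every action over plain HTTP.

    aws:SecureTransport is "false" for requests that did not arrive over TLS, so the
    explicit Deny closes the in-transit gap regardless of what any Allow grants.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowSnsTopicToSend",
                "Effect": "Allow",
                "Principal": {"Service": "sns.amazonaws.com"},
                "Action": "sqs:SendMessage",
                "Resource": queue_arn,
                "Condition": {"ArnEquals": {"aws:SourceArn": topic_arn}},
            },
            {
                "Sid": "DenyNonTls",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "sqs:*",
                "Resource": queue_arn,
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def hardened_queue_attributes(queue_arn, topic_arn, kms_key_id):
    """Attributes for sqs.create_queue(Attributes=...): SSE-KMS at rest plus the TLS-only policy."""
    return {
        "KmsMasterKeyId": kms_key_id,
        "KmsDataKeyReusePeriodSeconds": "300",
        "Policy": json.dumps(tls_only_queue_policy(queue_arn, topic_arn)),
    }


def audit_queue_attributes(attrs):
    """Findings for a dict shaped like sqs.get_queue_attributes()['Attributes']; empty means OK."""
    findings = []
    kms_key = attrs.get("KmsMasterKeyId", "")
    if not kms_key and attrs.get("SqsManagedSseEnabled", "false") != "true":
        findings.append("no server-side encryption at rest")
    if kms_key.endswith("alias/aws/sqs"):
        # The AWS-managed key's policy cannot be edited to grant SNS kms:GenerateDataKey/kms:Decrypt.
        findings.append("AWS-managed key alias/aws/sqs cannot be used for SNS delivery; use a customer-managed key")
    policy = attrs.get("Policy")
    if not policy:
        findings.append("no queue policy, so plain-HTTP access is not denied")
        return findings
    statements = json.loads(policy).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without the list
        statements = [statements]
    denies_plain_http = any(
        s.get("Effect") == "Deny"
        and str(s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport", "")).lower() == "false"
        for s in statements
    )
    if not denies_plain_http:
        findings.append("queue policy has no Deny statement on aws:SecureTransport=false")
    return findings


# Constructed sample: roughly what a queue created with the tutorial's defaults looks like
# (no SSE, no queue policy). Not captured from a real account.
WEAK_QUEUE_ATTRIBUTES = {"QueueArn": QUEUE_ARN, "SqsManagedSseEnabled": "false"}

if __name__ == "__main__":
    print("tutorial defaults:", audit_queue_attributes(WEAK_QUEUE_ATTRIBUTES))
    print("hardened:", audit_queue_attributes(hardened_queue_attributes(QUEUE_ARN, TOPIC_ARN, KMS_KEY_ID)))
```

The SNS topic has the same `KmsMasterKeyId` attribute (set via `set_topic_attributes`), so the topic side is encrypted at rest the same way, and its topic policy accepts the same `aws:SecureTransport` condition. The key has to be customer-managed: SNS needs `kms:GenerateDataKey` and `kms:Decrypt` in the key policy to deliver into an SSE queue, which the AWS-managed `alias/aws/sqs` key does not allow you to grant. The SDK calls to SNS and SQS already use HTTPS endpoints by default, so what the Deny adds is that a misconfigured client in the same account cannot quietly fall back to plain HTTP.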


2 Comments

Thank you for your response. You have written that someone could gain access to the network "you've set up in AWS", but it is not fully clear to me. 1. AWS doesn't use my network; it looks like it is their responsibility to build the network for SQS -> Lambda and so on. I don't create this network and have no relation to it. 2. Your answer has made clear to me that AWS could traverse the internet when processing SQS requests. But doesn't AWS think about building secure networking for their needs?
Yes, they are responsible for building their network; I was trying to imply that you are responsible for any parts of the VPCs in your account. The Lambda to SQS connection may use the AWS backbone for networking; however, if it was in a different region then it might differ (only AWS would know how they've set up their networking). AWS may well be using private networking to communicate with each service, but it's important to remember that each team is independent and requires communication and work to establish a private connection between services, so they may not all be private yet :(
