30

Say I have a few EC2 instances in an AWS VPC network, each assigned its own private address for the subnet at creation. Say one of them is a DB, and another one some kind of web app talking to the DB. The DB makes sure to authorize only a certain segment of IPs on that subnet.

How critical is it that the communication within this subnetwork is encrypted with SSL? If eavesdropping occurs then you should be able to see the password get transmitted over cleartext.

Assuming, for the sake of argument, that there aren't exploits in AWS, how possible is it to either eavesdrop on the communication to the database instance, or to even MITM it?

When you run your own physical datacenter, you can be relatively confident that your data won't be snooped on internally, but how does cloud hosting alter this approach? I imagine the trust levels are a lot lower.

glitch
  • 529
  • 4
  • 5

1 Answers1

25

Amazon claims that AWS VPC is "logically isolated" from the other AWS instances, and from the Internet. "Logically" means that it is done in software, not with dedicated hardware system. An AWS VPC can be connected to your VPN and it will use IPsec for that external connection, but this does not mean that internally IPsec is used. In fact, how the "isolation" is really enforced is not documented, so that's a big unknown.

Assuming that Amazon is not hostile to you (in which case you would be doomed anyway), and that furthermore they do their job properly, then your communications between your systems should be safe from eavesdropping or interception by third parties. However, you can botch it if your servers reference each other by name and you let your internal DNS be poisoned externally. I suggest you use explicit /etc/hosts files so that your servers may not be convinced to use wrong IP addresses, letting the data escape into the Wild Internet.

Using SSL anyway would make things easier if you decide, in the future, to migrate your servers into some other cloud provider, or if you cease to be so trustful in Amazon's competence against network attacks. After all, IT security is known to be hard.

Tom Leek
  • 170,038
  • 29
  • 342
  • 480
  • 7
    To add to this answer, I would recommend AWS's Route53 Private Zones to manage internal DNS that's isolated within a VPC, instead of using /etc/hosts, especially if you have more than a couple of servers. Ref: http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-private.html The cost ($0.50 per month) should be minimal to save time. – martian111 Sep 03 '15 at 08:12