Ensure that Transport Layer Security (TLS) is enabled for all your Amazon App Mesh virtual gateways. An App Mesh virtual gateway allows resources that are outside of your mesh to communicate with resources that are inside of your mesh. The virtual gateway represents an Envoy proxy running within an Amazon ECS service, in a Kubernetes service, or on an Amazon EC2 instance.
The Transport Layer Security (TLS) protocol addresses network security issues such as tampering and eavesdropping between a client and a server. In Amazon App Mesh, TLS encrypts communication between the Envoy proxies deployed on compute resources that are represented in App Mesh by mesh endpoints, such as virtual gateways and virtual nodes. The proxy negotiates and terminates TLS. When the Envoy proxy is deployed with an application, your application code is not responsible for negotiating a TLS session; instead, the proxy negotiates TLS on your application's behalf. Note that a virtual gateway listener only enforces TLS when its TLS mode is STRICT: PERMISSIVE mode still accepts plaintext connections alongside TLS, and DISABLED (or no TLS configuration on the listener) means no TLS at all.
Audit
To determine if your Amazon App Mesh virtual gateways are configured to enforce TLS on their listeners (TLS mode set to STRICT rather than PERMISSIVE or DISABLED), perform the following actions:
Remediation / Resolution
To configure your Amazon App Mesh virtual gateways so that their listeners accept Transport Layer Security (TLS) connections only (listener TLS mode STRICT, with a certificate from ACM, a local file, or SDS), perform the following actions:
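The audit and remediation steps above both revolve around the `spec.listeners[].tls` block of a virtual gateway. The following is an added example, not code from the original page or from AWS: it evaluates the JSON that `aws appmesh describe-virtual-gateway --mesh-name <mesh> --virtual-gateway-name <gateway>` returns and builds the `--spec` document for `aws appmesh update-virtual-gateway`. The mesh name, gateway name, ports and certificate ARN in the sample are constructed placeholders, and the sample output is hand-written to resemble the CLI's response shape (one PERMISSIVE listener and one listener with no TLS block at all).

```python
import copy

# Constructed sample of `aws appmesh describe-virtual-gateway` output.
# Names, ports and the ACM ARN are placeholders, not real account data.
SAMPLE_DESCRIBE_OUTPUT = {
    "virtualGateway": {
        "meshName": "example-mesh",
        "virtualGatewayName": "ingress-gw",
        "spec": {
            "listeners": [
                {
                    # PERMISSIVE: TLS is offered, but plaintext is still accepted.
                    "portMapping": {"port": 443, "protocol": "http"},
                    "tls": {
                        "mode": "PERMISSIVE",
                        "certificate": {
                            "acm": {
                                "certificateArn": "arn:aws:acm:us-east-1:123456789012:"
                                "certificate/00000000-0000-0000-0000-000000000000"
                            }
                        },
                    },
                },
                {
                    # No tls block at all: the listener accepts plaintext only.
                    "portMapping": {"port": 8080, "protocol": "http"}
                },
            ]
        },
        "status": {"status": "ACTIVE"},
    }
}

# The only listener TLS mode that rejects plaintext connections.
ENFORCING_MODE = "STRICT"


def spec_tls_findings(spec):
    """Return one finding per listener in a virtual gateway spec that does
    not enforce TLS. A listener without a tls block is treated as DISABLED."""
    findings = []
    for index, listener in enumerate(spec.get("listeners", [])):
        tls = listener.get("tls") or {}
        mode = tls.get("mode", "DISABLED")
        if mode != ENFORCING_MODE:
            findings.append(
                {
                    "listener": index,
                    "port": listener["portMapping"]["port"],
                    "mode": mode,
                }
            )
    return findings


def listener_tls_findings(describe_output):
    """Audit helper: run spec_tls_findings over describe-virtual-gateway output."""
    return spec_tls_findings(describe_output["virtualGateway"]["spec"])


def is_compliant(describe_output):
    """True when every listener on the gateway has TLS mode STRICT."""
    return not listener_tls_findings(describe_output)


def strict_tls_spec(describe_output, default_certificate):
    """Remediation helper: build the full `spec` document for
    `aws appmesh update-virtual-gateway --spec file://spec.json`.

    update-virtual-gateway replaces the whole spec, so the existing spec
    (backendDefaults, logging, other listener settings) is copied and only
    the listener TLS settings are changed. Every listener is set to STRICT;
    listeners that already carry a certificate keep it, and listeners that
    have none receive `default_certificate`, e.g.
    {"acm": {"certificateArn": "..."}}, because STRICT requires one."""
    spec = copy.deepcopy(describe_output["virtualGateway"]["spec"])
    for listener in spec.get("listeners", []):
        tls = listener.setdefault("tls", {})
        tls["mode"] = ENFORCING_MODE
        tls.setdefault("certificate", copy.deepcopy(default_certificate))
    return spec


if __name__ == "__main__":
    import json

    for finding in listener_tls_findings(SAMPLE_DESCRIBE_OUTPUT):
        print("non-compliant listener:", finding)
    placeholder_cert = {
        "acm": {"certificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/placeholder"}
    }
    print(json.dumps(strict_tls_spec(SAMPLE_DESCRIBE_OUTPUT, placeholder_cert), indent=2))
```

Run the audit half against the real output of `describe-virtual-gateway` for each gateway returned by `list-meshes` and `list-virtual-gateways`; write the dictionary returned by `strict_tls_spec` to a file and pass it as `--spec file://spec.json` to `update-virtual-gateway`. Before applying STRICT, confirm that every client of the gateway already speaks TLS, since plaintext connections will be refused once the change is deployed.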
References
- AWS Documentation
- What Is AWS App Mesh?
- Virtual gateways
- Security in AWS App Mesh
- Transport Layer Security (TLS)
- AWS Command Line Interface (CLI) Documentation
- appmesh
- list-meshes
- list-virtual-gateways
- describe-virtual-gateway
- update-virtual-gateway
Enforce TLS for App Mesh Virtual Gateways
Risk Level: High