AWS has recently introduced VPC encryption controls, allowing customers to validate whether traffic within and between VPCs is encrypted and to require encryption where supported. The feature provides visibility into unencrypted traffic, supports enforcement using compatible Nitro-based infrastructure, and allows exclusions for resources that cannot encrypt traffic.
According to the cloud provider, the new feature helps organizations apply consistent encryption standards across their AWS environments and demonstrate compliance with regulatory frameworks such as HIPAA, PCI DSS, and FedRAMP, which require data to be encrypted in transit. Sébastien Stormacq, principal developer advocate at AWS, explains:
Organizations across financial services, healthcare, government, and retail face significant operational complexity in maintaining encryption compliance across their cloud infrastructure. Traditional approaches require piecing together multiple solutions and managing complex public key infrastructure (PKI), while manually tracking encryption across different network paths using spreadsheets.
While the community reaction has been mostly positive, many initially expressed confusion about the pricing approach or questioned why a security control should be paid for at all. User kei_ichi writes:
That feature should be enabled by default and free.
Administrators can enable the feature for existing VPCs to monitor the encryption status of traffic flows and identify VPC resources that unintentionally allow plaintext traffic. Chris Farris, cloud security consultant and AWS Security Hero, writes in his re:Invent recap:
Let’s start with why you should avoid this – $110 per month per non-empty VPC. This is absolutely worth it if you need “To meet stringent compliance standards like HIPAA and PCI DSS” and “demonstrate compliance with encryption standards.”
VPC encryption controls are available in two operational modes: monitor and enforce. Monitor mode only reports the encryption status of traffic. Once enforce mode is activated, new resources can be created only on compatible Nitro instances, and traffic that is not encrypted in transit is dropped rather than merely logged.
Source: AWS blog
Administrators can enable enforce mode only after all resources are migrated to encryption-compliant infrastructure. Farris notes:
You cannot enable enforce mode if you have non-encrypted-in-transit resources in your VPC. The migration effort here will be great, but if your auditors are making you do the work by hand, this is worth the cost.
Moving to enforce mode therefore requires first migrating workloads to supported hardware and encrypted communication protocols. Specific exclusions can be configured for resources such as internet gateways or NAT gateways, whose traffic leaves the AWS network and therefore cannot be covered by this encryption. In the “Understanding VPC Encryption in Transit for Modern Cloud Security” article, Anish Kumar adds:
For your cloud security posture, you can answer the question: “Is all traffic in my VPC estate encrypted in transit?” with confidence and evidence. And from a compliance audit perspective, you can show the encryption-status in your flow logs and exclusions list.
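The practical workflow the article describes is: run monitor mode, read the encryption status out of VPC Flow Logs, build the list of resources that still send plaintext, then fix or exclude them before switching to enforce mode. The script below is an added illustration of that check and is not code from AWS or from any of the authors quoted above. It assumes a custom flow-log format in which an encryption status field is appended after the default fields; the field name `encryption-status` and the values `encrypted`, `unencrypted` and `not-applicable` are assumptions, and the log records are constructed for the example.

```python
"""Summarize unencrypted flows from VPC Flow Logs before enabling enforce mode.

Added example, not part of the original article or AWS documentation.
Assumptions: a custom flow-log format ending in an encryption status field
named "encryption-status" with values "encrypted", "unencrypted" or
"not-applicable"; the records in SAMPLE_LOG are constructed, not captured.
"""
from collections import defaultdict

# Field order as declared when the flow log was created (custom format).
FIELDS = ["version", "account-id", "interface-id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes", "start",
          "end", "action", "log-status", "encryption-status"]

# Constructed sample: one encrypted flow, two plaintext MySQL flows from the
# same ENI, one flow leaving via an excluded gateway, one NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.10 10.0.2.20 44312 443 6 12 4000 1700000000 1700000060 ACCEPT OK encrypted
2 123456789012 eni-0a1b2c3d4e5f60002 10.0.1.11 10.0.2.21 51002 3306 6 30 9200 1700000000 1700000060 ACCEPT OK unencrypted
2 123456789012 eni-0a1b2c3d4e5f60002 10.0.1.11 10.0.2.21 51003 3306 6 15 4100 1700000060 1700000120 ACCEPT OK unencrypted
2 123456789012 eni-0a1b2c3d4e5f60003 10.0.1.12 203.0.113.5 39000 80 6 5 800 1700000000 1700000060 ACCEPT OK not-applicable
2 123456789012 eni-0a1b2c3d4e5f60004 10.0.1.13 10.0.2.22 - - - 0 0 1700000000 1700000060 - NODATA -
"""


def parse_flow_log(text, fields=FIELDS):
    """Parse space-separated flow-log records into dicts keyed by field name.

    Records whose log-status is not OK (NODATA, SKIPDATA) carry no flow
    information and are dropped; lines with the wrong field count are
    ignored rather than mis-parsed.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(fields):
            continue
        rec = dict(zip(fields, parts))
        if rec["log-status"] != "OK":
            continue
        records.append(rec)
    return records


def unencrypted_by_interface(records):
    """Aggregate plaintext flows per ENI: flow count, bytes and destinations.

    The result is the remediation list: each ENI either needs to move to a
    compatible Nitro instance / encrypted protocol, or be covered by an
    exclusion, before enforce mode can be turned on.
    """
    summary = defaultdict(lambda: {"flows": 0, "bytes": 0, "destinations": set()})
    for r in records:
        if r["encryption-status"] != "unencrypted":
            continue
        s = summary[r["interface-id"]]
        s["flows"] += 1
        s["bytes"] += int(r["bytes"])
        s["destinations"].add((r["dstaddr"], r["dstport"], r["protocol"]))
    return dict(summary)


def enforce_ready(records):
    """True when no accepted flow was unencrypted.

    "not-applicable" flows (traffic leaving through an excluded internet or
    NAT gateway) are intentionally not counted as blockers.
    """
    return not any(r["encryption-status"] == "unencrypted" for r in records)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    for eni, s in sorted(unencrypted_by_interface(recs).items()):
        print(f"{eni}: {s['flows']} plaintext flows, {s['bytes']} bytes -> {sorted(s['destinations'])}")
    print("safe to enable enforce mode:", enforce_ready(recs))
```

Run against a real export, the per-ENI destinations (here a database listener on port 3306) tell you which application paths still need an encrypted protocol or a migration to compatible instances, and `enforce_ready` is the gate to check before flipping the mode; the exclusion list for gateways is separate, which is why gateway traffic is not treated as a blocker here.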
The new feature is currently available in a subset of AWS regions, including Northern Virginia, Ireland, London, and Singapore. VPC encryption controls will be free to use until March 1, after which a fixed hourly fee will apply for each non-empty VPC, starting at 0.15 USD per hour, roughly 110 USD for a 730-hour month, which is the figure Farris cites.
