
Amazon VPC

VPC Encryption Controls

Monitor and Enforce Encryption-in-Transit within and across VPCs in a region

What is VPC Encryption Controls?

VPC Encryption Controls is a security and compliance feature that gives you visibility into the encryption status of your traffic flows and the resources allowing cleartext traffic within your VPC and enables you to authoritatively enforce encryption in transit within and across your VPCs in a region.

VPC Encryption Controls uses both application-layer encryption and the built-in encryption-in-transit capability of AWS Nitro System hardware to ensure encryption enforcement. This feature also extends the native hardware-layer encryption beyond modern Nitro instances to other AWS services, including Fargate, Application Load Balancer, Transit Gateways and many others.

VPC Encryption Controls Modes

Monitor Mode: Monitor mode provides visibility into the encryption status of traffic flows between your AWS resources inside and across VPCs in a region. The encryption status of all traffic is monitored and logged using VPC Flow logs.

Enforce Mode: Enforce mode prevents the creation of resources inside the VPC that do not enforce encryption in transit. This applies to the creation of older EC2 instance types that don't support native built-in encryption. It also applies to internet gateways, virtual private gateways and NAT gateways: these resources route your traffic outside AWS boundaries, and you are responsible for ensuring encryption there. To run these services in your encryption-enforced VPCs, you must create resource exclusions (exclusions are only available for certain resource types).

Benefits of Amazon VPC Encryption Controls

  • Monitor the encryption status of VPC traffic flows and track resources allowing plaintext traffic through a single interface.
  • Enable strict encryption requirements within and across VPCs to ensure all traffic is encrypted in transit across services and resources.

  • One Click Setup
  • Enables native encryption transparently on several services
  • Simplifies encryption management across your AWS environment

  • Generate comprehensive reports for audits.
  • Detailed logs and reports of encryption status help maintain regulatory compliance standards.
