2018 AWS sys op: offload ssl certs

OK, I am confused:  
If I put the SSL cert in the load balancer, is the traffic going from the load balancer to the EC2 instance unencrypted?

Big "IF" I have another EC2 instance,
and "IF" that was compromised,
and "IF" someone got Wireshark running on that instance,
would the packets in Wireshark be encrypted?

Yes, there are bigger issues, but my infosec guy is going to go there.
  • Adrian C
    10-05-2018

    If you use SSL offload, yes, the SSL connection is terminated on the load balancer and the connection between the LB and EC2 is unencrypted. Using Wireshark on the exploited instance, they would see plaintext data unless you utilised something like field level encryption (google it & CloudFront).

  • Adrian C
    10-05-2018

    You can use SSL between the LB and EC2, but that's not 'offloading' and you don't get the benefit of offloading (reduced CPU on instances & easier management).

  • Peter C
    10-05-2018

    So I know the unencrypted traffic would not exist outside of my VPC. If I have an internet gateway sending traffic to an ELB (offloading SSL) and route the requests to two EC2 web app servers on different private subnets:

    Can Wireshark in one subnet see the LB traffic for the other subnet?

  • Adrian C
    10-05-2018

    A Wireshark install on an EC2 instance can only see traffic destined TO / FROM that EC2 instance. The network interfaces on EC2 cannot function in a true promiscuous mode; they only see traffic where they are the SRC/DEST. So Wireshark cannot see traffic in its own subnet, never mind another.
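The replies above draw the line between offloading (HTTPS listener, plaintext HTTP to the instances) and re-encrypting to the backend (HTTPS target group). The following is an added audit script, not code from the thread or from AWS, that flags listeners doing the former. It works on dictionaries shaped like the output of `aws elbv2 describe-listeners` and `aws elbv2 describe-target-groups`; the ARNs below are constructed samples, and fetching the real data via boto3 is left to the reader so the script runs offline.

```python
"""Flag load balancer listeners that terminate TLS and forward in plaintext."""
from typing import Dict, List

# Constructed sample data in the shape of `aws elbv2 describe-listeners`
# (not real account data). The first listener offloads TLS to an HTTP target
# group, the second re-encrypts to an HTTPS target group, the third is a
# plain HTTP redirect listener and never sees TLS at all.
LISTENERS = [
    {"ListenerArn": "arn:aws:elasticloadbalancing:eu-west-1:111111111111:listener/app/web/abc/1",
     "Port": 443, "Protocol": "HTTPS",
     "DefaultActions": [{"Type": "forward",
                         "TargetGroupArn": "arn:aws:elasticloadbalancing:eu-west-1:111111111111:targetgroup/web-http/1"}]},
    {"ListenerArn": "arn:aws:elasticloadbalancing:eu-west-1:111111111111:listener/app/web/abc/2",
     "Port": 8443, "Protocol": "HTTPS",
     "DefaultActions": [{"Type": "forward", "ForwardConfig": {"TargetGroups": [
         {"TargetGroupArn": "arn:aws:elasticloadbalancing:eu-west-1:111111111111:targetgroup/api-https/1",
          "Weight": 1}]}}]},
    {"ListenerArn": "arn:aws:elasticloadbalancing:eu-west-1:111111111111:listener/app/web/abc/3",
     "Port": 80, "Protocol": "HTTP",
     "DefaultActions": [{"Type": "redirect",
                         "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]},
]

# Constructed sample in the shape of `aws elbv2 describe-target-groups`.
TARGET_GROUPS = [
    {"TargetGroupArn": "arn:aws:elasticloadbalancing:eu-west-1:111111111111:targetgroup/web-http/1",
     "Protocol": "HTTP", "Port": 80},
    {"TargetGroupArn": "arn:aws:elasticloadbalancing:eu-west-1:111111111111:targetgroup/api-https/1",
     "Protocol": "HTTPS", "Port": 443},
]


def forwarded_target_groups(listener: Dict) -> List[str]:
    """Return every target group ARN a listener's default actions forward to.

    Handles both the single-target form (TargetGroupArn on the action) and the
    weighted form (ForwardConfig.TargetGroups); redirects and fixed responses
    forward nowhere and are skipped.
    """
    arns: List[str] = []
    for action in listener.get("DefaultActions", []):
        if action.get("Type") != "forward":
            continue
        if "TargetGroupArn" in action:
            arns.append(action["TargetGroupArn"])
        for tg in action.get("ForwardConfig", {}).get("TargetGroups", []):
            arns.append(tg["TargetGroupArn"])
    return arns


def plaintext_backends(listeners: List[Dict], target_groups: List[Dict]) -> List[Dict]:
    """Find TLS-terminating listeners (HTTPS on ALB, TLS on NLB) whose target
    group speaks plaintext (HTTP / TCP): the LB-to-instance hop is unencrypted."""
    by_arn = {tg["TargetGroupArn"]: tg for tg in target_groups}
    findings = []
    for lsn in listeners:
        if lsn.get("Protocol") not in ("HTTPS", "TLS"):
            continue  # no TLS terminated here, nothing to offload
        for arn in forwarded_target_groups(lsn):
            tg = by_arn[arn]
            if tg["Protocol"] in ("HTTP", "TCP"):
                findings.append({"listener": lsn["ListenerArn"], "target_group": arn,
                                 "backend_protocol": tg["Protocol"], "backend_port": tg["Port"]})
    return findings


if __name__ == "__main__":
    for f in plaintext_backends(LISTENERS, TARGET_GROUPS):
        print(f"offloaded: {f['listener']} -> {f['target_group']} "
              f"({f['backend_protocol']}:{f['backend_port']})")
```

A listener that appears in the output is exactly the case the thread describes: the certificate lives on the LB and an instance on the same path receives, and can capture, the request in the clear.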
