pr-ds-2 critical Protect / Data Security

The confidentiality, integrity, and availability of data-in-transit are protected

Data moving between a browser and your server, between microservices, or between your systems and third-party APIs can be intercepted if transmitted without encryption. TLS is the baseline control. Failing to enforce it, or using outdated versions with known weaknesses, exposes sensitive data to network-level attackers.

Estimated effort: 4h
tls, encryption, data-in-transit, certificates

Implementation steps

  1. Enforce TLS on all public-facing endpoints

     Every public API, web application, and service endpoint must use HTTPS. Redirect HTTP to HTTPS automatically. Use a modern TLS version (1.2 minimum, 1.3 preferred). Obtain certificates from a trusted CA and set up auto-renewal.

     lets-encrypt, certbot, aws-acm, cloudflare

  2. Enforce TLS for all internal service-to-service communication

     Internal traffic between microservices, databases, and internal APIs should also be encrypted. Use a service mesh or mutual TLS (mTLS) for zero-trust internal communication. Do not assume internal network traffic is safe.

     istio, linkerd, consul, certmanager

  3. Disable weak cipher suites and old TLS versions

     Remove support for TLS 1.0 and 1.1, SSL 2 and 3, and weak cipher suites like RC4 and 3DES. Configure your load balancers, web servers, and API gateways to only negotiate modern, strong ciphers.

     aws-alb, cloudflare, nginx, haproxy

  4. Scan for certificate expiry and misconfigurations

     Run regular scans to detect expiring certificates, self-signed certificates on production endpoints, or misconfigured TLS settings. Automate certificate renewal so expired certificates cannot cause outages or degrade security.

     ssl-labs, certspotter, aws-acm, datadog
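As an added example for steps 3 and 4 (not part of the rubric or any listed tool), the checker below connects to an endpoint with a verifying TLS context and flags the conditions the steps name: a deprecated protocol or weak cipher suite negotiated, a certificate that is expired or close to expiry, and an untrusted (for example self-signed) certificate that fails the handshake. The function names `evaluate` and `scan` and the 30-day warning window are assumptions.

```python
"""Check one TLS endpoint against the pr-ds-2 implementation steps.
evaluate() judges the negotiated parameters; scan() gathers them live."""
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Protocols step 3 says to remove (names as reported by ssl.SSLSocket.version()).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings that mark cipher suites step 3 says to drop (RC4, 3DES) plus
# other legacy constructions no modern endpoint should offer.
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC3", "NULL", "EXPORT", "MD5")


def evaluate(protocol: str, cipher: str, not_after: datetime,
             now: datetime, warn_days: int = 30) -> list[str]:
    """Return a list of findings; an empty list means the endpoint passes."""
    findings = []
    if protocol in DEPRECATED_PROTOCOLS:
        findings.append(f"deprecated protocol negotiated: {protocol}")
    if any(marker in cipher.upper() for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher suite negotiated: {cipher}")
    remaining = not_after - now
    if remaining <= timedelta(0):
        findings.append("certificate expired")
    elif remaining < timedelta(days=warn_days):  # step 4: catch expiry before it bites
        findings.append(f"certificate expires in {remaining.days} days")
    return findings


def scan(host: str, port: int = 443) -> list[str]:
    """Handshake with default (verifying) settings and evaluate the result.
    A self-signed or otherwise untrusted certificate fails verification,
    which the rubric treats as a misconfiguration on a production endpoint."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                not_after = datetime.fromtimestamp(
                    ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
                return evaluate(tls.version(), tls.cipher()[0], not_after,
                                datetime.now(timezone.utc))
    except ssl.SSLCertVerificationError as exc:
        return [f"certificate not trusted: {exc}"]


if __name__ == "__main__":
    import sys
    print(scan(sys.argv[1]) or ["pass"])
```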

Evidence required

TLS configuration evidence

Evidence that all public endpoints use TLS with modern versions and cipher suites.

  • SSL Labs scan results showing A or A+ rating for public domains
  • Load balancer TLS policy configuration screenshot
  • Cloudflare SSL/TLS configuration showing minimum TLS version

Internal encryption configuration

Evidence that internal service-to-service communication is encrypted.

  • Service mesh mTLS configuration (Istio, Linkerd)
  • Database connection string or configuration showing SSL required
  • VPN or private link configuration for internal traffic

Certificate management process

Evidence of automated certificate renewal and monitoring for expiry.

  • AWS ACM managed certificate list showing auto-renewal
  • Certbot renewal cron job or systemd timer configuration
  • Certificate monitoring alert configuration

Related controls