
Trying Out AWS VPC Encryption Control

1. Introduction

  • While reviewing recent AWS feature updates, I came across an article about "VPC Encryption Control." It was released in November 2025 and is set to become a paid feature starting March 2026.

  • I was curious about how exactly it "enforces" encryption, so I decided to test its behavior myself.

2. What is VPC Encryption Control? (My Understanding)

  • Initially, I wondered: "Does this mean all traffic within the VPC must be encrypted? Will it detect if I'm using SSH/HTTPS (OK) versus Telnet/HTTP (NG) by inspecting packets?"

  • As it turns out, that’s not quite how it works. Instead, it monitors or enforces whether resources within the VPC are using Nitro-based EC2 instances or RDS that support transparent encryption at the AWS infrastructure layer.

3. What I Did

  • Created a VPC with VPC Encryption Control enabled (Monitor mode).
  • Set up VPC Flow Logs with specific fields required to identify whether traffic is encrypted.
  • Verified how the following traffic patterns are judged by Encryption Control:

| # | SRC | DST | Protocol |
|---|-----|-----|----------|
| 1 | Local PC | nginx (t3.micro) | http |
| 2 | Local PC | nginx (m7i.large) | http |
| 3 | Local PC | nginx (t3.micro) | https |
| 4 | Local PC | nginx (m7i.large) | https |
| 5 | in-VPC curl client (t3.micro) | nginx (t3.micro) | http |
| 6 | in-VPC curl client (m7i.large) | nginx (m7i.large) | http |
| 7 | in-VPC curl client (t3.micro) | nginx (t3.micro) | https |
| 8 | in-VPC curl client (m7i.large) | nginx (m7i.large) | https |

  • Switched the VPC Encryption Control mode to Enforce mode.

4. Architecture Diagram

(architecture diagram image)

5. Procedure

5.1 Creating a VPC with Encryption Control

  • Create a VPC with VPC Encryption Control enabled (start with Monitor mode). This can be specified simply during the VPC creation process.

  • Confirm that the created VPC has an Encryption Control ID and is set to Monitor mode.

5.2 Creating Test Instances

  • Launch two instances with nginx installed (t3.micro and m7i.large).
  • Configure nginx with a server certificate so that it accepts HTTPS (Reference: "Automatic SSL Certificate Renewal on EC2 using ACM Exported Certificates" (in Japanese)).

  • Launch two instances for the curl client (t3.micro and m7i.large).

  • Note: Not all Nitro-based instances support automatic encryption. There is a specific list of supported instance types. For example, while t3 is Nitro-based, it is not supported for this feature.

5.3 Creating VPC Flow Logs

  • To determine if the traffic is judged as "encrypted," configure VPC Flow Logs using a custom format that includes the ${encryption-status} field.


5.4 Test Traffic and Results

Run curl from the local PC and the in-VPC instances to the nginx servers.
Example commands:

```shell
curl http://x.x.x.x
curl -k https://x.x.x.x   # -k skips certificate validation when accessing via IP
```

  • Results for the encryption-status field:
    • 0: Not encrypted at the infrastructure layer.
    • 1: Encrypted by the Nitro hardware.

| # | SRC | DST | Protocol | Result |
|---|-----|-----|----------|--------|
| 1 | Local PC | nginx (t3.micro) | http | 0 |
| 2 | Local PC | nginx (m7i.large) | http | 0 |
| 3 | Local PC | nginx (t3.micro) | https | 0 |
| 4 | Local PC | nginx (m7i.large) | https | 0 |
| 5 | in-VPC curl client (t3.micro) | nginx (t3.micro) | http | 0 |
| 6 | in-VPC curl client (m7i.large) | nginx (m7i.large) | http | 1 |
| 7 | in-VPC curl client (t3.micro) | nginx (t3.micro) | https | 0 |
| 8 | in-VPC curl client (m7i.large) | nginx (m7i.large) | https | 1 |

  • Key Takeaway:
    • Only traffic between two supported Nitro instances is flagged as 1.
    • Even if you use HTTPS, if the underlying infrastructure doesn't support the Nitro-level encryption, the VPC Encryption Control check does not consider it "encrypted."
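As an added example that is not part of the original post, the script below builds the custom VPC Flow Log format string that carries `${encryption-status}` (the setup from section 5.3) and parses records written in that format to reproduce the per-flow verdicts of section 5.4. It runs offline over constructed sample lines that mirror the eight test flows; the interface ids and IP addresses in them are placeholders, the field names are the standard flow log custom-format names, and the meaning of the 0/1 values follows the post.

```python
"""Parse VPC Flow Log records in a custom format containing encryption-status
and summarise which flows the Nitro layer actually encrypted.

Added example (not code from the original post). The sample records are
constructed; interface ids and addresses are placeholders.
"""
from collections import Counter

# Custom format passed when creating the flow log; its order defines the columns.
LOG_FORMAT = (
    "${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} "
    "${protocol} ${action} ${log-status} ${encryption-status}"
)

# Meaning of the encryption-status values as observed in the post.
ENCRYPTION_STATUS = {
    "0": "not encrypted at the infrastructure layer",
    "1": "encrypted by the Nitro hardware",
}


def fields_from_format(fmt: str = LOG_FORMAT) -> list[str]:
    """'${a} ${b}' -> ['a', 'b']: the column names of each record, in order."""
    return [tok[2:-1] for tok in fmt.split()
            if tok.startswith("${") and tok.endswith("}")]


def parse_record(line: str, fmt: str = LOG_FORMAT) -> dict[str, str]:
    """Split one space-separated record into a field-name -> value dict."""
    names = fields_from_format(fmt)
    values = line.split()
    if len(values) != len(names):
        raise ValueError(f"expected {len(names)} fields, got {len(values)}: {line!r}")
    return dict(zip(names, values))


def parse_log(text: str, fmt: str = LOG_FORMAT) -> list[dict[str, str]]:
    """Parse every non-empty line, keeping only log-status OK records
    (NODATA / SKIPDATA records describe no flow and carry '-' values)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line, fmt)
        if rec["log-status"] == "OK":
            records.append(rec)
    return records


def summarize(records: list[dict[str, str]]) -> dict[str, int]:
    """Number of flows per encryption-status value."""
    return dict(Counter(r["encryption-status"] for r in records))


def unencrypted_flows(records: list[dict[str, str]]) -> list[tuple[str, str, str]]:
    """(srcaddr, dstaddr, dstport) of each flow the Nitro layer did not encrypt;
    these are the flows to look at before switching the VPC to Enforce mode."""
    return [(r["srcaddr"], r["dstaddr"], r["dstport"])
            for r in records if r["encryption-status"] == "0"]


def tls_but_unencrypted(records: list[dict[str, str]]) -> list[tuple[str, str]]:
    """HTTPS flows (dstport 443) still reported as 0: application-layer TLS does
    not count as 'encrypted' for VPC Encryption Control."""
    return [(r["srcaddr"], r["dstaddr"]) for r in records
            if r["dstport"] == "443" and r["encryption-status"] == "0"]


# Constructed sample records mirroring the post's eight flows (columns follow
# LOG_FORMAT; protocol 6 = TCP). Placeholder addresses:
#   203.0.113.10 = local PC, 10.0.1.10 = nginx (t3.micro), 10.0.1.20 = nginx (m7i.large),
#   10.0.2.10 = curl client (t3.micro), 10.0.2.20 = curl client (m7i.large).
# The last line is a NODATA record, which parse_log() drops.
SAMPLE_LOG = """\
eni-t3nginx 203.0.113.10 10.0.1.10 51000 80 6 ACCEPT OK 0
eni-m7nginx 203.0.113.10 10.0.1.20 51001 80 6 ACCEPT OK 0
eni-t3nginx 203.0.113.10 10.0.1.10 51002 443 6 ACCEPT OK 0
eni-m7nginx 203.0.113.10 10.0.1.20 51003 443 6 ACCEPT OK 0
eni-t3nginx 10.0.2.10 10.0.1.10 40000 80 6 ACCEPT OK 0
eni-m7nginx 10.0.2.20 10.0.1.20 40001 80 6 ACCEPT OK 1
eni-t3nginx 10.0.2.10 10.0.1.10 40002 443 6 ACCEPT OK 0
eni-m7nginx 10.0.2.20 10.0.1.20 40003 443 6 ACCEPT OK 1
eni-t3nginx - - - - - - NODATA -
"""


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for status, count in sorted(summarize(recs).items()):
        print(f"encryption-status {status} ({ENCRYPTION_STATUS[status]}): {count} flows")
    print("HTTPS flows still reported as 0:", tls_but_unencrypted(recs))
    print("flows not encrypted at the infrastructure layer:", unencrypted_flows(recs))
```

The parser is positional, so the format string used at `create-flow-logs` time and the one given to `parse_log()` must match exactly; the same `LOG_FORMAT` value can be passed as the `LogFormat` parameter when the flow log is created. Over the sample data only the two m7i-to-m7i flows come back as 1, and three of the four HTTPS flows are still 0, which is the point of the key takeaway above.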

5.5 Switching to Enforce Mode

  • To switch to Enforce mode, you must address any non-compliant resources. This includes the Internet Gateway and any non-compatible ENIs (like those belonging to the t3.micro).

  • By upgrading instances to m7i.large and setting exclusion rules for the Internet Gateway, you can successfully enable Enforce mode.

6. Reference Articles

  • Official AWS Blog, which gives a solid overview of the feature (in Japanese): https://aws.amazon.com/jp/blogs/news/introducing-vpc-encryption-controls-enforce-encryption-in-transit-within-and-across-vpcs-in-a-region/

  • Deep Dive Verification, an article exploring what happens when you switch from Monitor to Enforce mode (in Japanese): https://persol-serverworks.co.jp/blog/vpc/vpcvpc.html

7. Final Thoughts

  • While I don't see myself using this for my current systems anytime soon, I was impressed by the Nitro system's ability to transparently encrypt all inter-instance traffic. It's a powerful tool for high-compliance environments.
