
I see that ephemeral drives are now encrypted but is network communications between containers encrypted, say for HIPAA compliance. Looking specifically at Serverless Fargate with Kubernetes pods. A google of "fargate kubernetes network encryption" did not seem return relevant results, it was all about the ephemeral drives. If it is not, is there a way to do it?

Update:

I just found something that said you can set up a CNI but it wasn't 100% clear to me that that's possible with Fargate EKS.

xenoterracide

2 Answers


Container-to-container traffic is not encrypted by default in AWS ECS, Fargate or AWS EKS. Typically an add-on called a service mesh is responsible for this part of a cluster. The most famous service mesh implementation is Istio, but Amazon has its managed service, AWS App Mesh.

That said, a service mesh is an abstract name that does not mean much, so not all service mesh implementations have support for encrypted traffic.

I don't have extensive experience with AWS Fargate. But it looks like AWS App Mesh supports Fargate, and AWS App Mesh has support for Transport Layer Security and, in the preview channel, also mutual TLS authentication. This gives you both encrypted traffic and authentication, and you can typically configure authorization as well (e.g. what app is allowed to communicate with what app).

Jonas
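To make the TLS/mTLS point above concrete, here is an added example (not part of either answer and not taken from AWS documentation) of a VirtualNode for the App Mesh Kubernetes controller: the listener only accepts mutually authenticated TLS from clients presenting an allowed SAN, and the client policy refuses plaintext to backends. The service name, namespace, port and certificate paths are assumed placeholders; the certificates are expected to be mounted into the pod out of band.

```yaml
# Added example: App Mesh VirtualNode with mTLS enforced in both directions.
# Field names follow the appmesh.k8s.aws/v1beta2 CRD; values are placeholders.
apiVersion: appmesh.k8s.aws/v1beta2
kind: VirtualNode
metadata:
  name: payments            # placeholder service name
  namespace: phi-workloads  # placeholder namespace
spec:
  podSelector:
    matchLabels:
      app: payments
  listeners:
    - portMapping:
        port: 8080
        protocol: http
      tls:
        mode: STRICT        # PERMISSIVE would still accept plaintext; STRICT rejects it
        certificate:
          file:             # server cert/key mounted from a volume (placeholder paths)
            certificateChain: /certs/server/cert_chain.pem
            privateKey: /certs/server/key.pem
        validation:         # require and verify a client certificate (mTLS)
          trust:
            file:
              certificateChain: /certs/ca/ca_chain.pem
          subjectAlternativeNames:
            match:
              exact:        # coarse authorization: only this caller identity is accepted
                - orders.phi-workloads.svc.cluster.local
  backendDefaults:
    clientPolicy:
      tls:
        enforce: true       # never fall back to plaintext when calling backends
        ports: []           # empty list = applies to every backend port
        certificate:
          file:             # client cert/key presented to backends (placeholder paths)
            certificateChain: /certs/client/cert_chain.pem
            privateKey: /certs/client/key.pem
        validation:
          trust:
            file:
              certificateChain: /certs/ca/ca_chain.pem
  serviceDiscovery:
    dns:
      hostname: payments.phi-workloads.svc.cluster.local
```

A quick check that enforcement is working: a plain `curl http://payments:8080` from another pod in the mesh should be refused, and the Envoy sidecar's stats will show the connection counted under TLS rather than plaintext.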

AWS communications are generally not encrypted at the network level. I have a vague recollection there are a few exceptions for sound multi-region services. My understanding is container traffic is not encrypted at the network level.

The easiest option is usually application level encryption, but perhaps you need a VPN on each container? That's a bit of an overhead.

I believe many AWS services are PCI / HIPAA compliant. This page outlines compliance by service. ECS and EKS are currently HIPAA compliant but VPC is not, but VPC is PCI compliant, for example.

Tim
  • I just [found something](https://forums.aws.amazon.com/thread.jspa?messageID=971827) that said you can set up a CNI but it wasn't 100% clear to me that that's possible with Fargate EKS. https://docs.aws.amazon.com/eks/latest/userguide/cni-custom-network.html Any chance you know more? I've not actually used Fargate. – xenoterracide Feb 02 '21 at 19:02
  • Sorry, I don't know much about K8s, no idea what CNI is. I use Fargate ECS which works fine, encrypted disk but not encrypted networking. – Tim Feb 02 '21 at 19:51