
End to end encryption (E2EE) with AWS Fargate

Are you running on AWS Fargate, required to provide end-to-end encryption (E2EE), but terminating TLS on the load balancer? Once TLS ends at the load balancer, the hop from the load balancer to the container travels in plaintext, so the traffic is not encrypted end to end.
Perhaps you are instead using a self-signed certificate and its private key on the container, stored in your code repository alongside your Dockerfile and infrastructure code, with the certificate and key being copied into the container when it is spun up.


While this may seem like a quick and easy way to meet the compliance requirement, it's not ideal for a number of reasons:

  1. Every new instance of the container shares the same private key, so a breach of a single container compromises TLS for all of them and forces a fleet-wide replacement.
  2. Storing sensitive material such as passwords or private keys in a repository is not a recommended practice; anyone with read access to the repo, or to its history, holds the key.

There's a better solution. Instead of shipping one certificate to all containers, use a bit of bash to create a new self-signed certificate and private key on the container each time a container instance starts, for example in the container's entrypoint script.

Example:

openssl req -nodes -x509 -newkey rsa:2048 -keyout ./src/key.pem -out ./src/cert.pem -days 365 -subj "/C=GB/ST=YourRegionName/L=CityName/O=CompanyName/OU=UnitName/CN=localhost"
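The following is an added example of how that one-liner can be wrapped into a container entrypoint; it is not a script from the original page. It assumes a hypothetical entrypoint that writes the key and certificate to a runtime directory (here /run/tls) rather than the repo or image, keeps the private key readable only by the owner, checks that the generated key and certificate actually match, and then hands over to the application with `exec`. The directory, the common name and the application command are all illustrative.

```shell
#!/bin/sh
# Added example (not the original page's script): generate a fresh
# self-signed key/cert on every container start, then exec the app.
set -eu

# generate_cert DIR [CN] [DAYS]
# Writes DIR/key.pem (mode 0600) and DIR/cert.pem (mode 0644).
# Nothing is read from the repository or the image; everything is created now.
generate_cert() {
    dir=$1
    cn=${2:-localhost}
    days=${3:-365}
    mkdir -p "$dir"
    # umask 077 inside a subshell so the private key is never world-readable,
    # not even for the instant between creation and chmod.
    (umask 077 && openssl req -nodes -x509 -newkey rsa:2048 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" -days "$days" \
        -subj "/C=GB/ST=YourRegionName/L=CityName/O=CompanyName/OU=UnitName/CN=$cn" \
        >/dev/null 2>&1)
    # The certificate is public; the key stays at 0600.
    chmod 644 "$dir/cert.pem"
}

# cert_is_valid DIR
# Returns 0 only if cert.pem parses and its public modulus matches key.pem,
# i.e. the pair the app is about to serve really belongs together.
cert_is_valid() {
    dir=$1
    cert_mod=$(openssl x509 -noout -modulus -in "$dir/cert.pem") || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$dir/key.pem") || return 1
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# main: the actual entrypoint logic. TLS_DIR and TLS_CN are hypothetical
# environment variables; the trailing arguments are the application command.
main() {
    tls_dir=${TLS_DIR:-/run/tls}
    generate_cert "$tls_dir" "${TLS_CN:-localhost}" 365
    cert_is_valid "$tls_dir" || { echo "generated TLS material is inconsistent" >&2; exit 1; }
    # Replace the shell with the application so it becomes PID 1 and
    # receives signals directly; it reads $tls_dir/key.pem and cert.pem.
    exec "$@"
}

# Only act as an entrypoint when explicitly asked to, so the functions
# above can also be sourced and tested on their own.
if [ "${RUN_ENTRYPOINT:-0}" = "1" ]; then
    main "$@"
fi
```

In a Dockerfile this would be used as the ENTRYPOINT with `RUN_ENTRYPOINT=1` set in the environment and the application command as CMD. Because the key is created after the container starts, it never exists in a git history or an image layer, and because each start creates a new one, no two containers ever share a private key.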

Benefits of this method:

  • The certificate and its private key exist only for the life of the container instance.
  • No certificate or private key is stored in the repo.
  • Each container has a unique key, so if one is compromised only that container is affected and there is no fleet-wide replacement.
  • All the above mean less maintenance whilst remaining compliant with your organisation's E2EE policy.

This works with an Application Load Balancer because, for HTTPS target groups, the load balancer encrypts the connection to the target but does not validate the target's certificate, so a self-signed certificate with a freshly generated key per container is accepted. The certificate still needs to be present when the application starts listening, so generate it in the entrypoint before the application process is launched.