AWS Step-by-Step
Getting Started with VPC Encryption Enforcement, Part 1
Given today's regulatory climate, it is becoming increasingly important to ensure that networks handling sensitive data are encrypted at every level. In the past, ensuring the encryption of all resources within an AWS VPC (Virtual Private Cloud) was challenging, particularly as the VPC scales. The reason for this is that each resource had to be encrypted individually, and there was no mechanism for overseeing the encryption process.
Recently, however, Amazon introduced a new feature called an encryption control that can make it much easier to ensure that all of your VPC's network traffic is being encrypted. The first thing that you need to know about VPC encryption controls is that they do not actually encrypt network traffic. You still have to handle encryption in the same way that you always have in the past. That does not mean encryption controls are pointless, though. On the contrary, there are at least four ways in which encryption controls can be beneficial to you.
The first thing that encryption controls do for you is that they identify any resources within your VPC that are not configured to encrypt network traffic. This can be super helpful if you have concerns that some resources within a VPC might be violating your compliance mandates.
A second way in which encryption controls are beneficial is that they allow for policy-based enforcement of network traffic encryption. In other words, encryption controls provide a setting that, when enabled, requires all network traffic within the VPC to be encrypted. Remember, the encryption controls do not actually encrypt the traffic. They simply ensure that if someone modifies a resource in a way that disables encryption, that resource will not be allowed to communicate within the VPC unless it happens to appear on an exceptions list.
The third thing that encryption controls do for you is that they can be used to ensure that no unencrypted resources are created within the VPC. That way, you don't have to worry about someone adding an unencrypted resource to the VPC later on.
Finally, the fourth way that encryption controls can benefit you is by simplifying compliance audits. A centralized console makes it easy to prove to auditors that all of the resources within a VPC are encrypting network traffic.
So now that I have talked a bit about what encryption controls are and how they can be beneficial to an organization, I want to take some time to discuss a few things that you need to know before you begin implementing encryption controls in your own environment.
The first thing that you need to know about encryption controls is that there is a cost associated with them. This cost is over and above the cost associated with normal VPC operations. The cost varies by region, but as of the time of writing, the cost in the US East region was $0.15 per hour. The full pricing details are here. Interestingly, Amazon is making encryption controls available for free during an introductory period that ends Feb. 28, 2026.
The next thing that you need to know about encryption controls is that these controls can operate in two different modes. The first option is called Monitor Mode. Monitor Mode is useful for identifying resources that are not currently configured to encrypt network traffic.
The other mode is called Enforce Mode. Enforce Mode requires all network traffic within the VPC to be encrypted. If a resource is modified in a way that removes network traffic encryption, then that resource will not be able to communicate within the VPC. Similarly, Enforce Mode prevents any new resources from being created within the VPC unless those resources are configured to encrypt network traffic. Because Enforce Mode has the potential to disrupt communications within a VPC, Amazon recommends that you initially use Monitor Mode and only switch to Enforce Mode once you are sure that the resources within your VPC are properly configured.
The last thing that I wanted to mention is that Amazon provides an exceptions list. If you have a resource for which encryption simply cannot be enabled for some reason, you can add it to the exceptions list, which allows that resource to continue to be used within the VPC. It is worth noting, however, that you can't create an exception for every resource type.
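To make the difference between the two modes and the exceptions list concrete, here is a small Python model of the behavior described above. It is an added illustration, not the AWS API and not code from the article: it calls no AWS service, and the resource records, the set of resource types assumed to be eligible for the exceptions list, and the pre-flight check are all assumptions made for the example. The pre-flight check is the sort of thing you would want to run before switching from Monitor Mode to Enforce Mode.

```python
"""Model of VPC encryption-control Monitor Mode and Enforce Mode.

Constructed illustration only: this does not call AWS and is not the
encryption-control API. Resource records and the set of exceptable
resource types below are assumptions made for the example.
"""
from dataclasses import dataclass

# Assumed for the example: only these types may be placed on the exceptions
# list (the article notes that not every resource type can be excepted).
EXCEPTABLE_TYPES = frozenset({"nat-gateway", "internet-gateway"})


@dataclass(frozen=True)
class Resource:
    resource_id: str
    resource_type: str
    encrypts_traffic: bool


def monitor(resources):
    """Monitor Mode: report resources not configured to encrypt traffic.

    Nothing is blocked; the returned list is what a compliance review sees.
    """
    return sorted(r.resource_id for r in resources if not r.encrypts_traffic)


def enforce(resources, exceptions=frozenset()):
    """Enforce Mode: decide per resource whether it may communicate.

    An unencrypted resource is allowed only if it is on the exceptions list
    AND its type is one that can actually be excepted; otherwise it is blocked.
    """
    decisions = {}
    for r in resources:
        if r.encrypts_traffic:
            decisions[r.resource_id] = "allowed"
        elif r.resource_id in exceptions and r.resource_type in EXCEPTABLE_TYPES:
            decisions[r.resource_id] = "allowed-by-exception"
        else:
            decisions[r.resource_id] = "blocked"
    return decisions


def ready_to_enforce(resources, exceptions=frozenset()):
    """Pre-flight check: True only if Enforce Mode would block nothing."""
    return "blocked" not in enforce(resources, exceptions).values()


# Constructed inventory: one compliant instance, one non-compliant instance,
# and a NAT gateway that cannot encrypt and therefore needs an exception.
INVENTORY = [
    Resource("i-0a1", "ec2-instance", True),
    Resource("i-0b2", "ec2-instance", False),
    Resource("nat-0c3", "nat-gateway", False),
]
```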
Now that you are familiar with the encryption control basics, I want to show you how to set up encryption controls. I will walk you through the process in Part 2.
About the Author
Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.