AWS Security ChangesHomeSearch

AWS wellarchitected documentation change

Service: wellarchitected · 2025-06-25 · Documentation low

File: wellarchitected/latest/high-performance-computing-lens/data-protection.md

Summary

Restructured data protection section to focus on HPC-specific encryption best practices (HPCSEC02-BP01/BP02), added detailed implementation guidance for encryption at rest/in-transit, and updated security control references.

Security assessment

The changes add documentation about enforcing encryption (both at rest and in-transit) as security best practices for HPC environments, including references to AWS security pillars and implementation details. However, there is no evidence of addressing a specific security vulnerability or incident.

Diff

diff --git a/wellarchitected/latest/high-performance-computing-lens/data-protection.md b/wellarchitected/latest/high-performance-computing-lens/data-protection.md
index 5379b94d8..b6ca63023 100644
--- a//wellarchitected/latest/high-performance-computing-lens/data-protection.md
+++ b//wellarchitected/latest/high-performance-computing-lens/data-protection.md
@@ -3 +3 @@
-[Documentation](/index.html)[AWS Well-Architected](https://aws.amazon.com/architecture/well-architected/)[AWS Well-Architected Framework](welcome.html)
+[Documentation](/index.html)[AWS Well-Architected](https://aws.amazon.com/architecture/well-architected/)[AWS Well-Architected Framework](high-performance-computing-lens.html)
@@ -5 +5 @@
-# Data Protection
+HPCSEC02-BP01 Enforce encryption at rest in your HPC environmentHPCSEC02-BP02 Enforce encryption in transit in your HPC environment
@@ -7 +7 @@
-Before architecting any system, you must establish foundational security practices. For example, _data classification_ provides a way to categorize organizational data based on levels of sensitivity, and _encryption_ protects data by rendering it unintelligible to unauthorized access. These tools and techniques are important because they support objectives such as preventing data loss or complying with regulatory obligations. 
+# Data protection
@@ -9 +9 @@ Before architecting any system, you must establish foundational security practic
-HPCSEC 3: How does your architecture address data requirements for storage availability and durability through the lifecycle of your results?   
+HPCSEC02: How do you manage data encryption in your HPC cluster?  
@@ -12 +12 @@ HPCSEC 3: How does your architecture address data requirements for storage avail
-In addition to the level of sensitivity and regulatory obligations, HPC data can also be categorized according to when and how the data will next be used. Final results are often retained while intermediate results, which can be recreated if necessary, may not need to be retained. Careful evaluation and categorization of data allows for programmatic data migration of important data to more resilient storage solutions, such as Amazon S3 and Amazon EFS. 
+As described in the [Data Protection](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/data-protection.html) section, classifying and protecting data are foundational practices. The same foundational practices apply to the data related to your HPC workloads, and once the data is classified, there are a few additional HPC consideration for protecting it. 
@@ -14 +14,20 @@ In addition to the level of sensitivity and regulatory obligations, HPC data can
-An understanding of data longevity combined with programmatic handling of the data offers the minimum exposure and maximum protection for a Well-Architected infrastructure. 
+###### Best practices
+
+  * HPCSEC02-BP01 Enforce encryption at rest in your HPC environment
+
+  * HPCSEC02-BP02 Enforce encryption in transit in your HPC environment
+
+
+
+
+## HPCSEC02-BP01 Enforce encryption at rest in your HPC environment
+
+With [SEC08-BP01](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_data_rest_key_mgmt.html), you securely manage encryption keys to protect data at rest. You also tightly control access through the use of [key policies](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) and IAM policies. AWS HPC products, such as AWS ParallelCluster, configure IAM permissions on different components, such as cluster, queues, and login nodes. Therefore, cluster users can unencrypt data at rest by IAM permissions associated with the cluster or component. If your HPC environment needs further isolation, such as by project or group separation, consider an architecture with multiple clusters for data separation by encryption key. 
+
+## HPCSEC02-BP02 Enforce encryption in transit in your HPC environment
+
+When implementing [SEC09-BP02](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_data_transit_encrypt.html), you enforce encryption in transit. Tightly coupled HPC applications using EFA bypass the operating system kernel and directly communicate with the EFA device rather than traditional TCP/IP networking. This provides low-latency, reliable communication between cluster instances but introduces additional considerations when enforcing encryption in transit compared to traditional TCP/IP approaches. 
+
+AWS provides secure and private connectivity between EC2 instances of all types. In addition, some instance types use the offload capabilities of the underlying Nitro System hardware to automatically encrypt in-transit traffic between instances. This encryption uses Authenticated Encryption with Associated Data (AEAD) algorithms with 256-bit encryption, which also helps implement [SEC09-BP03](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_data_transit_authentication.html). There is no impact on network performance. 
+
+Therefore, your EFA traffic is automatically encrypted between cluster members with no impact to performance. This automatic encryption is also used with [FSx for Lustre](https://docs.aws.amazon.com/fsx/latest/LustreGuide/encryption-in-transit-fsxl.html) and enforcing encryption in transit between cluster members and an FSx for Lustre filesystem. See [Encryption in transit](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/data-protection.html#encryption-transit) for additional details. 
@@ -22 +41 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-Infrastructure Protection
+Infrastructure protection
@@ -24 +43 @@ Infrastructure Protection
-Incident Response
+Resources