Encryption in transit
Amazon encrypts all data in transit between Amazon internal systems and other Amazon services. Amazon Systems Manager (SSM) gathers telemetry data from customer-owned EC2 instances and sends it to Amazon over a Transport Layer Security (TLS)-protected channel for assessment. Findings from Amazon ECR and Amazon Lambda function scans that are sent to Security Hub are encrypted using a TLS-protected channel. For more information about how SSM encrypts data in transit, see Data Protection in Systems Manager.