# Encryption in transit
<a name="encryption-transit"></a>

 Amazon encrypts all data in transit between Amazon internal systems and other Amazon services. Amazon Systems Manager gathers telemetry data from customer-owned EC2 instances it sends to Amazon over a Transport Layer Security (TLS)-protected channel for assessment. Amazon ECR and Amazon Lambda function scan findings that are sent to Security Hub CSPM are encrypted using a TLS-protected channel. For more information, see [Data Protection in Systems Manager](https://docs.amazonaws.cn/systems-manager/latest/userguide/data-protection.html) to understand how SSM encrypts data in transit.