Protecting infrastructure hosted on AWS is one of the most important parts of an Information Security Program. It ensures that the systems and services within your workload are protected against unauthorised access and possible vulnerabilities.
Below are the two key areas of infrastructure protection on AWS.
1. Protecting Network
2. Protecting Compute
In this blog we discuss approaches to protecting the network, along with the relevant AWS services. This blog focuses only on protecting resources within a VPC.
For workloads that do not operate within a VPC, e.g. edge services and/or serverless, the best practices apply differently. Refer to the AWS Well-Architected Serverless Applications Lens for serverless security.
Many resources in a workload, e.g. EC2 and RDS, operate inside a VPC, so they inherit its security properties. Any rule applied at the VPC level (e.g. NACLs) therefore applies to those resources as well.
Network Layering :
Create public and private subnets from the VPC CIDR range. Public subnets have a route to and from the internet, whereas private subnets have no route from the internet. So it is important to decide which resources should be placed in private or public subnets: for example, an RDS instance or a database hosted on EC2 may not need to be publicly accessible, so these resources can be placed directly in private subnets.
Such a layered approach to controls mitigates the impact of a misconfiguration in a single layer, which could otherwise allow unintended access.
Control Traffic at all Layers :
Access to resources in an AWS VPC is controlled using NACLs, route tables, subnets and security groups.
Each subnet can have an associated route table that defines the routing rules for the paths that traffic takes from the subnet. You can give a subnet a route to the internet by adding a route that goes to an internet gateway or a NAT gateway attached to the VPC, or through another VPC.
VPC endpoints and AWS PrivateLink can be used to access services such as S3 and DynamoDB.
For outbound internet access from VPC resources, a NAT gateway or web proxies are useful.
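To make the public/private distinction and the route-table rule above concrete, here is an added Python example (not from the original post or from AWS) that classifies subnets as public or private from route-table data shaped like the EC2 DescribeRouteTables response, then flags resources that expose a database port from a public subnet. All VPC, subnet, gateway, security-group and instance values in it are constructed sample data; in a real check they would come from boto3's describe_route_tables and describe_instances calls, which are not made here.

```python
# Added example, not part of the original post: classify subnets as public or
# private from route-table data and flag database resources placed in a public
# subnet. Every identifier below is constructed sample data.
from typing import Dict, List

ROUTE_TABLES = [  # constructed; same shape as describe_route_tables()["RouteTables"]
    {"RouteTableId": "rtb-pub", "Associations": [{"SubnetId": "subnet-pub"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    {"RouteTableId": "rtb-priv", "Associations": [{"SubnetId": "subnet-priv"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
]
SECURITY_GROUPS = {  # constructed: group id -> list of (from_port, to_port, source cidr)
    "sg-web": [(443, 443, "0.0.0.0/0")],
    "sg-db": [(5432, 5432, "10.0.0.0/16")],
}
INSTANCES = [  # constructed: workload resources and where they are placed
    {"Name": "web-1", "SubnetId": "subnet-pub", "SecurityGroups": ["sg-web"]},
    {"Name": "db-1", "SubnetId": "subnet-pub", "SecurityGroups": ["sg-db"]},   # misplaced
    {"Name": "db-2", "SubnetId": "subnet-priv", "SecurityGroups": ["sg-db"]},
]
DB_PORTS = {3306, 5432, 1433, 27017}  # common database listener ports

def classify_subnets(route_tables: List[dict]) -> Dict[str, str]:
    """A subnet is 'public' when its route table sends 0.0.0.0/0 to an internet
    gateway (igw-*). A NAT gateway route is outbound-only, so that subnet stays 'private'."""
    result = {}
    for rt in route_tables:
        public = any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
                     and r.get("GatewayId", "").startswith("igw-") for r in rt["Routes"])
        for assoc in rt.get("Associations", []):
            if "SubnetId" in assoc:
                result[assoc["SubnetId"]] = "public" if public else "private"
    return result

def listens_on_db_port(sg_ids: List[str], security_groups: dict) -> bool:
    """True if any attached security group allows inbound traffic to a database port."""
    return any(lo <= p <= hi for sg in sg_ids for lo, hi, _ in security_groups[sg] for p in DB_PORTS)

def find_misplaced(instances: List[dict], route_tables: List[dict], security_groups: dict) -> List[str]:
    """Names of resources that expose a database port from a public subnet."""
    tier = classify_subnets(route_tables)
    return [i["Name"] for i in instances
            if tier.get(i["SubnetId"]) == "public" and listens_on_db_port(i["SecurityGroups"], security_groups)]

if __name__ == "__main__":
    print(classify_subnets(ROUTE_TABLES))
    print("review placement of:", find_misplaced(INSTANCES, ROUTE_TABLES, SECURITY_GROUPS))
```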
Implement inspection and protection:
It is important to monitor and filter traffic at each layer. AWS WAF is a web application firewall that can help protect against common attacks such as DDoS. WAF can be used with Amazon API Gateway, Amazon CloudFront, or an Application Load Balancer.
AWS Network Firewall is a recently released AWS managed service. It enables customers to easily deploy and manage stateful inspection, intrusion prevention and detection, and web filtering to protect their virtual networks on AWS.
For managing AWS WAF, AWS Shield Advanced protections, and Amazon VPC security groups across AWS Organizations, customers can use AWS Firewall Manager.
Automate network protection:
It is also possible on AWS to automate network protection based on threat intelligence and anomaly detection; AWS WAF provides capabilities for this.
AWS services for Network protection
· AWS WAF
· Network Access Control Lists (NACLs)
· Security Groups
· AWS Firewall Manager
· AWS PrivateLink
· VPC Endpoints
· Amazon Inspector