SEC 5: How do you protect your network resources?
Any workload that has some form of network connectivity, whether it’s the internet or a private network, requires multiple layers of defense to help protect from external and internal network-based threats.
Create network layers: Group components that share reachability requirements into layers. For example, a database cluster in a VPC with no need for internet access should be placed in subnets with no route to or from the internet. In a serverless workload operating without a VPC, similar layering and segmentation with microservices can achieve the same goal.
Control traffic at all layers: Apply controls with a defense in depth approach for both inbound and outbound traffic. For example, for Amazon Virtual Private Cloud (VPC) this includes security groups, Network ACLs, and subnets. For AWS Lambda, consider running in your private VPC with VPC-based controls.
Automate network protection: Automate protection mechanisms to provide a self-defending network based on threat intelligence and anomaly detection. For example, intrusion detection and prevention tools that can pro-actively adapt to current threats and reduce their impact.
Implement inspection and protection: Inspect and filter your traffic at each layer. For example, use a web application firewall to help protect against inadvertent access at the application network layer. For Lambda functions, third-party tools can add application-layer firewalling to your runtime environment.
Create network layers
VPCs and subnets
Control traffic at all layers
Amazon VPC security
Lab: Automated Deployment of VPC
Amazon VPC security group
Amazon CloudFront use cases
AWS Global Accelerator
AWS Web Application Firewall (AWS WAF)
Amazon Route 53
Amazon VPC Ingress Routing
Amazon VPC Peering
Amazon VPC Endpoint Services (AWS PrivateLink)
Amazon VPC Transit Gateway
AWS Direct Connect
AWS Site-to-Site VPN
AWS Client VPN
Amazon S3 Access Points
Automate network protection
AWS WAF security automations
Implement inspection and protection
Lab: Automated Deployment of Detective Controls
VPC traffic mirroring