SEC 5: How do you protect your network resources?

Any workload that has some form of network connectivity, whether it’s the internet or a private network, requires multiple layers of defense to help protect from external and internal network-based threats.

Resources

Application Acceleration and Protection with Amazon CloudFront, AWS WAF, and AWS Shield
AWS Transit Gateway reference architectures for many VPCs"
Amazon VPC Security
Getting started with AWS WAF
AWS Firewall Manager
Amazon Inspector
Lab: Automated Deployment of VPC

Best Practices:

Improvement Plan

Create network layers

  • Create subnets in VPC: Create subnets for each layer (in groups that include multiple availability zones), and associate route tables to control routing.
    VPCs and subnets
    Route tables
  • Control traffic at all layers

  • Control network traffic in a VPC: Implement VPC best practices to control traffic
    Amazon VPC security
    Lab: Automated Deployment of VPC
    VPC endpoints
    Amazon VPC security group
    Network ACLs
  • Control traffic at the edge: Implement edge services, such as Amazon CloudFront, to provide an additional layer of protection and other features.
    Amazon CloudFront use cases
    AWS Global Accelerator
    AWS Web Application Firewall (AWS WAF)
    Amazon Route 53
    Amazon VPC Ingress Routing
  • Control private network traffic: Implement services that protect your private traffic for your workload.
    Amazon VPC Peering
    Amazon VPC Endpoint Services (AWS PrivateLink)
    Amazon VPC Transit Gateway
    AWS Direct Connect
    AWS Site-to-Site VPN
    AWS Client VPN
    Amazon S3 Access Points
  • Automate network protection

  • Automate protection for web-based traffic: AWS offers a solution that uses AWS CloudFormation to automatically deploy a set of AWS WAF rules designed to filter common web-based attacks. Users can select from preconfigured protective features that define the rules included in an AWS WAF web access control list (web ACL).
    AWS WAF security automations
  • Consider APN Partner solutions: APN Partners offer hundreds of industry-leading products that are equivalent, identical to, or integrate with existing controls in your on-premises environments. These products complement the existing AWS services to enable you to deploy a comprehensive security architecture and a more seamless experience across your cloud and on-premises environments.
    Infrastructure security
  • Implement inspection and protection

  • Configure Amazon GuardDuty: Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. Enable GuardDuty and configure automated alerts.
    Amazon GuardDuty
    Lab: Automated Deployment of Detective Controls
  • Configure VPC Flow Logs: VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data can be published to Amazon CloudWatch Logs and Amazon S3. After you've created a flow log, you can retrieve and view its data in the chosen destination.
  • Consider VPC traffic mirroring: Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an elastic network interface of Amazon EC2 instances and then send it to out-of-band security and monitoring appliances for content inspection, threat monitoring, and troubleshooting.
    VPC traffic mirroring