SEC 6: How do you protect your networks?
Public and private networks require multiple layers of defense to help protect from external and internal network-based threats.
Define network protection requirements: Define controls for protection of your networks to meet your organizational, legal, and compliance requirements.
Limit exposure: Limit the exposure of the workload to the internet and internal networks by only allowing minimum required access.
Automate configuration management: Enforce and validate secure configurations automatically by using a configuration management service or tool to reduce human error.
Automate network protection: Automate protection mechanisms to provide a self-defending network based on threat intelligence and anomaly detection.
Implement inspection and protection: Inspect and filter your traffic at the application layer, for example with a web application firewall, to help protect against threats.
Control traffic at all layers: Apply controls to both ingress and egress traffic, including data loss prevention. In Amazon Virtual Private Cloud (VPC) these include security groups, network ACLs, and subnets. For AWS Lambda, consider running functions in your VPC so that their traffic is subject to the same controls.
Define network protection requirements
Define requirements that will help you protect your networks.
- Identify compliance requirements: Discover the organizational, legal, and compliance requirements your workload needs to comply with.
- Identify AWS compliance resources: Identify resources that AWS has available to assist.
AWS cloud compliance
- Discover security features and useful resources: Research security features, settings, and tools applicable to your workload, including VPC configuration options.
Amazon VPC security capabilities
Amazon VPC security
Control network traffic in a VPC
- Configure VPC subnets: Place each application tier (for example, load balancer, application, database) in its own subnets, and create those subnets in multiple Availability Zones. Only the subnets that must be reachable from the internet should have a route to an internet gateway.
- Configure VPC security groups: Configure security groups to allow only the traffic that is needed, inbound and outbound. Security groups are stateful; reference other security groups rather than CIDR ranges where possible, so that rules follow the instances they describe.
Security groups for your VPC
- Configure VPC NACLs: Configure network ACLs to allow only necessary traffic inbound and outbound. Network ACLs are stateless, so rules must also permit return traffic on ephemeral ports; use them as a coarse subnet-level backstop to security groups rather than as the primary control.
- Configure VPC endpoints: Use gateway endpoints (Amazon S3, DynamoDB) and interface endpoints (AWS PrivateLink) so that traffic to AWS services stays on the AWS network instead of traversing an internet or NAT gateway, and attach endpoint policies to restrict which resources can be reached through them.
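The checks above (subnets across Availability Zones, security groups and network ACLs that allow only necessary traffic, controlled egress) can be verified rather than assumed. The following audit is an added example and is not code from the AWS documentation or from any AWS tool. Its input dicts mirror the shape returned by boto3's describe_subnets, describe_security_groups and describe_network_acls, but the sample data embedded below is constructed for the example, not read from an account; the set of ports a public tier may expose is an assumption you would adjust per workload.

```python
"""Audit VPC network controls for least-privilege exposure (added example)."""
from ipaddress import ip_network

# Assumption for this example: the only ports an internet-facing tier may
# expose to the whole internet. Adjust to your workload's requirements.
PUBLIC_OK_PORTS = {80, 443}


def _is_any(cidr):
    """True for 0.0.0.0/0 or ::/0 (a prefix length of zero)."""
    return ip_network(cidr, strict=False).prefixlen == 0


def _port_range(perm):
    """Security group permission -> (from, to); protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))


def audit_subnets(subnets):
    """Flag VPCs whose subnets sit in fewer than two Availability Zones."""
    azs_by_vpc = {}
    for s in subnets:
        azs_by_vpc.setdefault(s["VpcId"], set()).add(s["AvailabilityZone"])
    return [f"{vpc}: subnets in only one AZ ({', '.join(sorted(azs))})"
            for vpc, azs in azs_by_vpc.items() if len(azs) < 2]


def audit_security_groups(groups):
    """Flag inbound rules open to the world on non-web ports and unrestricted egress."""
    findings = []
    for g in groups:
        gid = g["GroupId"]
        for perm in g.get("IpPermissions", []):
            lo, hi = _port_range(perm)
            world = [r["CidrIp"] for r in perm.get("IpRanges", []) if _is_any(r["CidrIp"])]
            world += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if _is_any(r["CidrIpv6"])]
            # Open to the world is acceptable only if every port in the range is a public port.
            if world and any(p not in PUBLIC_OK_PORTS for p in range(lo, hi + 1)):
                findings.append(f"{gid}: inbound ports {lo}-{hi} open to {world}")
        for perm in g.get("IpPermissionsEgress", []):
            if perm.get("IpProtocol") == "-1" and any(
                    _is_any(r["CidrIp"]) for r in perm.get("IpRanges", [])):
                findings.append(f"{gid}: unrestricted egress to 0.0.0.0/0 (no egress control)")
    return findings


def audit_network_acls(acls):
    """Flag inbound allow-all entries; NACLs are stateless, so scope them to
    the needed ports plus the ephemeral return range instead of allow-all."""
    findings = []
    for acl in acls:
        for e in acl.get("Entries", []):
            if (e["RuleAction"] == "allow" and not e["Egress"]
                    and e["Protocol"] == "-1" and _is_any(e.get("CidrBlock", "0.0.0.0/0"))):
                findings.append(f"{acl['NetworkAclId']}: rule {e['RuleNumber']} allows all inbound traffic from anywhere")
    return findings


def audit_vpc(subnets, groups, acls):
    """Run all three audits and return the combined list of findings."""
    return audit_subnets(subnets) + audit_security_groups(groups) + audit_network_acls(acls)


# Constructed sample data in boto3 response shape (not from a real account).
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-a", "VpcId": "vpc-1", "AvailabilityZone": "us-east-1a", "CidrBlock": "10.0.0.0/24"},
    {"SubnetId": "subnet-b", "VpcId": "vpc-1", "AvailabilityZone": "us-east-1b", "CidrBlock": "10.0.1.0/24"},
    {"SubnetId": "subnet-c", "VpcId": "vpc-2", "AvailabilityZone": "us-east-1a", "CidrBlock": "10.1.0.0/24"},
]
SAMPLE_GROUPS = [
    {"GroupId": "sg-web",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
    {"GroupId": "sg-admin",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
SAMPLE_ACLS = [
    {"NetworkAclId": "acl-default", "Entries": [
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"}]},
    {"NetworkAclId": "acl-web", "Entries": [
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
        {"RuleNumber": 110, "Protocol": "6", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 65535}},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"}]},
]

if __name__ == "__main__":
    for finding in audit_vpc(SAMPLE_SUBNETS, SAMPLE_GROUPS, SAMPLE_ACLS):
        print(finding)
```

Against the constructed data the audit reports the single-AZ vpc-2, the sg-admin group (SSH open to the world and allow-all egress) and the default NACL's allow-all inbound entry, while sg-web and acl-web pass because they expose only 443 and the ephemeral return range. Run the same functions over real boto3 responses in a scheduled job to catch drift between deployments.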
Control traffic external to a VPC
- Implement Amazon CloudFront: Amazon CloudFront provides global edge distribution and built-in DDoS protection through AWS Shield Standard. Restrict your origin to accept traffic only from CloudFront so that it cannot be reached directly.
- Implement AWS WAF: Consider implementing AWS WAF or a partner solution to provide layer 7 protection, such as filtering requests by IP reputation, request rate, or patterns that match SQL injection and cross-site scripting.
AWS WAF and AWS Shield
AWS WAF Security Automations: Automated Deployment
- Automate protection: Deploy automation that updates WAF rules and IP sets from log analysis and threat intelligence, for example to block IP addresses that exceed a request rate, and validate the resulting rules against known-good traffic before trusting them to block.
AWS WAF Security Automations: AWS Implementation Guide
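The automation described above, as an added example that is not the AWS WAF Security Automations solution's own code: read AWS WAF logs, count requests per client IP inside a sliding window, and merge the IPs that exceed a threshold into the IP set that a block rule references. The log lines are constructed for the example and follow the AWS WAF log field layout (epoch-millisecond timestamp, action, httpRequest.clientIp). The threshold and window are assumptions; the IP set update is written against the boto3 wafv2 get_ip_set/update_ip_set calls but takes any client object with those methods, so it runs offline with a stand-in client.

```python
"""Block flooding client IPs from AWS WAF logs (added example)."""
import json
from collections import defaultdict

WINDOW_MS = 5 * 60 * 1000   # assumption: five-minute sliding window
THRESHOLD = 100             # assumption: requests per window before an IP is blocked


def parse_waf_logs(lines):
    """Yield (timestamp_ms, client_ip) from newline-delimited WAF log JSON.
    Malformed lines are skipped so bad input never crashes the automation."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            yield int(rec["timestamp"]), rec["httpRequest"]["clientIp"]
        except (ValueError, KeyError, TypeError):
            continue


def find_flooders(events, threshold=THRESHOLD, window_ms=WINDOW_MS):
    """Return {ip: peak_count} for IPs whose request count in any window of
    window_ms reaches threshold (two-pointer sweep over sorted timestamps)."""
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    flooders = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= window_ms:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flooders[ip] = peak
    return flooders


def to_ip_set_entries(ips):
    """WAF IP sets hold CIDRs: /32 for IPv4 addresses, /128 for IPv6."""
    return sorted(f"{ip}/128" if ":" in ip else f"{ip}/32" for ip in ips)


def block_in_ip_set(client, name, ip_set_id, addresses, scope="REGIONAL"):
    """Merge addresses into an existing IP set. `client` is assumed to expose
    get_ip_set/update_ip_set shaped like the boto3 wafv2 client; the LockToken
    from get_ip_set must be passed back so concurrent updates are rejected."""
    current = client.get_ip_set(Name=name, Scope=scope, Id=ip_set_id)
    merged = sorted(set(current["IPSet"]["Addresses"]) | set(addresses))
    client.update_ip_set(Name=name, Scope=scope, Id=ip_set_id,
                         Addresses=merged, LockToken=current["LockToken"])
    return merged


def blocklist_from_logs(lines, threshold=THRESHOLD, window_ms=WINDOW_MS):
    """End-to-end: log lines -> IP set entries for the offending clients."""
    return to_ip_set_entries(find_flooders(parse_waf_logs(lines), threshold, window_ms))


def _log_line(ts_ms, ip, action="ALLOW"):
    # Constructed record using a subset of the AWS WAF log fields.
    return json.dumps({"timestamp": ts_ms, "action": action,
                       "httpRequest": {"clientIp": ip, "country": "US",
                                       "uri": "/login", "httpMethod": "POST"}})


_BASE = 1_700_000_000_000
SAMPLE_LOG = (
    [_log_line(_BASE + i * 500, "203.0.113.7") for i in range(120)]        # 120 requests in 60 s
    + [_log_line(_BASE + i * 600_000, "198.51.100.2") for i in range(5)]   # 5 requests over 40 min
    + ["{not json"]                                                         # malformed line
)

if __name__ == "__main__":
    print(blocklist_from_logs(SAMPLE_LOG))
```

In the constructed log only 203.0.113.7 crosses the threshold, so the resulting entry is 203.0.113.7/32; the legitimate client never has more than one request in any five-minute window. In production the same functions would run in the Lambda function that processes delivered WAF logs, and you would review the merged addresses before pointing a blocking rule at the IP set.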