This content is outdated. This version of the Well-Architected Framework is now found at: https://docs.aws.amazon.com/en_us/wellarchitected/2022-03-31/framework/security.html

SEC 5: How do you protect your network resources?

Any workload that has some form of network connectivity, whether it’s the internet or a private network, requires multiple layers of defense to help protect from external and internal network-based threats.

Resources

Application Acceleration and Protection with Amazon CloudFront, AWS WAF, and AWS Shield
AWS Transit Gateway reference architectures for many VPCs
Amazon VPC Security
Getting started with AWS WAF
AWS Firewall Manager
Amazon Inspector
Lab: Automated Deployment of VPC

Best Practices:

Create network layers
Control traffic at all layers
Automate network protection
Implement inspection and protection

Improvement Plan

Create network layers

  • Create subnets in VPC: Create subnets for each layer (in groups that include multiple availability zones), and associate route tables to control routing.
    VPCs and subnets
    Route tables

Control traffic at all layers

  • Control network traffic in a VPC: Implement VPC best practices to control traffic
    Amazon VPC security
    Lab: Automated Deployment of VPC
    VPC endpoints
    Amazon VPC security group
    Network ACLs
  • Control traffic at the edge: Implement edge services, such as Amazon CloudFront, to provide an additional layer of protection and other features.
    Amazon CloudFront use cases
    AWS Global Accelerator
    AWS Web Application Firewall (AWS WAF)
    Amazon Route 53
    Amazon VPC Ingress Routing
  • Control private network traffic: Implement services that protect your private traffic for your workload.
    Amazon VPC Peering
    Amazon VPC Endpoint Services (AWS PrivateLink)
    Amazon VPC Transit Gateway
    AWS Direct Connect
    AWS Site-to-Site VPN
    AWS Client VPN
    Amazon S3 Access Points

Automate network protection

  • Automate protection for web-based traffic: AWS offers a solution that uses AWS CloudFormation to automatically deploy a set of AWS WAF rules designed to filter common web-based attacks. Users can select from preconfigured protective features that define the rules included in an AWS WAF web access control list (web ACL).
    AWS WAF security automations
  • Consider APN Partner solutions: APN Partners offer hundreds of industry-leading products that are equivalent, identical to, or integrate with existing controls in your on-premises environments. These products complement the existing AWS services to enable you to deploy a comprehensive security architecture and a more seamless experience across your cloud and on-premises environments.
    Infrastructure security

Implement inspection and protection

  • Configure Amazon GuardDuty: Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. Enable GuardDuty and configure automated alerts.
    Amazon GuardDuty
    Lab: Automated Deployment of Detective Controls
  • Configure VPC Flow Logs: VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data can be published to Amazon CloudWatch Logs and Amazon S3. After you've created a flow log, you can retrieve and view its data in the chosen destination.
  • Consider VPC traffic mirroring: Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an elastic network interface of Amazon EC2 instances and then send it to out-of-band security and monitoring appliances for content inspection, threat monitoring, and troubleshooting.
    VPC traffic mirroring
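As an added example of what the "Configure VPC Flow Logs" step gives a defender to work with (this is editor-written code, not part of the Well-Architected page or any AWS tooling), the script below parses flow log records in the default version 2 format, skips NODATA/SKIPDATA rows, and surfaces source addresses whose REJECTed traffic touched many distinct destination ports. The account id, ENI id, addresses and timestamps in the sample are constructed.

```python
"""Analyser for VPC Flow Logs in the default (version 2) record format.
Skips NODATA/SKIPDATA records and flags source addresses whose REJECTed
traffic touched many distinct destination ports (a likely port sweep)."""
from collections import defaultdict

# Field order of the default flow log format (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


def parse_record(line):
    """Return a dict for a usable record, or None for NODATA/SKIPDATA or malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":        # NODATA/SKIPDATA rows carry '-' fields
        return None
    return rec


def rejected_ports_by_source(lines):
    """Map each source address to the set of destination ports it was REJECTed on."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec and rec["action"] == "REJECT":
            ports[rec["srcaddr"]].add(int(rec["dstport"]))
    return ports


def flag_port_sweeps(lines, min_ports=3):
    """Sorted source addresses that were REJECTed on at least min_ports distinct ports."""
    return sorted(src for src, ports in rejected_ports_by_source(lines).items()
                  if len(ports) >= min_ports)


# Constructed sample records: placeholder account id, RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2 111111111111 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.20 51234 22 6 4 240 1700000000 1700000060 REJECT OK
2 111111111111 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.20 51235 23 6 4 240 1700000000 1700000060 REJECT OK
2 111111111111 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.20 51236 3389 6 4 240 1700000000 1700000060 REJECT OK
2 111111111111 eni-0a1b2c3d4e5f67890 198.51.100.9 10.0.1.20 40000 443 6 30 9000 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0a1b2c3d4e5f67890 198.51.100.9 10.0.1.20 40001 8080 6 2 120 1700000000 1700000060 REJECT OK
2 111111111111 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
""".splitlines()

if __name__ == "__main__":
    for src in flag_port_sweeps(SAMPLE_LOG):
        print(src, sorted(rejected_ports_by_source(SAMPLE_LOG)[src]))
```

Feed it the records that Flow Logs delivered to CloudWatch Logs or S3 and tune `min_ports` to your environment; a hit is a prompt to review the security group and network ACL rules that produced the rejections.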