AWS Security Blog

Category: Amazon VPC*

How to Automatically Revert and Receive Notifications About Changes to Your Amazon VPC Security Groups

In a previous AWS Security Blog post, Jeff Levine showed how you can monitor changes to your Amazon EC2 security groups. The methods he describes in that post are examples of detective controls, which can help you determine when changes are made to security controls on your AWS resources. In this post, I take that […]

Read More

AWS Earns Department of Defense Impact Level 5 Provisional Authorization

The Defense Information Systems Agency (DISA) has granted the AWS GovCloud (US) Region an Impact Level 5 (IL5) Department of Defense (DoD) Cloud Computing Security Requirements Guide (CC SRG) Provisional Authorization (PA) for six core services. This means that AWS’s DoD customers and partners can now deploy workloads for Controlled Unclassified Information (CUI) exceeding IL4 […]

Read More

How to Record SSH Sessions Established Through a Bastion Host

A bastion host is a server whose purpose is to provide access to a private network from an external network, such as the Internet. Because of its exposure to potential attack, a bastion host must minimize the chances of penetration. For example, you can use a bastion host to mitigate the risk of allowing SSH […]

Read More

How to Set Up DNS Resolution Between On-Premises Networks and AWS by Using Unbound

In previous AWS Security Blog posts, Drew Dennis covered two options for establishing DNS connectivity between your on-premises networks and your Amazon Virtual Private Cloud (Amazon VPC) environments. His first post explained how to use Simple AD to forward DNS requests originating from on-premises networks to an Amazon Route 53 private hosted zone. His second […]

Read More

How to Optimize and Visualize Your Security Groups

Note: On May 3, 2017, we published a related blog post also written by Guy Denney, How to Visualize and Refine Your Network’s Security by Adding Security Group IDs to Your VPC Flow Logs. Many organizations start their journey with AWS by experimenting with existing applications. Those experiments may include trying to move an application to […]

Read More

How to Add DNS Filtering to Your NAT Instance with Squid

Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources on a virtual private network that you’ve defined. On an Amazon VPC, network address translation (NAT) instances, and more recently NAT gateways, are commonly used to enable instances in a private subnet to initiate outbound traffic to the Internet, but prevent the instances […]

Read More

How to Help Prepare for DDoS Attacks by Reducing Your Attack Surface

Distributed denial of service (DDoS) attacks are sometimes used by malicious actors in an attempt to flood a network, system, or application with more traffic, connections, or requests than it can handle. Not surprisingly, customers often ask us how we can help them protect their applications against these types of attacks. To help you optimize […]

Read More

How to Address the PCI DSS Requirements for Data Encryption in Transit Using Amazon VPC

The PCI requirements for encryption for data in transit are different for private networks than they are for public networks. When correctly designed, Amazon Virtual Private Cloud (Amazon VPC), a logically isolated portion of the AWS infrastructure that allows you to extend your existing data center network to the cloud, can be considered a private network, […]

Read More

Securely Connect to Linux Instances Running in a Private Amazon VPC

Important note: You should enable SSH agent forwarding with caution. When you set up agent forwarding, a socket file is created on the forwarding host, which is the mechanism by which the key can be forwarded to your destination. Another user on the system with the ability to modify files could potentially use this key […]

Read More