Protect your workloads by using cloud security services for VPC isolation and firewall rules
This Guidance helps you design and implement security policies and controls at each layer of the networking stack to protect your resources from external and internal threats, preserving their confidentiality, integrity, availability, and usability. It also demonstrates how to prevent, detect, and block anomalous network traffic by monitoring ingress and egress (north-south) traffic as well as lateral (east-west) data movement.
Architecture Diagram
Step 1
Span your network across AWS Regions and accounts, and divide it into isolated segments. Each segment is its own routing domain, so you can add security layers at each segment's perimeter. External calls destined for the web layer enter through that perimeter and must pass a security device and a network access control list (network ACL) before they reach the web tier.
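The perimeter control at the edge of each segment is stateless, which is the detail that most often breaks a segmented design. The following is an added example, not code from this Guidance or from AWS: it models how a VPC network ACL evaluates a packet (rules in ascending rule-number order, first match wins, implicit deny at the end) for a web segment and an app segment. The segment CIDRs, rule numbers, and the denied source range are constructed for the illustration.

```python
"""Stateless network ACL evaluation for a segmented VPC.

Added illustration, not AWS code.  It models how a VPC network ACL decides on a
packet: rules are checked in ascending rule-number order, the first match wins,
and anything unmatched hits the implicit '*' deny.  Because network ACLs are
stateless, the request and its response are judged separately, each against its
own direction's rule list.  Segment CIDRs and rule sets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    number: int      # evaluated in ascending order; lowest matching number wins
    protocol: str    # 'tcp', 'udp', 'icmp', or '-1' for all protocols
    cidr: str        # remote CIDR: source for inbound rules, destination for outbound
    port_from: int   # destination port range of the packet being evaluated
    port_to: int
    action: str      # 'ALLOW' or 'DENY'


@dataclass(frozen=True)
class Packet:
    protocol: str
    remote: str      # source address for inbound packets, destination for outbound
    dst_port: int    # the port the packet is addressed to


def evaluate(rules, packet) -> str:
    """Return 'ALLOW' or 'DENY' for one packet against one direction's rules."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("-1", packet.protocol):
            continue
        if ip_address(packet.remote) not in ip_network(rule.cidr):
            continue
        if not rule.port_from <= packet.dst_port <= rule.port_to:
            continue
        return rule.action
    return "DENY"  # the implicit '*' rule at the end of every network ACL


EPHEMERAL = (1024, 65535)  # port range AWS documents for network ACL return traffic
WEB_CIDR, APP_CIDR = "10.0.1.0/24", "10.0.2.0/24"

# Web segment (public subnet): the internet reaches it on 443 only, one abusive
# range is denied ahead of the allow, and replies from the app tier are let back in.
WEB_INBOUND = [
    Rule(90, "tcp", "198.51.100.0/24", 443, 443, "DENY"),   # lower number wins over rule 100
    Rule(100, "tcp", "0.0.0.0/0", 443, 443, "ALLOW"),
    Rule(110, "tcp", APP_CIDR, *EPHEMERAL, "ALLOW"),         # responses from the app segment
]
WEB_OUTBOUND = [
    Rule(100, "tcp", "0.0.0.0/0", *EPHEMERAL, "ALLOW"),      # responses to internet clients
    Rule(110, "tcp", APP_CIDR, 8080, 8080, "ALLOW"),          # calls into the app segment
]
# A common mistake: the outbound list forgets the ephemeral range, so every
# inbound HTTPS request is accepted and every reply is silently dropped.
WEB_OUTBOUND_MISSING_EPHEMERAL = [Rule(110, "tcp", APP_CIDR, 8080, 8080, "ALLOW")]

# App segment (private subnet): only the web segment may reach the service port.
APP_INBOUND = [Rule(100, "tcp", WEB_CIDR, 8080, 8080, "ALLOW")]


def https_session_allowed(client_ip: str, client_port: int, outbound=WEB_OUTBOUND) -> bool:
    """A TCP session works only if the request AND the stateless return path pass."""
    request = Packet("tcp", client_ip, 443)            # client -> web tier
    response = Packet("tcp", client_ip, client_port)   # web tier -> client's ephemeral port
    return evaluate(WEB_INBOUND, request) == "ALLOW" and evaluate(outbound, response) == "ALLOW"


if __name__ == "__main__":
    print("client 203.0.113.7 HTTPS:", https_session_allowed("203.0.113.7", 51342))
    print("same client, ephemeral outbound rule missing:",
          https_session_allowed("203.0.113.7", 51342, WEB_OUTBOUND_MISSING_EPHEMERAL))
    print("denied range 198.51.100.9 HTTPS:", https_session_allowed("198.51.100.9", 51342))
    print("internet -> app:8080:", evaluate(APP_INBOUND, Packet("tcp", "203.0.113.7", 8080)))
    print("web -> app:8080:", evaluate(APP_INBOUND, Packet("tcp", "10.0.1.25", 8080)))
```

Two points the model makes concrete: an explicit deny only works if its rule number is lower than the allow it is meant to override, and because the ACL is stateless the outbound list must admit the client's ephemeral port or the session never completes even though the inbound rule accepted it. Security groups, by contrast, are stateful; the ACL is the segment-perimeter control this step describes.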
Step 2
Enforce strong security policies that encrypt data in transit and preserve its integrity, accountability, and authenticity across your entire network.
Step 3
Inspect north-south traffic (ingress from and egress to the internet). You may also need to inspect east-west traffic, such as traffic between applications or between locations inside your network. Visualize and analyze the resulting traffic data with Amazon QuickSight dashboards.
Step 4
Use AWS Firewall Manager to define firewall policies per environment and deploy them centrally across your accounts, filtering traffic at the perimeter with a Layer 3/4 firewall.
Step 5
Protect access to your Amazon Virtual Private Clouds (Amazon VPCs) by creating VPC endpoints. Endpoints provide connectivity between your workloads and AWS services, and endpoint policies let you apply IAM controls over which principals may use an endpoint and which resources they may reach through it. Requests and data travel over the AWS network rather than the public internet.
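An endpoint keeps traffic off the internet, but the endpoint policy decides who may use it and for what; the default policy allows everything, so a compromised instance could copy data through it to any bucket, including one an attacker controls. The check below is an added example, not AWS tooling or code from this Guidance: it flags the over-broad elements of the default policy and passes a hardened one that scopes access to one bucket and to principals in your organization. The bucket name and organization ID are constructed.

```python
"""Review a VPC endpoint policy for over-broad access.

Added example, not AWS tooling.  A VPC endpoint keeps traffic to a service on
the AWS network, but the endpoint policy decides which principals may use it
and for which resources.  The default policy grants everything, which lets a
compromised instance push data to any bucket, including one an attacker owns.
The policies, bucket name and organisation ID below are constructed.
"""
import json

# The policy AWS attaches to an endpoint when you do not supply one.
DEFAULT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}
    ],
})

# Hardened: read-only, one bucket, and only principals from our organisation.
# 'Principal: *' stays, because an endpoint policy is a resource policy and the
# condition, not the Principal element, does the scoping.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-app-data", "arn:aws:s3:::example-app-data/*"],
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
    }],
})

# Condition keys that tie 'Principal: *' back to identities you control
# (IAM condition keys are case-insensitive, so they are compared lower-cased).
PRINCIPAL_SCOPING_KEYS = {
    "aws:principalorgid", "aws:principalorgpaths", "aws:principalaccount", "aws:principalarn",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal) -> bool:
    """'*' and {'AWS': '*'} both mean any AWS principal, including other customers."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _scoped_to_own_principals(statement) -> bool:
    """True if some condition key restricts who the principal can be."""
    keys = {key.lower() for block in statement.get("Condition", {}).values() for key in block}
    return bool(keys & PRINCIPAL_SCOPING_KEYS)


def review_endpoint_policy(policy) -> list:
    """Return findings for each Allow statement; an empty list means nothing flagged.

    Accepts the policy either as a JSON string or as an already-parsed dict.
    """
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for i, st in enumerate(doc["Statement"]):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if _principal_is_anyone(st.get("Principal")) and not _scoped_to_own_principals(st):
            findings.append(f"statement {i}: Principal '*' without an aws:Principal* condition "
                            "(any AWS account's credentials work through this endpoint)")
        if any(a == "*" or a.endswith(":*") for a in _as_list(st.get("Action", []))):
            findings.append(f"statement {i}: wildcard Action")
        if "*" in _as_list(st.get("Resource", [])):
            findings.append(f"statement {i}: Resource '*' (any resource, including ones outside your account)")
    return findings


if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, review_endpoint_policy(policy) or ["no findings"])
```

The endpoint policy is evaluated in addition to the caller's identity policy and the target resource's policy; all three must allow the request. Narrowing the endpoint policy therefore never widens access, which makes it a safe place to add a coarse data-exfiltration boundary for a whole segment.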
Step 6
Amazon GuardDuty continuously analyzes VPC Flow Logs, DNS query logs, and AWS CloudTrail events, applying threat intelligence and anomaly detection to surface suspicious network activity such as unexpected communication with known-bad hosts or unusual data transfer from your instances.
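Steps 3 and 6 both rest on the same raw material: flow records describing who talked to whom, on which port, and whether the traffic was accepted. The following is an added example, not GuardDuty's detection logic or code from this Guidance; it runs three checks a practitioner would want over records in the default VPC Flow Logs field order: a cross-segment flow the design does not permit (lateral movement), an accepted flow from a private segment to a non-allowlisted external address (unexpected egress), and one source being rejected on many ports of one host (probing). The segment CIDRs, allow matrix, interface IDs, and log lines are constructed.

```python
"""Flag anomalous lateral and egress traffic in VPC Flow Logs.

Added example, not GuardDuty's logic: it shows the kind of analysis a detection
service performs over flow records.  Records in the default VPC Flow Logs field
order are parsed and checked for
  1. lateral movement: an accepted flow between two segments that the segment
     policy does not allow;
  2. unexpected egress: an accepted flow from a private segment to an address
     outside the VPC that is not allowlisted;
  3. probing: one source rejected on many distinct ports of one destination.
Segment CIDRs, the allow matrix, interface IDs and the log lines are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

VPC_CIDR = ip_network("10.0.0.0/16")
SEGMENTS = {
    "web": ip_network("10.0.1.0/24"),   # public subnet, answers internet clients
    "app": ip_network("10.0.2.0/24"),
    "data": ip_network("10.0.3.0/24"),
}
PRIVATE_SEGMENTS = {"app", "data"}     # should never talk to the internet directly
# (source segment, destination segment, destination port) the design permits
ALLOWED_LATERAL = {("web", "app", 8080), ("app", "data", 5432)}
# external destinations a private segment may reach (e.g. a partner API)
EGRESS_ALLOWLIST = [ip_network("198.51.100.0/24")]
PROBE_PORT_THRESHOLD = 5

# Default VPC Flow Logs format (version 2), fields in published order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


def parse(line: str) -> dict:
    """Split one record into a dict; '-' (used in NODATA/SKIPDATA records) becomes 0."""
    rec = dict(zip(FIELDS, line.split()))
    for field in ("srcport", "dstport", "packets", "bytes"):
        rec[field] = int(rec[field]) if rec[field] != "-" else 0
    return rec


def segment_of(addr: str):
    ip = ip_address(addr)
    return next((name for name, net in SEGMENTS.items() if ip in net), None)


def analyze(lines) -> list:
    findings = []
    rejected_ports = defaultdict(set)   # (src, dst) -> distinct ports the dst refused
    for line in lines:
        r = parse(line)
        if r["log_status"] != "OK":
            continue                    # no traffic data in this record
        src_seg, dst_seg = segment_of(r["srcaddr"]), segment_of(r["dstaddr"])
        if r["action"] == "REJECT":
            rejected_ports[(r["srcaddr"], r["dstaddr"])].add(r["dstport"])
            continue
        # 1. accepted internal flow that crosses segments outside the allow matrix
        if src_seg and dst_seg and src_seg != dst_seg \
                and (src_seg, dst_seg, r["dstport"]) not in ALLOWED_LATERAL:
            findings.append(f"lateral: {r['srcaddr']} ({src_seg}) -> "
                            f"{r['dstaddr']}:{r['dstport']} ({dst_seg})")
        # 2. accepted flow from a private segment to outside the VPC, not allowlisted.
        #    The web segment is excluded: its replies to internet clients are legitimate.
        dst = ip_address(r["dstaddr"])
        if src_seg in PRIVATE_SEGMENTS and dst not in VPC_CIDR \
                and not any(dst in net for net in EGRESS_ALLOWLIST):
            findings.append(f"egress: {r['srcaddr']} ({src_seg}) -> "
                            f"{r['dstaddr']}:{r['dstport']} ({r['bytes']} bytes)")
    # 3. one source bouncing off many ports of one host
    for (src, dst), ports in rejected_ports.items():
        if len(ports) >= PROBE_PORT_THRESHOLD:
            findings.append(f"probe: {src} rejected on {len(ports)} ports of {dst}")
    return findings


# Constructed records: one HTTPS exchange, the permitted tier hops, and three anomalies.
SAMPLE_LOG = [
    "2 123456789012 eni-0aaa000000000001 203.0.113.7 10.0.1.10 51342 443 6 12 3400 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0aaa000000000001 10.0.1.10 203.0.113.7 443 51342 6 10 9100 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0aaa000000000001 10.0.1.10 10.0.2.20 40211 8080 6 9 1800 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0aaa000000000002 10.0.2.20 10.0.3.30 38820 5432 6 14 2600 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0aaa000000000001 10.0.1.10 10.0.3.30 41002 5432 6 7 1200 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0aaa000000000002 10.0.2.20 198.51.100.20 44120 443 6 20 5100 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0aaa000000000003 10.0.3.30 192.0.2.44 50311 443 6 31000 48000000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0aaa000000000003 - - - - - - - 1700000000 1700000060 - NODATA",
] + [
    f"2 123456789012 eni-0aaa000000000003 10.0.2.99 10.0.3.30 {40000 + i} {port} 6 1 44 1700000000 1700000060 REJECT OK"
    for i, port in enumerate((22, 445, 3389, 5432, 6379, 8443))
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Two details matter in practice. Flow logs record each direction of a conversation separately, so the web tier's replies to internet clients show up as web-to-external flows; the egress check excludes the public segment for that reason, and a design that flagged them would drown in false positives. And NODATA/SKIPDATA records carry dashes instead of addresses and counters, so a parser that converts fields to integers unconditionally fails on the first quiet interval.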
Additional Considerations
Management and Governance
Building secure networks in the cloud is fundamentally different from building them in a private, on-premises environment. With secure networks in the cloud, the cloud provider handles certain tasks on your behalf, such as the management and governance of physical devices, their environment, or the security controls that surround them. You build and secure your network within a virtual environment and use identity and access controls that may span multiple workload boundaries to administer and secure access to your network.
As such, it is important that the organizational stakeholders responsible for your network security understand the shared responsibility model between you and your cloud provider for securing your cloud environment. These stakeholders should know the best practices for identity and access management and for granting least-privilege permissions across the workloads your networks span.
Security and Compliance
There are many cloud-native and third-party tools available to help you secure your network. Every organization's security requirements and level of compliance will differ. It is important to establish your security requirements and implement a baseline of controls across your networks as you consider which security tools to implement in your cloud environment. Requirements and compliance will also differ per application, so you must be able to add enhanced security controls on a case-by-case basis.
Traffic Flow
Account for the traffic flow between your applications and their clients, and for how your requirements change with where those clients are located. Consider how traffic should enter the network: over the internet, through a virtual private network (VPN), or over a dedicated connection. Determine how application layers will communicate with each other and with external dependencies, how traffic will egress from your network, and, most importantly, how each of these flows will be inspected and secured. Understanding your security responsibilities and requirements is critical to establishing network security best practices and workflows in the cloud.
Related Content
- Stakeholders: Networking (primary), Security, Central IT
- Supporting Capabilities: Network Connectivity, Threat & Vulnerability Management, Security Incident Response
- For additional information on this capability, read the whitepaper.
Disclaimer
The sample code; software libraries; command line tools; proofs of concept; templates; or other related technology (including any of the foregoing that are provided by our personnel) is provided to you as AWS Content under the AWS Customer Agreement, or the relevant written agreement between you and AWS (whichever applies). You should not use this AWS Content in your production accounts, or on production or other critical data. You are responsible for testing, securing, and optimizing the AWS Content, such as sample code, as appropriate for production grade use based on your specific quality control practices and standards. Deploying AWS Content may incur AWS charges for creating or using AWS chargeable resources, such as running Amazon EC2 instances or using Amazon S3 storage.
References to third-party services or organizations in this Guidance do not imply an endorsement, sponsorship, or affiliation between Amazon or AWS and the third party. Guidance from AWS is a technical starting point, and you can customize your integration with third-party services when you deploy the architecture.