
rather than insecure protocols like FTP. Where you can't avoid using less secure protocols and services, introduce additional security layers around them, such as IPSec or other virtual private network (VPN) technologies to protect the communications channel at the network layer, or GSS-API, Kerberos, SSL or TLS to protect network traffic at the application layer.

While security governance is important for all organizations, it is a best practice to enforce security policies. Wherever possible, configure your system security parameters to comply with your security policies and guidelines to prevent misuse.

For administrative access to systems and applications, encrypt all non-console administrative access using strong cryptographic mechanisms. Use technologies such as SSH, user and site-to-site IPSec VPNs, or SSL/TLS to further secure remote system management.

Secure Your Infrastructure

This section provides recommendations for securing infrastructure services on the AWS platform.

Using Amazon Virtual Private Cloud (VPC)

With Amazon Virtual Private Cloud (VPC) you can create private clouds within the AWS public cloud. Each Amazon VPC uses IP address space allocated by the customer. You can use private IP addresses (as recommended by RFC 1918) for your Amazon VPCs, building private clouds and associated networks in the cloud that are not directly routable to the Internet. Amazon VPC provides not only isolation from other customers in the private cloud, it provides layer 3 (Network Layer IP routing) isolation from the Internet as well. Table 20 lists options for protecting your applications in Amazon VPC:
Amazon Web Services – AWS Security Best Practices, August 2016 (page 51 of 74)

Table 20: Options for protecting your applications in Amazon VPC

Concern: Internet-only

Description: The Amazon VPC is not connected to any of your infrastructure on premises or elsewhere. You might or might not have additional infrastructure residing on premises, or elsewhere.

Recommended Protection Approach: If you need to accept connections from Internet users, you can provide inbound access by allocating elastic IP addresses (EIPs) to only those Amazon VPC instances that need them. You can further limit inbound connections by using security groups or NACLs for only specific ports and source IP address ranges. If you can balance the load of traffic inbound from the Internet, you don't need EIPs. You can place instances behind Elastic Load Balancing. For outbound (to the Internet) access, for example to fetch software updates or to access data on AWS public services, such as Amazon S3, you can use a NAT instance to provide masquerading for outgoing connections. No EIPs are required. Encrypt application and administrative traffic using SSL/TLS, or build custom user VPN solutions. Carefully plan routing and server placement in public and private subnets.
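The "specific ports and source IP address ranges" recommendation can be checked mechanically against the security groups of an Internet-only VPC. The following is an added audit example, not code from the whitepaper or from AWS: it walks the `SecurityGroups` list in the shape returned by `aws ec2 describe-security-groups` (the sample data is constructed), permits Internet-wide sources only on TLS-protected ports, and flags every other source range that is broader than a tunable prefix length (the port allow-list and prefix thresholds are assumptions).

```python
import ipaddress

# Ports that may be exposed to the whole Internet (TLS-protected traffic).
PUBLIC_TLS_PORTS = {443}
# Source prefixes shorter than this count as "not a specific range" (assumption).
MIN_PREFIX = {4: 24, 6: 64}


def _ranges(perm):
    """Yield each IPv4/IPv6 source network of one IpPermissions entry."""
    for r in perm.get("IpRanges", []):
        yield ipaddress.ip_network(r["CidrIp"], strict=False)
    for r in perm.get("Ipv6Ranges", []):
        yield ipaddress.ip_network(r["CidrIpv6"], strict=False)


def _only_tls(perm):
    """True when a TCP permission covers nothing but TLS-protected ports."""
    return perm.get("IpProtocol") == "tcp" and all(
        p in PUBLIC_TLS_PORTS for p in range(perm["FromPort"], perm["ToPort"] + 1))


def audit_security_groups(groups):
    """Return (GroupId, reason) for ingress rules wider than the guidance allows.
    Rules that reference other groups (UserIdGroupPairs) stay in-VPC; not checked."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            lo, hi = perm.get("FromPort"), perm.get("ToPort")  # absent for protocol -1
            ports = "all" if lo is None else (str(lo) if lo == hi else f"{lo}-{hi}")
            for net in _ranges(perm):
                if net.prefixlen == 0 and (ports == "all" or not _only_tls(perm)):
                    findings.append((sg["GroupId"], f"Internet-wide ingress on {ports} from {net}"))
                elif 0 < net.prefixlen < MIN_PREFIX[net.version]:
                    findings.append((sg["GroupId"], f"broad source {net} on {ports}"))
    return findings


# Constructed sample in `aws ec2 describe-security-groups` shape (not real data).
SAMPLE = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
    {"GroupId": "sg-bad", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]

if __name__ == "__main__":
    for group_id, reason in audit_security_groups(SAMPLE):
        print(group_id, reason)
```

Feed it the JSON from a real `describe-security-groups` call to get the same findings for your own VPC; `sg-web` passes because its only Internet-wide rule is TLS on 443 and SSH is limited to one /24.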