Amazon Web Services – AWS Security Best Practices August 2016 Page 56 of 74

Strengthening Network Security

Following the shared responsibility model, AWS configures infrastructure components such as data center networks, routers, switches, and firewalls in a secure fashion. You are responsible for controlling access to your systems in the cloud and for configuring network security within your Amazon VPC, as well as for securing inbound and outbound network traffic.

While applying authentication and authorization for resource access is essential, it doesn’t prevent adversaries from acquiring network-level access and trying to impersonate authorized users. Controlling access to applications and services based on the network location of the user provides an additional layer of security. For example, a web-based application with strong user authentication could also benefit from an IP-address-based firewall that limits source traffic to a specific range of IP addresses, and from an intrusion prevention system, to limit security exposure and minimize the potential attack surface of the application.

Best practices for network security in the AWS cloud include the following:

• Always use security groups: They provide stateful firewalls for Amazon EC2 instances at the hypervisor level. You can apply multiple security groups to a single instance, and to a single ENI.
• Augment security groups with Network ACLs: They are stateless, but they provide fast and efficient controls. Network ACLs are not instance-specific, so they can provide another layer of control in addition to security groups. You can apply separation of duties to ACL management and security group management.
• Use IPSec or AWS Direct Connect for trusted connections to other sites. Use a Virtual Gateway (VGW) where Amazon VPC-based resources require remote network connectivity.
• Protect data in transit to ensure the confidentiality and integrity of data, as well as the identities of the communicating parties.
• For large-scale deployments, design network security in layers. Instead of creating a single layer of network security protection, apply network security at external, DMZ, and internal layers.
• VPC Flow Logs provide further visibility by enabling you to capture information about the IP traffic going to and from network interfaces in your VPC.

Many of the AWS service endpoints that you interact with do not provide native firewall functionality or access control lists. AWS monitors and protects these endpoints with state-of-the-art network- and application-level control systems. You can use IAM policies to restrict access to your resources based on the source IP address of the request.

Securing Periphery Systems: User Repositories, DNS, NTP

Overlay security controls are effective only on top of a secure infrastructure. DNS query traffic is a good example of this dependency. When DNS systems are not properly secured, DNS client traffic can be intercepted and DNS names in queries and responses can be spoofed. Spoofing is a simple but efficient attack
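Returning to the security group and Network ACL best practices listed above: the practical consequence of Network ACLs being stateless is that the reply half of a connection must be explicitly allowed, which stateful security groups handle for you. The following is an added example, not part of the whitepaper, that models how a subnet NACL evaluates TCP traffic (ascending rule number, first match wins, implicit deny) and shows a DMZ rule set that fails until the outbound ephemeral-port rule is added. The rule set, CIDRs and ports are constructed; the model ignores protocol and ICMP fields for brevity.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NaclRule:
    number: int      # evaluated lowest number first; the first match decides
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound
    port_from: int
    port_to: int
    action: str      # "allow" or "deny"


def nacl_decision(rules, ip, port):
    """Evaluate rules the way a VPC Network ACL does (TCP only in this model):
    ascending rule number, first match wins, and the implicit '*' rule denies
    anything that matched no numbered rule."""
    addr = ip_address(ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if addr in ip_network(rule.cidr) and rule.port_from <= port <= rule.port_to:
            return rule.action
    return "deny"


def connection_allowed(inbound, outbound, client_ip, client_port, server_port):
    """A NACL is stateless, so a TCP connection succeeds only if BOTH the client's
    request (inbound, to server_port) and the server's reply (outbound, back to the
    client's ephemeral port) match an allow rule. A security group would track the
    connection and need only the inbound rule."""
    request = nacl_decision(inbound, client_ip, server_port)
    reply = nacl_decision(outbound, client_ip, client_port)
    return request == "allow" and reply == "allow"


# Constructed DMZ subnet NACL: admit HTTPS from the corporate range, but a lower
# numbered deny for one compromised host in that range takes precedence.
INBOUND = [
    NaclRule(90, "203.0.113.66/32", 0, 65535, "deny"),
    NaclRule(100, "203.0.113.0/24", 443, 443, "allow"),
]

# Common mistake: no outbound rule at all, so replies never leave the subnet.
OUTBOUND_BROKEN = []

# Corrected: allow replies back to the clients' ephemeral port range.
OUTBOUND_FIXED = [NaclRule(100, "203.0.113.0/24", 1024, 65535, "allow")]

if __name__ == "__main__":
    print(connection_allowed(INBOUND, OUTBOUND_BROKEN, "203.0.113.10", 51234, 443))  # False
    print(connection_allowed(INBOUND, OUTBOUND_FIXED, "203.0.113.10", 51234, 443))   # True
    print(connection_allowed(INBOUND, OUTBOUND_FIXED, "203.0.113.66", 51234, 443))   # False
```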