8_Securing Your AWS Network Environment

Securing Network Resources

Key principle: Apply security at all layers.

  • Network Level:
    • Network Access Control List (Network ACL)
  • Instance Level:
    • Security Groups

Using both Network ACLs and Security Groups:

  • Reduces the risk of exposing resources to unwanted traffic.

Network ACLs vs. Security Groups

Analogy: VPC subnet as an apartment building, resources as apartments.

  • Network ACL: Like a doorman (controls access to the building/subnet).
  • Security Group: Like a lock on an apartment door (controls access to the resource).
  • Security groups protect resources. Network ACLs protect subnets.

Security Groups

  • Stateful firewalls: If an inbound request is allowed, the outbound response is automatically allowed.
  • Default security group: Created with the VPC.
    • No inbound rules by default (no inbound traffic allowed).
    • All outbound traffic allowed by default.
  • Rules:
    • Can add rules for both inbound and outbound traffic.
    • Only allow rules are possible (no deny rules).
  • Scope:
    • Can span multiple availability zones.
  • Relationships:
    • You can define relationships between security groups.
    • Example: the business-application instances one and two belong to the same security group.
    • That security group allows inbound HTTPS traffic to both instances.

Network ACLs

  • Stateless: Every inbound and outbound request is evaluated independently.
  • Rules:
    • Can allow or deny traffic.
    • Numbered and evaluated from lowest to highest until a match is found.
  • Association:
    • Each subnet in a VPC must be associated with a network ACL.
  • Default ACL:
    • Comes with your VPC.
    • Allows all inbound and outbound traffic by default.
    • Includes an inbound rule and an outbound rule numbered with an asterisk (*) that deny all traffic; they are evaluated last, after every numbered rule.
  • Example:
    • Inbound HTTPS traffic from a specific IP on port 443 is allowed.
    • Outbound HTTPS traffic on the same port is also allowed.
    • Any other inbound or outbound traffic will be denied.

Key Differences

  • Security Groups:
    • Stateful
    • Operate at the instance level
    • Support only "allow" rules
  • Network ACLs:
    • Stateless
    • Operate at the subnet level
    • Support both "allow" and "deny" rules
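The following is an added worked example, not code from the course or from AWS: a small Python model of the two layers described in the Security Groups, Network ACLs and Key Differences sections. It implements the network ACL as a stateless, numbered allow/deny list evaluated from the lowest number upward with the asterisk rule last, and the security group as an allow-only list with a connection table that makes it stateful. All addresses, ports and rules are constructed. It applies the notes' NACL example (inbound HTTPS from one IP, outbound HTTPS, deny everything else) to an HTTPS request and the server's reply; because the reply is addressed to the client's ephemeral port rather than port 443, the stateless NACL judges it on the rules alone, which is why AWS network ACLs need an outbound rule covering the ephemeral port range for return traffic (a documented AWS behaviour, shown here with an extra rule 110). The security group allows the same reply with no outbound rule at all.

```python
"""Toy model of the two filtering layers in the notes: a stateless network ACL
(numbered allow/deny rules, lowest number first, '*' catch-all last) and a
stateful security group (allow-only rules plus a connection table).
Added illustration, not AWS code; all addresses, ports and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str   # "tcp" or "udp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    cidr: str         # source CIDR for inbound rules, destination CIDR for outbound
    protocol: str     # "tcp", "udp" or "all"
    port_from: int    # port ranges apply to the packet's destination port
    port_to: int
    action: str = "allow"          # NACLs may also say "deny"; security groups never do
    number: Optional[int] = None   # NACL rule number; None models the '*' rule

    def matches(self, pkt: Packet, direction: str) -> bool:
        ip = pkt.src_ip if direction == "inbound" else pkt.dst_ip
        return (ip_address(ip) in ip_network(self.cidr)
                and self.protocol in ("all", pkt.protocol)
                and self.port_from <= pkt.dst_port <= self.port_to)


class NetworkAcl:
    """Stateless: every packet, including a reply, is judged on the rules alone."""

    def __init__(self, inbound: list, outbound: list):
        self.inbound, self.outbound = inbound, outbound

    def evaluate(self, pkt: Packet, direction: str) -> str:
        rules = self.inbound if direction == "inbound" else self.outbound
        # '*' (number None) sorts after every numbered rule, so it is evaluated last
        for rule in sorted(rules, key=lambda r: (r.number is None, r.number or 0)):
            if rule.matches(pkt, direction):
                return rule.action          # first match wins
        return "deny"   # only reached if the '*' rule were removed


class SecurityGroup:
    """Stateful: an allowed request records its flow; the reverse flow is then allowed."""

    def __init__(self, inbound: list, outbound: list):
        self.inbound, self.outbound = inbound, outbound
        self._tracked = set()

    @staticmethod
    def _flow(pkt: Packet):
        return (pkt.protocol, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    def evaluate(self, pkt: Packet, direction: str) -> str:
        reverse = (pkt.protocol, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self._tracked:
            return "allow"           # reply to a tracked flow: no rule needed
        rules = self.inbound if direction == "inbound" else self.outbound
        if any(r.matches(pkt, direction) for r in rules):
            self._tracked.add(self._flow(pkt))
            return "allow"
        return "deny"                # no deny rules exist; unmatched traffic is simply dropped


def scenario() -> dict:
    """HTTPS request from one client and the server's reply, checked at both layers."""
    client, server = "203.0.113.10", "10.0.1.25"          # constructed addresses
    request = Packet(client, server, "tcp", 51234, 443)     # client's ephemeral port 51234
    reply = Packet(server, client, "tcp", 443, 51234)
    ssh_probe = Packet("198.51.100.7", server, "tcp", 40000, 22)

    # NACL as in the notes' example: inbound 443 from one IP, outbound 443, '*' deny both ways
    nacl = NetworkAcl(
        inbound=[Rule(f"{client}/32", "tcp", 443, 443, "allow", 100),
                 Rule("0.0.0.0/0", "all", 0, 65535, "deny")],
        outbound=[Rule("0.0.0.0/0", "tcp", 443, 443, "allow", 100),
                  Rule("0.0.0.0/0", "all", 0, 65535, "deny")],
    )
    # Same NACL plus an outbound rule for the ephemeral range the reply is sent to
    nacl_with_ephemeral = NetworkAcl(
        inbound=nacl.inbound,
        outbound=nacl.outbound + [Rule("0.0.0.0/0", "tcp", 1024, 65535, "allow", 110)],
    )
    # Security group with an inbound HTTPS rule and deliberately no outbound rule,
    # so the reply can only pass because the group is stateful
    sg = SecurityGroup(inbound=[Rule("0.0.0.0/0", "tcp", 443, 443)], outbound=[])

    return {
        "nacl_request": nacl.evaluate(request, "inbound"),
        "nacl_reply": nacl.evaluate(reply, "outbound"),
        "nacl_reply_with_ephemeral": nacl_with_ephemeral.evaluate(reply, "outbound"),
        "nacl_ssh_probe": nacl.evaluate(ssh_probe, "inbound"),
        "sg_request": sg.evaluate(request, "inbound"),
        "sg_reply": sg.evaluate(reply, "outbound"),
        "sg_ssh_probe": sg.evaluate(ssh_probe, "inbound"),
    }


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:28s} {verdict}")
```

Running the script prints one verdict per line: the NACL allows the request and denies the unrelated SSH probe, denies the reply under the two-rule configuration and allows it once rule 110 is present, while the security group allows the reply purely from its connection table. The model matches rules on destination port only, as AWS does; it does not model ICMP or the per-interface attachment of security groups.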

AWS Network Firewall

  • For VPC subnets receiving external traffic.
  • Adds an extra layer of protection.
  • Stateful, managed network firewall for Amazon VPC.
  • Includes intrusion detection and prevention.
  • Deployment:
    • Deployed in a firewall subnet.
    • Inspects all incoming VPC traffic.
    • External traffic is routed to the firewall subnet.
    • The route table for the private subnet accepts traffic only from the firewall subnet.