Introduction
One of the key aspects of AWS security is infrastructure protection: applying security controls at each layer of your AWS environment. Knowledge of infrastructure protection helps you design and implement secure network architectures using AWS services and features. In this blog post, we will explore the following points in the context of infrastructure protection:
- What is infrastructure protection?
- What does infrastructure protection include?
- Network Protection Approaches
- Compute Protection Approaches
- What are the common mistakes and the corresponding best practices?
Please note: security requirements vary from project to project. Use these best practices as a reference and a guide only; do not treat them as a perfect fit for your project.
Target audience
The intended audience for this article is:
- People who are curious to learn about security in AWS.
- People who want to know about AWS security services and the best practices for protecting their infrastructure workloads.
- People who want to know the common mistakes in infrastructure protection.
What is infrastructure protection?
Infrastructure protection is a key aspect of information security, especially in the cloud, where threats and vulnerabilities are constantly evolving. It protects your cloud resources against unintended and unauthorized access, and it is one of the most important goals for any organization running workloads in AWS.
Security approaches to protect Infrastructure
According to the AWS Well-Architected Framework, there are a number of approaches to infrastructure protection. In infrastructure protection, we mainly focus on two types of protection: network protection and compute protection.
- Network Protection. It involves:
  - Creating network layers.
  - Securing the communication channels between components placed in those different network layers.
  - Controlling the traffic flow and filtering out unwanted or malicious packets.
- Compute Protection. It involves:
  - Vulnerability management.
  - Reducing the attack surface.
  - Defence in depth.
  - Automation of configuration and operations.
AWS provides various services and features that enable customers to protect their network resources and compute resources.
Network Protection Approach
Let's explore some of the network protection approaches using AWS services.
- Create network layers.
  - When architecting the network topology, examine the connectivity requirements of each component. Group components that share common reachability requirements into layers. Creating layers helps you organize the components and reduce the attack surface. A sample layered architecture is shown below:
  - Useful AWS services for creating network layers:
    - VPC
    - Internet Gateway (IGW)
    - Subnets
    - Route tables
- Secure the communication channels between components placed in different network layers.
  - Connectivity inside AWS:
    - VPC peering
    - AWS PrivateLink
    - AWS Transit Gateway
  - Connectivity between AWS and networks outside AWS:
    - AWS VPN
    - AWS Direct Connect
    - AWS Transit Gateway
- Control the traffic flow.
  - To control traffic flow, you must know the inbound and outbound requirements of each component. Implement traffic control at each layer of the architecture. A sample is shown below:
Reference: DDoS attack traffic control
Reference: VPC traffic control
- Useful AWS services for traffic control:
  - Control traffic at the edge network:
    - Amazon Route 53
    - AWS WAF
    - Amazon CloudFront
    - AWS Shield
  - Control network traffic in a VPC:
    - Configure network ACLs (NACLs) at the subnet level. NACLs are stateless: return traffic is not allowed automatically, so rules for the ephemeral port range must be written explicitly in both directions.
    - Configure security groups at the instance (network interface) level. Security groups are stateful: return traffic for an allowed connection is permitted automatically.
    - Use VPC endpoints for communication between resources in a VPC and AWS services (for example, an application deployed on EC2 or Lambda that needs to read a file stored in S3), so that the traffic does not leave the AWS network.
  - Manage traffic rules centrally across multiple accounts:
    - AWS Network Firewall: a managed, stateful network firewall with intrusion detection and prevention capabilities that you deploy in your VPCs to inspect traffic entering and leaving them.
    - AWS Firewall Manager: centrally configure and manage firewall rules (AWS WAF, AWS Shield Advanced, security group and AWS Network Firewall policies) across multiple accounts in an organization.
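The security group checks above are easy to state and easy to get wrong in a large account, so here is a small audit script as an added example (not code from the original post). It consumes the structure that boto3's `ec2.describe_security_groups()["SecurityGroups"]` returns, so it can be pointed at a real account, but the groups below are constructed so that the check runs offline; the set of ports allowed to be open to the internet (80 and 443) and the group ids are assumptions for the example.

```python
"""Find over-permissive security group rules: ingress from the whole internet
on ports other than the public web ports, and egress to the whole internet.

Added example, not code from the original post. Input is the list returned by
boto3's ec2.describe_security_groups()["SecurityGroups"]; SAMPLE_GROUPS is a
constructed stand-in so the audit runs offline.
"""
from typing import Iterable

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"

# Assumption: only the public web ports may be open to the internet.
PUBLIC_ALLOWED_PORTS = {80, 443}


def _port_range(perm: dict) -> tuple[int, int]:
    """IpProtocol '-1' means every protocol and every port. For ICMP, AWS reuses
    FromPort/ToPort for type/code (-1 = all); that value is outside
    PUBLIC_ALLOWED_PORTS, so world-open ICMP is flagged as well."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _open_to_world(perm: dict) -> bool:
    v4 = any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def audit_security_groups(groups: Iterable[dict]) -> list[dict]:
    """One finding per rule that exposes a non-web port to the internet
    (ingress) or allows traffic to the whole internet (egress)."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not _open_to_world(perm):
                continue
            lo, hi = _port_range(perm)
            exposed = [p for p in range(lo, hi + 1) if p not in PUBLIC_ALLOWED_PORTS]
            if exposed:
                findings.append({"group": sg["GroupId"], "direction": "ingress",
                                 "protocol": perm.get("IpProtocol"), "ports": f"{lo}-{hi}",
                                 "issue": f"{len(exposed)} non-web port(s) open to the internet"})
        for perm in sg.get("IpPermissionsEgress", []):
            if not _open_to_world(perm):
                continue
            lo, hi = _port_range(perm)
            issue = "egress to the whole internet"
            if (lo, hi) == (0, 65535):
                issue += " on all ports (the AWS default egress rule)"
            findings.append({"group": sg["GroupId"], "direction": "egress",
                             "protocol": perm.get("IpProtocol"), "ports": f"{lo}-{hi}",
                             "issue": issue})
    return findings


# Constructed sample: a web tier with SSH open to the world and the default
# egress rule, and a database tier that only trusts the web tier's group.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0123456789abcdef0", "GroupName": "web-tier",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
     "IpPermissionsEgress": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0fedcba9876543210", "GroupName": "db-tier",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [],
          "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}]}],
     "IpPermissionsEgress": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"{f['group']} {f['direction']:7} {f['protocol']:>4} {f['ports']:>8}  {f['issue']}")
```

Against the sample this reports two findings, both on the web tier: SSH (22) open to the internet and the default all-ports egress rule. To run it against an account, replace `SAMPLE_GROUPS` with `boto3.client("ec2").describe_security_groups()["SecurityGroups"]`.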
Compute Protection Approach
Let's explore some of the compute protection approaches using AWS services.
- Vulnerability management.
  - Vulnerabilities are weaknesses or flaws that attackers can exploit to compromise your systems or data.
  - Vulnerability management is the process of identifying, assessing, prioritizing, and remediating vulnerabilities in your compute resources.
  - Under the shared responsibility model, customers are responsible for patching the guest operating system and software on resources such as:
    - EC2 instances
    - AMIs (and the instances launched from them)
  - AWS tools and services that can help you perform vulnerability management:
    - AWS Systems Manager Patch Manager: automates applying patches to your EC2 instances and on-premises servers. You define patch baselines, schedules (maintenance windows), compliance rules, and notifications for your patching operations.
    - Amazon Inspector: continually scans EC2 instances (as well as container images in Amazon ECR and Lambda functions) for software vulnerabilities with known CVEs and for unintended network exposure, and prioritizes the findings by risk.
- Reduce the attack surface.
  - Resources exposed to the internet are more likely to be attacked. The objective is to limit the options an attacker has to target your application.
  - Harden the operating system:
    - Disable unnecessary services.
    - Remove unnecessary software.
    - Configure host firewalls.
  - Develop a process for building hardened AMIs with EC2 Image Builder, so that every instance starts from a known-good image.
  - Use static code analysis and dependency (software composition analysis) tools to identify security issues in your code and known common vulnerabilities and exposures (CVEs) in the libraries it uses.
- Automate configuration and operations.
  - Use a configuration management service or tool:
    - AWS CloudFormation
    - AWS Systems Manager
    - AWS Systems Manager Patch Manager
  - Implement an intrusion detection and prevention tool to monitor and stop malicious activity on instances.
Common Mistakes and Corresponding Best Practices
| Mistake | Best Practice |
|---|---|
| Placing AWS resources such as web servers and databases directly in a public subnet. | Place web servers and database servers in private subnets. Expose only the load balancer in the public subnet, and use a NAT gateway for outbound internet access from the private subnets. |
| Using a bastion host in a public subnet for server access. | Use Session Manager in AWS Systems Manager, which needs no open inbound ports and no public IP on the instance. |
| Not enabling VPC Flow Logs. | Enable VPC Flow Logs to monitor the IP traffic going to and from a VPC, subnet, or network interface. |
| VPC resources reach AWS services (for example, S3) over public endpoints. | Use VPC endpoints: gateway endpoints for S3 and DynamoDB, and AWS PrivateLink interface endpoints for other supported services, so the traffic stays on the AWS network. |
| Allowing 0.0.0.0/0 on all ports in a security group's outbound rules. | Restrict outbound access, not only inbound, to the required destination addresses and ports. |
| Serving public S3 objects directly from the bucket. | Serve S3 objects through CloudFront with origin access control so the bucket itself stays private; this is more secure, faster, and more cost-efficient. |
| Not applying patches to EC2 servers. | Use AWS Systems Manager Patch Manager: define a patch baseline and schedule the patching. |
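Enabling VPC Flow Logs (the third row above) is only useful if someone reads them, so here is a small triage script as an added example, not code from the original post. It parses the default (version 2) flow log record format and reports two things a practitioner looks for first: internet-sourced flows that were ACCEPTed on a port that should not be reachable from outside (a security group or NACL more open than the design intends), and external sources that rack up REJECTs (scanning). The sample records are constructed and use documentation IP ranges; the assumptions that the VPC uses RFC 1918 space and that only port 443 is meant to be public are stated in the code.

```python
"""Triage VPC Flow Log records (default v2 format) for accepted internet
traffic on unexpected ports and for sources with repeated rejects.

Added example, not code from the original post. SAMPLE_LOG is constructed
(documentation IP ranges, dummy account and ENI ids), not real traffic.
"""
import ipaddress
from collections import Counter

# Field order of the default flow log record format (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Assumption: the VPC uses RFC 1918 space, so anything outside it is external.
# ipaddress's is_private is deliberately not used: it also classes the
# documentation ranges (203.0.113.0/24 etc.) used in the sample as non-global.
INTERNAL_NETS = [ipaddress.ip_network(c) for c in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: only HTTPS is meant to be reachable from the internet.
EXPECTED_PUBLIC_PORTS = {443}

SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.45 10.0.1.25 51234 22 6 12 960 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 44321 443 6 30 4096 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.2.14 10.0.1.25 50100 5432 6 9 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.45 10.0.1.25 51235 3389 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.45 10.0.1.25 51236 23 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text: str) -> list[dict]:
    """Parse default-format records. NODATA/SKIPDATA records carry '-' fields
    and describe no traffic, so they are dropped, as are malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def external_accepts(records: list[dict], expected_ports=EXPECTED_PUBLIC_PORTS) -> list[dict]:
    """ACCEPTed flows from external sources to ports that are not meant to be
    public. Each hit is a port the edge controls let through."""
    hits = []
    for r in records:
        if r["action"] != "ACCEPT" or is_internal(r["srcaddr"]):
            continue
        if r["dstport"] in expected_ports:
            continue
        hits.append({"src": r["srcaddr"], "dst": r["dstaddr"],
                     "port": r["dstport"], "protocol": r["protocol"]})
    return hits


def reject_sources(records: list[dict], threshold: int = 2) -> dict:
    """External sources with at least `threshold` REJECTed flows, a cheap
    signal of port scanning against the interface."""
    counts = Counter(r["srcaddr"] for r in records
                     if r["action"] == "REJECT" and not is_internal(r["srcaddr"]))
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    for hit in external_accepts(recs):
        print("accepted from internet:", hit)
    for src, n in reject_sources(recs).items():
        print(f"{src}: {n} rejected flows")
```

On the sample, the script reports the SSH connection from 203.0.113.45 that was accepted (443 from 198.51.100.7 is expected, and the PostgreSQL flow is internal) and flags 203.0.113.45 for its two rejected probes on 3389 and 23. The NODATA record is skipped rather than mis-parsed. Real logs come from CloudWatch Logs or S3; feed their text to `parse_flow_log` unchanged.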
In this post, we explained infrastructure protection in AWS. We hope that readers find this article helpful when building and maintaining AWS infrastructure.
Keep Learning and Keep Practicing.
Thank you
References
AWS White Papers
AWS Skill Builder Courses