AWS Infrastructure Protection

Oguzhan Ozturk
AWS in Plain English
5 min read · Nov 5, 2021


Protection via Isolation

Infrastructure protection covers the controls that keep the systems and resources in your workloads from unintended or unauthorized access and from other potential exposures.
Amazon Virtual Private Cloud (Amazon VPC) lets you isolate your AWS resources in the cloud. A VPC is a virtual network that you define and that closely resembles a traditional network you would operate in your own data center: you choose the address space, subnets, routing, and the firewalls that sit in front of your resources.

The core VPC features below layer on top of one another and give you defense in depth for your resources:

Subnet Routing:

Subnets let you group instances and other AWS resources according to your security and operational needs. A subnet can be configured so that instances launched into it receive a public IPv4 address, an IPv6 address, or both; a subnet with neither is reachable only through the private paths you set up. Every subnet is associated with a route table that decides where traffic leaving it may go: a route to an internet gateway makes the subnet public, a route to a NAT gateway lets private instances initiate outbound connections without being reachable from the internet, and a subnet with neither route stays internal to the VPC.

Network ACLs:

To add a further layer of security within your VPC, you can configure network ACLs. A network access control list (ACL) is an optional layer of security that acts as a firewall at the subnet level. Your VPC comes with a modifiable default network ACL that allows all inbound and outbound IP traffic. To control traffic you add numbered ALLOW and DENY rules for specific IP ranges, protocols, and ports; rules are evaluated in ascending order, the first match wins, and an implicit final rule denies anything that matched nothing. Network ACLs are stateless: they do not remember which connections they have admitted, so the reply to an allowed inbound request must itself be allowed by the outbound rules, which is why a working NACL usually has an outbound rule for the ephemeral port range (1024-65535) in addition to the rules for the service ports.

Security Group:

A security group acts as a virtual firewall for your instance and controls inbound and outbound traffic at the instance's network interface. Every instance launched in a VPC is associated with one or more security groups (the VPC's default group if you specify none). Each security group has one set of rules for inbound traffic and a separate set for outbound traffic, and all rules are ALLOW rules; there is no way to write a DENY, so anything no rule permits is dropped. Security groups are stateful: responses to allowed inbound traffic are allowed out regardless of the outbound rules, and responses to allowed outbound traffic are allowed in regardless of the inbound rules. A newly created security group has no inbound rules, so it admits nothing until you add one, and a single outbound rule that allows all traffic. Rules can restrict traffic by IP protocol, port, and source or destination, where the source or destination may be a CIDR block or another security group.
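As an added illustration (not code from the article or from AWS), the following Python model shows the behaviour the network ACL and security group sections describe: a NACL evaluates its numbered rules in order and is stateless, so the reply to an allowed request is dropped unless an outbound rule covers the client's ephemeral port, while a security group is stateful and allow-only, so the same reply passes with no outbound rules at all. The addresses, rule numbers, and the check_request walk-through are constructed for this example, and the model ignores details such as ICMP types and per-group rule limits.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    number: int            # NACLs evaluate rules in ascending order; security groups ignore it
    protocol: str          # "tcp", "udp", "icmp" or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str              # source CIDR on inbound rules, destination CIDR on outbound rules
    action: str = "allow"  # "allow" or "deny"; security group rules are always allow


@dataclass(frozen=True)
class Packet:
    src: str
    src_port: int
    dst: str
    dst_port: int
    protocol: str = "tcp"

    def reply(self):  # the return packet: addresses and ports swapped
        return Packet(self.dst, self.dst_port, self.src, self.src_port, self.protocol)


def matches(rule, protocol, port, addr):
    if rule.protocol != "-1" and rule.protocol != protocol:
        return False
    if rule.protocol in ("tcp", "udp") and not rule.port_from <= port <= rule.port_to:
        return False
    return ip_address(addr) in ip_network(rule.cidr)


def first_match(rules, protocol, port, addr):
    """NACL semantics: first matching rule decides; the implicit '*' rule denies."""
    for rule in rules:
        if matches(rule, protocol, port, addr):
            return rule.action == "allow"
    return False


class NetworkAcl:
    """Subnet firewall: stateless, numbered rules, first match wins."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def allows_inbound(self, p):   # inbound rules are keyed on the source address
        return first_match(self.inbound, p.protocol, p.dst_port, p.src)

    def allows_outbound(self, p):  # outbound rules are keyed on the destination address
        return first_match(self.outbound, p.protocol, p.dst_port, p.dst)


class SecurityGroup:
    """Instance firewall: stateful and allow-only. A packet admitted by a rule gets
    its reply admitted in the other direction whatever the rules there say."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self.tracked = set()   # replies already promised passage (a toy connection table)

    def decide(self, rules, p, addr):
        if p in self.tracked:
            self.tracked.discard(p)
            return True
        if any(matches(r, p.protocol, p.dst_port, addr) for r in rules):
            self.tracked.add(p.reply())
            return True
        return False

    def allows_inbound(self, p):
        return self.decide(self.inbound, p, p.src)

    def allows_outbound(self, p):
        return self.decide(self.outbound, p, p.dst)


def check_request(nacl, sg, request):
    """Push a request and its reply through both layers in the order AWS applies them
    (NACL then security group inbound, the reverse outbound). Returns the layer that
    dropped the flow, or None when the exchange completes."""
    if not nacl.allows_inbound(request):
        return "nacl inbound"
    if not sg.allows_inbound(request):
        return "sg inbound"
    reply = request.reply()
    if not sg.allows_outbound(reply):
        return "sg outbound"
    if not nacl.allows_outbound(reply):
        return "nacl outbound"
    return None


# Constructed scenario: a web server in 10.0.1.0/24 whose security group allows only
# 443 inbound and has no outbound rules at all; the client uses an ephemeral port.
HTTPS_REQUEST = Packet("203.0.113.5", 50321, "10.0.1.10", 443)
ALLOW_443 = Rule(100, "tcp", 443, 443, "0.0.0.0/0")
EPHEMERAL_OUT = Rule(100, "tcp", 1024, 65535, "0.0.0.0/0")  # replies go to the client's ephemeral port


def web_sg():
    return SecurityGroup(inbound=[Rule(0, "tcp", 443, 443, "0.0.0.0/0")], outbound=[])


def deny_client_net(rule_number):
    """NACL that denies 203.0.113.0/24; effective only if it sorts before ALLOW_443 (100)."""
    deny = Rule(rule_number, "tcp", 443, 443, "203.0.113.0/24", "deny")
    return NetworkAcl(inbound=[deny, ALLOW_443], outbound=[EPHEMERAL_OUT])


BROKEN_NACL = NetworkAcl(inbound=[ALLOW_443], outbound=[ALLOW_443])  # mirrors inbound; drops replies
FIXED_NACL = NetworkAcl(inbound=[ALLOW_443], outbound=[EPHEMERAL_OUT])
ORDERED_NACL = deny_client_net(90)      # deny evaluated first: client blocked
MISORDERED_NACL = deny_client_net(110)  # allow evaluated first: deny never reached

if __name__ == "__main__":
    for name, nacl in [("broken", BROKEN_NACL), ("fixed", FIXED_NACL),
                       ("ordered", ORDERED_NACL), ("misordered", MISORDERED_NACL)]:
        print(f"{name:11s} blocked by: {check_request(nacl, web_sg(), HTTPS_REQUEST)}")
```

The "broken" NACL is a real-world misconfiguration: someone mirrors the inbound service rule on the outbound side, forgets that replies leave from port 443 towards a high port, and the subnet becomes unreachable while the security group looks fine. The "misordered" case shows why a targeted DENY must carry a lower rule number than the broad ALLOW it is meant to punch a hole in.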

Application and OS Security

Securing the network is only part of infrastructure security; the servers behind it also have to be hardened and kept patched. AWS Systems Manager includes capabilities that automate management tasks such as collecting system inventory, applying operating system patches, keeping anti-virus definitions current, and configuring operating systems and applications at scale, and it reports on whether your systems still match the configuration policies you defined.

AWS Systems Manager Features

AWS Systems Manager gives you tooling for automating operations such as patch deployment and running scripts on your instances. You can push patches and scripts to one instance or to a group of instances selected by tag, in an automated and auditable way, instead of logging into a production box to make the change by hand.

Automation:

Safely automate common and repetitive IT operations and management tasks across AWS resources.

Inventory:

Collect information about your instances and the software installed on them, helping you understand your system configurations and installed applications. Collected data includes applications, files, network configurations, updates, and any other system properties.

Patch Manager:

Deploy software patches automatically across large groups of Amazon EC2 or on-premises instances.

Parameter Store:

A centralized store for configuration data, whether plaintext values such as database connection strings or secrets such as passwords, so that secrets and configuration are kept out of your code. Store secrets as SecureString parameters, which are encrypted with an AWS KMS key and require kms:Decrypt as well as ssm:GetParameter to read; a plain String parameter is stored unencrypted and should never hold a credential.

Run Command:

Manage instances remotely at scale without logging into your servers. It provides a simple way of automating common administrative tasks across groups of instances such as registry edits, user management, and software and patch installations.

Session Manager:

Manage Windows and Linux EC2 instances through a browser-based interactive shell or the CLI without opening inbound ports, managing SSH keys, or running bastion hosts. Access is granted through IAM rather than network reachability, the instance needs the SSM Agent and an instance role with Systems Manager permissions, and session activity can be logged to CloudWatch Logs or S3 for audit.


Additional AWS Services for Infrastructure Protection

AWS Firewall Manager:

AWS Firewall Manager is a security management service for centrally configuring and managing AWS WAF rules, as well as Shield Advanced protections and VPC security group policies, across the accounts of an AWS Organization. Because policies are applied by resource type and tag rather than per resource, new applications and accounts are brought into compliance with a common set of rules from the start, and drift is reported centrally.

AWS Direct Connect:

AWS Direct Connect establishes a dedicated private network connection from your premises to AWS, giving you private connectivity between your data center, office, or colocation environment and your VPCs without traversing the public internet. In many cases this reduces network costs, increases bandwidth, and provides a more consistent network experience than internet-based connections. Note that a Direct Connect link is private but not encrypted by itself; if the data in transit requires encryption, run an IPsec VPN over the connection or use MACsec on a dedicated connection.

AWS CloudFormation

AWS CloudFormation automates and simplifies the task of repeatedly creating and consistently deploying AWS resources from templates. Because security groups, network ACLs, IAM roles, and logging settings are declared in the same template as the workload, your security and compliance controls are deployed together with each new environment rather than applied by hand afterwards, and the template can be reviewed and version-controlled like code.

AWS Service Spotlight

Amazon Inspector

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. It assesses applications for vulnerabilities and deviations from best practices and, after an assessment run, produces a detailed list of security findings prioritized by severity. The assessment-run model described here is what is now called Amazon Inspector Classic; the service was relaunched at the end of November 2021 as a continuously running scanner for EC2 instances and container images, so the workflow in current accounts looks different.

Using Amazon Inspector with AWS Lambda lets you automate certain security tasks. Combining the two gives you event-driven security automation that reacts to findings in near real time. The diagram in the original article illustrates a solution that automatically remediates findings generated by Amazon Inspector.
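As an added example (not the article's code and not an AWS sample), here is the Lambda side of that pattern in Python: the function is subscribed to the SNS topic an Inspector Classic assessment publishes to, looks up the reported findings, and quarantines any instance with a High finding by swapping its security groups for an empty one, recording the old groups in a tag so the change can be reversed. The SNS message layout (a JSON object with the finding ARN under "finding"), the security group id, the tag names, the ARNs, and the fake clients are assumptions made for this example; the finding fields it reads (severity and assetAttributes.agentId) are from the Inspector Classic DescribeFindings response.

```python
import json

try:
    import boto3  # present in the Lambda runtime; not needed for the offline demo below
except ImportError:
    boto3 = None

QUARANTINE_SG = "sg-0123456789abcdef0"  # assumed: a security group with no inbound or outbound rules
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}  # Inspector Classic severities


def instances_to_quarantine(findings, min_severity="High"):
    """Unique agent (instance) ids whose findings reach the threshold. Findings with
    severity 'Undefined' or without an agent id are skipped."""
    threshold = SEVERITY_RANK[min_severity]
    hits = set()
    for f in findings:
        instance = f.get("assetAttributes", {}).get("agentId")
        if instance and SEVERITY_RANK.get(f.get("severity"), -1) >= threshold:
            hits.add(instance)
    return sorted(hits)


def quarantine(ec2, instance_id, sg_id=QUARANTINE_SG):
    """Replace the instance's security groups with the quarantine group and record
    the old ones in a tag so the action can be reversed. Idempotent: an instance
    already tagged Quarantined=true is left alone and None is returned."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
    if tags.get("Quarantined") == "true":
        return None
    previous = [g["GroupId"] for g in inst["SecurityGroups"]]
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg_id])
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": "Quarantined", "Value": "true"},
        {"Key": "PreviousSecurityGroups", "Value": ",".join(previous)},
    ])
    return previous


def handler(event, context=None, inspector=None, ec2=None):
    """Lambda entry point for an SNS subscription. Assumed message shape: Inspector
    Classic's FINDING_REPORTED notification, JSON with the finding ARN under
    "finding". Clients are injectable so the logic can run without AWS."""
    inspector = inspector or boto3.client("inspector")
    ec2 = ec2 or boto3.client("ec2")
    arns = [json.loads(r["Sns"]["Message"])["finding"] for r in event["Records"]]
    findings = inspector.describe_findings(findingArns=arns)["findings"]
    return {i: quarantine(ec2, i) for i in instances_to_quarantine(findings)}


# Constructed stand-ins for the two AWS clients; every ARN, id and finding is made up.
class FakeInspector:
    FINDINGS = {
        "arn:aws:inspector:us-east-1:111122223333:target/0-a/template/0-b/run/0-c/finding/0-high":
            {"severity": "High", "assetAttributes": {"agentId": "i-0aaaaaaaaaaaaaaaa"}},
        "arn:aws:inspector:us-east-1:111122223333:target/0-a/template/0-b/run/0-c/finding/0-low":
            {"severity": "Low", "assetAttributes": {"agentId": "i-0bbbbbbbbbbbbbbbb"}},
    }

    def describe_findings(self, findingArns):
        return {"findings": [self.FINDINGS[a] for a in findingArns]}


class FakeEc2:
    def __init__(self, already_quarantined=False):
        self.calls = []
        self.tags = [{"Key": "Quarantined", "Value": "true"}] if already_quarantined else []

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [{"InstanceId": InstanceIds[0],
                "SecurityGroups": [{"GroupId": "sg-web"}], "Tags": self.tags}]}]}

    def modify_instance_attribute(self, **kw):
        self.calls.append(("modify_instance_attribute", kw))

    def create_tags(self, **kw):
        self.calls.append(("create_tags", kw))


SAMPLE_EVENT = {"Records": [{"Sns": {"Message": json.dumps({"event": "FINDING_REPORTED", "finding": arn})}}
                            for arn in FakeInspector.FINDINGS]}


def run_offline(already_quarantined=False):
    """Drive the handler with the fakes; returns (handler result, EC2 calls made)."""
    ec2 = FakeEc2(already_quarantined)
    return handler(SAMPLE_EVENT, inspector=FakeInspector(), ec2=ec2), ec2.calls


if __name__ == "__main__":
    print(run_offline())  # only the instance with the High finding is quarantined
```

Quarantining on every High finding is heavy-handed for a real fleet; the point here is the mechanics a remediation function needs regardless of the action it takes: a severity gate, idempotence through a marker tag, a reversible change, and clients injected so the decision logic can be tested without touching an account. The Lambda role should be limited to ec2:DescribeInstances, ec2:ModifyInstanceAttribute, ec2:CreateTags and inspector:DescribeFindings, which is all this handler calls.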

Sources:

https://d1.awsstatic.com/whitepapers/Security/Networking_Security_Whitepaper.pdf
