Securing the Network

AWS Security Best Practices

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Defense in depth, a layering approach to security, can help you ensure that the following are all in place:
• All interconnected systems only communicate through approved information flow policies
• All interconnected systems can only communicate through essential capabilities, based on functions, ports,
protocols, and services as defined in the configuration management policy

This module will explore a variety of AWS network-based protective and detective features. The module will
also cover specific AWS services customers can take advantage to enhance protection from, and detection of,
threats in their environments.
 Module 2
Objectives Agenda
By the end of this module, you will be This module is organized into the
able to: following sections:
• Design a network for flexibility and security. • Flexible and secure
• Implement network security by controlling • Security inside the VPC
traffic at all layers and automating network • Security services
protection.
• Third-party security solutions
• Select AWS services to secure network traffic
and combat common security threats.
• Understand the benefits of third-party
solutions offered through AWS Marketplace.

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
2

In this module, we will explore layering native security mechanisms and services in your network to protect
your workloads.
By the end of this module, you will be able to do the following:
• Design a network for flexibility and security.
• Implement network security by controlling traffic at all layers and automating network protection.
• Select AWS services to secure network traffic and combat common security threats.
• Understand the benefits of third-party solutions offered through AWS Marketplace.
 Flexible and secure
Section 1 of 4

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Organizations are building complex environments on-premises and in the cloud, where workloads can have a
variety of security requirements. Using security best practices, organizations should strive to design and apply
security at every layer within their workload. A logical starting point in this endeavor is the virtual network and
corresponding infrastructure. Securing this layer generally benefits from segmentation, enforcing security
boundaries, and monitoring of traffic to detect potential anomalies or threats. In this section, you will explore
the design and implementation of your network, with best practice recommendations in mind.
 Starting with the Virtual Private Cloud (VPC)
Network architecture is your foundation.

A sound strategy for designing, building, and

maintaining the network architecture provides the
best foundation for scaling and security.
• A good design builds in security.
• Customers have full control over their VPC.
• Stakeholder input helps develop the strategy.

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
4

In security, there is no single perfect answer. The answer is usually: “It depends.” Every company is different, so
understanding the options, benefits, and risks will help you select the right method to build, scale, and secure
your cloud environment.
 Security inside your VPC
Best practices
• Use subnets to isolate the tiers of your application (for
example, web, application, and database) within a single
VPC.
• Avoid opening Secure Shell (SSH) or Remote Desktop
Protocol (RDP) between or within instances of the
production environment whenever possible.

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
5

With Amazon Virtual Private Cloud, you can build a virtual network in the AWS Cloud without having to worry
about physical connectivity. You can define your own network space and control how the network and
resources inside your network are connected.
 Designing a network

Monitor at boundaries Subnet to create isolation Connect externally

through protective devices

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
6

Proper design and deployment of networking infrastructure is key to creating a solid foundation for securing
your cloud workload. The key design concepts for designing a network are as follows:
• Monitoring and controlling communications at key boundaries
• Implementing subnetworks to create workload isolation
• Connecting to external networks or systems only through monitored interfaces consisting of protection
devices such as firewalls
 Network segmentation
Advantages of using subnets for network segmentation include the
following:
• Limiting the spread and damage of potential attacks by creating smaller
impact areas
• Improving visibility and control over traffic movement, device access, and
external access
• Reducing the scope when auditing for specific requirements

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
7

A network design must be both flexible and secure. Meeting business objectives includes ensuring
confidentiality, integrity, and availability commensurate with the workload. In the past, many organizations
opted for a flat network, which means that all (or a large number) of resources shared a common broadcast
domain. This was a means of lowering hardware costs and simplifying configuration and maintenance in an on-
premises environment.

In a physical network, this would mean a pool of resources is connected to a single switching plane. In the
cloud, a flat network would be one that uses one (or few) VPCs and subnets to contain many resources without
regard to differentiated connectivity or security needs. Although a flat network is simple to create, it amplifies
risk for an organization. Network segmentation plays a significant role in security. Not only is it a best practice
recommendation, but it is a compliance requirement for most regulated industries.
 VPC and subnet strategy

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
8

When you create a VPC, you will need to choose an address range. This sounds simple, but selecting the right IP
addressing strategy based on your organizational needs can be tricky. You must consider things from an overall
perspective and keep growth in mind. Reconfiguring hundreds of assets within a VPC because of overlaps or IP
address exhaustion can be avoided with thorough planning. Let's examine some basic principles and
considerations for planning and connecting your network.

Larger VPCs and subnets are more flexible. However, they are harder to scale and manage, and they make it
more difficult to maintain access controls. Smaller VPCs, and possibly subnets, are simpler to secure effectively,
but may prove less efficient for some business use cases.

Choosing a VPC address range includes considering all of the following:

• Every VPC has a private IP address space (by default).
• The VPC Classless Inter-Domain Routing (CIDR) block size can be from /16 to /28.
• You can associate additional (secondary) IPv4 address blocks.
• You can associate IPv6 address blocks.

Selecting an IP addressing strategy includes considering all of the following:

• Primary VPC CIDR blocks cannot be modified after they are created, additional space can be added.
• Consider address overlaps and shortages before committing to a CIDR (with on-premises or existing VPCs).
• Do not waste address space, but be careful not to constrain future growth.

Note: When using a default VPC, your default VPC CIDR is 172.31. 0.0/1, and your default subnets will be
created as /20 subnets.
 Design best practices
• Inside the VPC:
• Plan for unique CIDR for each VPC.
• Use RFC 1918 addressing (class A/B/C).
• Plan for growth and reserve spare IP ranges.

• Inside the Availability Zone:

• Use role-based addressing schemes.
• Implement Route summarization.
• Use separate route tables (based on subnet or security segments).

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 9

Inside the VPC:

• Plan for unique Classless Inter-Domain Routing, or CIDR, for each VPC.
• Use RFC 1918 addressing (class A/B/C).
• Plan for growth and reserve spare IP ranges.

Inside the Availability Zone:

• Role-based addressing scheme (Role-based addressing uses subnets, or specific numbering schemes within
them, to indicate functions, organization, or role of the resource assigned an IP).
• Route summarization
• Using separate route tables (based on subnet or security segments)

As you work on designing a network or network segment, best practices can be categorized into activities
concerning a VPC and activities concerning an Availability Zone.

Designing an IP scheme is important but difficult. This can be one of the first-step items that are implemented.
Generally the rest of an enterprise’s IT cloud infrastructure will depend on it. The design strategy used should be
based on the organization’s current requirements as well as possible future requirements. Although no one can
predict future requirements with certainty, always build a growth plan into a design. It is much better to have
IPs and not need them than to come up short! References for setting up your VPC can be found
at https://docs.aws.amazon.com/vpc/latest/userguide/vpc-ip-addressing.html

Additional considerations when designing your environment include:

• Private IP blocks are only reachable by the virtual private gateway. They cannot be accessed over the internet
through the internet gateway.
• AWS does not advertise customer-owned IP address blocks to the internet by default.
• You can allocate an Amazon-provided IPv6 CIDR block to a VPC.
 Discussion
Scenario: Ransomware infiltrates your cloud network through the
upload of a compromised file to an EC2 instance.
How does network segmentation (or lack of it) impact an event
like a ransomware infection?

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.

If malicious code infiltrates your network, threats like ransomware can ravage your critical systems. Network
segmentation is one important way to keep infections from spreading from one system to another. Using
segmentation and enforcing security boundaries can significantly limit the impact if a threat takes hold in your
cloud environment.
 DNS operations and security

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.

A Domain Name System (DNS) service must be highly available and DDoS resilient. AWS offers a DNS service
called Amazon Route 53, but many organizations manage their own DNS services. You can use Route 53 for
DNS, or you run your own DNS service on an Amazon Elastic Compute Cloud (Amazon EC2) instance. Either way,
you should be aware of capabilities, concerns, and best practices for mitigating security threats.
 Amazon Route 53 using DNSSEC
• Domain Name Security Extensions (DNSSEC) helps prevent DNS
attacks like DNS cache poisoning and DNS spoofing.

Store private keys in AWS KMS

Sign public hosted zones or use Use a single key across

DNSSEC validation multiple public hosted zones

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
12

Domain Name System Security Extensions or DNSSEC is a feature of DNS that can be used to strengthen the
security of the protocol by providing authentication using digital signatures (based on public key cryptography).
Route 53 supports DNSSEC signing for your public hosted zones or DNSSEC validation for an Amazon Route 53
Resolver.

If you choose to use DNSSEC signing on your public hosted zones, you will need to consider the storage of
private keys in AWS Key Management Service (AWS KMS) and using the instances of the keys to sign your DNS
zones. You can also use a single customer-managed AWS KMS key across multiple public hosted zones to help
cut down on the management of multiple keys.
 Route 53 Resolver DNS Firewall
• Define domain name filtering rules to control access to sites and block DNS-
level threats
• Customize the responses for blocked DNS queries
• Filter on a domain names only (not an IP address)
• Filters User Datagram Protocol DNS traffic (not HTTPS, TLS, SSH or, other
protocols)
• Centralize management with AWS Firewall Manager

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
13

Route 53 Resolver DNS Firewall provides protection for outbound DNS requests from your VPCs. You can define
domain name filtering rules in rule groups to control access to sites and block DNS-level threats. You can also
customize the responses for the DNS queries that you block.
 Self-Managed DNS Solution

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
14

Customers with self-managed DNS can use AWS Global Accelerator and AWS Shield Advanced to incorporate
some of the same techniques used by Amazon Route 53.

This type of solution includes a DNS canary, which uses Route 53 health checks and Amazon CloudWatch to
monitor if DNS servers and applications stop responding to queries.

1. To begin, create an accelerator and add your existing (customer-managed) DNS servers as endpoints. The
newly created accelerator will receive queries and forward them to your DNS service.
2. Using Amazon CloudWatch, update the status of a Route 53 health check in case your self-managed DNS
service stops responding to queries.
3. Protect your accelerator with Shield Advanced and monitor the health of your application using Amazon
Route 53 health checks (DNS canary).
 Security inside the VPC
Section 2 of 4

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Flexibility is important, but so is security! Amazon VPC is a mature product with numerous features and services
that you can use to improve operations and security inside your environment. We will explore implementation
of some of these security features in more depth to include:

• Network access control lists or ACLs operate as virtual, horizontally scalable, stateless packet filtering devices
at the subnet level.
• Security groups act as virtual firewalls at the instance level, allowing stateful traffic filtering.

In this section, you will learn about ways that you can filter traffic, ensure availability of your resources, and
monitor traffic of interest for potential malicious activity. Filtering methods are based on the best practice
recommendation of using network ACLs and Security Groups for filtering. You will also cover using AWS Global
infrastructure and load balancing for high availability.
 Overall network security guidance
Best practices
• Layer security groups and network ACLs together.
• Use multiple Availability Zone deployments and Elastic
Load Balancing (ELB) for high availability.
• Use out-of-band management whenever possible.
• Use Amazon CloudWatch to monitor your VPC
components (covered in module 4).
• Use flow logs to capture information about traffic in
your VPC (covered in module 4).
• Always use Identity and Access Management (IAM) to
limit access to your resources, including the VPC and
related components.
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 16

Some of the best practices for overall network security are as follows:
• Layer the security groups and network ACLs together. Use security groups as the primary mechanism for
controlling network access to VPCs. When necessary, use network ACLs sparingly to provide stateless, coarse-
grain network control. Security groups are more versatile than network ACLs because of their ability to
perform stateful packet filtering and create rules that reference other security groups. However, network
ACLs can be effective as a secondary control for denying a specific subset of traffic or providing high-level
subnet guard rails. Also, because network ACLs apply to an entire subnet, they can be used as defense-in-
depth in case an instance is ever launched unintentionally without a correct security group.
• Use multiple Availability Zone deployments and Elastic Load Balancing or ELB for high availability.
• Use out-of-band management whenever possible.
• Use Amazon CloudWatch to monitor your VPC components (covered in module 4).
• Use flow logs to capture information about traffic in your VPC (covered in module 4).
• Always use Identity and Access Management (IAM) to limit access to your resources, including the VPC and
related components.
 Network filtering methods
Stateless Stateful
• Focus on the content of individual • Track and filter all traffic that is part
packets of a stateful associated (for example
• Generally use information from in the same TCP session)
headers (IP source or destination, • Can identify TCP connection stages,
protocol, and so on) for filtering packet state, and other key statuses
• Generally fast and has no issue with • Includes security groups and firewalls
heavy traffic loads
• Includes network access control lists

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
17

Incoming traffic destined for your network is filtered by network ACLs before it is filtered by security groups.
This means that traffic that is permitted by a network ACL can then be filtered by a security group, but traffic
stopped by a network ACL never makes it any further. The opposite is true for outgoing traffic; it is first filtered
by the security group, and if permitted, it will be processed again by the network ACL. Based on the order of
processing, one example for implementing network ACLs and security groups together is using broad rules in
network ACLs and fine-grained rules with security groups. First, you will explore network ACLs, followed by
security groups.
 Network ACL review
• Provide stateless filtering for subnets
• Apply to one or more subnets
• Sequentially process rules
• Specify a traffic source with inbound rules
• Specify a destination with outbound rules
• Create rules using increments

Default mode: explicit deny and implicit allow

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
18

In AWS, a network ACL controls traffic to or from a subnet. This is accomplished with a set of inbound and
outbound rules in a numbered list. The rules are evaluated in order, starting with the lowest numbered rule.
When a match to the criteria in the rule is made, the list stops processing and determines the actions for the
matching traffic based on the matched rule.

Because network ACLs function at the subnet level of a VPC, each network ACL can be applied to one or more
subnets, but each subnet is required to be associated with only one network ACL. When a VPC is created, AWS
automatically creates a default network ACL for it. You can add and remove rules from the default network ACL,
but you cannot delete the network ACL itself. A custom network ACL can replace the default network ACL and
provide stateless filtering specific to subnets.

The following are some recommendations and considerations when using network ACLs:
• Configure the network ACL to narrow the scope of traffic permitted between layers (define both inbound and
outbound rules).
• Inbound rules can only specify a traffic source (it is implied that the destination is within the VPC or subnet
behind the network ACL).
• Outbound rules have a source and destination (they can apply to one or many IPs destined to broad or
specific destinations).
• Create rules using increments (for example, increments of 10 or 100) so that you can insert new rules where
you need to later.
 Using Network ACLs in your VPC
Best practices
• Remember the default network ACL.
• Monitor and audit network ACLs for ineffective “deny”
rules.
• Consider limitations.
• Do not ignore outbound rules on network ACLs.

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 19

Some of the best practices for network access control lists are as follows:
• VPCs come with a default Network ACL that allows all inbound and outbound rules. For custom network
ACLs, both inbound and outbound rules are denied. Remember that if you have not created a custom
network ACL, any resources in the VPC will be associated with the default network ACL. This will allow all
traffic to into and out of the network, which is often overly permissive.
• Rules meant to deny traffic that are either misconfigured or ineffectual inadvertently promote overly-
permissive access to a VPC. Be mindful of the order of the deny rules within your network ACLs as they are
evaluated in order.
• Know the limitations of applying network ACLs before configuring them. For example, there is a default limit
of 20 rules per list for both inbound and outbound network ACLs. AWS can provide additional rules on
request, but the absolute maximum is 40.
• Configure outbound rules to limit access to the required ports or port ranges.
 Test yourself: inbound access
Requirements:

• The DNS queries, HTTPS and SMTP traffic sourced from your on-premises network
192.0.2.0/28 are allowed to reach subnet A in your VPC.
• All other inbound traffic should be denied.

Rule # Type Protocol Port range Source Allow / Deny

/ ICMP Type
10 UDP ALL ALL 192.0.2.0/28 ALLOW
How can you fix
20 TCP HTTPS 443 10.0.0.0/17 ALLOW
this network ACL?
30 TCP SMTP 25 10.0.0.0/17 ALLOW
* All IPv4 ALL ALL 0.0.0.0/0 DENY
Traffic
• VPC subnet A—10.0.0.0/17
• VPC subnet B—10.0.128.0/17
• On-premises network: 192.0.2.0/28
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
20

Issue:
The network access list is configured, but you have been notified that subnet A in your VPC is ONLY receiving
DNS traffic from the on-premise network. You must determine why HTTPS and SMTP are not being received and
how to resolve this issue.

Consider network ACL sources for inbound traffic (from the on-premise network, destined to the VPC), and try
to determine what change can be made to correct this issue. When ready, move on to see the solution.
Solution: source address misconfiguration

In this scenario, the network ACL is inbound, meaning that the source of
traffic is outside the subnet.
• Rules 20 and 30 have the correct protocol, port number, and action, but
their source network was mistakenly set to 10.0.0.0/17. This is
the destination for traffic inbound to the subnet; the source in the on-
premise network at 192.0.2.0/28.

Rule # Type Protocol Port range Source Allow / Deny

/ ICMP Type
10 UDP ALL ALL 192.0.2.0/28 ALLOW
20 TCP HTTPS 443 192.0.2.0/28 ALLOW
30 TCP SMTP 25 192.0.2.0/28 ALLOW
* All IPv4 ALL ALL 0.0.0.0/0 DENY
Traffic

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
21
 Test Yourself: outbound access
Requirements:

• SSH and RDP traffic sourced from your VPC must be DENIED to the on-premises network of
192.0.2.0/24.

• All other traffic from your VPC should be permitted through.

Rule # Type Protocol Port range Destination Allow / Deny
/ ICMP Type
10 All IPv4 ALL ALL 192.0.2.0/28 ALLOW
Traffic
How can you fix
20 TCP RDP 3389 192.0.2.0/28 DENY this network ACL?
30 TCP SSH 22 192.0.2.0/28 DENY
* All IPv4 ALL ALL 0.0.0.0/0 DENY
Traffic

• VPC subnet A—10.0.0.0/17

• VPC subnet B—10.0.128.0/17
• On-premises network: 192.0.2.0/28

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
22

Issue:
The network access list is configured, but you have been notified that your on-premise network can still receive
SSH and RDP traffic from both subnets A and B in your AWS VPC. You must determine why this traffic is still
allowed and how to resolve this issue.

Consider network ACL processing order, and try to determine what change can be made to correct this issue.
When ready, move on to see the solution.
Solution: rule order and processing

In this scenario, the first rule (10) allows all traffic, on all ports and protocols from your VPC
outbound to the on-premise network. All traffic (including RDP and SSH) will match the first
rule here, so rules 20 and 30 will not be processed and have no effect.

• You must first deny the specific traffic types you want to stop from reaching the on-
premise network before allowing all other traffic.

Rule # Type Protocol Port range Destination Allow / Deny

/ ICMP Type
10 All IPv4 ALL ALL 0.0.0.0/0 ALLOW
Traffic
20 TCP RDP 3389 192.0.2.0/28 DENY
30 TCP SSH 22 192.0.2.0/28 DENY
40 All IPv4 ALL ALL 192.0.2.0/28 ALLOW
Traffic
* All IPv4 ALL ALL 0.0.0.0/0 DENY
Traffic
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
23
 Security group review
Default security group Custom security group
• Permits all inbound traffic from • Permits no inbound traffic (no rule
members of the same security present)
group (rule present) • Permits all outbound traffic (rule
• Permits all outbound traffic (rule present)
present)

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
24

Essentially, a security group is a stateful firewall configuration for your Amazon Elastic Compute Cloud or
Amazon EC2 instances. Because security groups function at the instance level of a VPC, each security group can
be applied to one or more instances, even across subnets. Each instance is required to be associated with one
or more security groups.

Security groups define which ports on the machine are reachable for incoming traffic (and if configured, what
traffic is permitted outbound from the instance). Much like with network ACLs, when you create a VPC, AWS
automatically creates a default security group for it. Instances are associated with a default security group if you
do not create and select a custom security group for it. You can add and remove rules from a default security
group, but you cannot delete the default security group itself. Security groups only support allow. Many filtering
systems have deny rules or options; security groups block everything unless there is a rule specifically allowing
it through. The default mode for a security groups is explicit allow and implicit deny.

Note: A security group is associated with a network interface that is attached to an instance, but we don’t
discuss that detail for simplicity.

The default state for the default security group is as follows:

• Permits all inbound traffic from members of the same security group (rule present)
• Permits all outbound traffic (rule present)
• Default mode is explicit allow and implicit deny

The default state for a custom security group is as follows:

• Permits no inbound traffic (no rule present)
• Permits all outbound traffic (rule present)
• Security groups only support allow
 Using security groups in your VPC
Best practices
• Never keep unattached security groups.
• Track rate of change in production environments.
• Ensure that security groups do not have a large range of
ports open.
• Use elastic load balancers with security groups to restrict
access to the internet.
• Limit modifications to only certain IAM roles.
• Do not ignore outbound rules of security groups.

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 25

Some of the best practices for security groups are as follows:

• Never keep unattached security group. Unattached security groups could be applied unnoticed or
inadvertently, resulting in security concerns such as an EC2 instance being exposed to the internet.
• Track the rate of change in security groups creation in production environments—security groups that are
created and deleted quickly might indicate suspicious activity. This is something that can be accomplished
with AWS Config, for example.
• Security groups with large ranges of open ports expose resources and may result in exploitation. They also
make attacks on exposed vulnerabilities very difficult to investigate.
• Use elastic load balancers to receive all incoming traffic from the Internet and forward it to your web servers
(or other internet-facing resource), then limit incoming traffic for those web servers (or other resources) to
allow only ELB traffic.
• Limit active security group modifications to only certain IAM roles. You should only authorize specific users to
modify resource-specific security groups according to the principle of least privilege.
• Do not forget about outbound rules of security group; set restrictions. Security groups attached to resource
within a particular layer of your architecture should only allow egress connections to the layers where
connectivity is needed.
 Layering security groups: example topology
(Assume inbound filtering only)
1. Bastion instance must connect to
AWS Cloud web and app instances on port 22
(Secure Shell SSH)
Availability Zone
VPC
3. App instances must connect to
Private subnet Private subnet
database instance on port 3306
(Structure Query Language MySQL)
VPC CIDR: 10.0.0.0/16

WEB APP DB

Bastion

APP 2. Web instances must connect to app

instances on port 8080 (Hypertext
Transfer Protocol HTTP)

10.0.32.0/20 10.0.0.0/19

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
26

In this example topology, instances in the private and sensitive subnets will have multiple security groups
applied to them. For simplicity, this example is only discussing and depicting inbound rules for the security
groups.

1. For the first security group, the requirement is that the bastion instance can connect to web and app
instances on port 22. See Security Group 1.
2. For the second security group, the requirement is that web instances can connect to app instances on port
8080. See Security Group 2.
3. For the third security group, the requirement is that app instances must connect to database instances on
port 3306. See Security Group 3.
 Service highlight: AWS Network Firewall is a managed
AWS Network network protection service that provides
Firewall the following:
• Stateful firewall
• Web filtering
• Intrusion protection
• Central management and visibility
• Rule management and customization
• Partner integrations

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
27

AWS Network Firewall is a managed service that makes it easy to deploy essential network protections for all of
your Amazon Virtual Private Clouds or VPCs. The service can be quickly set up and scales automatically with
your network traffic. You can define firewall rules that give you fine-grained control over network traffic, or
import rules you’ve already written in common open-source rule formats. There are numerous integrations
available that provide managed intelligence feeds sourced by AWS partners. AWS Network Firewall works
together with AWS Firewall Manager for centralized control and visibility, so you can build and apply policies
across your VPCs and accounts.

AWS Network Firewall provides stateful filtering which can incorporate context from traffic flows, like tracking
connections and protocol identification, to enforce policies such as preventing your VPCs from accessing
domains using an unauthorized protocol. It also includes an intrusion prevention system or IPS for active traffic
flow inspection, so you can identify and block vulnerability exploits using signature-based detection. Finally, it
can provide web filtering that stops traffic to known bad URLs and monitor fully qualified domain names.
 Building for availability
Availability is an important part of the C-I-A triad.

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.

While it is important that unauthorized users are restricted from your data and systems, systems should be
available to authorized users whenever they require them. Availability is often an overlooked component of
security. Amazon's vast cloud network provides a solid foundation on which you can build a stable and secure
environment. Using a global infrastructure, you can build a highly reliable and available environment to support
your workload.
 Global availability
Regions and Availability Zones
• AWS Global Infrastructure spans
84 Availability Zones within 26
geographic regions around the
world.
• Announced Regions include the
following:
o Australia, India, Indonesia, Israel,
New Zealand, Spain, Switzerland,
and United Arab Emirates (UAE)

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
29

The AWS Global Cloud Infrastructure is the most secure, extensive, and reliable public cloud platform available,
offering over 200 fully featured services from data centers globally. AWS customers are in 245 countries and
territories. Additionally, services like Amazon CloudFront and Amazon Route 53 are offered at AWS Edge
locations to help keep your resources available. Building a highly available and resilient workload is an
important part of security that is often overlooked.

(Data as of 1 February 2022)

 VPC and AZ availability
Elastic Load Balancing (ELB)
• ELB distributes traffic over a group of resources
in one or more Availability Zone.
• Deploy ELB with AWS Application Auto Scaling,
AWS Auto Scaling, or Amazon EC2 Auto Scaling.
• Choose the type of load balancing device you
need.
• (Best practice) Use security groups to protect
ELB.

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
30

It is important that data and services are available when they are needed. Load balancing is another way you
can help to keep resources available during high-demand periods and during distributed denial of service or
DDoS attacks. AWS Elastic Load Balancing or ELB is used with a VPC, distributing traffic over a group of resources
in one or more Availability Zone.
 Management traffic best practices
• Use additional security groups or network interfaces to control
Amazon EC2 instance management traffic separately from regular
application traffic.
• Implement special IAM policies for change control and auditing.

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
31

Depending on an organization's requirements and resources, there might be situations when an out-of-
band management network is required. Management traffic is sensitive and should be separated from
production or development traffic whenever possible.
This means a network dedicated to traffic used to connect, access, and manage devices or systems. This can
include the following:
• Remote access from or through on-premises connected devices
• Managing network and security appliances (such as third-party or Partner solutions)
• Creating dual-homed instances with workloads and roles in distinct subnets

Consider using additional security groups or network interfaces to control and audit Amazon EC2 instance
management traffic separately from regular application traffic. This approach allows customers to implement
special IAM policies for change control, making it easier to audit changes to security group rules or automated
rule-verification scripts. Multiple network interfaces also provide additional options for controlling network
traffic, including the ability to create host-based routing policies or use different VPC subnet routing rules based
on network interfaces assigned to a subnet.
Security services
Section 3 of 4

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
 Threat highlight: Distributed Denial of Service attack

DDoS are most common at the

following Open Systems
Interconnection (OSI) model layers:

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
33

A DDoS attack is a malicious attempt to affect the availability of a targeted system, such as a website or
application, to legitimate end users. Typically, attackers generate large volumes of packets or requests,
ultimately overwhelming the target system. In a DDoS attack, the attacker uses multiple compromised or
controlled sources to generate the attack. DDoS attacks can be segregated by which layer of the OSI model they
attack. DDoS are most common at the following Open Systems Interconnection (OSI) model layers:
• Network (layer 3)
• Transport (layer 4)
• Presentation (layer 6)
• Application (layer 7)
 AWS Shield

Standard Protection Advanced Protection

• Available to all AWS Customers at • Paid service that provides additional
no additional cost protection, features, and benefits.
• Automatic detection and mitigation • Includes Shield Response Team
• Protection from most common (SRT), AWS WAF for layer 7 DDoS
DDoS attacks (SYN/UDP Floods, attack mitigation, and AWS Firewall
Reflection Attacks, etc.) Manager
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
34

AWS Shield Standard protects against DDoS attacks at layers 3 and 4 which are typically categorized as
infrastructure layer attacks. These are the most common type of DDoS attack, but fortunately, these attacks also
have clear signatures and are easy to detect. AWS Shield Standard provides the following protections:
• Provides always-on network flow monitoring
• Inspects traffic using traffic signatures, anomaly algorithms, and other analysis techniques
• Defends against common, frequently occurring infrastructure attacks
• Provided to all AWS customers at no additional charge

AWS Shield Advanced includes the standard features of AWS Shield, with the addition of tailored detection
based on application traffic patterns, health-based detection, advanced attack mitigation, visibility and attack
notification, DDoS cost protection, and proactive event response. Shield Advanced provides globally available,
centralized protection management and specialized support. In addition to standard protection from L3 and L4
attacks, Shield Advanced protection provides specific monitoring and protection for any of the following
resource types:
• Amazon CloudFront distributions
• Amazon Route 53 hosted zones
• AWS Global Accelerator
• Application Load Balancing
• ELB load balancers
• Amazon EC2 Elastic IP addresses

Protecting Network Load Balancers: You cannot directly attach an AWS Shield Advanced protection to a
Network Load Balancer, but you can protect a Network Load Balancer by first associating an Amazon EC2 Elastic
IP address to it and then adding the Elastic IP as a Shield Advanced protected resource.

For resources protected using Shield Advanced, customers get AWS WAF and AWS Firewall Manager, a security
management service, at no additional cost. This combination of services can provide considerable value to you.
 Shield Response Team (SRT)
• Shield Advanced includes the option to
receive proactive support from the Shield
Response Team (SRT).
• During a DDoS attack, the SRT will provide
resolution support if necessary.

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
35

One of the benefits of Shield Advanced is the option to receive proactive support from the Shield Response
Team (SRT). If you experience a potential DDoS attack, you can contact the AWS Support Center. The support
center can escalate your issue to the SRT if necessary.

On contact, the SRT will help you analyze the suspicious activity you are experiencing and assist in mitigating the
issue. This mitigation often involves creating or updating AWS WAF classic rules and web ACLs in your account.
The SRT can inspect your AWS WAF configuration and create or update AWS WAF rules and web ACLs for you,
but the team needs your authorization to do so. We recommend that as part of setting up Shield Advanced, you
proactively provide the SRT with the necessary authorization. Providing authorization ahead of time helps
prevent mitigation delays in the event of an actual attack.
 AWS Web AWS WAF filters traffic for your web
applications based on the following criteria:
Application • IP address origin of the request
Firewall (WAF) • Country of origin of the request
• String match or regular expression (regex)
match in a part of the request
• Size of a particular part of the request
• Malicious SQL code or scripting
This service is provided to customers using
AWS Shield Advanced for no additional cost
and adds additional DDoS protection

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
36

DDoS attacks also occur at layers 6 and 7, and although less common than infrastructure DDoS attacks, they
tend to be more sophisticated. This is just one type of attack that the AWS WAF can hep you mitigate. You can
use custom or managed rules to block or count web requests that not only meet the specified conditions, but
also exceed a specified number of requests in any 5-minute period. Although there are many managed rules
available, it is up to you to determine the custom or managed rules you will use and associate them to the
appropriate Web Access Control List.

Note: AWS WAF is included with AWS Shield Advanced.

 AWS WAF rules and rule groups

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
37

Managed rules are a set of rules written, curated, and managed by AWS and AWS Marketplace Sellers that can
be used to quickly get started protecting your web application or APIs against common threats. Managed rules
can be used alone, or along with your custom AWS WAF rules. You can create custom rules, use rules
individually or use multiple rules in reusable rule groups. AWS Managed Rules rule groups are available for free
to AWS WAF customers, while AWS Marketplace managed rule groups are available by subscription through
AWS Marketplace.

The example on the slide shows a web ACL containing two custom rules that allow you to manually insert IP
addresses that you want to block (deny list) or allow (allow list). It also contains a managed rule group made of
two rules. The “HTTP flood” rule protects against attacks that consist of many requests from a particular IP
address, such as a web-layer DDoS attack or a brute-force login attempt. The “SQL injection” rule is designed to
protect against common SQL injection patterns in the Uniform Request Identifier or URI, query string, or body of
a request.
 AWS WAF AWS WAF supports many filtering options for
stopping malicious http requests from reaching
your resources. The lack of a User-Agent header in
a request may indicate a bot or API based request.

Demo Opportunity • Task:

• Create a rule that will block web requests using regex, or
size constraint.

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
38

By default, AWS WAF filters don't check if HTTP request parameters are present or not. However, you can create
a rule with conditions to check for those parameters.

Using AWS WAF, you may choose one of the two following options to block requests without a User-Agent set
in the header:
• Create a rule with a regex pattern set.
• Create a rule with a size constraint condition.
 AWS Firewall Manager—benefits

Management Compliance Visibility

• Integrated with AWS • Ensure that the entire Across the Organization:
Organizations organization adheres to • Central visibility of AWS
a mandatory set of WAF threats
• Centrally managed rules
global rules and • Consolidated AWS WAF
• Apply protection, even operations
account-specific rules when new accounts or • Compliance dashboard for
resources are created auditing
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
39

If you are using multiple AWS accounts and use AWS Organizations, AWS Firewall Manager can be used. This can
streamline and standardize security across your accounts. Firewall Manager is used when you have AWS
Organizations to manage AWS WAF rules, Shield Advanced protections, VPC security groups, AWS Network
Firewalls, and Route 53 Resolver DNS Firewall rules across multiple AWS accounts. Using Firewall Manager also
ensures that new accounts or resources are protected from the time they are created. A best practice
recommendation when implementing AWS Firewall Manager is to locate it in a management account which the
security team has access to, as opposed to a production account.

Firewall Manager is an important feature when managing an entire organization that must adhere to mandatory
rules (such as compliance or regulatory requirements). It includes a Compliance Dashboard where you can view
the compliance status for accounts and resources that are in the scope of a security policy.
 Example solution integration

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
40

Follow the diagram to explore the steps in this solution to route Amazon GuardDuty matched events to AWS
Lambda, which then performs updates to AWS WAF and VPC network ACLs with protection against new
threats.

1. A GuardDuty finding is raised with suspected malicious activity.

2. A CloudWatch Event is configured to filter for GuardDuty finding type.
3. An AWS Lambda function is invoked by the CloudWatch Event. Lambda parses the GuardDuty finding.
4. State data for blocked hosts is stored in an Amazon DynamoDB table. The Lambda function checks the state
table for existing host entry.
5. The Lambda function creates a rule inside AWS WAF and in a VPC network ACL.
6. A notification email is sent through Amazon Simple Notification Service (Amazon SNS).

Service Notes:
• GuardDuty provides threat detection service that monitors for malicious activity and unauthorized behavior
to protect accounts, workloads, and data stored in Amazon Simple Storage Service or Amazon S3. GuardDuty
analyzes events across multiple AWS data sources, such as AWS CloudTrail Event logs, Amazon VPC flow log,
and DNS logs.
• CloudWatch Events deliver a near-real-time stream of system events that describe changes in AWS
resources.
• GuardDuty sends notifications based on CloudWatch Events when any change in the findings takes place.
"We saved about a million dollars
per year in triage time for security
operations, staffing, and licensing
costs.”
Mark Dorsi
Director of Security, HelloSign

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
 Use case—HelloSign
The security benefits realized include the following:
• Averted 12 DDoS security events
• Saved roughly 120 hours of work time per week through automation
• Gained visibility into security posture
• Implemented security best practices
• Customized security tools
• Automated security features within 3 months

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
42

Cloud-based file storage and smart workspaces company Dropbox acquired the electronic signature and storage
solution, HelloSign, in 2019. HelloSign grew quickly to more than 80,000 customers in 2021, and recognized the
importance of protecting its customers’ personally identifying information or PII and payment card information
data. The company wanted to make its service both secure and highly available, which required protecting its
services from DDoS attacks and other security events.

HelloSign used many AWS security devices including Shield Advanced, AWS WAF, and GuardDuty. Learn more
about this example at https://aws.amazon.com/solutions/case-studies/dropbox-hellosign-security/
Third-party security solutions
Section 4 of 4

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
 AWS Marketplace enterprise solutions
Solution categories include the following:
• Network firewalls
• Protection solutions from software as a service (SaaS) or cloud delivery network
providers
• Network IDS solutions

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
44

AWS Marketplace is a curated digital catalog that makes it easy to find, test, buy, and deploy the third-party
software you want, with the simplified procurement and controls you need. AWS Marketplace includes
numerous solutions that can strengthen your network security. This service also makes it easy to find a solution
and pay licensing based on use or use the Bring Your Own License model or BYOL.

Considerations
• Consider the threat and risks to individual workloads.
• Search APN security competency to shorten your list.
• Remember that existing relationships, operational experience, or licensing can affect vendor preference.
• Remember that rapid implementation is possible through the AWS Marketplace.

Selection Criteria
• Use cloud-aware or host-based solutions when possible.
• Host-based solutions are preferred for scalable applications.
• Test solutions and consider performance impact, then determine operations and support.
• If using in-line vendor solutions, determine where and why.
• Work with vendor to determine performance and high-availability impact.
 Module 2: Remember…
Securing the Control traffic at all layers using the following:

network • Network ACLs, Security Groups, AWS Network Firewall

• Availability is an important part of securing the

VPC.
• AWS services to secure network traffic and
combat common security threats include the
following:
• AWS Shield Standard and Shield Advanced
• AWS WAF
• AWS Firewall Manager

• Third-party solutions offered through AWS

Marketplace are available.
Let’s check our knowledge with a few questions.

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 45
Question 1
Which statement is true about security groups?

A. Each subnet is required to be associated with only one security group.

B. A security group can be applied to one or more subnets.
C. Security groups allow for "allow" and "deny" rules.
D. Security groups are stateful.

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
46
 Answer 1
Which statement is true about security groups?

A. Each subnet is required to be associated with only one security group.

B. A security group can be applied to one or more subnets.
C. Security groups allow for "allow" and "deny" rules.
D. (Correct) Security groups are stateful.

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
47

a. (Incorrect) This is true of network ACLs, not security groups.

b. (Incorrect) This is true of network ACLs, not security groups.
c. (Incorrect) Security groups can only be configured with "allow" rules.
d. (Correct) Security groups are stateful.
Question 2
Which AWS services or features are examples that BEST provide
availability for your resources? (Select TWO.)

A. Regions and Availability Zones

B. Elastic Load Balancing (ELB)
C. Security Groups
D. Traffic mirroring
E. Network access control lists

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
48
 Answer 2
Which AWS services or features are examples that BEST provide
availability for your resources? (Select TWO.)

A. (Correct) Regions and Availability Zones

B. (Correct) Elastic Load Balancing (ELB)
C. Security Groups
D. Traffic mirroring
E. Network access control lists

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
49

a. (Correct) Regions and Availability Zones can be used to span workloads and improve availability.
b. (Correct) ELBs distribute network traffic to improve application scalability and availability.
c. (Incorrect) Security groups are used to filter traffic.
d. (Incorrect) Traffic mirroring supports sending a copy of traffic to a target, but does not provide availability.
e. (Incorrect) Network ACLs are used to filter traffic.
 Lab 1: By the end of this lab, you will be able to do
the following:
Controlling the
• Create a three-security zone network
Network infrastructure
• Implement network segmentation using security
groups, network ACLs, and public and private
subnets
• Monitor network traffic to EC2 instances using
VPC flow logs

Lab duration: 45 minutes

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 50

Overview
You are a network security engineer at AnyCompany. You are responsible for creating a secure network
infrastructure in AWS to prepare for AnyCompany’s upcoming migration to the cloud. AnyCompany currently
has a three-tier network security infrastructure on-premises:
• The Public Access Zone hosts load balancers that serve as the primary connection point to your web servers.
• The Web Server Zone hosts the frontend servers for your website.
• The Database Zone hosts the backend database servers that provide data to your website.

You must ensure that each zone is securely segmented from each other and only certain types of traffic are
allowed to flow between them to support the company’s websites and applications. In this lab, you use public
and private subnets, security groups, and network ACLs to create a three-security zone network infrastructure.
You then use VPC flow logs to monitor the traffic that reaches the resources in each zone to verify only the
required traffic is allowed.

Objectives
By the end of this lab, you will be able to do the following:
• Create a three-security zone network infrastructure
• Implement network segmentation using security groups, network ACLs, and public and private subnets
• Monitor network traffic to EC2 instances using VPC flow logs

Duration
This lab requires approximately 45 minutes to complete.
 Lab Architecture

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
51

Environment overview
The diagram shows the basic architecture of the lab environment.

The following list details the major resources in the diagram:

• A VPC with one public subnet and two private subnets in one Availability Zone, and one public subnet in a
second Availability Zone
• A Network Load Balancer with two nodes, one in each public subnet
• An EC2 instance acting as a web server in the first private subnet
• An EC2 instance acting as a database server in the second subnet
• Two security groups, one for each instance based on its purpose

The network traffic flows from an external user, through an internet gateway, to one of the two Network Load
Balancer nodes, to the web server. If the URL of the WordPress blog site running on the web server is
requested, traffic flows to the database server as well.
 Thank you
Corrections, feedback, or other questions? Contact us at
https://support.aws.amazon.com/#/contacts/aws-training.
All trademarks are the property of their owners.

52 © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.