cloud career

AWS VPC Security Best Practices

Share This Post

Share on facebook
Share on linkedin
Share on twitter
Share on email

In today`s article, we’ll discuss different measures for AWS VPC security best practices. Security is different layers of protection in order not to get hacked. 

I want to begin with routing, because if you can’t reach something and you don’t have access to it, it’s going to be near impossible to attack. So, if we begin with routing and limit who has access to the systems, it will become much harder for others to attack it.

  • Virtualized Local Area Networks (VLANs): -Virtualization of switches whereby one logically separates a switch into different parts. Each logically separated VLAN will be placed in a separate subnet. Routing information will be provided to the subnets that need cloud access.  This will limit cloud access to only those people and their systems to reach the subnets necessary to perform their roles.  See, if you can’t reach a subnet then you can’t hack it, so this is first-line security.  This type of network security can significantly increase an organization’s security posture and no cost.

 

  • FIREWALL: This is a device or software that builds a strongly secure perimeter around the edge of the network, it blocks all incoming traffic by default, and allows specific traffic that is permitted by using a firewall policy. And there are some phenomenal commercial firewalls that you can use with your VPC; Cisco, Palo Alto, Fortinet, etc. But these are very strong firewalls, they not only block traffic out, but they’re adaptive. This means they can look at the traffic that doesn’t make sense and generate rules on-demand to block things that they find to be dangerous. So, commercial firewalls, are a great option.

In firewalls, you can create a policy to allow in only what needs to come in; TCP port 179 for BGP routing, and whatever ports are necessary for your systems, whether they be HTTPS or SSH or whatever’s necessary for the organization. The firewall is stateful, which means once it allows inbound traffic, the corresponding outbound traffic is allowed.

AWS also has a proprietary firewall is called Web Application Firewall (WAF) which is a placed on the Content Delivery Network (CDN), Amazon API gateway, a rest API, or even an application load balancer. In AWS, WAF is configured alongside CloudWatch to monitor the traffic metrics. One can set up alerts and create a rule to notify systems administrators.

 

  • NETWORK ACCESS CONTROL LISTS: This is a virtual router function that blocks traffic in and out of the subnets. It is stateless, that is both the inbound and outbound traffic must be stated. More so, the virtual device is stateless because it does not watch the way the traffic is coming, it’s only creating some packet inspection rules that allow or deny. All network ACLs have a default policy, which is to deny all traffic. As a result, when building policies, one must specify the source and the destination address (allowed before the deny policy). There can be some wildcards in there as well, the protocol and the port number.

 

  • SECURITY GROUP: This is a virtual firewall that keeps traffic out of the Instance (Virtual machine), or service it is stateful: that is once it allows inbound traffic, the corresponding outbound traffic is allowed.

 

  • HOST-BASED FIREWALL: This is an additional layer of protection on the operating system that may not have been caught by network security. These firewalls can protect the system, at least for a period, or maybe completely thwart the attack.

 

  • ANTI-MALWARE PROTECTION: All servers should have anti-malware protection for protection of worms and viruses.

 

  • AWS SHIELD: This is Distributed Denial of Service (DDoS) protection, it minimizes application downtime and latency. And there are two versions. There’s the standard version, which is free to organizations that are using WAF, and there’s the Shield Advance, and this provides protection to a lot of things. EC2 instances, load balancers, CloudFront distributions, Route 53, and global accelerators.

 

  • INTRUSION PREVENTION /INTRUSION DETECTION SYSTEM IPS/IDS: is a device or software application that monitors a network or systems for malicious activity or policy violations. They can look at behaviors, and they adapt and stop the activity as needed. It will create rules on demand. It is very useful to have intrusion detection, intrusion prevention in your systems.

 

  • Identity and Access Management (IAM): It is essential to identify who is the user, what the user can do on the systems, and then tracking the user’s access. This is performed with Identity and access management.  Identity and access management can be summarized below:
    • Authentication – Identification of the user (Who are you?)
    • Authorization – What can you access
    • Accounting – What have you done

Identity and access management gives us the ability to provide the right level of access to our users.  What is the right level of access?  The minimal amount of access necessary for people to perform their jobs.

 

  • Encryption – Encryption is another component of security. Encryption is a means of securing data by encoding the data in a manner that it can only be read, or decrypted, by those with the correct key. Encryption processes translate data using an algorithm that makes the original information unreadable except for authorized users.  Encryption should be used for stored data (Encryption at rest) and during transition (Encryption in transit)

In conclusion security takes a layered approach.  Each layer works together to provide a cohesive security solution!

About Our Founder

Hello! My name is Michael Gibbs, CEO and Founder of Go Cloud Careers. I’ve been working in technology for well over 25 years. We are dedicated to helping our clients build elite cloud computing careers. I’ve been working in technology for over 25 years, and I’ve spent 20 years of my career coaching or mentoring others to get their first tech job.

In my 25-tech career, I have worked in:

  • Networking
  • Security
  • Cloud computing
  • Teaching
  • Coaching
  • Mentoring

How Can We Help You Reach Your Dream Career?

Career Development Programs

At Go Cloud Careers our goal is to improve the cloud computing community as a whole, by developing individuals to succeed in their roles. Our Career Development Programs are designed to help you get the best career at the fastest speed possible. These programs not only provide technical training, but also the much-overlooked soft skills and emotional intelligence that determine whether an individual can reach that dream career. In these group training programs, we provide a combination of live group training sessions, on-demand web-based content, and extensive labs. We also provide server access to our students, to build their own cloud architectures from the ground up. You can find more information on the programs by clicking the button below.

Cloud Architect Career Development Program

Our FREE Offerings Every Week

Free Webinars

Go Cloud Careers offers the “How to get your first cloud architect job webinar each week on Thursday. You can register for the next webinar here. We conduct a presentation in the beginning and afterward, participants can ask any questions they want. We will even help build a career plan LIVE on these free calls. We will talk about:

  • What employers desire
  • How to build a perfect resume
  • How to get your name out to the community
  • How to get hired
  • Things to do on your interview

Register for the How to Get Your First Cloud Job Webinar

With Our Compliments

Go Cloud Careers is truly excited to offer multiple FREE resources for AWS Certification training. These include:

We look forward to you joining our Go Cloud Careers community!

Subscribe To Our Newsletter

Get updates and learn from the best

More To Explore

AWS

AWS VPC Security Best Practices

In today`s article, we’ll discuss different measures for AWS VPC security best practices. Security is different layers of protection in order not to get hacked. 

Do You Want To Get Cloud Hired or Cloud Promoted

Take A Look at Our Training Programs

FREE Azure BootcampRegister Now

Register Now for this FREE Azure Solutions Architect Expert Bootcamp, June 14 - 18.

%d bloggers like this: