Virtual Private Cloud (VPC)

Network access

AWS provides network ACLs and security groups to protect access to resources inside a VPC. Network access to a resource is granted by the combination of the network ACLs applied at the subnet level and the aggregate of all security groups attached to the resource (such as a virtual machine): when several security groups attached to the same resource allow different access, their allow rules are combined.

Best practices

  • When creating custom network ACLs, create a final deny rule for both inbound and outbound traffic for better protection.

  • Create subnets according to the resource’s function (for example, public subnets for web servers, private subnets for database servers, and so on).

  • For remote access protocols (SSH/RDP), limit the source IP address (or Classless Inter-Domain Routing (CIDR)) to well-known sources.

  • For file sharing protocols (CIFS/SMB/FTP), limit the source IP address (or CIDR) to well-known sources.

  • Use security groups to control access between public resources (such as load balancers or publicly facing web servers) and private resources (such as databases) and limit the access to the minimum required ports/protocols.

  • Set names and descriptions for security groups to allow a better understanding of any security group’s purpose.

  • Use tagging (also known as labeling) for security groups to allow a better understanding of which security groups belong to which AWS resources.

  • For large-scale environments with multiple AWS accounts, use AWS Firewall Manager to centrally create and enforce VPC security groups.

  • For secure access from resources inside your VPC to AWS Managed Services (such as AWS S3, Amazon RDS and more), and to keep traffic inside the AWS backbone, use AWS PrivateLink, and configure your VPC security groups to allow traffic from your VPC to AWS managed services.

  • To allow outbound access from internal resources inside private subnets to destinations on the internet (based on the IPv4 protocol), use NAT gateways or any self-hosted NAT proxy.

  • To allow outbound access from internal resources inside private subnets to destinations on the internet (based on the IPv6 protocol), use an egress-only internet gateway.

Monitoring

AWS allows for monitoring Amazon VPC using Amazon CloudWatch and VPC Flow Logs.

Best practices

  • Enable CloudWatch Logs to monitor your VPC components’ activity and the traffic between your VPC resources and VPC endpoints (AWS managed services).

  • Use AWS CloudTrail to monitor VPC configuration.

  • Enable VPC Flow Logs to log and further analyze allowed and denied traffic activity. Combined with Amazon GuardDuty, you will be able to detect anomalous network behaviour, such as interaction with command and control (C&C) networks, malicious IP addresses, and more.

  • Use AWS Config or AWS Security Hub to detect inbound access to resources inside your VPC via unencrypted protocols (such as HTTP instead of HTTPS, or LDAP instead of LDAPS).

  • When you need to troubleshoot network issues by capturing network traffic without interrupting production systems, use Traffic Mirroring in Amazon VPC to copy live network traffic from a network interface of an Amazon Elastic Compute Cloud (EC2) instance, or from a network load balancer, to an out-of-band security appliance.

For large-scale production environments, enable VPC Flow Logs only for short periods of time and only for troubleshooting purposes, because of the high storage cost and the large volume of data that VPC Flow Logs generate.
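The kind of check these monitoring practices (and the source-restriction rules for SSH/RDP and file-sharing protocols above) call for, as an added example that is not code from this book: it parses VPC Flow Log records in the default version 2 format, flags accepted SSH/RDP/FTP/SMB flows from outside an assumed allow-list and accepted unencrypted HTTP/LDAP traffic, and counts REJECTed flows per source for anomaly review. The TRUSTED_SOURCES allow-list, the port tables and the SAMPLE_LOGS records are constructed for the example.

```python
import ipaddress
from collections import Counter

# Field order of the default VPC Flow Log (version 2) record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
# TCP destination ports the best practices above single out (example policy).
RESTRICTED_PORTS = {22: "SSH", 3389: "RDP", 21: "FTP", 139: "CIFS", 445: "SMB"}
UNENCRYPTED_PORTS = {80: "HTTP", 389: "LDAP"}
# Assumed allow-list of well-known sources (constructed for this example).
TRUSTED_SOURCES = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "203.0.113.0/24")]


def parse_flow_log(line):
    """Parse one default-format record; return None for NODATA/SKIPDATA records."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[-1] != "OK":
        return None
    rec = dict(zip(FIELDS, parts))
    for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[key] = int(rec[key])
    return rec


def is_trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_SOURCES)


def audit(lines):
    """Return (findings, rejects): accepted TCP flows breaking the checks above, and REJECTs per source."""
    findings, rejects = [], Counter()
    for rec in filter(None, map(parse_flow_log, lines)):
        if rec["action"] == "REJECT":
            rejects[rec["srcaddr"]] += 1
        elif rec["protocol"] == 6:  # port-based checks only make sense for TCP
            src, port = rec["srcaddr"], rec["dstport"]
            if port in RESTRICTED_PORTS and not is_trusted(src):
                findings.append((src, port, RESTRICTED_PORTS[port] + " from untrusted source"))
            elif port in UNENCRYPTED_PORTS:
                findings.append((src, port, UNENCRYPTED_PORTS[port] + " accepted unencrypted"))
    return findings, rejects


# Constructed sample records (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOGS = [
    "2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.10 51000 22 6 10 840 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.2.10 40211 22 6 12 960 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.2.10 40212 445 6 4 320 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.2.10 40300 80 6 8 640 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 192.0.2.44 10.0.2.10 40400 3389 6 1 60 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA",
]
```

Running `audit(SAMPLE_LOGS)` reports the untrusted SSH and SMB flows and the accepted HTTP flow, and leaves the trusted SSH flow and the NODATA record out of the findings.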