Follow the AWS network security best practices below to improve the security of your network on AWS.
Firstly, AWS provides multiple layers of network security:
- Isolated VPCs with public/private subnets
- Network Access Control Lists
- Security Groups
For beginners looking to maintain a secure cloud network, we recommend starting with the default VPC and NACL and controlling access to EC2 and RDS instances via Security Groups.
For large organizations, we recommend using AWS Firewall Manager.
Virtual Private Cloud (VPC)
A Virtual Private Cloud (VPC) is a logically isolated area of the AWS cloud into which you launch your resources:
- You should create a separate VPC for each solution, so that even if one VPC is compromised the attackers have no access to the other VPCs
- For each VPC, you specify the IP address range, subnets, routing tables and network gateways
- Each subnet can be either private or public – you should put the public-facing resources into the public subnets and all backend infrastructure into the private subnets
Network Access Control Lists
For each subnet in a VPC, the router checks the Network Access Control List (NACL) – the VPC firewall – for stateless rules that determine whether the traffic is allowed. Rules can either allow or deny, and they are evaluated in order of priority (rule number), with the first matching rule deciding.
The rules are stateless: for example, if a request arrives on port 443, a separate outbound rule must explicitly allow the response that goes back to the client's port, otherwise the response is dropped. In other words, both the inbound and the outbound NACL rules are evaluated for every connection.
Check this AWS information on how to control traffic to subnets using Network ACLs.
Security Groups
Another way to improve your AWS network security is to use Security Groups – the EC2 and RDS firewall – whose rules are designed to protect EC2 and RDS instances. Each EC2 or RDS instance can be associated with multiple security groups. Security Group rules are allow-only (there are no deny rules), and all rules are evaluated for every request.
The rules are stateful: for example, if a request arrives on port 443, the response to that request is automatically allowed out without a separate outbound rule. In other words, a single Security Group rule covers both the incoming request and its outgoing response.
Check this AWS information on how to work with security groups.
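The stateless-versus-stateful difference described in the two sections above, as an added example that is not part of the original article: a small model in which a NACL judges inbound and outbound packets independently in rule-number order (so the reply to an HTTPS request needs its own outbound rule), while a security group tracks the accepted connection and admits the reply on its own. The client address, ports and rule numbers are constructed values.

```python
"""Added example: a toy model of NACL (stateless, ordered allow/deny) versus
security group (stateful, allow-only) evaluation of one HTTPS exchange."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the subnet / instance
    port: int       # destination port of this packet
    flow: tuple     # constructed connection id: (client_ip, client_port)


def nacl_allows(rules, pkt):
    """NACL rules are (number, direction, low_port, high_port, action).
    They are checked lowest number first; the first match wins, and each
    direction is judged on its own. Anything unmatched hits the implicit
    final '*' deny rule."""
    for _number, direction, lo, hi, action in sorted(rules):
        if direction == pkt.direction and lo <= pkt.port <= hi:
            return action == "allow"
    return False


class SecurityGroup:
    """Allow-only inbound port list. A packet that matches opens a tracked
    connection, and the reply on that connection is allowed with no
    outbound rule (the stateful behaviour the article describes)."""
    def __init__(self, inbound_ports):
        self.inbound_ports = set(inbound_ports)
        self.tracked = set()

    def allows(self, pkt):
        if pkt.direction == "in" and pkt.port in self.inbound_ports:
            self.tracked.add(pkt.flow)
            return True
        return pkt.flow in self.tracked  # return traffic of an accepted request


def evaluate_https_exchange(nacl_rules):
    """Constructed exchange: client 203.0.113.10:51000 -> instance:443, then the
    reply from the instance back to the client's ephemeral port 51000."""
    flow = ("203.0.113.10", 51000)
    request = Packet("in", 443, flow)
    response = Packet("out", 51000, flow)
    sg = SecurityGroup([443])
    return {
        "nacl": (nacl_allows(nacl_rules, request), nacl_allows(nacl_rules, response)),
        "sg": (sg.allows(request), sg.allows(response)),
    }


# NACL with only an inbound 443 allow: the request passes, the reply is dropped.
INBOUND_ONLY = [(100, "in", 443, 443, "allow")]
# Corrected NACL: also allow outbound replies to the ephemeral port range.
WITH_RETURN_RULE = INBOUND_ONLY + [(100, "out", 1024, 65535, "allow")]
```

Running `evaluate_https_exchange(INBOUND_ONLY)` shows the NACL dropping the reply while the security group admits it; adding the outbound rule fixes the NACL result, and a lower-numbered deny rule for port 443 overrides the allow because NACL rules are ordered.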