VPC

A VPC is your own virtual, secure, scalable network in the AWS cloud that contains your AWS resources. Let us look at the VPC security best practices:

  • Create custom VPC: Create your own VPC rather than using the default VPC, whose default settings allow unrestricted inbound and outbound traffic.
  • Monitor VPC activity: Create VPC flow logs to monitor the flow of all IP traffic to and from the network interfaces in your VPC, so that you can identify and restrict any unwanted activity.
  • Use Network Address Translation (NAT): Keep all your resources that do not need access to the internet in a private subnet. Use a NAT device, such as a NAT instance or NAT gateway, to allow internet access from resources in a private subnet.
  • Control access: Use IAM to control access to the VPC and the resources that are part of the VPC. You can create fine-grained access control using IAM for resources in your VPC.
  • Use NACL: Configure NACLs to define which traffic is allowed and denied for your VPC at the subnet level. Control inbound and outbound traffic for your VPC. Use NACL to block traffic from specific IPs or ranges of IPs by blacklisting them.
  • Implement IDS/IPS: Use AWS solutions for Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) or reach out to AWS partners at the AWS marketplace to secure your VPC through one of these systems.
  • Isolate VPCs: Create separate VPCs as per your use cases to reduce the blast radius in the event of an incident. For example, create separate VPCs for your development, testing, and production environments.
  • Secure VPC: Utilize the web application firewall, firewall virtual appliances, and firewall solutions from the AWS marketplace to secure your VPC. Configure a site-to-site VPN for securely transferring data between your on-premises data center and the AWS VPC. Use the VPC peering feature to enable communication between two VPCs in the same region. Place the ELB in a public subnet and all other EC2 instances in a private subnet unless those instances need to access the internet.
  • Tier security groups: Use different security groups for the various tiers of your architecture. For example, have a security group for your web servers and another one for your database servers. When configuring a security group, reference other security groups as the allowed source instead of hard-coded IP ranges.
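The "Monitor VPC activity" and "Use NACL" items above work best together: before tightening a subnet's NACL, replay the subnet's flow logs against the proposed rule table to see which currently accepted flows it would block and which sources are repeatedly being rejected. The following Python is an added example, not code from the book; it parses flow log lines in the default (version 2) field order and models NACL evaluation as ascending rule number, first match wins, implicit deny if nothing matches, with no connection tracking. The flow log lines, the rule table, and the account and interface IDs are all constructed for illustration.

```python
"""Replay VPC flow log records against a proposed inbound NACL rule table.
Added example (not from the book). Log lines and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Default flow log record format (version 2), space separated.
FLOW_FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
               "srcport", "dstport", "protocol", "packets", "bytes",
               "start", "end", "action", "log_status")


@dataclass(frozen=True)
class FlowRecord:
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int   # IANA protocol number: 6 = TCP, 17 = UDP
    action: str     # ACCEPT or REJECT as decided by SG + NACL at capture time


@dataclass(frozen=True)
class NaclRule:
    number: int     # evaluated in ascending order
    protocol: int   # IANA number, or -1 for all protocols (ports ignored)
    port_from: int
    port_to: int
    cidr: str
    allow: bool


def parse_flow_record(line: str) -> Optional[FlowRecord]:
    """Parse one default-format line; NODATA/SKIPDATA records ('-' fields) are skipped."""
    parts = line.split()
    if len(parts) != len(FLOW_FIELDS):
        return None
    rec = dict(zip(FLOW_FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(rec["srcaddr"], rec["dstaddr"], int(rec["srcport"]),
                      int(rec["dstport"]), int(rec["protocol"]), rec["action"])


def evaluate_nacl(rules: List[NaclRule], addr: str, port: int,
                  protocol: int) -> Tuple[Optional[int], bool]:
    """Return (matching rule number, allowed); (None, False) is the '*' default deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in (-1, protocol):
            continue
        if rule.protocol != -1 and not rule.port_from <= port <= rule.port_to:
            continue
        if ip_address(addr) not in ip_network(rule.cidr):
            continue
        return rule.number, rule.allow
    return None, False


def audit_flows(lines: List[str], inbound_rules: List[NaclRule]):
    """Flag ACCEPTed flows the proposed NACL would deny; count REJECTs per source."""
    findings: List[Tuple[str, str, int, int]] = []
    reject_counts: Dict[str, int] = {}
    for line in lines:
        rec = parse_flow_record(line)
        if rec is None:
            continue
        if rec.action == "REJECT":
            reject_counts[rec.srcaddr] = reject_counts.get(rec.srcaddr, 0) + 1
            continue
        _, allowed = evaluate_nacl(inbound_rules, rec.srcaddr, rec.dstport, rec.protocol)
        if not allowed:
            findings.append((rec.srcaddr, rec.dstaddr, rec.dstport, rec.protocol))
    return findings, reject_counts


# Constructed inbound NACL for a public web subnet: HTTPS from anywhere,
# SSH only from the VPC range, ephemeral ports for stateless return traffic.
WEB_SUBNET_INBOUND = [
    NaclRule(100, 6, 443, 443, "0.0.0.0/0", True),
    NaclRule(110, 6, 22, 22, "10.0.0.0/8", True),
    NaclRule(120, 6, 1024, 65535, "0.0.0.0/0", True),
]

# Constructed sample flow log lines (RFC 5737 documentation addresses).
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.25 44312 443 6 12 6200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 50211 22 6 3 180 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 50212 3389 6 5 300 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 50213 8080 6 5 300 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
2 123456789012 eni-0a1b2c3d 10.0.2.40 10.0.1.25 39000 5432 6 20 9000 1700000000 1700000060 ACCEPT OK
""".splitlines()


if __name__ == "__main__":
    found, rejects = audit_flows(SAMPLE_FLOW_LOG, WEB_SUBNET_INBOUND)
    for src, dst, port, proto in found:
        print(f"accepted today, denied by proposed NACL: {src} -> {dst}:{port}/{proto}")
    for src, n in rejects.items():
        print(f"{src}: {n} rejected flows")
```

Run against the constructed sample, the audit reports the SSH session from 198.51.100.7 as currently accepted but denied by the proposed NACL, and the same address as the source of two rejected probes. The internal connection to port 5432 passes on rule 120, the ephemeral-port rule that stateless NACLs need for return traffic: that rule admits any inbound high-port flow, which is why NACLs complement the tiered, stateful security groups of the last item rather than replacing them. In practice the lines would come from the flow log's CloudWatch Logs group or S3 bucket instead of the embedded sample.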