How to Secure your AWS infrastructure?

Yogendra H J
Published in CodeX
4 min read · Sep 1, 2021

You might be able to build, scale, automate and make your AWS infrastructure reliable, but securing it is the most important thing to consider first. Keeping your infrastructure in the cloud means keeping it in a public place, so how do you secure it? How do you make sure that not everyone can see or use it? In this article let us look at the AWS security services that should be used to make your infrastructure secure.

AWS IAM Policies

Manage and restrict access to your AWS resources using IAM policies. A policy is an object in AWS that, when associated with an identity (users, groups, or roles) or a resource, defines its permissions. A policy states what a user can do in the account and which services they can access.

The IAM policy types are: identity-based policies, resource-based policies, permissions boundaries, Organizations SCPs, access control lists (ACLs), and session policies.

I found a very detailed explanation of IAM; have a look at it here.
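To make the evaluation rules concrete, here is an added Python example (not from the article or from AWS) that evaluates a request against a set of policy documents the way IAM does at its core: implicit deny by default, a matching Allow grants access, and a matching explicit Deny overrides every Allow. The policy documents, bucket name and actions are constructed samples; Condition blocks, principals, SCPs and permissions boundaries are left out of the model.

```python
"""Simplified IAM policy evaluation (an added illustration, not AWS's own code).

Models the core of how AWS decides a request: everything is denied by default,
a matching Allow grants access, and a matching explicit Deny overrides every
Allow. Only Effect/Action/Resource with '*' and '?' wildcards are modelled;
Conditions, principals, SCPs and permissions boundaries are left out.
"""
import fnmatch
import json


def _as_list(value):
    """Action and Resource may be a string or a list of strings; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_sensitive):
    """IAM wildcards behave like shell globs; actions are case-insensitive, ARNs are not."""
    patterns = _as_list(patterns)
    if not case_sensitive:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for one (action, resource) request across policy documents."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt.get("Action", []), action, case_sensitive=False):
                continue
            if not _matches(stmt.get("Resource", []), resource, case_sensitive=True):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"       # an explicit Deny ends evaluation immediately
            allowed = True          # remember the Allow but keep looking for a Deny
    return "Allow" if allowed else "Deny"   # implicit deny when nothing allowed it


# Constructed sample policies: full access to one bucket, plus a guardrail that
# denies every delete action on every resource (the bucket name is made up).
BUCKET_ADMIN = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
  }]
}""")
DENY_DELETES = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"}]
}""")
POLICIES = [BUCKET_ADMIN, DENY_DELETES]

if __name__ == "__main__":
    for action, resource in [
        ("s3:GetObject", "arn:aws:s3:::example-bucket/report.csv"),     # Allow
        ("s3:DeleteObject", "arn:aws:s3:::example-bucket/report.csv"),  # Deny (explicit)
        ("s3:GetObject", "arn:aws:s3:::other-bucket/report.csv"),       # Deny (implicit)
        ("ec2:RunInstances", "*"),                                      # Deny (implicit)
    ]:
        print(f"{action:20} {resource:45} -> {evaluate(POLICIES, action, resource)}")
```

The important property to notice is that the Deny statement is evaluated even though an Allow already matched: attaching a guardrail policy that denies deletes is enough to block them regardless of how many other policies grant `s3:*`.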

AWS Data Encryption for Data-at-Rest and Data-in-Transit

Data encryption is one of the key services that AWS recommends to secure your data.

AWS KMS (Key Management Service) gives you centralized control over the cryptographic keys used to protect your data.

https://docs.aws.amazon.com/whitepapers/latest/introduction-aws-security/data-encryption.html

AWS VPC - Virtual Private Cloud

AWS VPC is a logically isolated network in the cloud. Place your resources in a VPC and get complete control over the resources inside it. You can restrict access to your VPC resources from outside and allow access only to trusted entities.

Key security concepts in VPC are:

  1. Internet Gateway - A gateway that you attach to your VPC to enable communication between resources in your VPC and the internet.
  2. Route Table - A set of rules, called routes, that are used to determine where network traffic is directed.
  3. Subnet - A range of IP addresses in your VPC.
  4. NACL - A Network Access Control List is the firewall at the subnet level. NACLs are stateless, i.e. an inbound rule does not automatically allow the matching outbound (return) traffic; both directions must be allowed explicitly. The maximum number of rules that can exist per NACL is 20.
  5. Security group - These are the firewall at the EC2 instance level. Security groups are stateful, i.e. the return traffic of a connection allowed by an inbound rule is automatically allowed outbound. The maximum number of rules that can exist per security group is 50.

https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html
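The stateless/stateful distinction in items 4 and 5 is easiest to see by simulating one connection. The following Python is an added example (not part of the article or any AWS code): a minimal model of a NACL and a security group, fed one constructed HTTPS request from a client and the server's reply. The addresses, ports and rule sets are made up, and rule numbers, protocol fields and ICMP are simplified away.

```python
"""Stateless NACL vs stateful security group, simulated over one HTTPS exchange
(an added illustration, not AWS code; rule numbering and conditions are simplified)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int

    def reply(self):
        """The return packet of this one: endpoints and ports swapped."""
        return Packet(self.dst_ip, self.src_ip, self.dst_port, self.src_port)


@dataclass(frozen=True)
class Rule:
    cidr: str               # remote network: source for inbound rules, destination for outbound
    port_low: int           # destination-port range the rule covers
    port_high: int
    action: str = "allow"   # NACLs may also carry "deny"; security groups only allow

    def matches(self, remote_ip, dst_port):
        return (ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr)
                and self.port_low <= dst_port <= self.port_high)


def _remote(pkt, direction):
    """The address a rule is compared against: the peer outside the instance."""
    return pkt.src_ip if direction == "in" else pkt.dst_ip


class NetworkAcl:
    """Stateless: each packet is judged alone, rules in order, first match wins, default deny."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound

    def allows(self, pkt, direction):
        rules = self.inbound if direction == "in" else self.outbound
        for rule in rules:
            if rule.matches(_remote(pkt, direction), pkt.dst_port):
                return rule.action == "allow"
        return False   # the implicit final '*' deny rule


class SecurityGroup:
    """Stateful: allow rules only, plus a connection table that admits return traffic."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.connections = set()   # packets admitted by a rule; their replies are trusted

    def allows(self, pkt, direction):
        if pkt.reply() in self.connections:
            return True            # return traffic of a tracked flow needs no rule
        rules = self.inbound if direction == "in" else self.outbound
        if any(rule.matches(_remote(pkt, direction), pkt.dst_port) for rule in rules):
            self.connections.add(pkt)
            return True
        return False


def simulate(firewall):
    """Run one HTTPS request and its reply through `firewall`; return (request_ok, reply_ok)."""
    request = Packet("203.0.113.5", "10.0.1.10", 51234, 443)   # constructed client -> server
    return firewall.allows(request, "in"), firewall.allows(request.reply(), "out")


HTTPS_IN = [Rule("0.0.0.0/0", 443, 443)]
EPHEMERAL_OUT = [Rule("0.0.0.0/0", 1024, 65535)]   # return traffic to client ephemeral ports

if __name__ == "__main__":
    print("NACL, inbound 443 only:       ", simulate(NetworkAcl(HTTPS_IN, [])))             # (True, False)
    print("NACL, plus ephemeral outbound:", simulate(NetworkAcl(HTTPS_IN, EPHEMERAL_OUT)))  # (True, True)
    print("Security group, inbound 443:  ", simulate(SecurityGroup(HTTPS_IN, [])))          # (True, True)
```

The first case is the classic NACL mistake: the request is admitted but the server's reply is silently dropped because nothing allows outbound traffic to the client's ephemeral port. The security group with the same single inbound rule passes both directions because it tracks the connection.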

AWS VPC Flow Logs

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data can be published to Amazon CloudWatch Logs or Amazon S3. After you’ve created a flow log, you can retrieve and view its data in the chosen destination.

VPC Flow Logs can be enabled at the ENI (Elastic Network Interface) level, the subnet level, or the VPC level, and this granularity lets you troubleshoot network issues at whichever level of detail you need.

https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html
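Once flow logs land in S3 or CloudWatch Logs, the default record format is one space-separated line per flow with the fields version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action and log-status. The Python below is an added example (not the article's or AWS's code) that parses such records and summarises REJECTed traffic per source address, which is a common first triage step. The log lines, account id, interface id and addresses are constructed samples, and the port-count threshold is an assumed value.

```python
"""Parse AWS VPC Flow Log records in the default format and summarise rejected
traffic per source address (an added illustration, not AWS code)."""
from collections import defaultdict

# Field order of the default flow log format (version 2), space-separated.
DEFAULT_FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
                  "protocol packets bytes start end action log-status").split()
NUMERIC = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}


def parse_flow_log(line):
    """Return one record as a dict, or None for a malformed line.

    A '-' marks a field with no value, as on NODATA/SKIPDATA records."""
    parts = line.split()
    if len(parts) != len(DEFAULT_FIELDS):
        return None
    record = {}
    for name, raw in zip(DEFAULT_FIELDS, parts):
        if raw == "-":
            record[name] = None
        elif name in NUMERIC:
            record[name] = int(raw)
        else:
            record[name] = raw
    return record


def rejected_ports_by_source(lines):
    """Map each source address to the set of destination ports it was rejected on."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_flow_log(line)
        # Skip malformed lines and NODATA/SKIPDATA records, which carry no flow.
        if rec is None or rec["log-status"] != "OK" or rec["action"] != "REJECT":
            continue
        seen[rec["srcaddr"]].add(rec["dstport"])
    return dict(seen)


def suspected_scanners(lines, min_ports=3):
    """Sources rejected on at least `min_ports` distinct ports (threshold is an assumption)."""
    return sorted(src for src, ports in rejected_ports_by_source(lines).items()
                  if len(ports) >= min_ports)


# Constructed sample records: made-up account id, interface id and addresses.
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.12 10.0.1.10 44321 22 6 8 1200 1630454400 1630454460 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.12 10.0.1.10 44322 3389 6 5 600 1630454401 1630454461 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.12 10.0.1.10 44323 445 6 5 600 1630454402 1630454462 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.10 51234 443 6 40 48000 1630454403 1630454463 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.10 51235 8080 6 3 180 1630454405 1630454465 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1630454404 1630454464 - NODATA",
]

if __name__ == "__main__":
    for src, ports in rejected_ports_by_source(SAMPLE_LINES).items():
        print(f"{src:15} rejected on ports {sorted(ports)}")
    print("suspected scanners:", suspected_scanners(SAMPLE_LINES))
```

Because the function parses by field position, it only works on the default format; if you created the flow log with a custom format you have to set the field list to the one you chose. Counting distinct rejected ports per source is deliberately simple, and the same parsed records are what GuardDuty consumes at much larger scale.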

Amazon GuardDuty

Amazon GuardDuty is an intelligent threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3. GuardDuty analyzes tens of billions of events across multiple AWS data sources, such as AWS CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs.

https://aws.amazon.com/guardduty/

AWS Direct Connect

AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS. Using AWS Direct Connect, you create a private connection between AWS and your data center, office, or colocation environment. This can increase bandwidth throughput and provide a more consistent network experience than internet-based connections.

AWS Direct Connect is compatible with all AWS services accessible over the internet and is available in speeds starting at 50 Mbps and scaling up to 100 Gbps.

AWS VPC endpoints

A VPC endpoint enables private connections between your VPC and supported AWS services and VPC endpoint services powered by AWS PrivateLink. AWS PrivateLink is a technology that enables you to privately access services by using private IP addresses.

VPC endpoints are of two types:

  1. Gateway endpoint - It supports S3 and DynamoDB. You need to specify the Gateway endpoint as a Route table target for traffic that is destined for the supported AWS services.
  2. Interface endpoint - Interface endpoints are powered by AWS PrivateLink. Here, communication happens through Elastic Network Interface with a private IP address from the IP address range of your subnet. It serves as an entry point for traffic destined to a supported AWS service or a VPC endpoint service.

Conclusion

No matter which services you use or how scalable and reliable your infrastructure is, you always have to make sure your data is encrypted, access to it is restricted, and it is secure from attacks. A VPC keeps your infrastructure isolated in the cloud; VPC Flow Logs and GuardDuty protect your VPC from trespassers. Encryption makes sure your data is not readable by or exposed to unknown parties, and Direct Connect and VPC endpoints give you a safe pipeline for your data transmission.

Knowledge Credits - AWS official website


DON'T STOP WHEN YOU ARE TIRED. STOP WHEN YOU ARE DONE.

Would love to hear your thoughts and requirement in our coming articles.

Thank you.
