CodeX
Published in

CodeX

How to Secure your AWS infrastructure?

You might be able to build, scale, automate and make your AWS infrastructure reliable but, securing it is the most important thing to be considered first. Keeping your infrastructure in Cloud means keeping it in a public place, so how do you secure it? how will you make sure not all publics can see or use it? In this article let us look into the AW Security services that should be used to make your infrastructure secure.

AWS IAM Policies

Manage and restrict access to your AWS resources using IAM Policies. A Policy is an object in AWS that, when associated with an identity (users, groups, or roles)or resource, defines its permissions. Policies can be defined to say what a user can do in his/her account and what all services he/she can access.

Different IAM policies are - Identity-based policies, Resource-based policies, Permissions boundaries, Organizations SCPs, Access control lists (ACLs), and Session policies.

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html

AWS Data encryption while Data-at-Rest and Data-in-Transit

Data encryption is one of the key services that AWS recommends to secure your data.

AWS KMS Key Management Service provides you centralized control over the cryptographic keys used to protect your data.

https://docs.aws.amazon.com/whitepapers/latest/introduction-aws-security/data-encryption.html

AWS VPC - Virtual Private Cloud

AWS VPC is a logically isolated network in the Cloud. Place your resources in VPC and get complete control over resources inside it. You can restrict access to your VPC resources from outside and allow only to trusted entities.

Key security concepts in VPC are -

  1. Internet Gateway - A gateway that you attach to your VPC to enable communication between resources in your VPC and the internet.
  2. Route Table - A set of rules, called routes, that are used to determine where network traffic is directed.
  3. Subnet - A range of IP addresses in your VPC.
  4. NACL - Network Access Control Layer is the firewall at your subnet level. NACL is stateless i.e. any change made at the inbound rule will not affect the outbound rule. The maximum number of rules that exist per NACL is 20.
  5. Security group - These are the firewall at the EC2 instance level. Security groups are stateful i.e. any change made at the inbound rule will automatically reflect in the outbound rule. The maximum number of rules that can exist per Security Group is 50.

https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html

AWS VPC Flow Logs

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data can be published to Amazon CloudWatch Logs or Amazon S3. After you’ve created a flow log, you can retrieve and view its data in the chosen destination.

VPC Flow Logs can be enabled at ENI (Elastic Network Interface) level, Subnet level, or at the VPC level, and this granularity helps you in troubleshooting network issues at various stages with clarity.

https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html

AWS Guard Duty

Amazon GuardDuty is an intelligent threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3. GuardDuty analyzes tens of billions of events across multiple AWS data sources, such as AWS CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs.

https://aws.amazon.com/guardduty/

AWS Direct Connect

AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS. Using AWS Direct Connect, you create a private connection between AWS and your data center, office, or colocation environment. This can increase bandwidth throughput and provide a more consistent network experience than internet-based connections.

AWS Direct Connect is compatible with all AWS services accessible over the internet and is available in speeds starting at 50 Mbps and scaling up to 100 Gbps.

AWS VPC endpoints

A VPC endpoint enables private connections between your VPC and supported AWS services and VPC endpoint services powered by AWS PrivateLink. AWS PrivateLink is a technology that enables you to privately access services by using private IP addresses.

VPC endpoints are of two types

  1. Gateway endpoint - It supports S3 and DynamoDB. You need to specify the Gateway endpoint as a Route table target for traffic that is destined for the supported AWS services.
  2. Interface endpoint - Interface endpoints are powered by AWS PrivateLink. Here, communication happens through Elastic Network Interface with a private IP address from the IP address range of your subnet. It serves as an entry point for traffic destined to a supported AWS service or a VPC endpoint service.

Conclusion

No matter what services you use how scalable and reliable your infrastructure is you always have to make sure your data is encrypted, restricted with access, and secure from attacks. The use of VPC keeps your infrastructure isolated in the cloud, VPC Flow logs and Guard duty protects your VPC from trespassers. Encryption service makes sure your data is not understandable or exposed to unknown resources, Direct connect and Endpoints are always a safe pipeline for your data transmission.

Knowledge Credits - AWS Oficial website

— — — — — — — — — — — — — — — — — — — — — — — -

DON'T STOP WHEN YOU ARE TIRED. STOP WHEN YOU ARE DONE.

Would love to hear your thoughts and requirement in our coming articles.

Thank you.

--

--

--

Everything connected with Tech & Code. Follow to join our 900K+ monthly readers

Recommended from Medium

We are Playing a Dangerous Game with the Future of the Internet

EchelonDAO: Smart Contract Audit Report

Cybersecurity Lessons, Hints and Tips.

We’ve Moved — Check Out Our New Digs!

ICS security — The 5 key benefits of having a network map

(Video) Rally Community Call, January 22, 2021- With Special Guest Seed Club’s Jess Sloss

Introducing Staking Vaults — the easiest way to get more $LTT!

3 Essential Capabilities You Need to Modernize Your ERP Data Security and Compliance

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Yogendra H J

Yogendra H J

Learning and Sharing knowledge || Cloud Computing evangelist || @medium.com || AWS CSAA || Azure Admin || Exploring DevOps

More from Medium

AWS Diagram Security Groups

Access AWS S3 Buckets without Internet Connection

AWS VPC Gateway Endpoints and NACLs

How to use AWS Configure in Terraform