In part 1 of our AWS security best practices series, we discussed about IAM & EC2 Key-Pairs security do’s and don’ts. In this post we are following up with discussion about the next major AWS security threat landscape: network security. We will talk about some of the most important best practices you must follow to ensure network security of your AWS resources.
Network security refers to all activities intended to safeguard your network against possible threats. Effective network security not only protects your network and contained resources but stops the threats from entering your network. Exclusively, these activities defend the usability, consistency, integrity, and protection of your network and data.
As part 2 of AWS security best practices series, we will discuss how an effective network security can be accomplished on your AWS infrastructure.
With network security in place, your cloud infrastructure will have many business benefits. As your network is protected against interferences, you can have your operations running smoothly. Network security helps your infrastructure meet compulsory regulatory compliance. Since network security helps in protecting your customers’ data, it minimizes the risk of legal actions from data theft.
Eventually, network security facilitates protecting your business’s reputation, which is one of your most significant assets.
Let’s see and analyze different network security components under AWS:
Amazon EC2 Security Group
Security Group is a significant feature of Amazon EC2. The security group works like a firewall enabling you to securely select protocols, ports and IP addresses that are open to computers over the internet. To use a security group, you insert the inbound rules to manage incoming traffic to your instance, and outbound rules to manage the outgoing traffic from your instance. You can opt to make use of the default security group and then modify it according to your requirements, or you can generate your own security group.
The default security group might bring a little confusion. Sometimes with it, everything appears to be wide open whereas in reality, everything is closed. The default security group, automatically, unlocks all ports and protocols simply to computers that are members of the default group. That’s why it is always recommended to customize the security groups to open only few required protocols and ports to the outside world.
Since the advent of VPC on AWS, VPC Networking has emerged as a core cloud security feature. Amazon Virtual Private Cloud (Amazon VPC) allows you to launch Amazon Web Services (AWS) resources into a virtual network defined by you. This virtual network very much looks like a conventional network that you already operate in your own data centre. But it is with the added benefits of using the scalable infrastructure of AWS.
Below are the building blocks of VPC Networking:
Elastic Network Interface
It is a virtual network interface that can be attached to an instance in a VPC. ENIs are accessible just for instances running in a VPC.
They act as your own separate logical network on cloud completely isolated from the outside world.
Network access control list (NACL)
It is an optional layer of security to give additional safety. It operates as a firewall for controlling traffic in and out of a subnet.
These help in directing network traffic between instances inside a subnet.
It serves as a medium to connect resources within a VPC to the Internet.
AWS Web Application Firewall (WAF)
AWS WAF is a web application firewall that helps in protecting your web applications from frequent web interruptions. These interruptions could adversely affect application accessibility, compromise security of your application, or consume too many resources. With AWS WAF, you have a control over which traffic to let or block to your web applications. This can be done by defining customized web security rules. You can use AWS WAF to generate conventional rules that block regular attack patterns, such as SQL injection or cross-site scripting, and rules that can be considered specifically for your application.
These multiple business-oriented Network Security measures can be used to keep your information and data safe in your cloud infrastructure. Here are some AWS security best practices which you can follow for better network security management:
Network Security Do’s
Restricted access of instances
Keep only those instances in public subnet which needs to be accessed directly from internet. You must create several subnets as per your architecture and ensure that only those instances which needs to be accessed from outside world are kept inside a public subnet.
Use a bastion host to access private machines within your VPC
Access private machines within your VPC from outside via a bastion host. It is also recommended to install host based intrusion detection system in such a host. You may look at using OSSEC, which is an open source host-based IDS.
Limited access to ports
Provide limited access to common administrative ports to only a small subset of IP addresses. This includes ports 22 (SSH), 23 (Telnet) 3389 (RDP), and 5500 (VNC). Also provide limited access to common database ports.
Open only specific ports
It is recommended to add Security Group rules only for specific ports rather than adding rules for a range of ports.
Use non-standard ports for your internal applications
Try to use non-standard ports for your internal applications. This would add an extra layer of defense as the attacked would not be able to guess the service from the port number. For example if you are using MySQL, set it up to a custom port rather than to the default 3306.
ELB listener security
Instead of having HTTPS/SSL termination in your instances, it is recommended to have it at your ELB level itself.
Enable VPC flow logs
It is recommended to enable VPC flow logs. You can configure it to capture both accept as well as reject entries. These logs can be powerful in keeping track of all the packet movements across your VPC network.
Network Security Don’ts
Never create security group rules like 0.0.0.0/0
You need to follow the rule of least privilege here as well. It is important not to open the port 22 for everyone. Do not fall for the default security group while launching and instance. Make sure to customize it.
Do not allow UDP / ICMP on private instances
It is recommended not to open allow UDP/ICMP ports for private instances in Security Groups.
Do not use IPs to allow intra-instance network access
Instead of using IPs to allow intra-instance network access, use security groups to allow network access. This ensures that even if the IPs change you do not lose your security to someone who may now have your previous IP!
Following these simple practices you can ensure that your business does not face network downtime. These steps will help you in ensuring your network and your AWS infrastructure’s internet connection are safely up and running.
Efficient network security enables your business to have a smooth functioning. You should take a proactive approach and safeguard your data to ensure your business remains up and running when it needs to be.
We hope that with this post, we can help you in reinforcing your AWS cloud infrastructure’s security. We would love to listen your feedbacks and suggestions. Tweet to Us and reach out to us in case of any queries.
It is recommended to perform a regular AWS security audit to ensure that all the AWS security best practices are being followed in your AWS environment. But performing such an extensive audit manually on regular periods, even once a day is really difficult. Botmetric’s thorough AWS security audit helps you discover AWS security best practices violations within minutes. It also allows to automate security audit of your infrastructure and deliver results to your inbox automatically.
If you aren’t using Botmetric yet, sign up for a 14-day trial and find out how secure your AWS cloud infrastructure is.
Next in our AWS security best practices series, we will talk about another major threat landscape: data security.