This content is part of the Essential Guide: AWS re:Invent 2015: A guide to Amazon's sold-out event

Apply these network security measures to defend an AWS cloud

There is no catch-all for securing a cloud network. Administrators should take a comprehensive approach to protect AWS cloud resources.

Securing applications and data in the AWS cloud is a multifaceted process that includes multiple services and controls. There are a few important network security measures that enterprises must follow when designing an AWS environment, including security groups, subnets and virtual private clouds.

Security groups

Security groups are virtual firewalls that control inbound and outbound traffic to a variety of Amazon Web Services (AWS) resources, including VMs, load balancers and Relational Database Services. A security group is a set of rules on inbound and outbound traffic. For example, to allow a Secure Socket Shell (SSH) connection to a server, a security group on the instance would need a rule allowing inbound and outbound TCP traffic on Port 22. Because most administrators don't want to give anyone the ability to connect via SSH to their servers, security group rules include a specification of allowed source addresses for inbound traffic and destinations for outbound traffic.

AWS security groups determine access at a network's protocol layers. It's best to minimize the number of open ports to only those needed to support applications running on the servers. In fully automated configurations, when an admin shouldn't have to log in to an instance, even Port 22 can be blocked.

Subnets and network access control lists

Subnets are logically distinct subsections of larger networks. In AWS, a subnet is managed as a range of IP addresses and resources located within a single availability zone -- the functional equivalent of a data center. Limiting routes to gateways further controls access to subnets; IP traffic can pass between any two devices within the subnet and can pass to devices outside the subnet if a gateway is available. If a subnet has a route to an Internet gateway, it is considered a public subnet. When traffic routes to a virtual private gateway, it is considered a VPN-only subnet.

Network access control lists (NACLs) provide more granular control. NACLs are firewalls that function similar to AWS security groups, but apply to subnets -- not individual virtual devices. NACLs allow and deny rules. Unlike subnets, which are stateful and allow return traffic automatically, NACLs are stateless and must have rules set to explicitly allow return traffic. The NACL rules of a subnet apply to all instances in the subnet.

Subnets are used to create logical layers, such as DMZ-hosting Internet-accessible Web servers, services subnets that run microservices and data services layers that contain database servers. Subnets and NACLs help to minimize the type of traffic in each layer. For example, traffic from the services subnet to the data subnet might be restricted to TCP traffic on ports the database server uses. 

Because NACLs and security groups provide similar protections, there are times when both could be used to meet the same requirements. If, for example, an enterprise has a small number of application and database servers, a set of security groups might be easier to manage and just as effective as using security groups with NACLs. With NACLs, if someone mistakenly misconfigures an instance in a subnet, the NACL rules will apply traffic to and from that instance.

Virtual private clouds

Another important network security measure in AWS is the use of virtual private clouds (VPCs). One of the most obvious differences between deploying infrastructure for infrastructure as a service (IaaS) and an on-premises data center is that IaaS customers all share the same physical infrastructure. Enterprise customers often require networking abstractions and controls that apply to all resources, including subnets and machine instances. A VPC is a virtual network within a single AWS account that can span multiple availability zones.

VPCs can include multiple subnets and an Internet gateway. The default subnet associated with a VPC has a route to the Internet gateway, but other subnets can be private with no Internet access. VPCs can connect to on-premises infrastructure using an IPsec VPN. A virtual gateway is used on the VPC and a physical device is located at the on-premises data center.

The combination of security groups, subnets, NACLs and VPCs create the building blocks for network security measures in AWS. Security groups function at the level of single machine instances. Network control lists provide a way to define more granular, traffic-control rules at the subnet level. Virtual private clouds enable a logical network that spans availability zones and contains multiple subnets. And it supports the extension of an on-premises network into the cloud using a VPN.

Next Steps

Stay ahead of AWS security issues

Team effort necessary to secure AWS resources

Monitor your network to prevent brute-force attacks

Dig Deeper on AWS security