© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Corina Motoi
Solutions Architect
AWS UK Public Sector
Matt Johnson
Manager, Solutions Architecture
AWS UK Public Sector
Best Practices for Securing
Amazon VPC
NET318
AWS re:Invent this workshop
In this interactive workshop, we provide practical advice and guidance
for designing and building secure Amazon Virtual Private Clouds
(Amazon VPCs).
Using a hands-on approach, we take you through using Amazon VPC
features such as subnets, security groups, AWS PrivateLink, network
ACLs, routing, flow logs, and service endpoints. We also share best
practices for VPC design and management based on our experience
supporting customers running large-scale infrastructures.
Welcome to the workshop
• We have a number of AWS staff in the room:
• Amazonians, please identify yourselves!
• Your fellow conference attendees at your table
• Say hello, make a new friend
• Work on your own, or get together in small teams (2-3 people)
• Decide who will be following along with their laptop
• Please feel free to ask questions at any time
If you want to go hands-on, you will need…
• Your laptop (use tablets at your own risk!)
• An AWS account with:
• Full AWS Identity and Access Management (IAM) administrator access
• Recommended regions: EU (Dublin, Frankfurt, London), Asia (Singapore, Sydney, Tokyo)
• Ability to create two VPCs in your chosen region
• Pro tip: Choose a region you don’t normally work in, to avoid hitting limits!
• To start the AWS CloudFormation deployment — NOW!
• http://bit.ly/net318workshop/
Note: we will provide a $20 credit voucher at the end of the workshop to
cover the costs of deploying the workshop resources
What we are going to cover today
• Securing the Amazon VPC control plane
  • Securing VPC config
  • Track/audit changes
  • Least privileged access/VPC flow logs
• Controlling VPC traffic flows
  • VPC security basics
  • External AWS traffic
  • VPC private connectivity
  • Gateway endpoints
  • Interface endpoints
  • PrivateLink
• VPC monitoring & automated remediation
  • Monitoring tools
  • Automated remediation
  • Show & tell
Related breakouts
Tuesday, November 27
AIOPs – Find Your Needle in the Haystack
1:00 PM – 2:00 PM | Mirage, Montego D, T1
Wednesday, November 28
NET303 - Advanced VPC Design and New Capabilities for Amazon VPC
4:00 PM – 5:00 PM | Aria West, Level 3, Ironwood 5, T1
Wednesday, November 28
NET301 – Best Practices for AWS PrivateLink
4:45 PM – 5:45 PM | Venetian, Level 2, Venetian F, T2
Assumptions
This workshop assumes an introductory (200 level) familiarity with:
• Amazon VPC concepts
• Subnets, route tables, gateways
• Amazon EC2 concepts
• AWS load balancing
• IAM concepts
• Users, groups, policies, roles
• Other AWS services
• AWS Identity and Access Management (IAM)
• Amazon CloudWatch
• AWS CloudFormation
Today’s objectives
• By the end of the workshop, you should have built a fully functional VPC architecture, aligned with security best practices in three areas:
  • VPC control plane
  • Traffic control
  • VPC monitoring
• You should understand how to implement security measures in a VPC
• You (hopefully) have learned something new that you can apply back at your organization
High-level architecture
(Diagram: one Region with two VPCs, WEB-VPC and APP-VPC, each spanning AZ-A and AZ-B. Labels shown: PUB-A, PUB-B, WEB-A, WEB-B, PRI-A, PRI-B, APP-A, APP-B, VPCE-A, VPCE-B; internet gateway; public route table; main route tables; web instances and app instances in Auto Scaling groups; AWS interface endpoints; S3 gateway endpoints with endpoint policies; S3 logging bucket; users; SecurityUser role and SecurityUser policy.)
Deployment guide here: http://bit.ly/net318workshop/
Objective of this chapter
Learn how to configure permissions to
manage your VPC and track/audit any
changes to its configuration
Why secure the Amazon VPC control plane?
Securing VPC config
Track/audit changes in your VPC environment
AWS Identity and Access Management (IAM)
Assess the following:
• What types of users access the resources in a VPC?
• What kind of VPC resources are users allowed to access?
• What tasks do users need to perform?
General rule:
• Allow least privilege access when accessing your VPC resources
Least privilege access:
• Identities: users, groups, roles
• Access management: policies and permissions
How IAM works
• Principal
• Authorization
• Action-level permissions
• Resource-level permissions
• Resource-based permissions
• Tag-based permissions
• Service-linked roles
• Resources
The structure of an IAM policy
• JSON-formatted documents
• Contain a statement (permissions) that specifies
  • Which actions a principal can perform
  • Which resources can be accessed
• You can have multiple statements, and each statement is comprised of PARC: Principal, Action, Resource, Condition (the Condition block in the template below is a placeholder for an operator, a key and a value)
{
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": "ec2:*",
    "Resource": "*",
    "Condition": {
      "condition": {
        "key": "value" }
    }
  }]
}
What we have learned
Learn how to configure permissions to manage your VPC and track/audit any changes to its configuration
What’s next to learn
Learn how to configure permissions to manage your VPC and track/audit any changes to its configuration
AWS CloudTrail
• Capture and log events related to AWS API calls
• Increase visibility into your user and resource activity
• Discover and troubleshoot security and operational issues
AWS Config & AWS Config rules
• Record configuration changes continuously
• Time-series view of resource changes
• Archive and compare
• Enforce best practices
• Automatically roll back unwanted changes
• Trigger additional workflow
Hands-on 2:
Authorize the SecurityUser role to
enable logging of VPC traffic, and to
activate automated security monitoring
Services we will be enabling:
• Amazon GuardDuty
• Amazon VPC flow logs
Do you have Amazon GuardDuty already enabled?
Hands-on 2: Back to work!
Authorize the SecurityUser role to
enable logging of VPC traffic, and to
activate automated security monitoring
(Architecture diagram as in the high-level architecture; after this hands-on, WEB-VPC flow logs and APP-VPC flow logs are added.)
Lab guide: http://bit.ly/net318workshop/
Objective of this chapter
Understand VPC traffic control
mechanisms and how to use them for
external AWS connectivity, private
connectivity to AWS services, or for
multi-VPC architectures
Controlling VPC traffic flows
• VPC security basics
• Best practice VPC connectivity patterns: internet gateway, NAT gateway, VPC gateway endpoint, peering
• Connectivity using VPC endpoints and AWS PrivateLink
Let’s start
Understand VPC traffic control mechanisms and how to use them for external AWS connectivity, private connectivity to AWS services, or for multi-VPC architectures
VPC traffic security control mechanisms
• Subnets
• Are specific to an Availability Zone (AZ), and they can be public and private
• Security group
• Acts as a virtual firewall for your instance / elastic network interfaces (ENIs) to control
inbound and outbound traffic; can be cross-referenced (within a region)
• Route table
• Contains a set of rules, called routes, that are used to determine where network traffic is
directed. Each subnet in your VPC must be associated with a route table.
• Network access control lists (NACLs)
• Optional layer of security for your VPC that acts as a firewall for controlling traffic in and
out of one or more subnets
Security groups vs. NACLs
| Security group | Network ACL |
| Operates at instance level | Operates at subnet level |
| Supports allow rules only | Supports allow and deny rules |
| Is stateful: return traffic is automatically allowed regardless of any rules | Is stateless: return traffic must be explicitly allowed by rules |
| All rules evaluated before deciding whether to allow traffic | Rules evaluated in order when deciding whether to allow traffic |
| Applies only to instances explicitly associated with the security group | Automatically applies to all instances launched into associated subnets |
Doesn’t filter traffic to or from link-local addresses (169.254.0.0/16) or AWS-reserved IPv4 addresses; these are the first four IPv4 addresses of the subnet (including the Amazon VPC DNS server)
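As an added illustration of the table (example code written for this page, not from the deck), here is a small model of the two evaluation behaviours, run on constructed rules: a NACL whose outbound side forgot the ephemeral-port range, a numbering mistake that leaves a deny rule shadowed, and the equivalent stateful security group.

```python
"""Teaching model, written for this page (not an AWS API), of the two
behaviours in the table above: a network ACL is stateless and evaluates
rules in number order (first match wins, the implicit '*' rule denies), while
a security group is stateful, has allow rules only and considers every rule.
All rules and addresses below are constructed."""
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)   # range a client picks for the reply leg


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rule number; unused for security groups
    cidr: str
    port_from: int
    port_to: int
    action: str      # "allow" or "deny" (security groups: "allow" only)
    protocol: str = "tcp"


@dataclass(frozen=True)
class Packet:
    remote_ip: str   # source of an inbound packet, destination of an outbound one
    port: int        # destination port of this packet
    protocol: str = "tcp"


def _matches(rule, pkt):
    return (rule.protocol in ("all", pkt.protocol)
            and rule.port_from <= pkt.port <= rule.port_to
            and ipaddress.ip_address(pkt.remote_ip)
            in ipaddress.ip_network(rule.cidr))


def nacl_decision(rules, pkt):
    """Lowest-numbered matching rule decides; nothing matches -> deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, pkt):
            return rule.action
    return "deny"


def nacl_permits_connection(inbound, outbound, client_ip, client_port, server_port):
    """Stateless: the request leg and the reply leg are each checked."""
    request = Packet(client_ip, server_port)
    reply = Packet(client_ip, client_port)   # reply goes to the client's ephemeral port
    return (nacl_decision(inbound, request) == "allow"
            and nacl_decision(outbound, reply) == "allow")


def sg_permits_connection(inbound, client_ip, server_port):
    """Stateful: if any inbound allow rule matches the request, the tracked
    reply is allowed without consulting outbound rules."""
    return any(_matches(r, Packet(client_ip, server_port)) for r in inbound)


def shadowed_rules(rules):
    """Audit check: NACL rules that can never take effect because a lower-numbered
    rule with the opposite action already covers their protocol, ports and CIDR."""
    ordered = sorted(rules, key=lambda r: r.number)
    shadowed = []
    for i, rule in enumerate(ordered):
        net = ipaddress.ip_network(rule.cidr)
        for earlier in ordered[:i]:
            if (earlier.action != rule.action
                    and earlier.protocol in ("all", rule.protocol)
                    and earlier.port_from <= rule.port_from
                    and rule.port_to <= earlier.port_to
                    and net.subnet_of(ipaddress.ip_network(earlier.cidr))):
                shadowed.append(rule.number)
                break
    return shadowed


# Constructed public-subnet NACL. Rule 200 is meant to block SSH from one
# range, but rule 90 already allows SSH from anywhere, so 200 never fires.
NACL_IN = [
    Rule(90, "0.0.0.0/0", 22, 22, "allow"),
    Rule(100, "0.0.0.0/0", 443, 443, "allow"),
    Rule(200, "198.51.100.0/24", 22, 22, "deny"),
]
# Outbound set that forgot the ephemeral range: HTTPS requests arrive but
# the replies are dropped, which a stateful security group would never do.
NACL_OUT_BROKEN = [Rule(100, "0.0.0.0/0", 443, 443, "allow")]
NACL_OUT_FIXED = NACL_OUT_BROKEN + [Rule(110, "0.0.0.0/0", *EPHEMERAL, "allow")]
SG_WEB = [Rule(0, "0.0.0.0/0", 443, 443, "allow")]

if __name__ == "__main__":
    print(nacl_permits_connection(NACL_IN, NACL_OUT_BROKEN, "203.0.113.7", 51515, 443))  # False
    print(nacl_permits_connection(NACL_IN, NACL_OUT_FIXED, "203.0.113.7", 51515, 443))   # True
    print(sg_permits_connection(SG_WEB, "203.0.113.7", 443))                              # True
    print(nacl_decision(NACL_IN, Packet("198.51.100.9", 22)), shadowed_rules(NACL_IN))   # allow [200]
```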
Reasons for using network ACLs
• Allows for separation of duties
• Different IAM actions mean that management of network ACLs can be handled separately
from security group configuration
• Gives the ability to specify explicit deny rules
• Allows you to blacklist specific IP addresses/ports
• Provides a mechanism to sever connection-tracked network flows
• Immediately drop established connections when security group rules are changed*
* docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#security-group-connection-tracking
Gotchas
• Security groups don’t implicitly allow east-west traffic
• Instances within a security group can only talk to each other if explicitly allowed by
relevant rule(s)
• Note: the default security group has this exception!
• Rules that use security group references and/or private address ranges
will only work for connections that target private IP addresses
• Connections from within the VPC to public IP addresses will be rejected, because the
source will appear to be from a public IP address
• When using network ACLs and Amazon Elastic Load Balancers (ELBs)
• Allow health check traffic from the ELB subnets to the backend subnets
What we have learned
Understand VPC traffic control mechanisms and how to use them for external AWS connectivity, private connectivity to AWS services, or for multi-VPC architectures
What’s next to learn in this chapter
Understand VPC traffic control mechanisms and how to use them for external AWS connectivity, private connectivity to AWS services, or for multi-VPC architectures
Securing internet connectivity—Inbound
(Diagram: a VPC 10.0.0.0/16 in one Availability Zone with subnets 10.0.0.0/24 and 10.0.1.0/24, app servers, a router, an internet gateway, and NACLs on the subnets.)
Custom route table:
| Destination | Target |
| 10.0.0.0/16 | local |
| 0.0.0.0/0 | igw_id |
• Do I really need inbound internet traffic to my VPC?
• Secure traffic by applying the VPC security controls discussed in the previous chapter
• Best practices to secure your instances
Securing internet connectivity—Outbound
(Diagram: a VPC 10.0.0.0/16 in one Availability Zone with subnets 10.0.0.0/24 and 10.0.1.0/24; a public subnet holds a NAT gateway with Elastic IP 198.51.100.4, a private subnet holds the app servers; a router, an internet gateway, and NACLs on the subnets.)
Public subnet route table:
| Destination | Target |
| 10.0.0.0/16 | local |
| 0.0.0.0/0 | igw_id |
Private subnet route table:
| Destination | Target |
| 10.0.0.0/16 | local |
| 0.0.0.0/0 | Nat_gateway_id |
• Do I really need outbound internet access from my VPC?
• Do I really need outbound internet access from the instances in the private subnet?
• Secure traffic by applying the VPC security controls discussed in the previous chapter
Options for on-premises connectivity
| Option | Use case | Internet connection required | Dedicated network connection | Traffic encryption |
| AWS Managed VPN | AWS managed IPsec VPN connection over the internet | YES | - | YES |
| Software VPN | Software appliance-based VPN connection over the internet | YES | - | YES |
| AWS Direct Connect | Dedicated network connection over private lines | - | YES | - |
| AWS Direct Connect plus Software VPN | Software appliance-based VPN connection over private lines | - | YES | YES |
| AWS Direct Connect plus managed VPN | AWS Managed IPsec VPN connection via DX Public VIF | YES (DX public VIF) | YES | YES |
What we have learned
Understand VPC traffic control mechanisms and how to use them for external AWS connectivity, private connectivity to AWS services, or for multi-VPC architectures
What’s next to learn
Understand VPC traffic control mechanisms and how to use them for external AWS connectivity, private connectivity to AWS services, or for multi-VPC architectures
Private connectivity to AWS services
Use cases
• Scenarios where you have only DX/VPN connectivity to VPCs
• No egress from the VPC to public networks (and hence AWS API
endpoints)
Best practice:
• Reduces the attack surface by only allowing outbound traffic
initiated from the VPC
Supporting services
• VPC endpoints
VPC endpoints
(Diagram: the app servers in the VPC's private subnet reach a Service VPC through a VPC endpoint instead of through the NAT gateway and internet gateway.)
No IGW, NGW, or public IP addresses required
VPC gateway endpoints
• Private routed access to Amazon S3 and Amazon DynamoDB
• IAM-based access control
VPC interface endpoints (AWS PrivateLink)
• Private IP access to specific AWS service endpoints and customer endpoints
• Security group access controls
Gateway endpoints—Access control
Robust access control
• Route table association
• Resource policies (for Amazon S3 endpoints)
• VPC endpoints policies
• Prefix lists within security groups
Route table:
| Destination | Target |
| 10.0.1.0/16 | local |
| Prefix List for S3 us-west-2 | VPCE |
Gateway endpoints—VPC endpoints policies
• A VPC endpoint policy is an IAM resource policy that you attach to an endpoint when you create or modify the endpoint
• An endpoint policy does not replace IAM user policies or service-specific policies (such as S3 bucket policies)
• You cannot attach more than one policy to an endpoint
{
  "Statement": [
    {
      "Sid": "vpce-restrict-to-backup-bucket",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::backups-reinvent",
                   "arn:aws:s3:::backups-reinvent/*"]
    }
  ]
}
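The two policies in play for a request through the gateway endpoint, as an added example (not the deck's code): the slide's endpoint policy is evaluated together with a constructed identity policy for the app instances' role, and the request succeeds only when both allow it. The PARC structure from the earlier slide is what the evaluator walks; aws:SourceVpce is a real condition key, vpce-EXAMPLE is a placeholder.

```python
"""Offline model of how a request through a gateway endpoint is authorised:
the endpoint policy from the slide and the identity policy of the caller are
evaluated separately and both must return Allow; an explicit Deny in either
wins. Written for this page as a teaching model of the PARC elements, not
AWS's evaluator. Only the StringEquals / StringNotEquals condition operators
are modelled, the Principal element is assumed to be "*" as in an endpoint
policy, and the identity policy and the vpce-EXAMPLE id are constructed."""
import json
import re

# The endpoint policy shown on the slide
ENDPOINT_POLICY = json.loads("""
{
  "Statement": [
    {
      "Sid": "vpce-restrict-to-backup-bucket",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::backups-reinvent",
                   "arn:aws:s3:::backups-reinvent/*"]
    }
  ]
}
""")

# Constructed identity policy for the app instances' role: read-only, and
# denied outright unless the request arrives through the expected endpoint
IDENTITY_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
    ]
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    """IAM wildcard match: '*' matches any run of characters, '?' one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _condition_holds(condition, context):
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            equal = context.get(key) in _as_list(expected)
            if equal != (operator == "StringEquals"):
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Decision of one policy: 'Allow', explicit 'Deny' or 'ImplicitDeny'."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not any(_glob(a, action.lower()) for a in actions):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"            # explicit deny overrides any allow
        decision = "Allow"
    return decision


def allowed_through_endpoint(action, resource, context=None,
                             endpoint_policy=ENDPOINT_POLICY,
                             identity_policy=IDENTITY_POLICY):
    """The endpoint policy narrows, it never widens: every policy in play
    must allow the request."""
    return all(evaluate(p, action, resource, context) == "Allow"
               for p in (endpoint_policy, identity_policy))


if __name__ == "__main__":
    obj = "arn:aws:s3:::backups-reinvent/db.dump"
    via = {"aws:SourceVpce": "vpce-EXAMPLE"}
    print(allowed_through_endpoint("s3:GetObject", obj, via))                    # True
    print(allowed_through_endpoint("s3:PutObject", obj, via))                    # False: role is read-only
    print(allowed_through_endpoint("s3:GetObject", "arn:aws:s3:::other/x", via)) # False: endpoint policy
    print(evaluate(IDENTITY_POLICY, "s3:GetObject", obj, {}))                    # Deny: not via the endpoint
```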
Gateway endpoints—Prefix list & security groups
• Logical route destination target
• Amazon S3 prefix lists abstract
changes to S3 IP ranges
• Can be used in security group rules
aws ec2 describe-prefix-lists
PREFIXLISTS pl-68a54001
com.amazonaws.us-west-2.s3
CIDRS 54.231.160.0/19
CIDRS 52.218.128.0/18
Let’s take a break—Hands-on time!
• VPC traffic control mechanisms
• Private connectivity to AWS services
• VPC gateway endpoints
Hands-on 3:
Configure (and test) the S3 gateway
endpoint in the app VPC to allow instances
to read data from the S3 logging bucket
(Architecture diagram as in the high-level architecture, highlighting the S3 gateway endpoint and its endpoint policy in APP-VPC used by this hands-on.)
Lab guide: http://bit.ly/net318workshop/
• VPC traffic control mechanisms
• Private connectivity to AWS services
• VPC gateway endpoints
• VPC interface endpoints
VPC interface endpoints (AWS PrivateLink)—Access control
(Diagram: an interface endpoint in the VPC's private subnet gives the app servers a private path to the Service VPC.)
Interface endpoints are created directly inside your VPC
• using elastic network interfaces (ENIs)—one per AZ
• IP addresses in your VPC’s subnets
• Accessible via DX, VPN, and inter-region peering
• Support for private DNS names
• Amazon VPC security groups
VPC interface endpoints (AWS PrivateLink)
Currently supported services
• Specific AWS services (list here: https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html)
• Endpoint services hosted by other AWS accounts
• Supported AWS Marketplace partner services
Let’s take a break—Hands-on time!
• VPC traffic control mechanisms
• Private connectivity to AWS services
• VPC gateway endpoints
• VPC interface endpoints
Hands-on 4:
Establish private connectivity to push
custom metric data from EC2 instances
into Amazon CloudWatch
(Architecture diagram as in the high-level architecture, highlighting the AWS interface endpoints in APP-VPC used by this hands-on.)
Lab guide: http://bit.ly/net318workshop/
What we have learned
Understand VPC traffic control mechanisms and how to use them for external AWS connectivity, private connectivity to AWS services, or for multi-VPC architectures
What’s next to learn
Understand VPC traffic control mechanisms and how to use them for external AWS connectivity, private connectivity to AWS services, or for multi-VPC architectures
Multi-VPC architecture
Use cases
• Peering two or more VPCs to provide access to resources
• Peering to one VPC to access centralized resources
Best practice
• Minimize blast radius for users and networks
Supporting services
• VPC peering
• AWS PrivateLink for customer and partner services
VPC peering
(Diagram: the app servers in the VPC connected to a Service VPC over a peering connection.)
• Networking connection between two VPCs
• Peering connection can be made between
  • Your own VPCs, and/or…
  • …VPCs in another AWS account and/or…
  • …VPCs in another region
• Uses the underlying Amazon VPC infrastructure
• Doesn’t create a bottleneck
• No single point of failure
AWS PrivateLink for customer and partner services
(Diagram: a service consumer VPC with instances in private subnet 10.0.1.0/24 and a VPC endpoint network interface, private IPs 10.0.1.5 and 10.0.1.10 shown, connecting to instances in private subnet 10.0.2.0/24 of the service provider VPC.)
• Great for vending SaaS services securely
• Tenancy:
  • Single-tenant mode: create a PrivateLink NLB for every client/customer
  • Multi-tenant mode: allow many customers to use the same PrivateLink NLB
• Endpoints have regional and zonal DNS names
AWS PrivateLink—Good to know
How do we tell endpoint traffic and different VPCs apart? Three options:
1. Use traditional accounts/passwords/security tokens at application level
2. Use separate NLBs and different listener ports on the targets
3. Enable the ProxyProtocolV2 preamble
Supports traffic in one direction only
Supports TCP, not UDP
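Option 3 in practice, as an added example that is not from the deck: with proxy protocol v2 enabled on the provider's NLB, each connection arriving over PrivateLink begins with a binary preamble that carries the consumer's original source address and a custom TLV (type 0xEA, subtype 0x01) holding the consumer's VPC endpoint id, so the service can tell customers apart or refuse endpoints it does not know. The header bytes and the vpce-EXAMPLE ids below are constructed; a target should only trust this preamble on connections that come from the load balancer.

```python
"""Decode the proxy protocol v2 preamble a Network Load Balancer prepends to
PrivateLink connections and use the VPC endpoint id it carries as a
provider-side admission check. Only TCP over IPv4 is decoded. Written for
this page; the header bytes and endpoint ids are constructed."""
import socket
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_TYPE_AWS = 0xEA                # custom TLV type emitted by the NLB
PP2_SUBTYPE_AWS_VPCE_ID = 0x01     # subtype carrying the VPC endpoint id


def build_pp2_header(src_ip, dst_ip, src_port, dst_port, vpce_id):
    """Build the preamble an NLB would prepend (used here to produce test input)."""
    tlv_value = bytes([PP2_SUBTYPE_AWS_VPCE_ID]) + vpce_id.encode("ascii")
    tlv = struct.pack("!BH", PP2_TYPE_AWS, len(tlv_value)) + tlv_value
    body = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!HH", src_port, dst_port) + tlv)
    # 0x21: version 2, PROXY command; 0x11: AF_INET, STREAM
    return PP2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", len(body)) + body


def parse_pp2_header(data):
    """Decode the preamble; return (info dict, application bytes that follow)."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("not a proxy protocol v2 header")
    ver_cmd, family, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported proxy protocol version")
    body, rest = data[16:16 + length], data[16 + length:]
    if len(body) != length:
        raise ValueError("truncated header")
    if family != 0x11 or len(body) < 12:
        raise ValueError("only TCP over IPv4 is decoded in this example")
    src, dst, src_port, dst_port = struct.unpack("!4s4sHH", body[:12])
    info = {"src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
            "src_port": src_port, "dst_port": dst_port, "vpce_id": None}
    tlvs, pos = body[12:], 0
    while pos + 3 <= len(tlvs):
        tlv_type, tlv_len = struct.unpack("!BH", tlvs[pos:pos + 3])
        value = tlvs[pos + 3:pos + 3 + tlv_len]
        if len(value) != tlv_len:
            raise ValueError("truncated TLV")
        if tlv_type == PP2_TYPE_AWS and value[:1] == bytes([PP2_SUBTYPE_AWS_VPCE_ID]):
            info["vpce_id"] = value[1:].decode("ascii")
        pos += 3 + tlv_len
    return info, rest


def accept_connection(data, allowed_vpce_ids):
    """Provider-side gate: admit only connections from known consumer endpoints.
    Returns (accepted, info, application bytes)."""
    info, payload = parse_pp2_header(data)
    return info["vpce_id"] in allowed_vpce_ids, info, payload


if __name__ == "__main__":
    header = build_pp2_header("10.0.1.5", "10.0.1.10", 40000, 443, "vpce-EXAMPLE1111")
    accepted, info, payload = accept_connection(header + b"GET / HTTP/1.1\r\n",
                                                {"vpce-EXAMPLE1111"})
    print(accepted, info["vpce_id"], info["src_ip"], payload)
    # True vpce-EXAMPLE1111 10.0.1.5 b'GET / HTTP/1.1\r\n'
```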
VPC peering vs AWS PrivateLink
| Use case | VPC peering | AWS PrivateLink |
| Private connection between two VPCs | YES | YES |
| Source IP identification | YES | NO |
| Provide an endpoint service to another VPC | NO | YES |
| Supports overlapping CIDR ranges | NO | YES |
| Bidirectional traffic | YES | NO |
| UDP support | YES | NO |
| Connectivity from DX/VPN | NO | YES |
Let’s take a break—Hands-on time!
• VPC traffic control mechanisms
• Multi-VPC architectures
• AWS PrivateLink
Hands-on 5:
Pass traffic directed to the /service/ URL
from the front-end load balancer
privately to the back-end load balancer
(Architecture diagram as in the high-level architecture, highlighting the AWS interface endpoints that link the WEB-VPC front end to the APP-VPC back end in this hands-on.)
Lab guide: http://bit.ly/net318workshop/
Objective of this chapter
Learn about the VPC-related monitoring
tools and how to use them to detect and
remediate security breaches
What is the role of VPC monitoring?
• Monitoring IP traffic flows
• Detecting malicious or unauthorised behaviour
• Triggering automated remediation
(Icons: VPC Flow logs, CloudWatch Events)
Services and tools for VPC monitoring
(Diagram: service icons grouped under Account, Resources and Network; label shown: VPC Flow logs.)
VPC flow logs
(Diagram: a VPC with subnets 10.0.0.0/24 and 10.0.1.0/24, web servers and app servers; flow logs are captured on the ENIs of both tiers.)
Capture information about the IP traffic going to and from network interfaces in your VPC
Use cases
• Diagnose overly restrictive security controls
• Monitor the traffic reaching your instances
• Identify trends and create alarms in response to specific types of traffic
VPC flow logs format
VPC flow logs—Good to know
• If traffic is sent to a secondary IP address on an ENI, the flow log
displays the primary IPv4 address in the destination IP address field
• Flow log API actions don’t support resource-level permissions
• Not all traffic is captured:
• Traffic sent to the Amazon DNS Server
• Traffic sent to the Windows License Activation server
• Traffic sent to the 169.254.169.254 metadata server
• DHCP request and response traffic
• Traffic to the reserved IP address for the default VPC router
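As an added example (not part of the workshop material), the following Python parses default-format (version 2) flow log records and applies two of the use cases above: counting REJECTed flows per ENI and destination port, and ranking accepted sources by bytes. It skips NODATA/SKIPDATA records, whose traffic fields are '-'; the sample records and ENI/account identifiers are constructed.

```python
"""Added example: summarise default-format VPC flow log records to diagnose
rejected flows and see which sources reach the instances in a VPC."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Field order of the default (version 2) flow log record.
DEFAULT_FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
                  "protocol packets bytes start end action log-status").split()
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}


@dataclass
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str       # for a secondary IP on an ENI this shows the primary IPv4
    srcport: int
    dstport: int
    protocol: int      # IANA protocol number
    packets: int
    byte_count: int
    action: str        # ACCEPT or REJECT
    log_status: str    # OK, NODATA or SKIPDATA


def parse_record(line: str) -> Optional[FlowRecord]:
    """Parse one space-separated record. NODATA/SKIPDATA records carry '-' in
    the traffic fields, so they are returned as None rather than parsed."""
    parts = line.split()
    if len(parts) != len(DEFAULT_FIELDS):
        raise ValueError(f"expected {len(DEFAULT_FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(DEFAULT_FIELDS, parts))
    if rec["log-status"] != "OK":
        return None
    return FlowRecord(
        interface_id=rec["interface-id"], srcaddr=rec["srcaddr"], dstaddr=rec["dstaddr"],
        srcport=int(rec["srcport"]), dstport=int(rec["dstport"]),
        protocol=int(rec["protocol"]), packets=int(rec["packets"]),
        byte_count=int(rec["bytes"]), action=rec["action"], log_status=rec["log-status"],
    )


def rejected_by_port(lines: Iterable[str]) -> Dict[str, Counter]:
    """Per ENI, count REJECTed flows by destination 'proto/port'. Rejects on a
    port the application is meant to serve point at an over-tight security
    group or NACL; rejects on ports it does not serve are traffic to watch."""
    out: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        rec = parse_record(line)
        if rec and rec.action == "REJECT":
            proto = PROTOCOLS.get(rec.protocol, str(rec.protocol))
            out[rec.interface_id][f"{proto}/{rec.dstport}"] += 1
    return dict(out)


def top_talkers(lines: Iterable[str], n: int = 3) -> List[Tuple[str, int]]:
    """Source addresses ranked by bytes ACCEPTed into the VPC's interfaces."""
    totals: Counter = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec and rec.action == "ACCEPT":
            totals[rec.srcaddr] += rec.byte_count
    return totals.most_common(n)


# Constructed sample records (not real log data); the 10.0.0.0/24 and
# 10.0.1.0/24 addresses follow the subnets in the slide diagram.
SAMPLE_LOG = """\
2 123456789012 eni-0aaa111 10.0.0.10 10.0.1.20 49152 8080 6 12 3400 1543276800 1543276860 ACCEPT OK
2 123456789012 eni-0bbb222 10.0.0.10 10.0.1.20 49153 8080 6 3 180 1543276800 1543276860 REJECT OK
2 123456789012 eni-0bbb222 10.0.0.10 10.0.1.20 49154 8080 6 3 180 1543276800 1543276860 REJECT OK
2 123456789012 eni-0bbb222 198.51.100.7 10.0.1.20 40000 22 6 1 44 1543276800 1543276860 REJECT OK
2 123456789012 eni-0bbb222 - - - - - - - 1543276800 1543276860 - NODATA
2 123456789012 eni-0aaa111 203.0.113.5 10.0.0.10 51000 443 6 40 52000 1543276800 1543276860 ACCEPT OK
""".splitlines()

if __name__ == "__main__":
    for eni, counts in rejected_by_port(SAMPLE_LOG).items():
        print(eni, dict(counts))
    print(top_talkers(SAMPLE_LOG))
```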
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon GuardDuty
[Diagram: in the AWS Cloud, VPC flow logs and DNS logs feed GuardDuty's threat intel, ML/AI and anomaly detection; findings rated HIGH, MEDIUM or LOW cover reconnaissance, instance compromise and account compromise and are sent to a SIEM and/or a respond workflow.]
Intelligent continuous security monitoring and threat detection: a fully managed service with integrated threat intelligence, anomaly detection, and machine learning
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon GuardDuty threat detection type details

Reconnaissance
Instance recon:
• Port probe/accepted comm
• Port scan (intra-VPC)
• Brute force attack (IP)
• Drop point (IP)
• Tor communications
Account recon:
• Tor API call (failed)

Instance compromise
• C&C activity
• Malicious domain request
• EC2 on threat list
• Drop point IP
• Malicious comms (ASIS)
• Bitcoin mining
• Outbound DDoS
• Spambot activity
• Outbound SSH brute force
• Unusual network port
• Unusual traffic volume/direction
• Unusual DNS requests
• Domain generation algorithms

Account compromise
• Malicious API call (bad IP)
• Tor API call (accepted)
• CloudTrail disabled
• Password policy change
• Instance launch unusual
• Region activity unusual
• Suspicious console login
• Unusual ISP caller
• Mutating API calls (create, update, delete)
• High volume of describe calls
• Unusual IAM user added

*Signature-based stateless findings *Behavioral stateful findings and anomaly detections (ML driven)
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon GuardDuty—Good to know
• You don’t need to have any logging turned on in your account for GuardDuty to process any of the log types.
• Currently, customers do not have direct access to the DNS logs, so GuardDuty is, in effect, their only means of monitoring these logs.
• All the log collection is done on the back end, as GuardDuty gets the logs directly from the relevant services. So there is no need for architecture changes, no agents, and no account performance impact.
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon CloudWatch—Good to know
• CloudWatch offers a range of capabilities
• Metrics
• Dashboards
• Logs
• Events
• Alarms
• CloudWatch Logs provides a range of benefits
• A useful aggregation point for log data
• The ability to push data into other services
• Integration with third-party services
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What we have learned
Learn about the VPC-related monitoring
tools and how to use them to detect and
remediate security breaches
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What’s next to learn
Learn about the VPC-related monitoring
tools and how to use them to detect and
remediate security breaches
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Automated remediation—VPC security breaches
• Apply controls that can help restore the environment to the “desired” state based on information from detective controls
• Respond with no (or limited) human interaction to security breaches
• Provide a “failsafe” capability when preventive controls fail or are compromised
Supporting services
• CloudWatch Events
• Custom Config rules
• AWS Lambda
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
CloudWatch Events concepts—Good to know
• Driven by API activity
• Concepts:
• Event—indicates a change in your AWS environment
• Target—processes events
• Rule—matches incoming events and routes them to targets for
processing
• Amazon CloudWatch Event bus allows centralized CloudWatch Events
within/between organizations
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Automatic remediation within a VPC
[Diagram: a detect, report, remediate loop: VPC flow logs detect, CloudWatch Events report, and a Lambda function remediates.]
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Show & Tell
Maintain the security of the application VPC by removing any internet gateway that might get attached
[Architecture diagram: WEB-VPC and APP-VPC across AZ-A and AZ-B, with public subnets (PUB-A, PUB-B) and private subnets (PRI-A, PRI-B), web instances (WEB-A, WEB-B) and app instances (APP-A, APP-B), a public route table and main route tables, S3 gateway endpoints with endpoint policies, AWS interface endpoints (VPCE-A, VPCE-B), an internet gateway on WEB-VPC, the SecurityUser policy and role, and WEB-VPC and APP-VPC flow logs delivered to an S3 logging bucket in the Region. Remediation path: an internet gateway attached to APP-VPC raises an event; an event-based rule matches it and its target detaches the gateway.]
Lab guide: http://bit.ly/net318workshop/
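The remediation path in the show & tell, written out as an added example (not the workshop's own Lambda code): a CloudWatch Events rule pattern for the AttachInternetGateway API call, and a Lambda handler that confirms the call targeted the protected VPC, then detaches every gateway actually attached to it. The environment variable name PROTECTED_VPC_ID, the VPC/IGW identifiers and the FakeEc2 stand-in for the boto3 client are assumptions made so the flow runs offline.

```python
"""Added example (not the workshop's own Lambda code): CloudWatch Events rule
pattern plus a Lambda handler that detaches any internet gateway attached to
the protected application VPC."""
import logging
import os
from typing import Any, Dict, List, Optional

logger = logging.getLogger(__name__)

# Rule pattern: CloudTrail API activity arrives as "AWS API Call via CloudTrail",
# so a trail must be logging in the region for this rule to ever match.
EVENT_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ec2.amazonaws.com"],
        "eventName": ["AttachInternetGateway"],
    },
}

# Hypothetical environment variable naming the VPC that must stay private.
PROTECTED_VPC_ENV = "PROTECTED_VPC_ID"


def is_attach_to_protected_vpc(event: Dict[str, Any], protected_vpc_id: str) -> bool:
    """True only for a successful AttachInternetGateway call that targeted the
    protected VPC. The API's request parameters sit under event["detail"]."""
    detail = event.get("detail") or {}
    if detail.get("eventSource") != "ec2.amazonaws.com":
        return False
    if detail.get("eventName") != "AttachInternetGateway":
        return False
    if "errorCode" in detail:  # the call was denied or failed; nothing to undo
        return False
    params = detail.get("requestParameters") or {}
    return params.get("vpcId") == protected_vpc_id


def attached_gateways(ec2, vpc_id: str) -> List[str]:
    """IDs of internet gateways currently attached to vpc_id. Reading the real
    state instead of trusting the event alone also clears a gateway attached
    while the function was unavailable or before the rule existed."""
    resp = ec2.describe_internet_gateways(
        Filters=[{"Name": "attachment.vpc-id", "Values": [vpc_id]}]
    )
    return [igw["InternetGatewayId"] for igw in resp.get("InternetGateways", [])]


def detach_all(ec2, vpc_id: str) -> List[str]:
    """Detach every internet gateway from vpc_id and return the IDs removed."""
    detached = []
    for igw_id in attached_gateways(ec2, vpc_id):
        ec2.detach_internet_gateway(InternetGatewayId=igw_id, VpcId=vpc_id)
        logger.warning("Detached %s from protected VPC %s", igw_id, vpc_id)
        detached.append(igw_id)
    return detached


def lambda_handler(event, context, ec2=None, protected_vpc_id: Optional[str] = None):
    """Rule target. `ec2` and `protected_vpc_id` are injectable so the logic can
    run offline; in Lambda both default to boto3 and the environment."""
    protected_vpc_id = protected_vpc_id or os.environ[PROTECTED_VPC_ENV]
    if not is_attach_to_protected_vpc(event, protected_vpc_id):
        return {"action": "ignored", "detached": []}
    if ec2 is None:
        import boto3  # imported lazily; not needed for the offline run below
        ec2 = boto3.client("ec2")
    return {"action": "remediated", "detached": detach_all(ec2, protected_vpc_id)}


class FakeEc2:
    """Constructed stand-in for the boto3 EC2 client (offline demonstration)."""
    def __init__(self, attachments: Dict[str, str]):
        self.attachments = dict(attachments)  # igw-id -> vpc-id
    def describe_internet_gateways(self, Filters):
        wanted = set(Filters[0]["Values"])
        return {"InternetGateways": [
            {"InternetGatewayId": igw, "Attachments": [{"VpcId": vpc}]}
            for igw, vpc in self.attachments.items() if vpc in wanted]}
    def detach_internet_gateway(self, InternetGatewayId, VpcId):
        del self.attachments[InternetGatewayId]


# Constructed event in the shape CloudWatch Events uses for CloudTrail calls.
SAMPLE_EVENT = {
    "source": "aws.ec2",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AttachInternetGateway",
        "requestParameters": {"internetGatewayId": "igw-0example1",
                              "vpcId": "vpc-0appexample"},
    },
}

if __name__ == "__main__":
    fake = FakeEc2({"igw-0example1": "vpc-0appexample", "igw-0web": "vpc-0webexample"})
    print(lambda_handler(SAMPLE_EVENT, None, ec2=fake, protected_vpc_id="vpc-0appexample"))
```

The Lambda execution role needs only ec2:DescribeInternetGateways and ec2:DetachInternetGateway, which keeps the remediation function itself least-privileged.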
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What we’ve covered today
• Securing the Amazon VPC control plane
  • Securing VPC config
  • Track/audit changes
  • Least privileged access/VPC flow logs
• Controlling VPC traffic flows
  • VPC security basics
  • External AWS traffic
  • VPC private connectivity: gateway endpoints, interface endpoints, PrivateLink
• VPC monitoring & automated remediation
  • Monitoring tools
  • Automated remediation
  • Show & tell
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Finally …
• Don’t forget to delete the CloudFormation stack and any resources you
have created today
• http://bit.ly/net318cleanup/
• Complete the evaluation form (NET318) so we can improve this
workshop next year
• Enjoy the rest of the week!
Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Corina Motoi
Solutions Architect
AWS UK Public Sector
Matt Johnson
Manager, Solutions Architecture
AWS UK Public Sector
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Best Practices for Securing an Amazon VPC (NET318) - AWS re:Invent 2018

  • 1.
  • 2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Corina Motoi Solutions Architect AWS UK Public Sector Matt Johnson Manager, Solutions Architecture AWS UK Public Sector Best Practices for Securing Amazon VPC N E T 3 1 8
  • 3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS re:Invent this workshop In this interactive workshop, we provide practical advice and guidance for designing and building secure Amazon Virtual Private Clouds (Amazon VPCs). Using a hands-on approach, we take you through using Amazon VPC features such as subnets, security groups, AWS PrivateLink, network ACLs, routing, flow logs, and service endpoints. We also share best practices for VPC design and management based on our experience supporting customers running large-scale infrastructures.
  • 4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Welcome to the workshop • We have a number of AWS staff in the room: • Amazonians, please identify yourselves! • Your fellow conference attendees at your table • Say hello, make a new friend  • Work on your own, or get together in small teams (2-3 people) • Decide who will be following along with their laptop • Please feel free to ask questions at any time
  • 5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. If you want to go hands-on, you will need… • Your laptop (use tablets at your own risk!) • An AWS account with: • Full AWS Identity and Access Management (IAM) administrator access • Recommended regions: EU (Dublin, Frankfurt, London), Asia (Singapore, Sydney, Tokyo) • Ability to create two VPCs in your chosen region • Pro tip: Choose a region you don’t normally work in, to avoid hitting limits! • To start the AWS CloudFormation deployment — NOW! • http://bit.ly/net318workshop/ Note: we will provide a $20 credit voucher at the end of the workshop to cover the costs of deploying the workshop resources
  • 6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. VPC monitoring & automated remediation Monitoring tools Automated remediation Show&tell Controlling VPC traffic flows VPC security basics External AWS traffic VPC private connectivity Gateway endpoints Interface endpoints PrivateLink Securing the Amazon VPC control plane Securing VPC config Track/audit changes Least privileged access/VPC flow logs What we are going to cover today
  • 7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Related breakouts Tuesday, November 27 AIOPs – Find Your Needle in the Haystack 1:00 PM – 2:00 PM | Mirage, Montego D, T1 Wednesday, November 28 NET303 - Advanced VPC Design and New Capabilities for Amazon VPC 4:00 PM – 5:00 PM | Aria West, Level 3, Ironwood 5, T1 Wednesday, November 28 NET301 – Best Practices for AWS PrivateLink 4:45 PM – 5:45 PM | Venetian, Level 2, Venetian F, T2
  • 8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Assumptions This workshop assumes an introductory (200 level) familiarity with: • Amazon VPC concepts • Subnets, route tables, gateways • Amazon EC2 concepts • AWS load balancing, • IAM concepts • Users, groups, policies, roles • Other AWS services • AWS Identity and Access Management (IAM) • Amazon CloudWatch • AWS CloudFormation
  • 9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Today’s objectives • By the end of the workshop, you should have built a fully functional VPC architecture, aligned with security best practices in three areas:  VPC control plane  Traffic control  VPC monitoring • You should understand how to implement security measures in a VPC • You (hopefully) have learned something new that you can apply back at your organization
  • 10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Auto Scaling group Users Auto Scaling group AWS Cloud Region VPC VPC High-level architecture Deployment guide here: http://bit.ly/net318workshop/
  • 12. AZ-A AZ-B PRI-A PRI-B APP-A VPCE-A APP-B VPCE-B AZ-A AZ-B VPCE-B VPCE-A WEB-B WEB-A Web instances Main route table S3 gateway endpoint WEB-VPC Web instances Public route table App instances APP-VPC App instances AWS interface endpoints AWS interface endpoints AWS interface endpoints AWS interface endpoints Main route table S3 gateway endpoint Region S3 logging bucket PUB-A PUB-B Internet gateway SecurityUser policy SecurityUser role Endpoint Policy Endpoint policy
  • 13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Objective of this chapter Learn how to configure permissions to manage your VPC and track/audit any changes to its configuration
  • 15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Why secure the Amazon VPC control plane? Securing VPC config Track/audit changes in your VPC environment
  • 16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Objective of this chapter Learn how to configure permissions to manage your VPC and track/audit any changes to its configuration
  • 17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Identity and Access Management (IAM) Assess the following: • What types of users access the resources in a VPC? • What kind of VPC resources are users allowed to access? • What tasks do users need to perform? General rule: • Allow least privilege access when accessing your VPC resources Least privilege access: • Identities: users, groups, roles • Access management: policies and permissions
  • 18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. How IAM works • Principal • Authorization • Action-level permissions • Resource-level permissions • Resource-based permissions • Tag-based permissions • Service-linked roles • Resources
  • 19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. The structure of an IAM policy • JSON-formatted documents • Contain a statement (permissions) that specifies • Which actions a principal can perform • Which resources can be accessed • You can have multiple statements and each statement is comprised of PARC { "Statement":[{ "Effect”: "Allow", "Principal": "*", "Action": "ec2:*", "Resource": "*", "Condition": { "condition": { "key": "value" } } }] }
  • 20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. What we have learned Learn how to configure permissions to manage your VPC and track/audit any changes to its configuration
  • 21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. What’s next to learn Learn how to configure permissions to manage your VPC and track/audit any changes to its configuration
  • 22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS CloudTrail  Capture and log events related to AWS API calls  Increase visibility into your user and resource activity  Discover and troubleshoot security and operational issues
  • 23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Config & AWS Config rules  Record configuration changes continuously  Time-series view of resource changes  Archive and compare  Enforce best practices  Automatically roll-back unwanted changes  Trigger additional workflow Rule
  • 24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Hands-on 2: Authorize the SecurityUser role to enable logging of VPC traffic, and to activate automated security monitoring
  • 26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Services we will be enabling: Amazon GuardDuty Amazon VPC flow logs VPC flow logs
  • 27. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Do you have Amazon GuardDuty already enabled?
  • 28. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Hands-on 2: Back to work! Authorize the SecurityUser role to enable logging of VPC traffic, and to activate automated security monitoring
  • 29. AZ-A AZ-B PRI-A PRI-B APP-A VPCE-A APP-B VPCE-B AZ-A AZ-B VPCE-B VPCE-A WEB-B WEB-A Web instances Main route table S3 gateway endpoint WEB-VPC Web instances Public route table App instances APP-VPC App instances AWS interface endpoints AWS interface endpoints AWS interface endpoints AWS interface endpoints Main route table S3 gateway endpoint Region S3 logging bucket PUB-A PUB-B Internet gateway SecurityUser policy SecurityUser role Endpoint policy Endpoint policy
  • 30. AZ-A AZ-B PRI-A PRI-B APP-A VPCE-A APP-B VPCE-B AZ-A AZ-B VPCE-B VPCE-A WEB-B WEB-A Web instances Main route table S3 gateway endpoint WEB-VPC Web instances Public route table App instances APP-VPC App instances AWS interface endpoints AWS interface endpoints AWS interface endpoints AWS interface endpoints Main route table S3 gateway endpoint Region S3 logging bucket PUB-A PUB-B Internet gateway Endpoint policy Endpoint policy SecurityUser policy SecurityUser role WEB-VPC flow logs APP-VPC flow logs Lab guide: http://bit.ly/net318workshop/
  • 31. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 32. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Objective of this chapter Understand VPC traffic control mechanisms and how to use them for external AWS connectivity, private connectivity to AWS services, or for multi-VPC architectures
  • 33. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Controlling VPC traffic flows Best practice VPC connectivity patterns VPC security basics Connectivity using VPC endpoints and AWS PrivateLink Internet gateway NAT gateway VPC Gateway Endpoint Peering
  • 34. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Let’s start Understand VPC traffic control mechanisms and how to use them for external AWS connectivity, private connectivity to AWS services, or for multi-VPC architectures
• 35. VPC traffic security control mechanisms
  • Subnets: specific to an Availability Zone (AZ); they can be public or private
  • Security group: acts as a virtual firewall for your instance / elastic network interfaces (ENIs) to control inbound and outbound traffic; can be cross-referenced (within a region)
  • Route table: contains a set of rules, called routes, that are used to determine where network traffic is directed. Each subnet in your VPC must be associated with a route table.
  • Network access control lists (NACLs): optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets
• 36. Security groups vs. NACLs
  Security group | Network ACL
  Operates at the instance level | Operates at the subnet level
  Supports allow rules only | Supports allow and deny rules
  Stateful: return traffic is automatically allowed regardless of any rules | Stateless: return traffic must be explicitly allowed by rules
  All rules are evaluated before deciding whether to allow traffic | Rules are evaluated in order when deciding whether to allow traffic
  Applies only to instances explicitly associated with the security group | Automatically applies to all instances launched into associated subnets
  Network ACL note: doesn’t filter traffic to or from link-local addresses (169.254.0.0/16) or AWS-reserved IPv4 addresses; these are the first four IPv4 addresses of the subnet (including the Amazon VPC DNS server).
• 37. Reasons for using network ACLs
  • Allows for separation of duties: different IAM actions mean that management of network ACLs can be handled separately from security group configuration
  • Gives the ability to specify explicit deny rules: allows you to blacklist specific IP addresses/ports
  • Provides a mechanism to sever connection-tracked network flows: immediately drop established connections when security group rules are changed* (* docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#security-group-connection-tracking)
• 38. Gotchas
  • Security groups don’t implicitly allow east-west traffic: instances within a security group can only talk to each other if explicitly allowed by relevant rule(s). Note: the default security group has this exception!
  • Rules that use security group references and/or private address ranges only work for connections that target private IP addresses: connections from within the VPC to public IP addresses will be rejected, because the source will appear to come from a public IP address.
  • When using network ACLs with Amazon Elastic Load Balancers (ELBs), allow health check traffic from the ELB subnets to the backend subnets.
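A small model of the two evaluation semantics compared in the table and in the "Reasons" and "Gotchas" slides, added here as an illustration (it is not code from the workshop or from AWS): security groups are allow-only and stateful, so the reply to an admitted inbound flow needs no outbound rule, while a network ACL evaluates rules in ascending number, stops at the first match, supports an explicit deny, and must allow the ephemeral-port return traffic with its own rule. The addresses, ports and rule numbers are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    cidr: str              # source CIDR for inbound rules, destination CIDR for outbound rules
    port_from: int
    port_to: int
    proto: str = "tcp"     # "-1" means all protocols
    action: str = "allow"  # network ACLs may also use "deny"; security groups never do
    number: int = 0        # network ACL rule number (evaluation order); unused by security groups

    def matches(self, addr: str, port: int, proto: str) -> bool:
        return (self.proto in ("-1", proto)
                and ip_address(addr) in ip_network(self.cidr)
                and self.port_from <= port <= self.port_to)


class SecurityGroup:
    """Allow-only and stateful: all rules are considered, and the reply to an
    admitted flow is allowed by connection tracking regardless of the rules."""

    def __init__(self, inbound, outbound):
        if any(r.action != "allow" for r in inbound + outbound):
            raise ValueError("security groups support allow rules only")
        self.inbound, self.outbound = inbound, outbound
        self._tracked = set()  # (remote addr, local addr, local port, proto)

    def inbound_allowed(self, p: Packet) -> bool:
        if any(r.matches(p.src, p.dport, p.proto) for r in self.inbound):
            self._tracked.add((p.src, p.dst, p.dport, p.proto))
            return True
        return False

    def outbound_allowed(self, p: Packet) -> bool:
        if (p.dst, p.src, p.sport, p.proto) in self._tracked:  # return traffic of a tracked flow
            return True
        return any(r.matches(p.dst, p.dport, p.proto) for r in self.outbound)


class NetworkAcl:
    """Stateless: each direction is evaluated on its own, rules in ascending
    number, first match wins, and the trailing '*' rule denies everything else."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _evaluate(rules, addr, port, proto) -> bool:
        for r in rules:
            if r.matches(addr, port, proto):
                return r.action == "allow"
        return False  # implicit deny

    def inbound_allowed(self, p: Packet) -> bool:
        return self._evaluate(self.inbound, p.src, p.dport, p.proto)

    def outbound_allowed(self, p: Packet) -> bool:
        return self._evaluate(self.outbound, p.dst, p.dport, p.proto)


def demo() -> dict:
    """Run the scenarios from the slides on constructed addresses and return each decision."""
    client, web = "203.0.113.10", "10.0.0.25"  # constructed: TEST-NET-3 client, private web server
    request = Packet(src=client, dst=web, sport=50321, dport=443)
    reply = Packet(src=web, dst=client, sport=443, dport=50321)

    sg = SecurityGroup(inbound=[Rule("0.0.0.0/0", 443, 443)], outbound=[])  # no outbound rules at all
    https_only = [Rule("0.0.0.0/0", 443, 443, number=100)]
    nacl_no_ephemeral = NetworkAcl(inbound=https_only, outbound=https_only)
    nacl_fixed = NetworkAcl(inbound=https_only,
                            outbound=https_only + [Rule("0.0.0.0/0", 1024, 65535, number=110)])
    # An explicit deny for one source range takes effect because its number is lower
    # than the broad allow: the "specify explicit deny rules" case from the slide.
    nacl_blocklist = NetworkAcl(
        inbound=[Rule("203.0.113.0/24", 0, 65535, proto="-1", action="deny", number=50)] + https_only,
        outbound=nacl_fixed.outbound)
    other_request = Packet(src="198.51.100.7", dst=web, sport=40000, dport=443)

    return {
        "sg_request": sg.inbound_allowed(request),
        "sg_reply_without_outbound_rule": sg.outbound_allowed(reply),
        "nacl_request": nacl_no_ephemeral.inbound_allowed(request),
        "nacl_reply_without_ephemeral_rule": nacl_no_ephemeral.outbound_allowed(reply),
        "nacl_reply_with_ephemeral_rule": nacl_fixed.outbound_allowed(reply),
        "nacl_denied_source": nacl_blocklist.inbound_allowed(request),
        "nacl_other_source": nacl_blocklist.inbound_allowed(other_request),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:36} {'ALLOW' if allowed else 'DROP'}")
```

The two middle results are the ones that bite in practice: the same HTTPS-only rule set that works as a security group silently drops every reply when copied into a network ACL, until the outbound ephemeral range is added.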
• 39. What we have learned: Understand VPC traffic control mechanisms and how to use them for external AWS connectivity, private connectivity to AWS services, or for multi-VPC architectures.
• 40. What’s next to learn in this chapter: Understand VPC traffic control mechanisms and how to use them for external AWS connectivity, private connectivity to AWS services, or for multi-VPC architectures.
• 41–42. Securing internet connectivity—Inbound. [Diagram: VPC in an AWS Region, Availability Zone 1 with subnets 10.0.0.0/24 and 10.0.1.0/24, app servers, router, internet gateway to the Internet; slide 42 adds NACLs on the subnets.] Custom route table: Destination 10.0.0.0/16 → Target local; Destination 0.0.0.0/0 → Target igw_id. Do I really need inbound internet traffic to my VPC? Secure traffic by applying the VPC security controls discussed in the previous chapter, and follow best practices to secure your instances.
• 43–45. Securing internet connectivity—Outbound. [Diagram: VPC in an AWS Region, Availability Zone 1; public subnet 10.0.0.0/24 with a NAT gateway (Elastic IP 198.51.100.4) and private subnet 10.0.1.0/24 with app servers; router; internet gateway to the Internet; slide 45 adds NACLs on the subnets.] Public subnet route table: Destination 10.0.0.0/16 → Target local; Destination 0.0.0.0/0 → Target igw_id. Private subnet route table: Destination 10.0.0.0/16 → Target local; Destination 0.0.0.0/0 → Target nat_gateway_id. Do I really need outbound internet access from my VPC? Do I really need outbound internet access from the instances in the private subnet? Secure traffic by applying the VPC security controls discussed in the previous chapter.
• 46. Options for on-premises connectivity
  Option | Use case | Internet connection required | Dedicated network connection | Traffic encryption
  AWS Managed VPN | AWS managed IPsec VPN connection over the internet | YES | – | YES
  Software VPN | Software appliance-based VPN connection over the internet | YES | – | YES
  AWS Direct Connect | Dedicated network connection over private lines | – | YES | –
  AWS Direct Connect plus software VPN | Software appliance-based VPN connection over private lines | – | YES | YES
  AWS Direct Connect plus managed VPN | AWS managed IPsec VPN connection via DX public VIF | YES (DX public VIF) | YES | YES
• 47. What we have learned: Understand VPC traffic control mechanisms and how to use them for external AWS connectivity, private connectivity to AWS services, or for multi-VPC architectures.
• 48. What’s next to learn: Understand VPC traffic control mechanisms and how to use them for external AWS connectivity, private connectivity to AWS services, or for multi-VPC architectures.
• 49. Private connectivity to AWS services. Use cases: scenarios where you have only DX/VPN connectivity to VPCs; no egress from the VPC to public networks (and hence to AWS API endpoints). Best practice: reduces the attack surface by only allowing outbound traffic initiated from the VPC. Supporting service: VPC endpoints.
• 50–53. VPC endpoints. [Diagram: VPC in an AWS Region, Availability Zone 1, public subnet 10.0.0.0/24 and private subnet 10.0.1.0/24 with app servers, reaching a service VPC; slide 50 shows the path via NAT gateway (Elastic IP 198.51.100.4) and internet gateway over the Internet, slides 51–53 replace it with a VPC gateway endpoint.] No IGW, NGW, or public IP addresses required.
  • VPC gateway endpoints: private routed access to Amazon S3 and Amazon DynamoDB; IAM-based access control
  • VPC interface endpoints (AWS PrivateLink): private IP access to specific AWS service endpoints and customer endpoints; security group access controls
• 54. Gateway endpoints—Access control. [Diagram: the VPC from the previous slides with its VPC gateway endpoint.] Robust access control: route table association; resource policies (for Amazon S3 endpoints); VPC endpoint policies; prefix lists within security groups. Example route table: Destination 10.0.1.0/16 → Target local; Destination “Prefix List for S3 us-west-2” → Target VPCE.
• 55. Gateway endpoints—VPC endpoint policies
  • A VPC endpoint policy is an IAM resource policy that you attach to an endpoint when you create or modify the endpoint
  • An endpoint policy does not replace IAM user policies or service-specific policies (such as S3 bucket policies)
  • You cannot attach more than one policy to an endpoint
  Example policy:
    {
      "Statement": [
        {
          "Sid": "vpce-restrict-to-backup-bucket",
          "Principal": "*",
          "Action": ["s3:GetObject", "s3:PutObject"],
          "Effect": "Allow",
          "Resource": ["arn:aws:s3:::backups-reinvent", "arn:aws:s3:::backups-reinvent/*"]
        }
      ]
    }
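To see what the policy above actually gates, here is a small evaluator for the subset of the IAM policy grammar the example uses (Allow/Deny statements with wildcard Action and Resource, Principal "*"), added as an illustration and not part of the workshop material or of any AWS SDK. It shows the endpoint policy refusing any request through the endpoint that is not a GetObject or PutObject on the backups-reinvent bucket, and that the endpoint policy is an extra gate evaluated alongside the caller's own policies (the identity policy below is constructed; bucket policy evaluation is left out of this simplified model).

```python
import fnmatch
import json

# The endpoint policy from the slide.
ENDPOINT_POLICY = json.loads("""
{
  "Statement": [
    {
      "Sid": "vpce-restrict-to-backup-bucket",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::backups-reinvent", "arn:aws:s3:::backups-reinvent/*"]
    }
  ]
}
""")

# Constructed identity policy for the instance role, broad on purpose, to show that
# the endpoint policy narrows what the role can do through this endpoint.
IDENTITY_POLICY = {
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(statement, principal):
    spec = statement.get("Principal", "*")  # identity policies carry no Principal element
    if spec == "*":
        return True
    if isinstance(spec, dict):  # e.g. {"AWS": "arn:aws:iam::123456789012:role/x"}
        spec = [p for v in spec.values() for p in _as_list(v)]
    return principal in _as_list(spec) or "*" in _as_list(spec)


def _statement_matches(statement, action, resource, principal):
    actions = [a.lower() for a in _as_list(statement.get("Action", []))]
    resources = _as_list(statement.get("Resource", []))
    return (_principal_matches(statement, principal)
            and any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)  # actions: case-insensitive
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))     # ARNs: case-sensitive


def policy_allows(policy, action, resource, principal="*"):
    """An explicit Deny wins; otherwise any matching Allow; otherwise implicit deny."""
    decision = False
    for statement in policy["Statement"]:
        if not _statement_matches(statement, action, resource, principal):
            continue
        if statement["Effect"] == "Deny":
            return False
        decision = True
    return decision


def allowed_through_endpoint(action, resource, endpoint_policy=ENDPOINT_POLICY,
                             identity_policy=IDENTITY_POLICY):
    """A request crossing the gateway endpoint must be allowed by the endpoint policy
    AND by the caller's own policies (simplified here to a single identity policy)."""
    return (policy_allows(endpoint_policy, action, resource)
            and policy_allows(identity_policy, action, resource))


if __name__ == "__main__":
    checks = [
        ("s3:GetObject", "arn:aws:s3:::backups-reinvent/db/2018-11-27.dump"),
        ("s3:PutObject", "arn:aws:s3:::backups-reinvent/db/2018-11-28.dump"),
        ("s3:PutObject", "arn:aws:s3:::other-bucket/file.tar"),  # any other bucket: refused
        ("s3:DeleteObject", "arn:aws:s3:::backups-reinvent/db/2018-11-27.dump"),
        ("s3:ListBucket", "arn:aws:s3:::backups-reinvent"),
    ]
    for action, resource in checks:
        verdict = "allow" if allowed_through_endpoint(action, resource) else "deny"
        print(f"{action:16} {resource:52} {verdict}")
```

Note that ListBucket on the bucket ARN is denied even though the ARN is listed: the action is not in the policy, so instances behind this endpoint can read and write backups but cannot enumerate or delete them, whatever their role permits.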
• 56. Gateway endpoints—Prefix list & security groups
  • Logical route destination target
  • Amazon S3 prefix lists abstract changes to S3 IP ranges
  • Can be used in security group rules
  Example (AWS CLI, text output):
    $ aws ec2 describe-prefix-lists
    PREFIXLISTS  pl-68a54001  com.amazonaws.us-west-2.s3
    CIDRS  54.231.160.0/19
    CIDRS  52.218.128.0/18
• 57. Let’s take a break—Hands-on time! Progress: ✓ VPC traffic control mechanisms ✓ Private connectivity to AWS services ✓ VPC gateway endpoints
• 59. Hands-on 3: Configure (and test) the S3 gateway endpoint in the app VPC to allow instances to read data from the S3 logging bucket.
• 60–61. [Workshop architecture diagram, as on slides 29–30: APP-VPC with PRI-A/PRI-B, app instances APP-A/APP-B, main route table, S3 gateway endpoint and AWS interface endpoints in VPCE-A/VPCE-B; WEB-VPC with PUB-A/PUB-B, web instances WEB-A/WEB-B, public route table, internet gateway, S3 gateway endpoint and AWS interface endpoints; S3 logging bucket, SecurityUser role and policy, WEB-VPC and APP-VPC flow logs. Slide 61 highlights the APP-VPC S3 gateway endpoint and its endpoint policy.] Lab guide: http://bit.ly/net318workshop/
• 62. Progress: ✓ VPC traffic control mechanisms ✓ Private connectivity to AWS services ✓ VPC gateway endpoints ✓ VPC interface endpoints
• 63. VPC interface endpoints (AWS PrivateLink)—Access control. [Diagram: VPC in an AWS Region, Availability Zone 1, public subnet 10.0.0.0/24 with NAT gateway and private subnet 10.0.1.0/24 with app servers, reaching a service VPC.] Interface endpoints are created directly inside your VPC: using elastic network interfaces (ENIs), one per AZ; IP addresses in your VPC’s subnets; accessible via DX, VPN, and inter-region peering. Support for private DNS names. Protected with Amazon VPC security groups.
• 64. VPC interface endpoints (AWS PrivateLink)—Currently supported services: specific AWS services (list here: https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html); endpoint services hosted by other AWS accounts; supported AWS Marketplace partner services.
• 65. Let’s take a break—Hands-on time! Progress: ✓ VPC traffic control mechanisms ✓ Private connectivity to AWS services ✓ VPC gateway endpoints ✓ VPC interface endpoints
• 67. Hands-on 4: Establish private connectivity to push custom metric data from EC2 instances into Amazon CloudWatch.
• 68–69. [Workshop architecture diagram, as on slides 29–30: APP-VPC and WEB-VPC with their subnets, instances, route tables, S3 gateway endpoints, AWS interface endpoints, S3 logging bucket, SecurityUser role and policy, endpoint policies and flow logs. Slide 69 highlights the AWS interface endpoints in the APP-VPC.] Lab guide: http://bit.ly/net318workshop/
• 70. What we have learned: Understand VPC traffic control mechanisms and how to use them for external AWS connectivity, private connectivity to AWS services, or for multi-VPC architectures.
• 71. What’s next to learn: Understand VPC traffic control mechanisms and how to use them for external AWS connectivity, private connectivity to AWS services, or for multi-VPC architectures.
• 72. Multi-VPC architecture. Use cases: peering two or more VPCs to provide access to resources; peering to one VPC to access centralized resources. Best practice: minimize blast radius for users and networks. Supporting services: VPC peering; AWS PrivateLink for customer and partner services.
• 73. VPC peering. [Diagram: VPC in an AWS Region, Availability Zone 1, public subnet 10.0.0.0/24 with NAT gateway and private subnet 10.0.1.0/24 with app servers, peered to a service VPC.] A networking connection between two VPCs. A peering connection can be made between your own VPCs, and/or VPCs in another AWS account, and/or VPCs in another region. Uses the underlying Amazon VPC infrastructure: doesn’t create a bottleneck; no single point of failure.
• 74. AWS PrivateLink for customer and partner services. [Diagram: service consumer VPC with private subnet 10.0.1.0/24, instances (private IP 10.0.1.5) and a VPC endpoint network interface (private IP 10.0.1.10), connected to a service provider VPC with private subnet 10.0.2.0/24 and instances.] Great for vending SaaS services securely. Tenancy: single-tenant mode creates a PrivateLink NLB for every client/customer; multi-tenant mode allows many customers to use the same PrivateLink NLB. Endpoints have regional and zonal DNS names.
• 75. AWS PrivateLink—Good to know. How do we tell endpoint traffic and different VPCs apart? Three options: 1. use traditional accounts/passwords/security tokens at the application level; 2. use separate NLBs and different listener ports on the targets; 3. enable the ProxyProtocolV2 preamble. PrivateLink supports traffic in one direction only, and supports TCP, not UDP.
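The third option, the ProxyProtocolV2 preamble, is the only one of the three that tells the service provider which consumer VPC endpoint a TCP connection arrived through. The parser below is an added illustration, not part of the workshop or of any AWS SDK: it decodes a PROXY protocol v2 header as an NLB target receives it, reads the VPC endpoint ID from the AWS-specific TLV (type 0xEA, subtype 0x01), and looks the ID up in the provider's list of known consumers. The header bytes, endpoint IDs, tenant names and addresses are constructed for the example; the build function exists only so the parser can be exercised offline.

```python
import struct
from ipaddress import IPv4Address

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte PROXY protocol v2 signature
PP2_VERSION_PROXY = 0x21                    # version 2, command PROXY
PP2_TCP_OVER_IPV4 = 0x11                    # address family INET, transport STREAM
PP2_TYPE_AWS = 0xEA                         # AWS custom TLV type
PP2_SUBTYPE_AWS_VPCE_ID = 0x01              # first value byte: the VPC endpoint ID follows


def parse_proxy_v2(data: bytes) -> dict:
    """Decode a PROXY v2 header for TCP over IPv4; return addresses, endpoint ID and payload."""
    if not data.startswith(PP2_SIGNATURE):
        raise ValueError("no PROXY protocol v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd != PP2_VERSION_PROXY:
        raise ValueError(f"unsupported version/command byte 0x{ver_cmd:02x}")
    if fam_proto != PP2_TCP_OVER_IPV4:
        raise ValueError("only TCP over IPv4 is handled in this example")
    body = data[16:16 + length]
    if len(body) != length or length < 12:
        raise ValueError("truncated header")
    src, dst, sport, dport = struct.unpack("!4s4sHH", body[:12])
    vpce_id = None
    pos = 12
    while pos + 3 <= length:  # walk the TLVs that follow the address block
        tlv_type, tlv_len = struct.unpack("!BH", body[pos:pos + 3])
        value = body[pos + 3:pos + 3 + tlv_len]
        if len(value) != tlv_len:
            raise ValueError("truncated TLV")
        if tlv_type == PP2_TYPE_AWS and value and value[0] == PP2_SUBTYPE_AWS_VPCE_ID:
            vpce_id = value[1:].decode("ascii")
        pos += 3 + tlv_len
    return {
        "src": f"{IPv4Address(src)}:{sport}",
        "dst": f"{IPv4Address(dst)}:{dport}",
        "vpce_id": vpce_id,
        "payload": data[16 + length:],
    }


def build_proxy_v2(src: str, sport: int, dst: str, dport: int, vpce_id: str, payload: bytes) -> bytes:
    """Construct a header of the same shape, so the parser can be run without an NLB."""
    tlv_value = bytes([PP2_SUBTYPE_AWS_VPCE_ID]) + vpce_id.encode("ascii")
    body = (IPv4Address(src).packed + IPv4Address(dst).packed
            + struct.pack("!HH", sport, dport)
            + struct.pack("!BH", PP2_TYPE_AWS, len(tlv_value)) + tlv_value)
    header = PP2_SIGNATURE + struct.pack("!BBH", PP2_VERSION_PROXY, PP2_TCP_OVER_IPV4, len(body))
    return header + body + payload


def consumer_for(vpce_id, known_consumers: dict):
    """Map an endpoint ID to a known consumer; None means a connection from an unexpected endpoint."""
    return known_consumers.get(vpce_id)


# Constructed: the provider has accepted endpoint connections from two consumers.
KNOWN_CONSUMERS = {
    "vpce-0123456789abcdef0": "tenant-alpha",
    "vpce-0fedcba9876543210": "tenant-beta",
}

if __name__ == "__main__":
    wire = build_proxy_v2("10.0.1.5", 49152, "10.0.2.20", 443,
                          "vpce-0123456789abcdef0", b"GET / HTTP/1.1\r\n")
    info = parse_proxy_v2(wire)
    print(info["src"], "->", info["dst"], "via", info["vpce_id"],
          "=", consumer_for(info["vpce_id"], KNOWN_CONSUMERS))
```

The source address in the header is the consumer-side private IP, which can overlap between tenants; the endpoint ID is what uniquely identifies the consumer, so in multi-tenant mode it is the field to key authorization and per-tenant logging on.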
• 76. VPC peering vs AWS PrivateLink
  Use case | VPC peering | AWS PrivateLink
  Private connection between two VPCs | YES | YES
  Source IP identification | YES | NO
  Provide an endpoint service to another VPC | NO | YES
  Supports overlapping CIDR ranges | NO | YES
  Bidirectional traffic | YES | NO
  UDP support | YES | NO
  Connectivity from DX/VPN | NO | YES
• 77. Let’s take a break—Hands-on time! Progress: ✓ VPC traffic control mechanisms ✓ Multi-VPC architectures ✓ AWS PrivateLink
• 79. Hands-on 5: Pass traffic directed to the /service/ URL from the front-end load balancer privately to the back-end load balancer.
• 80–81. [Workshop architecture diagram, as on slides 29–30: APP-VPC and WEB-VPC with their subnets, instances, route tables, S3 gateway endpoints, AWS interface endpoints, S3 logging bucket, SecurityUser role and policy, endpoint policies and flow logs. Slide 81 highlights the APP-VPC app instances and the WEB-VPC web instances.] Lab guide: http://bit.ly/net318workshop/
• 83. Objective of this chapter: Learn about the VPC-related monitoring tools and how to use them to detect and remediate security breaches.
• 84. What is the role of VPC monitoring? Monitoring IP traffic flows; detecting malicious or unauthorised behaviour; triggering automated remediation. Tools: VPC flow logs, CloudWatch Events.
• 86. Services and tools for VPC monitoring. [Diagram: Account, Resources and Network layers; VPC flow logs at the network layer.]
• 87–90. VPC flow logs. [Diagram: VPC in an AWS Region, Availability Zone 1, public subnet 10.0.0.0/24 with web servers and NAT gateway, private subnet 10.0.1.0/24 with app servers; flow logs captured on each ENI.] Capture information about the IP traffic going to and from network interfaces in your VPC. Use cases: diagnose overly restrictive security controls; monitor the traffic reaching your instances; identify trends and create alarms in response to specific types of traffic.
• 91. VPC flow logs format. [Diagram of the flow log record fields.]
• 92. VPC flow logs—Good to know
  • If traffic is sent to a secondary IP address on an ENI, the flow log displays the primary IPv4 address in the destination IP address field
  • Flow log API actions don’t support resource-level permissions
  • Not all traffic is captured: traffic sent to the Amazon DNS server; traffic sent to the Windows license activation server; traffic sent to the 169.254.169.254 metadata server; DHCP request and response traffic; traffic to the reserved IP address for the default VPC router
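The format slide survives only as a picture, so here is the default (version 2) record layout written out as code, together with the kind of check the "identify trends and create alarms" use case has in mind, run over a handful of records. This is an added illustration, not workshop material: the account ID, interface ID, addresses and timestamps are invented, and the threshold and window are arbitrary starting points. Records whose log-status is NODATA or SKIPDATA carry dashes instead of traffic fields and are skipped.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Default VPC flow log record (version 2): space separated, fields in this order.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "nbytes", "start", "end", "action", "log_status"]
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "nbytes", "start", "end"}


@dataclass
class FlowRecord:
    version: int
    account_id: str
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int      # IANA protocol number: 6 = TCP, 17 = UDP
    packets: int
    nbytes: int
    start: int         # epoch seconds, start of the aggregation window
    end: int
    action: str        # ACCEPT or REJECT
    log_status: str    # OK, NODATA or SKIPDATA


def parse_record(line: str) -> Optional[FlowRecord]:
    """Parse one default-format record; return None for NODATA/SKIPDATA records."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    raw = dict(zip(FIELDS, parts))
    if raw["log_status"] != "OK":
        return None
    return FlowRecord(**{k: (int(v) if k in INT_FIELDS else v) for k, v in raw.items()})


def parse_records(lines: Iterable[str]) -> List[FlowRecord]:
    return [r for r in (parse_record(line) for line in lines if line.strip()) if r is not None]


def rejected_port_spread(records, min_ports=5, window_s=600):
    """Flag (srcaddr, dstaddr) pairs whose REJECTed TCP flows touched at least min_ports
    distinct destination ports within window_s seconds: the shape a port probe leaves
    in flow logs, and a reasonable candidate for a CloudWatch alarm."""
    seen = defaultdict(list)  # (src, dst) -> [(start, dstport)]
    for r in records:
        if r.action == "REJECT" and r.protocol == 6:
            seen[(r.srcaddr, r.dstaddr)].append((r.start, r.dstport))
    findings = []
    for (src, dst), hits in seen.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= window_s}
            if len(ports) >= min_ports:
                findings.append({"src": src, "dst": dst, "ports": sorted(ports), "first_seen": t0})
                break
    return findings


# Constructed records: account, ENI, addresses and times are invented.
SAMPLE_LOG = """
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.5 10.0.2.20 49152 443 6 12 3456 1543312000 1543312060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.23 10.0.2.20 40001 22 6 1 60 1543312010 1543312070 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.23 10.0.2.20 40002 23 6 1 60 1543312011 1543312071 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.23 10.0.2.20 40003 3389 6 1 60 1543312012 1543312072 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.23 10.0.2.20 40004 445 6 1 60 1543312013 1543312073 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.23 10.0.2.20 40005 8080 6 1 60 1543312014 1543312074 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 - - - - - - - 1543312020 1543312080 - NODATA
2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.9 10.0.2.20 51000 443 6 3 180 1543312030 1543312090 REJECT OK
"""

if __name__ == "__main__":
    for f in rejected_port_spread(parse_records(SAMPLE_LOG.splitlines())):
        print(f"possible port probe from {f['src']} to {f['dst']}: ports {f['ports']}")
```

The single REJECT from 203.0.113.9 is not flagged: one refused connection is what the "diagnose overly restrictive security controls" use case looks at, whereas the spread across many ports from one source is the pattern worth alarming on.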
• 93. Amazon GuardDuty: intelligent continuous security monitoring and threat detection; a fully managed service with integrated threat intelligence, anomaly detection, and machine learning. [Diagram: VPC flow logs and DNS logs from the AWS Cloud feed threat intel, ML/AI and anomaly detection; findings (HIGH, MEDIUM, LOW) for reconnaissance, instance compromise and account compromise go to a SIEM and/or trigger a RESPOND step.]
• 94. Amazon GuardDuty threat detection type details
  Reconnaissance. Instance recon: port probe/accepted comm; port scan (intra-VPC); brute force attack (IP); drop point (IP); Tor communications. Account recon: Tor API call (failed).
  Instance compromise: C&C activity; malicious domain request; EC2 on threat list; drop point IP; malicious comms (ASIS); Bitcoin mining; outbound DDoS; spambot activity; outbound SSH brute force; unusual network port; unusual traffic volume/direction; unusual DNS requests; domain generation algorithms.
  Account compromise: malicious API call (bad IP); Tor API call (accepted); CloudTrail disabled; password policy change; unusual instance launch; unusual region activity; suspicious console login; unusual ISP caller; mutating API calls (create, update, delete); high volume of describe calls; unusual IAM user added.
  Legend: * signature-based stateless findings; * behavioral stateful findings and anomaly detections (ML driven).
• 95. Amazon GuardDuty—Good to know
  • You don’t need to have any logging turned on in your account in order for GuardDuty to process any of the log types.
  • Currently, customers do not have direct access to the DNS logs, so GuardDuty is, in effect, their only means of monitoring these logs.
  • All the logging is done on the back end, as GuardDuty gets the logs directly from the relevant services. So there is no need for architecture changes, no agents, and no account performance impact.
• 96. Amazon CloudWatch—Good to know. CloudWatch offers a range of capabilities: metrics, dashboards, logs, events, alarms. CloudWatch Logs provides a range of benefits: a useful aggregation point for log data; the ability to push data into other services; integration with third-party services.
• 97. What we have learned: Learn about the VPC-related monitoring tools and how to use them to detect and remediate security breaches.
• 98. What’s next to learn: Learn about the VPC-related monitoring tools and how to use them to detect and remediate security breaches.
• 99. Automated remediation—VPC security breaches
  • Apply controls that can help restore the environment to the “desired” state based on information from detective controls
  • Respond with no (or limited) human interaction to security breaches
  • Provides a “failsafe” capability when preventive controls fail or are compromised
  Supporting services: CloudWatch Events; custom Config rules; AWS Lambda
• 100. CloudWatch Events concepts—Good to know. Driven by API activity. Concepts: Event (indicates a change in your AWS environment); Target (processes events); Rule (matches incoming events and routes them to targets for processing). The Amazon CloudWatch Events event bus allows centralized CloudWatch Events within/between organizations.
• 101. Automatic remediation within a VPC: Detect → Report → Remediate, built from VPC flow logs, CloudWatch Events and a Lambda function.
• 103. Show & Tell: Maintain the security of the application VPC by removing any internet gateway that might get attached.
• 104–105. [Workshop architecture diagram, as on slides 29–30: APP-VPC and WEB-VPC with their subnets, instances, route tables, S3 gateway endpoints, AWS interface endpoints, S3 logging bucket, SecurityUser role and policy, endpoint policies and flow logs. Slide 105 shows an internet gateway being attached to APP-VPC, which raises an event (event-based) that matches a rule whose target detaches the gateway.] Lab guide: http://bit.ly/net318workshop/
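The show-and-tell wires a CloudWatch Events rule to a Lambda function. Below is an added illustration of both halves (not the workshop's own solution code): the event pattern that matches the CloudTrail-delivered AttachInternetGateway call, and a handler that detaches the gateway again when the VPC is one that must stay private. The protected VPC IDs are read from an assumed PROTECTED_VPC_IDS environment variable; the sample event, resource IDs and account number are constructed; and the EC2 client is passed in as a parameter so the decision logic can be exercised offline with a recording stub.

```python
import json
import os

# CloudWatch Events rule pattern: CloudTrail-delivered EC2 API call events for AttachInternetGateway.
EVENT_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ec2.amazonaws.com"],
        "eventName": ["AttachInternetGateway"],
    },
}


def protected_vpcs() -> set:
    """VPC IDs that must never have an internet gateway (assumed env var PROTECTED_VPC_IDS)."""
    return {v.strip() for v in os.environ.get("PROTECTED_VPC_IDS", "").split(",") if v.strip()}


def remediate(event: dict, ec2, protected: set) -> dict:
    """Detach the gateway named in the event if it was attached to a protected VPC."""
    detail = event.get("detail") or {}
    if detail.get("eventName") != "AttachInternetGateway":
        return {"action": "ignored", "reason": "not an AttachInternetGateway event"}
    if detail.get("errorCode"):  # the attach call itself failed, so there is nothing to undo
        return {"action": "ignored", "reason": f"API call failed: {detail['errorCode']}"}
    params = detail.get("requestParameters") or {}
    igw_id, vpc_id = params.get("internetGatewayId"), params.get("vpcId")
    if not igw_id or not vpc_id:
        return {"action": "ignored", "reason": "request parameters missing"}
    if vpc_id not in protected:
        return {"action": "ignored", "reason": f"{vpc_id} is not a protected VPC"}
    ec2.detach_internet_gateway(InternetGatewayId=igw_id, VpcId=vpc_id)
    return {
        "action": "detached",
        "vpc": vpc_id,
        "igw": igw_id,
        "attached_by": (detail.get("userIdentity") or {}).get("arn"),
        "source_ip": detail.get("sourceIPAddress"),
    }


def handler(event, context):
    """Lambda entry point; boto3 is present in the Lambda runtime and imported lazily here."""
    import boto3
    result = remediate(event, boto3.client("ec2"), protected_vpcs())
    print(json.dumps(result))  # lands in CloudWatch Logs as the audit trail of the remediation
    return result


class RecordingEc2:
    """Stand-in for the boto3 EC2 client, used to run the logic without AWS access."""

    def __init__(self):
        self.calls = []

    def detach_internet_gateway(self, **kwargs):
        self.calls.append(kwargs)
        return {}


# Constructed CloudTrail event as delivered by CloudWatch Events (IDs and account are invented).
SAMPLE_EVENT = {
    "source": "aws.ec2",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AttachInternetGateway",
        "sourceIPAddress": "203.0.113.50",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/someone"},
        "requestParameters": {
            "internetGatewayId": "igw-0abc12345def67890",
            "vpcId": "vpc-0a1b2c3d4e5f67890",
        },
    },
}

if __name__ == "__main__":
    ec2 = RecordingEc2()
    print(remediate(SAMPLE_EVENT, ec2, {"vpc-0a1b2c3d4e5f67890"}))
    print(ec2.calls)
```

The function's IAM role needs only ec2:DetachInternetGateway, scoped as tightly as the account's resource naming allows; the returned record (who attached the gateway, from where) is what the "Report" step of the Detect → Report → Remediate flow should forward on.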
• 107. What we’ve covered today
  • Securing the Amazon VPC control plane: securing VPC config; track/audit changes; least-privileged access; VPC flow logs
  • Controlling VPC traffic flows: VPC security basics; external AWS traffic; VPC private connectivity (gateway endpoints, interface endpoints, PrivateLink)
  • VPC monitoring & automated remediation: monitoring tools; automated remediation; show & tell
• 108. Finally…
  • Don’t forget to delete the CloudFormation stack and any resources you have created today: http://bit.ly/net318cleanup/
  • Complete the evaluation form (NET318) so we can improve this workshop next year
  • Enjoy the rest of the week!
• 109. Thank you! Corina Motoi, Solutions Architect, AWS UK Public Sector; Matt Johnson, Manager, Solutions Architecture, AWS UK Public Sector