Infrastructure Security: Your Minimum Security Baseline
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Security Groups / Network ACL Comparison

Security Group                                                        | Network ACL
Operates at the instance level                                        | Operates at the subnet level
Supports allow rules only                                             | Supports allow rules and deny rules
Stateful: return traffic is automatically allowed, regardless of any rules | Stateless: return traffic must be explicitly allowed by rules
We evaluate all rules before deciding whether to allow traffic        | We process rules in number order when deciding whether to allow traffic
Applies to an instance only if the security group is specified        | Automatically applies to all instances in the subnets
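The stateful/stateless and ordering differences in the comparison above, as an added simulation (not AWS code; the rule sets and addresses are constructed samples): a security group evaluates every allow rule and admits the reply automatically, while a network ACL walks rules in number order, stops at the first match, and needs an explicit outbound rule for the ephemeral-port return traffic.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rule number (evaluation order); unused for security groups
    action: str      # "allow" or "deny" (security groups support "allow" only)
    proto: str       # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound rules


def matches(rule: Rule, proto: str, port: int, ip: str) -> bool:
    """Does the rule cover this protocol/port/address triple?"""
    return (rule.proto in ("all", proto)
            and rule.port_from <= port <= rule.port_to
            and ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr))


def sg_allows(rules, proto, port, ip) -> bool:
    """Security group: all rules are evaluated; any matching allow rule admits
    the packet. There are no deny rules, so rule order is irrelevant."""
    if any(r.action != "allow" for r in rules):
        raise ValueError("security groups support allow rules only")
    return any(matches(r, proto, port, ip) for r in rules)


def nacl_allows(rules, proto, port, ip) -> bool:
    """Network ACL: rules are processed in ascending number order and the first
    match decides; a packet matching no rule hits the implicit deny (*)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, proto, port, ip):
            return rule.action == "allow"
    return False


def sg_flow_allowed(inbound, proto, port, client_ip) -> bool:
    """Stateful: once the request is admitted, the reply is allowed automatically,
    so outbound rules are never consulted for return traffic."""
    return sg_allows(inbound, proto, port, client_ip)


def nacl_flow_allowed(inbound, outbound, proto, port, client_ip, client_port) -> bool:
    """Stateless: the request must pass the inbound rules AND the reply, sent back
    to the client's ephemeral port, must pass the outbound rules explicitly."""
    return (nacl_allows(inbound, proto, port, client_ip)
            and nacl_allows(outbound, proto, client_port, client_ip))


# Constructed rule sets for an HTTPS instance/subnet (sample values, not a real deployment)
SG_INBOUND = [Rule(0, "allow", "tcp", 443, 443, "0.0.0.0/0")]
NACL_INBOUND = [Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0"),
                Rule(90, "deny", "tcp", 443, 443, "203.0.113.0/24")]  # constructed block-list, lower number wins
NACL_OUTBOUND_SERVICE_ONLY = [Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0")]
NACL_OUTBOUND_WITH_EPHEMERAL = NACL_OUTBOUND_SERVICE_ONLY + [Rule(110, "allow", "tcp", 1024, 65535, "0.0.0.0/0")]
```

Running `nacl_flow_allowed` with `NACL_OUTBOUND_SERVICE_ONLY` shows the classic stateless mistake: the request is admitted on 443 but the reply to the client's ephemeral port is dropped until the 1024-65535 outbound rule is added.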
Elastic Load Balancers (ELB)

Feature                          | ALB         | NLB | CLB
Protocols                        | HTTP, HTTPS | TCP | TCP, SSL, HTTP, HTTPS
Health Checks                    | ✔           | ✔   | ✔
Load Balancing multiple ports    | ✔           | ✔   |
Path-Based Routing               | ✔           |     |
Cross-zone load balancing        | ✔           |     | ✔
SSL offloading                   | ✔           |     | ✔
Server Name Indication (SNI)     | ✔           |     |
Back-end server encryption       | ✔           |     | ✔
• Application LB
– Layer 7
– SSL
• Network LB
– Layer 4 (TCP)
– Ultra low latency
• Classic LB
– Layer 4/7
– Only for EC2 Classic
– Not recommended
State Manager: Overview
Define and maintain consistent configuration of operating systems and applications running in your data center or in AWS
§ Control configuration details such as anti-virus settings, iptables, etc.
§ Define your own schedules for deployment reviews
§ Compare actual deployments against specified configuration policy
§ State Manager reapplies policies if state drift is detected
§ Query State Manager to view status of deployments
Summary
• Ingress filtering capability: use VPC design in combination with security groups and NACLs to establish boundaries
• Egress filtering capability: use security groups, NACLs, NAT gateways, route tables and VPC endpoints
• DDoS mitigation capability: use CloudFront (Shield) & Route 53 to mitigate layer 3 and 4 attacks
• Vulnerability & Patch management capability: use Inspector and SSM
• Use SSM for:
– Configuration and patch compliance
– Secure privileged access to instances
– Automated patch management
– Software inventory & licensing compliance
– Secrets vaulting