
Securing your vpc in aws


Agenda for the session.
1. Creating public and private subnets with Elastic IP, Route tables, IGW and NAT Gateways
2. VPC Security components: Security Groups (SG), Network Access Control Lists (NACL), Flow Logs.
3. Mitigating DDoS.
4. VPC Peering
5. VPC Cleanup

  1. VPC Security
     n|u - The Open security community, Chennai Meet
     Presenter: Vinoth Kumar
     Date: 17/02/2018
  2. About Me
     Application security engineer. Blogger @ Email @ Tweet @vinothpkumar
  3. Topics covered
     ● Introduction to VPC.
     ● VPC Creation.
       ○ Subnets, Route tables, IGW, Elastic IP, NAT Gateways
     ● Security Components in VPC
       ○ Security Groups
       ○ Network ACLs
       ○ Flow Logs
     ● Mitigating DDoS
     ● VPC Peering
     ● VPC Cleanup
  4. Introduction to VPC
     Amazon VPC enables you to launch AWS resources into a virtual network that you've defined. This virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure of AWS.
     A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud. You can launch your AWS resources, such as Amazon EC2 instances, into your VPC. You can configure your VPC by modifying its IP address range, creating subnets, and configuring route tables, network gateways, and security settings.
  5. VPC Creation
  6. VPC Sample Network
  7. Security components in VPC
     Amazon VPC provides features that you can use to increase and monitor the security of your VPC:
     ● Security groups: act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level
     ● Network access control lists (ACLs): act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level
     ● Flow logs: capture information about the IP traffic going to and from network interfaces in your VPC
     Source:
  8. VPC Architecture with Network ACLs and SG
     ● Comparison of SG and Network ACLs
     ● Use Cases for SG and Network ACLs
     Source: UserGuide/VPC_Security.html#VPC_Security_Comparison
  9. Security Groups - Associated with Instances
     ● A security group acts as a virtual firewall for your instance to control inbound and outbound traffic.
     ● For each security group, you add rules that control the inbound traffic to instances, and a separate set of rules that control the outbound traffic: a "Deny All and Allow Some" approach.
     ● Security groups are stateful.
     ● When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups.
     ● You can specify allow rules, but not deny rules.
     Source:
  10. Network ACLs - Associated with Subnets
     ● A network access control list (ACL) is a security layer for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. Network ACLs are stateless.
     ● When you add or remove rules from a network ACL, the changes are automatically applied to the subnets it is associated with.
     ● Your VPC automatically comes with a modifiable default network ACL. By default, it allows all inbound and outbound IPv4 traffic.
     ● You can create a custom network ACL and associate it with a subnet. By default, each custom network ACL denies all inbound and outbound traffic until you add rules.
     ● Each subnet in your VPC must be associated with a network ACL. If you don't explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.
     Source:
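The two properties that slides 9 and 10 contrast, stateful allow-only security groups versus stateless, numbered network ACLs, are easiest to see in a toy evaluator. The following is an added example, not code from the slides or from AWS; the rule class, the CIDRs, the ports and the rule numbers are all constructed, and it models only the parts of rule evaluation the slides describe (first-match by rule number with an implicit final deny for a NACL; any-match allow with connection tracking for a security group).

```python
from ipaddress import ip_address, ip_network
from dataclasses import dataclass
from typing import List, Set, Tuple

# A packet as (proto, src, sport, dst, dport); all values constructed for the demo.
Packet = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Rule:
    number: int     # evaluation order for a network ACL; ignored by a security group
    proto: str      # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str       # remote CIDR: source for inbound rules, destination for outbound
    action: str     # "allow" or "deny"

    def matches(self, proto: str, port: int, remote: str) -> bool:
        return (self.proto in ("all", proto)
                and self.port_from <= port <= self.port_to
                and ip_address(remote) in ip_network(self.cidr))


class SecurityGroup:
    """Stateful, allow-only, unordered: any matching allow rule admits a packet, and
    the reply to an admitted packet is admitted without consulting the rules."""

    def __init__(self, inbound: List[Rule], outbound: List[Rule]):
        if any(r.action != "allow" for r in inbound + outbound):
            raise ValueError("security groups accept allow rules only")
        self.inbound, self.outbound = inbound, outbound
        self._tracked: Set[Packet] = set()   # toy connection table

    @staticmethod
    def _evaluate(rules: List[Rule], proto: str, port: int, remote: str) -> bool:
        return any(r.matches(proto, port, remote) for r in rules)

    def _reverse(self, pkt: Packet) -> Packet:
        proto, src, sport, dst, dport = pkt
        return (proto, dst, dport, src, sport)

    def inbound_allowed(self, pkt: Packet) -> bool:
        if self._reverse(pkt) in self._tracked:   # reply to a tracked outbound flow
            return True
        proto, src, _sport, _dst, dport = pkt
        ok = self._evaluate(self.inbound, proto, dport, src)
        if ok:
            self._tracked.add(pkt)
        return ok

    def outbound_allowed(self, pkt: Packet) -> bool:
        if self._reverse(pkt) in self._tracked:   # reply to a tracked inbound flow
            return True
        proto, _src, _sport, dst, dport = pkt
        ok = self._evaluate(self.outbound, proto, dport, dst)
        if ok:
            self._tracked.add(pkt)
        return ok


class NetworkACL:
    """Stateless and ordered: rules are tried by ascending number, the first match
    decides, and an implicit final rule denies everything. Replies get no special
    treatment, so return traffic needs its own rule (the ephemeral port range)."""

    def __init__(self, inbound: List[Rule], outbound: List[Rule]):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _evaluate(rules: List[Rule], proto: str, port: int, remote: str) -> bool:
        for r in rules:
            if r.matches(proto, port, remote):
                return r.action == "allow"
        return False   # the catch-all "*" deny rule

    def inbound_allowed(self, pkt: Packet) -> bool:
        proto, src, _sport, _dst, dport = pkt
        return self._evaluate(self.inbound, proto, dport, src)

    def outbound_allowed(self, pkt: Packet) -> bool:
        proto, _src, _sport, dst, dport = pkt
        return self._evaluate(self.outbound, proto, dport, dst)


def demo() -> dict:
    """HTTPS request into a constructed instance 10.0.1.10 and its reply."""
    request: Packet = ("tcp", "203.0.113.5", 51234, "10.0.1.10", 443)
    reply: Packet = ("tcp", "10.0.1.10", 443, "203.0.113.5", 51234)
    allow_https = Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")

    # Security group: no outbound rule at all, yet the reply passes (stateful).
    sg = SecurityGroup(inbound=[allow_https], outbound=[])
    sg_result = (sg.inbound_allowed(request), sg.outbound_allowed(reply))

    # NACL that only mirrors port 443 outbound: the reply to port 51234 is dropped.
    naive = NetworkACL(inbound=[allow_https], outbound=[allow_https])
    naive_result = (naive.inbound_allowed(request), naive.outbound_allowed(reply))

    # NACL with the outbound ephemeral-port rule the stateless model requires.
    ephemeral = Rule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")
    fixed = NetworkACL(inbound=[allow_https], outbound=[ephemeral])
    fixed_result = (fixed.inbound_allowed(request), fixed.outbound_allowed(reply))

    # Rule numbers matter: a lower-numbered deny for one range wins over a later allow.
    blocking = NetworkACL(
        inbound=[Rule(100, "tcp", 443, 443, "203.0.113.0/24", "deny"),
                 Rule(110, "tcp", 443, 443, "0.0.0.0/0", "allow")],
        outbound=[ephemeral])
    other: Packet = ("tcp", "198.51.100.7", 40000, "10.0.1.10", 443)
    ordering_result = (blocking.inbound_allowed(request), blocking.inbound_allowed(other))

    return {"security_group": sg_result, "nacl_naive": naive_result,
            "nacl_fixed": fixed_result, "nacl_ordering": ordering_result}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `nacl_naive` case is the classic mistake when a custom NACL replaces the default one: inbound 443 is allowed, but without an outbound rule covering ephemeral ports every response is silently dropped, and flow logs show the REJECT on the outbound side.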
  11. Flow Logs
     ● VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC.
     ● Flow log data is stored using Amazon CloudWatch Logs. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs.
     ● Flow logs can help you with a number of tasks; for example, to troubleshoot why specific traffic is not reaching an instance, which in turn can help you diagnose overly restrictive security group rules. You can also use flow logs as a security tool to monitor the traffic that is reaching your instance.
     Source:
  12. Mitigating DDoS
     ● Have provisions to scale as traffic surges; the same capacity serves normal business growth and absorbs a DDoS attack.
       ○ ELB, Auto Scaling.
     ● Minimize the attack surface area: keep the infrastructure decoupled.
       ○ Avoid running multiple services on a single server; put the application and the DB server on different instances.
     ● Know what is normal and what is abnormal.
       ○ Define key metrics to understand the behaviour (CloudWatch). Huge traffic at 2am is something unusual.
     ● Create a plan for attacks.
       ○ Check the IP, geolocation and nature of the attack, and whether SGs or Network ACLs can help in this case.
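Slides 11 and 12 together describe a workflow: read flow log records, use REJECTs to spot overly restrictive rules or probing, and compare traffic volume against what is normal for the hour. The following is an added example, not code from the slides or from AWS. It parses the default version-2 flow log record layout (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status) and runs two simple checks over a constructed batch of records; the account id, ENI id, addresses, byte counts and timestamps are all made up for the demo, and the threshold of five times the median hour is an assumption, not an AWS setting.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone
from statistics import median
from typing import Dict, List

# Field order of the default (version 2) VPC Flow Logs record format.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}


def _ts(hour: int, minute: int) -> int:
    """Epoch seconds for a constructed timestamp on 2024-03-01 UTC."""
    return int(datetime(2024, 3, 1, hour, minute, tzinfo=timezone.utc).timestamp())


# Constructed sample records. Account id and ENI id are placeholders; addresses come
# from documentation ranges; protocol 6 is TCP.
ACCT, ENI = "123456789012", "eni-0123456789abcdef0"
SAMPLE = "\n".join([
    f"2 {ACCT} {ENI} 172.31.16.139 172.31.16.21 20641 22 6 20 4249 {_ts(14, 5)} {_ts(14, 6)} ACCEPT OK",
    f"2 {ACCT} {ENI} 203.0.113.12 172.31.16.21 49152 443 6 30 6100 {_ts(14, 20)} {_ts(14, 21)} ACCEPT OK",
    f"2 {ACCT} {ENI} 198.51.100.7 172.31.16.21 50211 443 6 35 7300 {_ts(15, 10)} {_ts(15, 11)} ACCEPT OK",
] + [
    # one source hitting six closed ports in a row; each flow is REJECTed by the SG/NACL
    f"2 {ACCT} {ENI} 198.51.100.23 172.31.16.21 40000 {port} 6 1 44 {_ts(15, 30)} {_ts(15, 31)} REJECT OK"
    for port in (21, 23, 25, 135, 445, 3389)
] + [
    # a 52 MB burst at 02:15, far outside the daytime pattern (the slide's "huge traffic at 2am")
    f"2 {ACCT} {ENI} 192.0.2.44 172.31.16.21 51000 443 6 40000 52000000 {_ts(2, 15)} {_ts(2, 16)} ACCEPT OK",
    # a NODATA record: no traffic in the window, so most fields are '-'
    f"2 {ACCT} {ENI} - - - - - - - {_ts(3, 0)} {_ts(3, 1)} - NODATA",
])


def parse_flow_log(text: str) -> List[Dict]:
    """Split whitespace-separated records into dicts; '-' fields become None."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "version":       # blank line or header row
            continue
        if len(parts) != len(FIELDS):                 # malformed; a real pipeline would count these
            continue
        rec = dict(zip(FIELDS, parts))
        for f in INT_FIELDS:
            rec[f] = None if rec[f] == "-" else int(rec[f])
        records.append(rec)
    return records


def rejected_port_sweeps(records: List[Dict], min_ports: int = 5) -> Dict[str, List[int]]:
    """Sources whose REJECTed flows touch many distinct destination ports. Seen from
    a trusted source this usually means an overly restrictive rule set; from an
    unknown one it is probing, and either way it is worth a look."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT" and r["dstport"] is not None:
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def hourly_bytes(records: List[Dict]) -> Dict[int, int]:
    """Bytes accepted or rejected per UTC hour of day, keyed by the flow start time."""
    buckets: Counter = Counter()
    for r in records:
        if r["start"] is None or r["bytes"] is None:  # NODATA / SKIPDATA rows
            continue
        buckets[datetime.fromtimestamp(r["start"], tz=timezone.utc).hour] += r["bytes"]
    return dict(buckets)


def unusual_hours(buckets: Dict[int, int], factor: int = 5) -> List[int]:
    """Hours whose volume exceeds `factor` times the median hour (assumed threshold)."""
    if len(buckets) < 2:
        return []
    baseline = median(buckets.values())
    return sorted(h for h, b in buckets.items() if b > factor * baseline)


def analyze(text: str) -> Dict:
    records = parse_flow_log(text)
    hourly = hourly_bytes(records)
    return {"records": len(records), "sweeps": rejected_port_sweeps(records),
            "hourly": hourly, "unusual_hours": unusual_hours(hourly)}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

On real data the baseline would come from days or weeks of CloudWatch metrics rather than from the same batch, but the shape is the same: parse, aggregate by the dimension that defines "normal", and alert on the outliers.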
  13. VPC Peering
     ● A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses.
     ● Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account.
     ● No transitive peering.
     Source:
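Two constraints sit behind the peering slide: AWS will not create a peering between VPCs whose CIDR blocks overlap, and peering is not transitive, so A peered with B and B peered with C gives A no path to C. The following is an added example, not code from the slides or from AWS: a small planning model that enforces both rules and lists the route table entries each side of a peering needs. The VPC names, CIDRs and the `pcx-<a>-<b>` id format are constructed placeholders (real peering connection ids look like `pcx-` followed by a hex string).

```python
from ipaddress import ip_network
from typing import Dict, List, Set, Tuple


def _pcx(a: str, b: str) -> str:
    """Placeholder peering-connection id; constructed for the demo."""
    return "pcx-" + "-".join(sorted((a, b)))


class PeeringPlan:
    """Peerings between named VPCs: rejects overlapping CIDRs, never infers transitive routes."""

    def __init__(self) -> None:
        self.vpcs: Dict[str, List] = {}
        self.peerings: Set[frozenset] = set()

    def add_vpc(self, name: str, *cidrs: str) -> None:
        self.vpcs[name] = [ip_network(c) for c in cidrs]

    def peer(self, a: str, b: str) -> str:
        if a == b:
            raise ValueError("a VPC cannot peer with itself")
        for x in self.vpcs[a]:
            for y in self.vpcs[b]:
                if x.overlaps(y):
                    raise ValueError(f"{a} {x} overlaps {b} {y}; this peering cannot be created")
        self.peerings.add(frozenset((a, b)))
        return _pcx(a, b)

    def can_reach(self, src: str, dst: str) -> bool:
        """Only a direct peering (or the same VPC) yields a route; no transitivity."""
        return src == dst or frozenset((src, dst)) in self.peerings

    def route_entries(self, vpc: str) -> List[Tuple[str, str]]:
        """(destination CIDR, target) rows the VPC's route tables need for its peers."""
        entries = []
        for p in self.peerings:
            if vpc in p:
                (peer,) = p - {vpc}
                for c in self.vpcs[peer]:
                    entries.append((str(c), _pcx(vpc, peer)))
        return sorted(entries)


def demo() -> dict:
    plan = PeeringPlan()
    plan.add_vpc("prod", "10.0.0.0/16")
    plan.add_vpc("shared", "10.1.0.0/16")
    plan.add_vpc("dev", "10.2.0.0/16")
    plan.add_vpc("legacy", "10.1.128.0/17")   # overlaps the shared VPC
    plan.peer("prod", "shared")
    plan.peer("shared", "dev")
    try:
        plan.peer("shared", "legacy")
        overlap_rejected = False
    except ValueError:
        overlap_rejected = True
    return {
        "prod_to_shared": plan.can_reach("prod", "shared"),
        "prod_to_dev": plan.can_reach("prod", "dev"),     # False: no transitive peering
        "shared_routes": plan.route_entries("shared"),
        "overlap_rejected": overlap_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The route entries are the part people forget: creating and accepting the peering connection is not enough, each VPC's route tables need a route for the peer's CIDR pointing at the `pcx`, and the security groups on both ends still have to allow the traffic.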
  14. VPC Cleanup
     Deleting the created Subnets, SGs, NACLs, IGW, Route Tables, NICs and VPC Peering connections.
  15. Resources
     ● 
     ● Udemy courses
       ○ Author - Zeal Vora
         ■ AWS Cloud Practitioner
         ■ AWS Certified Security Specialty
  16. Tha