With so many organizations gradually migrating their IT infrastructure to the Cloud these days – or even specifically engineering their products with Cloud deployment in mind, it’s not surprising that you may have considered going the same way at some point in the future. You may have thought that you will soon have to embrace digital transformation and what our digital era brings to the table. The benefits of doing so are, after all, numerous. And no matter if you want to move your existing systems to the Cloud, or establish there the backbone of your newly founded business from the beginning, the AWS platform is undoubtedly one of your best choices. Our topic is, of course, Amazon VPC.
Networks on the Cloud
Amazon VPCs (aka Virtual Private Cloud) are, in practice, containers for virtual networks and other AWS resources – like Amazon EC2 instances, which reside on the Cloud. You can operate them pretty much just like traditional computer networks, such as those found at a local data center. Of course, as with any other mission critical system, it is of paramount importance to make certain that they are secure.
So, what about security?
As you may already know, any device that is connected to the Internet, should be considered potentially vulnerable to some kind of cyber-attack. This is a fundamental concept, that most IT specialists and computer geeks are well familiar with. And, as anticipated, it applies to your Amazon VPC as well. Furthermore, IT security is in general even more crucial nowadays, than it was a couple of decades ago.
Why, you ask? Well, do you use social media? What about email? Have you ever paid for groceries with your smartwatch or phone? Or bought goods from eBay? Like it or not, information -such as your credit card data- is constantly being moved around, processed, and stored on the Cloud. Our society is dependent on the Internet. One could say that data is gold in our era. Thus, you’d better guard it. Because, trust me, many would like to grab it and run.
Thankfully, AWS provides all the necessary tools to help you safeguard your infrastructure. However, in order to achieve good results, you may have to raise your sleeves and fine-tune some things on your own. For starters, you need to understand what your first line of defense against digital threats consists of. And which are the best practices when it comes to utilizing the array of weapons at your disposal.
A fully featured toolbox
In order to deter malicious actors, it is necessary to deploy a basic layer of defensive measures on your Amazon VPC. AWS offers a rich set of features to help you enhance security in your environments. Employing these features optimally can lead to great results. More specifically, the main tools at your disposal are security groups, network access control lists (ACLs) and flow logs.
Layered firewall
Security groups are applied at the instance level. Thus, they are quite similar, both in features and operation, to a software firewall that runs on a single server. Think of them as your apartment’s door: It isolates your property from the outside world, yet it doesn’t protect the rest of your building. As one would expect, like most firewalls, security groups can be configured to control inbound and outbound traffic from and to specific IP addresses and port ranges. You can assign up to five security groups to a single Amazon EC2 instance.
Access control lists (ACLs), on the other hand, are applied on the subnet level. They are more comparable to the firewall of a router, that stands between a private network and the Internet. Or, using the door analogy again, ACLs act more like the main gate of your building: Not only it isolates each flat, but it also keeps the rest of the building secure. Using ACLs is optional, however they can act as an extra level of protection for your cloud assets. Keep in mind that ACLs are based on a strict rule hierarchy system, which favors lower-numbered rules over higher-numbered ones.
At their core, nonetheless, both security groups and ACLs achieve the same function: Stop potential intruders before they have a chance to get closer. You can think of them as independent, yet interrelated features. By using them in combination, you strengthen your fortifications. But in order to get the most out of these tools, you also need to know how they differ from each other.
We can summarize the main differences between security groups and ACLs, as following:
| Security Groups | Network ACLs | |
| Scope | Applied at the instance level | Applied on the subnet level |
| Policy | Can set “allow” rules | Can set “allow” and “deny” rules |
| Is stateful | Yes | No |
| Rule evaluation | All rules are evaluated equally | Actions depend on rule hierarchy |
| Setup | Manually assigned per instance | Auto-assigned to every instance in the subnet |
For more details, you can refer to the official AWS documentation.
Follow the traces
While employing a firewall – or in our case security group or network ACL — which can definitely help you keep intruders away, it is really important to know exactly what’s moving through your networks. This will not only increase your chances of identifying possible attack vectors — or actual intrusion attempts — but also troubleshoot connectivity issues. AWS enables you to do this via flow logs. Think of them as filters you can apply to your Amazon VPCs – on subnets, or even individual network interfaces. What they do is actually really simple; they capture network traffic data, which can be published to Amazon S3, or Amazon CloudWatch Logs. This way, all collected information can easily be accessed and reviewed later.
It isn’t hard to understand why VPC flow logs are so useful. Complementing Amazon’s security mechanisms, they can provide beneficial insights for your IT teams. Thus, allowing you to fail-proof your security strategy, making sure that nothing unwelcome will get past your defenses. Even if it somehow does, the information found on these logs can give your people the upper hand when dealing with the threat.
Get your Cloud secured. It ‘s easy!
As you can see, AWS provides everything you need in order to safeguard your Amazon VPC. However, understanding how to correctly use those arrows in your quiver, is the key to the equation. As the saying goes, a tool is only as good as the person using it. Here at Stackmasters, we firmly believe that deep knowledge is the most important asset when it comes to IT security. And we look forward to share it with you. Do you need to learn more about Amazon VPC? Contact us, so we can further discuss your needs, and come up with the best security strategy for your business.