At DigitalCloudAdvisor, we are passionate about security. On the network side, we treat the network as the first point at which any attacker will try to reach your environment, so protecting your data starts with protecting your network. We follow a defence-in-depth approach (the onion model: several independent layers of control, one on top of the other) when securing a network. Having a separate control at each layer means that an attacker who gets past one layer immediately runs into the next, and the cost and noise of every further step go up. Below is the solution we recommended to a customer who had concerns about the security of their network.
When we secure a network, we start from the outside of the environment and work inwards to the core, the database layer. In this example, we created the security layers as follows:
1st layer. We created a CloudFront distribution in front of our customer's application. Amazon CloudFront is the AWS CDN (Content Delivery Network): it caches your website or application content at AWS edge locations around the world for better performance, which also makes those edge locations the first place where incoming traffic is inspected. It comes with some useful security features built in.
2nd layer. CloudFront integrates with AWS Shield, which gives you DDoS protection. Shield Standard is applied to every CloudFront distribution automatically and at no extra cost; Shield Advanced is an optional paid tier that adds more detailed attack visibility, response support from AWS and cost protection for scaling caused by an attack.
3rd layer. CloudFront also integrates with ACM (AWS Certificate Manager), which issues and automatically renews public TLS certificates, so the connection from the client to the edge is encrypted. Two practical points: a certificate used by CloudFront must be requested in the us-east-1 (N. Virginia) region, and TLS at the edge only covers the first hop, so the connection from CloudFront to your origin has to be set to HTTPS separately (the distribution's origin protocol policy) if you want encryption all the way to the entry point of your environment.
4th layer. CloudFront also integrates with AWS WAF (Web Application Firewall), which inspects layer 7 (HTTP/HTTPS) traffic. In AWS WAF you can use AWS managed rule groups, your own rules, or both. The managed groups are maintained and updated by AWS on a regular basis; the Core rule set (AWSManagedRulesCommonRuleSet), for example, covers the categories in the OWASP Top 10 such as injection and cross-site scripting, and separate groups exist for known bad inputs and SQL injection. When you enable a managed group, start it in count mode and review the matches before switching to block, so that legitimate traffic with unusual payloads is not rejected. So an attacker has to deal with four controls before even reaching the edge of your own infrastructure.
Now we reach the customer's VPC (Amazon VPC). At the entry point into the environment, we recommend using an Application Load Balancer (ALB).
5th layer. Adding an ALB. Many AWS customers think that the ALB has nothing to do with security; we would argue otherwise. Unlike the NLB (Network Load Balancer), which forwards at layer 4, the ALB understands HTTP and makes its routing decisions on it. Its security-relevant features are the following. It integrates with ACM, so you can attach an ACM certificate at the load balancer and terminate TLS there; if you also want the hop from the ALB to the web servers encrypted, point the target group at HTTPS and have the instances serve their own certificate, because the ALB terminates the client's connection rather than passing it through. It is the natural place to start security group chaining, so it becomes the single control point for traffic entering your environment. You can associate AWS WAF with the ALB as well, and you should, because an ALB with a public DNS name is otherwise reachable directly, bypassing CloudFront and the WAF in front of it; restrict the ALB's security group to the AWS-managed CloudFront origin-facing prefix list, or require a secret custom origin header that CloudFront adds and the WAF checks, so that only CloudFront can reach it. Finally, if you want a record of the traffic that passes the ALB, enable ALB access logs to S3 for later analysis; VPC Flow Logs are a separate, lower-level record of accepted and rejected connections at the network interface level and are worth enabling alongside them.
6th layer. At the subnet level we implemented network ACLs (NACLs), chained so that, as traffic flows from one subnet to the next, only requests from the previous subnet are allowed (for example, the web subnet accepts HTTP only from the ALB subnet). One caveat: NACLs are stateless and are evaluated in rule-number order with an implicit deny at the end, so you must also add outbound rules that allow the reply traffic back to the previous subnet's ephemeral port range; otherwise the request is accepted and the connection then silently fails.
7th layer. At the instance level we implemented security group controls, so that, for example, the only traffic accepted on the web tier is traffic from the ALB's security group. Because a security group rule can reference another security group rather than an IP range, this still holds when the ALB's addresses change, and a host in the same subnet that is not a member of the ALB's security group is still refused. Security groups are stateful, so unlike NACLs they need no separate rule for the reply traffic.
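To make the difference between the 6th and 7th layers concrete, here is an added example (not code from the original post) that evaluates one TCP flow from the ALB subnet to the web subnet against a stateless, ordered NACL and against a stateful, allow-only security group that references the ALB's security group. All CIDRs, security group IDs and rule numbers are constructed for illustration, and the evaluator is a simplified model of the AWS behaviour, not the AWS implementation.

```python
"""Added example: a small evaluator for a subnet NACL (stateless, ordered,
allow or deny) and a security group (stateful, allow-only, may reference
another security group). Topology, CIDRs and IDs are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

EPHEMERAL = (1024, 65535)  # simplified return-port range for NACL reply rules


@dataclass(frozen=True)
class NaclRule:
    number: int      # evaluated lowest number first; first match wins
    direction: str   # "in": match source addr + dest port; "out": dest addr + dest port
    cidr: str
    ports: tuple     # inclusive (low, high) destination port range
    action: str      # "allow" or "deny"


def nacl_allows(rules, direction, addr, port):
    """First matching rule decides; no match means the implicit deny (*)."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.direction != direction:
            continue
        if ip_address(addr) in ip_network(r.cidr) and r.ports[0] <= port <= r.ports[1]:
            return r.action == "allow"
    return False


def nacl_permits_tcp_flow(rules, client, dport, sport):
    """NACLs keep no connection state: the request inbound from the client and
    the reply outbound to the client's ephemeral port must each match an allow."""
    request_ok = nacl_allows(rules, "in", client, dport)
    reply_ok = nacl_allows(rules, "out", client, sport)
    return request_ok and reply_ok


@dataclass(frozen=True)
class SgRule:
    port: int
    source_sg: Optional[str] = None    # chaining: allow members of another SG
    source_cidr: Optional[str] = None


def sg_allows(rules, src_sg, src_ip, dport):
    """Security groups are stateful (the reply is implicitly allowed) and
    allow-only: any matching rule permits the request, no match means deny."""
    for r in rules:
        if r.port != dport:
            continue
        if r.source_sg is not None and r.source_sg == src_sg:
            return True
        if r.source_cidr is not None and ip_address(src_ip) in ip_network(r.source_cidr):
            return True
    return False


# Constructed topology: ALB subnet 10.0.1.0/24 in front of web subnet 10.0.2.0/24.
ALB_SUBNET = "10.0.1.0/24"


def web_subnet_nacl(with_return_rule=True):
    """NACL attached to the web subnet; the return rule is what people forget."""
    rules = [
        NaclRule(90, "in", "10.0.1.66/32", (80, 80), "deny"),   # block one noisy host first
        NaclRule(100, "in", ALB_SUBNET, (80, 80), "allow"),     # HTTP from the ALB subnet
    ]
    if with_return_rule:
        rules.append(NaclRule(100, "out", ALB_SUBNET, EPHEMERAL, "allow"))  # replies to the ALB
    return rules


# Web-tier security group: only members of the ALB's security group may reach port 80.
WEB_SG_RULES = [SgRule(port=80, source_sg="sg-alb")]


def evaluate_layers():
    """Outcome of a few flows through both layers, keyed by what each one shows."""
    return {
        "nacl_stateless_ok": nacl_permits_tcp_flow(web_subnet_nacl(True), "10.0.1.50", 80, 43210),
        "nacl_missing_return_rule": nacl_permits_tcp_flow(web_subnet_nacl(False), "10.0.1.50", 80, 43210),
        "nacl_deny_ordered_first": nacl_permits_tcp_flow(web_subnet_nacl(True), "10.0.1.66", 80, 43210),
        "sg_from_alb": sg_allows(WEB_SG_RULES, "sg-alb", "10.0.1.50", 80),
        "sg_from_bastion_same_subnet": sg_allows(WEB_SG_RULES, "sg-bastion", "10.0.1.50", 80),
        "sg_ssh_from_alb": sg_allows(WEB_SG_RULES, "sg-alb", "10.0.1.50", 22),
    }


if __name__ == "__main__":
    for name, allowed in evaluate_layers().items():
        print(f"{name:30s} {'ALLOW' if allowed else 'DENY'}")
```

The two failure modes worth noticing are `nacl_missing_return_rule`, where the request is accepted but the reply is dropped because the NACL has no state, and `sg_from_bastion_same_subnet`, where a host inside the trusted ALB subnet is still refused because it is not a member of the referenced security group.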
8th layer. When our client runs an organisation with many accounts, we recommend AWS Firewall Manager. It requires AWS Organizations and a designated administrator account, and from there it lets you define baseline policies once and enforce them across all accounts and resources for AWS WAF, AWS Shield Advanced, Amazon VPC security groups, AWS Network Firewall and Amazon Route 53 Resolver DNS Firewall, flagging or remediating resources that drift from the policy. This simplifies administration and maintenance considerably compared with configuring each account by hand.
9th layer. We also recommended enabling Amazon GuardDuty. GuardDuty is a threat-detection service that analyses CloudTrail events, VPC Flow Logs and Route 53 DNS query logs for the account (it reads these independently, so you do not need to enable the logs yourself) using threat intelligence and machine learning, and raises findings such as an instance talking to a known command-and-control address or credentials being used from an unexpected location. Route the findings to your administrators through EventBridge so that they are actually seen and acted on.
Further layers can be added deeper, at the individual resource level, with IAM identity-based policies (who may do what) and resource-based policies attached to the resource itself (S3 bucket policies, KMS key policies and the like), applying least privilege in each. Exactly which ones are needed depends on the use case and the architectural design, which in turn follow the customer's business model.
This was just one model that DigitalCloudAdvisor presented to meet this client's needs; many further security controls could still be integrated. We always weigh what the client actually needs for a secure business against the cost, and don't spend on unnecessarily provisioned resources.
We know and understand that companies have to manage their budgets. No system is impenetrable, but a strong layered approach means each layer an attacker has to get through raises the cost and the noise of the attempt, so your business can flourish instead of spending its time dealing with incidents.
Get in touch today to find out our Security recommendations for your infrastructure.