Infrastructure security - Coggle Diagram
AWS Config
AWS Config records the configuration of resources and every change to it; to find out who made a change (access monitoring) it relies on the CloudTrail event that caused the change
requires an IAM role with read-only permissions to all resources, write access to the S3 logging bucket and publish access to the SNS topic
Trusted Advisor
advises you on Cost Optimization, Performance, Security, Fault Tolerance (and Service Limits)
DDoS
AWS Shield Standard protects against SYN/UDP floods, reflection attacks and other layer 3 and 4 attacks; it is on automatically for every AWS account at no extra cost
Shield Advanced is the paid, opt-in tier that you enable when you front resources with ELB, CloudFront or Route 53 (it adds larger-scale mitigation, cost protection against scaling charges and the DDoS Response Team)
Safeguard exposed resources (e.g. by using geo-restriction, CloudFront, Route 53, WAFs)
in Route 53, alias record sets let you route traffic to AWS resources such as a CloudFront distribution; alias records are also supported in private hosted zones
mitigation
minimize the attack surface (e.g. a bastion host with a whitelisted set of source IPs: the attack surface is reduced to a few hardened, explicitly exposed entry points)
WAF
If you are subject to regulatory compliance such as PCI or HIPAA you may be able to use AWS Marketplace rule groups (managed rules from security vendors) to satisfy web application firewall requirements
WAF Sandwich = EC2 instances running your (third-party) WAF are placed in an Auto Scaling group between 2 ELBs: the outer ELB takes traffic in, the WAF instances filter it, and the inner ELB distributes the clean traffic to the application tier
AWS Certificate Manager
renews the certificates it issued automatically; imported certificates are not renewed, and ACM cannot renew a certificate whose domain only exists in a Route 53 private hosted zone because the validation records are not publicly resolvable
Load Balancer
Network LB should be used if you need ultra-high performance, static IP addresses, or you want to terminate TLS/SSL on the EC2 instance itself (TCP passthrough). Usually you should use an ALB
with Elastic Load Balancing you can terminate TLS/SSL either on the LB (the LB holds the certificate; traffic to the instances is plain or re-encrypted) or on your EC2 instances (end-to-end encryption; the instances hold the certificate)
API gateway
Throttling: if there are too many requests (above the limit) API Gateway replies with "429 Too Many Requests" (the default account-level limit is 10,000 requests per second with a burst of 5,000; stage, method and usage-plan limits can set lower values)
caching is NOT enabled by default; when you enable it the default TTL is 300 seconds (5 minutes) and it can be raised up to 3,600 seconds (1 hour)
An API Gateway Lambda authorizer (formerly custom authorizer) is a Lambda function that you provide to control access to your API methods: it receives the caller's token (or request parameters) and returns an IAM policy that API Gateway evaluates and can cache.
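The following is an added example of a TOKEN-type Lambda authorizer, not AWS code and not part of the original notes. The token format (base64 `user:expiry` plus an HMAC tag), the signing key and the "Bearer" header handling are assumptions made for illustration; a real authorizer would typically validate a JWT or look the token up in a store. What it shows is the contract: verify the credential, then return an IAM policy scoped to the invoked method, or raise `Unauthorized` so API Gateway answers 401.

```python
import base64
import binascii
import hashlib
import hmac
import time

# Assumption: a shared HMAC key; in a real deployment this would come from
# Secrets Manager or be replaced by asymmetric JWT verification.
SECRET = b"example-hmac-key-do-not-use"


def make_token(user, expires_at):
    """Create a token in the assumed format: base64url(user:expiry).hex(hmac)."""
    payload = f"{user}:{expires_at}".encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + mac


def verify_token(token, now=None):
    """Return the user name if the token is well-formed, authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        b64, mac = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, binascii.Error):
        return None  # malformed token
    expected = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return None  # tampered or forged
    user, _, exp = payload.decode(errors="replace").partition(":")
    if not exp.isdigit() or int(exp) < now:
        return None  # expired or bad expiry field
    return user


def policy(principal, effect, method_arn):
    """Build the response document API Gateway expects from a Lambda authorizer."""
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}
            ],
        },
        # Values here become $context.authorizer.* in the integration request.
        "context": {"user": principal},
    }


def handler(event, context=None, now=None):
    """Lambda entry point for a TOKEN authorizer (event carries authorizationToken and methodArn)."""
    header = event.get("authorizationToken", "")
    token = header[len("Bearer "):] if header.startswith("Bearer ") else header
    user = verify_token(token, now)
    if user is None:
        # API Gateway maps this exact message to a 401 response.
        raise Exception("Unauthorized")
    # Scope the policy to the invoked method rather than "*": the policy is
    # cached per token, so a wildcard would let it be replayed across methods.
    return policy(user, "Allow", event["methodArn"])
```

Returning a policy with `"Effect": "Deny"` instead of raising gives the client a 403 rather than a 401; the choice is up to the API design, but the cached policy is reused for the configured TTL either way, so keep the resource as narrow as possible.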
AWS Systems Manager
you can use this service with EC2 instances (and on-premises servers running the SSM agent), CloudFormation, Lambda etc.
AWS Hypervisor
the hypervisor automatically scrubs (sets to 0) memory when it is unallocated from a guest, and EBS storage is wiped before it is reused, so there is no risk of reading another customer's data
Windows EC2 instances can only use HVM (Hardware Virtual Machine) virtualization, whereas Linux AMIs can be PV (paravirtual) or HVM
in PV the x86 CPU's 4 privilege rings are split: ring 0 is used by the hypervisor/host, the guest OS kernel runs in ring 1 and guest applications in ring 3 (in HVM the guest kernel runs in ring 0 thanks to hardware virtualization support)
NACLs
a NACL can be associated with multiple subnets, but a subnet has exactly one NACL (associating a new one replaces the old association)
VPC
there is no transitive peering: if VPC A is peered with B and B is peered with C, A still cannot communicate with C unless you explicitly peer A with C
creating a new VPC also creates a default route table, a default security group and a default NACL
subnets
the first 4 and the last IP address of every subnet are reserved by Amazon: the network address, the VPC router, the Amazon-provided DNS, one reserved for future use, and the broadcast address (so a /24 leaves 251 usable addresses)
To use your own DNS server you must create a new custom DHCP options set containing the IP of the custom DNS server and associate it with the VPC. You cannot modify an existing options set, so you have to create a new one.
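As an added example (not part of the original notes), the helper below turns the reservation rule above into something you can check against any subnet CIDR: it names the five reserved addresses in the order AWS documents them and computes the usable host range. Subnet CIDRs are constructed inputs; the /16 to /28 size limit is the one AWS applies to IPv4 subnets.

```python
import ipaddress

# Order of the reserved addresses, as in the VPC documentation: base+0 .. base+3,
# then the last address of the block.
RESERVED_LABELS = (
    "network address",
    "VPC router",
    "Amazon-provided DNS",   # the resolver itself lives at VPC base + 2
    "reserved for future use",
)


def _subnet(cidr):
    """Parse and validate an IPv4 subnet CIDR the way AWS would accept it."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or not (16 <= net.prefixlen <= 28):
        raise ValueError("AWS IPv4 subnets must be between /16 and /28")
    return net


def reserved_addresses(cidr):
    """Return the reserved addresses of the subnet, keyed by their purpose."""
    net = _subnet(cidr)
    hosts = list(net)  # includes network and broadcast addresses
    reserved = {label: str(hosts[i]) for i, label in enumerate(RESERVED_LABELS)}
    reserved["broadcast"] = str(hosts[-1])
    return reserved


def usable_hosts(cidr):
    """Number of addresses that can actually be assigned to ENIs in the subnet."""
    return _subnet(cidr).num_addresses - 5


def usable_range(cidr):
    """First and last assignable address (base+4 up to broadcast-1)."""
    hosts = list(_subnet(cidr))
    return str(hosts[4]), str(hosts[-2])
```

The practical consequence: a /28 holds 16 addresses but only 11 are assignable, which matters when sizing subnets for ENI-hungry services such as interface endpoints or Lambda in a VPC.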
VPC endpoints
A VPC endpoint is a private connection for reaching other AWS services (such as S3 buckets or DynamoDB) from private subnets directly, without going through the internet
2 types
Interface endpoint = Elastic Network Interface (ENI) with a private IP address in your subnet
Because an interface endpoint sits inside the VPC subnet, it is also reachable for on-premises users coming in over VPN or Direct Connect.
It provides access to many more services than the gateway endpoint
Gateway endpoint = similar to a network gateway; it is a target in the route table
A route is added to the subnet's route table whose destination is the service's prefix list (the public CIDR ranges the service name resolves to) and whose target is the endpoint
It only supports S3 and DynamoDB currently
As the gateway endpoint is reached via the route table and resides outside the VPC, it has some drawbacks:
- Endpoints are regional: you cannot create an endpoint between a VPC and a service in a different region
- Users coming in over VPN or Direct Connect cannot use a gateway endpoint
- DNS resolution must be turned on in the VPC
when a VPC endpoint is used the request's source IP is the private address, not a public one (so bucket policies should match on aws:sourceVpce or aws:sourceVpc rather than aws:SourceIp)
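The following is an added example, not part of the original notes and not AWS code. It builds the S3 bucket policy pattern AWS documents for "only reachable through my gateway endpoint" (an explicit Deny with `StringNotEquals` on `aws:sourceVpce`) and evaluates sample requests against it together with an assumed identity policy, using IAM's explicit-deny-wins semantics. The bucket name, endpoint ID and request contexts are constructed values; the evaluator only implements the operators the example needs.

```python
import fnmatch


def endpoint_only_bucket_policy(bucket, vpce_id):
    """Deny every S3 action on the bucket unless the request arrived through vpce_id."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AccessOnlyViaEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}},
        }],
    }


def _condition_matches(condition, ctx):
    """Minimal evaluator for StringEquals / StringNotEquals.
    As in IAM, a context key that is absent (request from the internet, where no
    aws:sourceVpce exists) makes StringNotEquals true, so the Deny fires."""
    for op, pairs in condition.items():
        for key, value in pairs.items():
            actual = ctx.get(key)
            if op == "StringEquals" and actual != value:
                return False
            if op == "StringNotEquals" and actual == value:
                return False
    return True


def _as_list(v):
    return v if isinstance(v, list) else [v]


def evaluate(policies, action, resource, ctx):
    """Combine identity and resource policies: explicit Deny wins, then any Allow, else implicit Deny."""
    decision = "Deny"  # implicit deny until an Allow matches
    for policy in policies:
        for st in policy["Statement"]:
            if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
                continue
            if not _condition_matches(st.get("Condition", {}), ctx):
                continue
            if st["Effect"] == "Deny":
                return "Deny"  # explicit deny always wins
            decision = "Allow"
    return decision


# Constructed sample: an identity policy that allows reads, plus the bucket policy.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::secure-bucket/*"}],
}
BUCKET_POLICY = endpoint_only_bucket_policy("secure-bucket", "vpce-1a2b3c4d")
OBJECT = "arn:aws:s3:::secure-bucket/report.csv"
```

Note the lock-out risk this pattern carries: once the Deny is in place, the console, CLI sessions from your workstation and any other VPC's endpoint are all refused, which is the intended outcome but also why the condition value must be right before you apply it.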
AWS Secrets Manager
similar to Parameter Store, but Secrets Manager has built-in integration (automatic credential rotation) with RDS and Aurora for MySQL and PostgreSQL
AWS Lambda
a Lambda function's default execution role only grants basic CloudWatch Logs permissions; likewise CloudTrail records only Lambda management events by default, and detailed logging of invocations (data events) has to be enabled explicitly