Securing Network Resources

Security Layers of Defense

As a best practice, secure your resources with multiple layers of defense. A client application can use a secure network protocol such as TLS and HTTPS to encrypt data payload in transit, ensuring third party actors can’t read or impersonate the traffic.

In a VPC, you can add both security groups and network ACLs to further protect your EC2 instances in a subnet. When you implement both as a defense-in-depth approach, a mistake in the configuration of one control won’t expose the instance to unwanted traffic.

Defense Layers Overview

Secure Network Protocol Layer: TLS/HTTPS encryption
Route Table Layer: Traffic routing controls
Network ACL Layer: Subnet-level firewall
Subnet Layer: Resource grouping and isolation
Security Group Layer: Instance-level firewall

Security Groups vs Network ACLs Scope

Both security groups and network ACLs define network traffic filters called rules. They can be used simultaneously or individually to protect VPC resources.

Security Groups

Security groups are stateful firewalls that act at the level of instance or network interface and can span multiple AZs.

Key Characteristics

Stateful: Return traffic is automatically allowed, regardless of any rules
Allow Rules Only: You can specify allow rules, but not deny rules
Resource Level: Protect individual instances or network interfaces
Grouping: Resources with same security requirements should be grouped together

Default Behavior

New Security Group:
- No inbound rules (no inbound traffic allowed)
- Default outbound rule allows all outbound traffic
Response Traffic: Automatically allowed back through the security group due to stateful nature

Security Group Rules Example

Inbound Security Group Rule

Source: Load balancer security group ID
Traffic Type: HTTPS
Protocol: TCP
Port Range: 443

You can define relationships between security groups, such as instances in a database tier security group only accepting traffic from application tier security groups.

Network ACLs

A network access control list (network ACL) is an optional stateless firewall for controlling traffic in and out of one or more subnets.

Key Characteristics

Stateless: No information about requests is maintained after processing
Subnet Level: Acts as firewall for entire subnets
Allow and Deny Rules: Can specify both allow and deny traffic rules
Numbered Evaluation: Rules evaluated in number order, evaluation stops when match is found

Default Network ACL

Allows all traffic: Both inbound and outbound IPv4 (and IPv6 if applicable)
Rule Structure:
- Rule 100: Allow all traffic on all ports
- Asterisk (*) rule: Deny all traffic (catches misconfigured rules)

Custom Network ACL Example

Inbound ACL Rules:

Rule 100: Allow HTTPS TCP traffic from 188.7.55.9/32 on port 443
Rule *: Deny all traffic on all ports

Outbound ACL Rules:

Rule 100: Allow HTTPS traffic on port 443
Rule *: Deny all traffic on all ports

Comparing Security Groups and Network ACLs

Security Groups

Operate at resource level
Specify allow traffic rules only
Rules are stateful
All rules are evaluated
New group: no inbound traffic allowed by default
New group: all outbound traffic allowed by default
Response traffic automatically allowed

Network ACLs

Operate at subnet level
Specify deny and allow traffic rules
Rules are stateless
Rules evaluated in number order, stops at match
New ACL: all inbound traffic allowed by default
New ACL: all outbound traffic allowed by default
Response traffic always evaluated against rule set

AWS Recommendation Use security groups over network ACLs where possible for ease of maintenance and flexibility.

AWS Network Firewall

When organizations deal with sensitive data or have strict compliance requirements, AWS Network Firewall provides an additional security layer beyond security groups and network ACLs.

Characteristics

Stateful managed service: Network firewall and intrusion detection/prevention
VPC Integration: Deployed in firewall subnet to inspect all incoming VPC traffic
Route Table Modification: Modify VPC route tables to send traffic through Network Firewall endpoints

Traffic Flow with Network Firewall

External traffic routes through route table 1 to AWS Network Firewall endpoint
Traffic routes to Gateway Load Balancer in VPC 2 for distribution to security appliances
Security appliances inspect traffic and return to Gateway Load Balancer
Traffic routes through route table 2 to EC2 application instance in private subnet

Bastion Hosts for Administration

A bastion host provides maintenance access to private subnet resources from external networks without direct access to private instances.

Configuration Example

Bastion Host: EC2 instance in public subnet
Security Group A: Allows SSH TCP traffic on port 22 from specified IP address range
Security Group B: Allows SSH TCP traffic on port 22 from Security Group A
IAM Integration: Bastion host EC2 instances have IAM policies for VPC resource access

Benefits

Minimizes attack surface on private subnet resources
Provides controlled, auditable access for server administration
Bastion host should be the only source of SSH traffic to private instances

Key Security Takeaways

Multiple Defense Layers: Implement security groups, network ACLs, and AWS Network Firewall for comprehensive protection
Stateful vs Stateless: Security groups automatically handle return traffic, while network ACLs require explicit rules for both directions
Traffic Inspection: Route external VPC traffic through AWS Network Firewall for additional security layer
Administrative Access: Use bastion hosts to securely administrate private subnet resources from on-premises environments

Securing AWS infrastructure requires multiple layers of defense combining stateful security groups for resource-level protection and stateless network ACLs for subnet-level control, with optional AWS Network Firewall for advanced threat protection and bastion hosts for secure administrative access.