Amazon Virtual Private Cloud (Amazon VPC) Security
In general, each Amazon EC2 instance we launch is randomly assigned a public IP address in the Amazon EC2 address space. Amazon VPC allows us to create an isolated portion of the AWS Cloud and launch Amazon EC2 instances that have private (RFC 1918) addresses in a range of our choice (for instance, 10.0.0.0/16).
Each Amazon VPC is isolated from all other Amazon VPCs; at creation time we select an IP address range for it. We can also create and attach an Internet gateway, a virtual private gateway, or both to establish external connectivity, subject to the following controls. We shall now discuss the controls –
- API access – API calls to create and delete Amazon VPCs, to change routing, security group, and network ACL parameters, and to perform other functions are all signed by an Amazon secret access key, which can be either the AWS account’s secret access key or the secret access key of a user created with IAM. Without access to the secret access key, Amazon VPC API calls cannot be made on our behalf.
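To make the API-access control concrete, the following added example (not AWS's own code or SDK) implements AWS Signature Version 4 request signing and the matching server-side verification offline with the Python standard library. The access key id and secret are the sample values used in AWS documentation, and the request is a constructed DescribeVpcs call against the EC2 Query API; the service and region names are assumed for the example.

```python
# How a VPC API call is authenticated: AWS Signature Version 4 signing and
# server-side verification, implemented offline with the standard library.
# Added example, not AWS's own code or SDK.  The access key id and secret are
# the sample values used in AWS documentation, and the request is a
# constructed DescribeVpcs call against the EC2 Query API.
import hashlib
import hmac
from typing import Dict, Tuple
from urllib.parse import quote


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4" + secret, date), region), service), "aws4_request").
    The long-term secret never leaves the client; only this scoped, per-day key signs requests."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def canonical_request(method: str, path: str, query: Dict[str, str],
                      headers: Dict[str, str], payload: bytes) -> Tuple[str, str]:
    """Build the canonical request; return it together with the signed-headers list."""
    canon_query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                           for k, v in sorted(query.items()))
    lower = {k.lower(): " ".join(v.split()) for k, v in headers.items()}  # trim/collapse whitespace
    signed_headers = ";".join(sorted(lower))
    canon_headers = "".join(f"{k}:{lower[k]}\n" for k in sorted(lower))
    creq = "\n".join([method, path, canon_query, canon_headers, signed_headers, _sha256_hex(payload)])
    return creq, signed_headers


def sign_request(access_key: str, secret_key: str, region: str, service: str, amz_date: str,
                 method: str, path: str, query: Dict[str, str], headers: Dict[str, str],
                 payload: bytes = b"") -> Dict[str, str]:
    """Client side: return the request headers with a SigV4 Authorization header added."""
    date_stamp = amz_date[:8]
    headers = dict(headers, **{"x-amz-date": amz_date})
    creq, signed_headers = canonical_request(method, path, query, headers, payload)
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(creq.encode("utf-8"))])
    signature = hmac.new(derive_signing_key(secret_key, date_stamp, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def verify_request(secret_key: str, region: str, service: str, method: str, path: str,
                   query: Dict[str, str], headers: Dict[str, str], payload: bytes = b"") -> bool:
    """Server side: with the secret belonging to the presented access key id (supplied by the
    caller here), recompute the signature over the received request and compare in constant
    time.  Any change to a signed element (query, path, signed headers, body) fails the check."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("AWS4-HMAC-SHA256 "):
        return False
    fields = dict(part.strip().split("=", 1) for part in auth.split(" ", 1)[1].split(","))
    if "Credential" not in fields or "x-amz-date" not in headers:
        return False
    access_key = fields["Credential"].split("/")[0]
    unsigned = {k: v for k, v in headers.items() if k != "Authorization"}
    expected = sign_request(access_key, secret_key, region, service, unsigned["x-amz-date"],
                            method, path, query, unsigned, payload)
    return hmac.compare_digest(expected["Authorization"], auth)


# Constructed sample call using the documentation example credentials.
ACCESS_KEY = "AKIDEXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
QUERY = {"Action": "DescribeVpcs", "Version": "2016-11-15"}
HEADERS = {"host": "ec2.us-east-1.amazonaws.com"}

if __name__ == "__main__":
    signed = sign_request(ACCESS_KEY, SECRET_KEY, "us-east-1", "ec2",
                          "20150830T123600Z", "GET", "/", QUERY, HEADERS)
    print(signed["Authorization"])
    print(verify_request(SECRET_KEY, "us-east-1", "ec2", "GET", "/", QUERY, signed))
```

The verifier recomputes the signature rather than decrypting anything, which is why possession of the secret access key is the whole control: a request whose Action, path or signed headers were altered in transit no longer matches. Real AWS endpoints additionally reject requests whose x-amz-date is more than 15 minutes from the server's clock, which limits how long a captured signed request stays usable.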
- Subnets and route tables – We can create one or more subnets in each Amazon VPC, and each instance launched in the Amazon VPC is connected to one subnet. Traditional Layer 2 security attacks, including MAC spoofing and Address Resolution Protocol (ARP) spoofing, are blocked. Each subnet in an Amazon VPC is associated with a route table, and all network traffic leaving the subnet is processed by that route table to determine the destination.
- Firewall (security groups) – Amazon VPC supports a complete firewall solution, just like Amazon EC2, that allows filtering on both ingress and egress traffic from an instance. The default group allows inbound communication from other members of the same group and outbound communication to any destination. Traffic can be restricted by any IP protocol, by service port, and by source/destination IP address (individual IP or CIDR block). The firewall is not controlled through the guest operating system; it can be modified only through the invocation of Amazon VPC APIs.
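The following added example (not AWS code) models the two data-path controls just described: a subnet route table in which the most specific matching route decides where traffic leaves, and a security group evaluated as an allow-list by protocol, port and source CIDR or peer group, including the default group's "same group in, anywhere out" behaviour. It also includes a small audit helper for administrative ports exposed to 0.0.0.0/0. All CIDRs, group and gateway ids, and flows are constructed sample values; the public/private subnet layout mirrors the one in the figure below.

```python
# Offline model of the two VPC data-path controls described above: a subnet
# route table (longest-prefix match decides where traffic leaves) and a
# stateful security group (filtering by protocol, port and source CIDR or
# peer group).  Added example, not AWS code; all CIDRs, ids and flows are
# constructed sample values.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Route:
    destination: str  # CIDR block
    target: str       # "local", an Internet gateway id, or a NAT instance id


def route_lookup(routes: Sequence[Route], dst_ip: str) -> Optional[str]:
    """Return the target of the most specific matching route (longest prefix wins)."""
    ip = ipaddress.ip_address(dst_ip)
    best: Optional[Route] = None
    for r in routes:
        net = ipaddress.ip_network(r.destination)
        if ip in net and (best is None or net.prefixlen > ipaddress.ip_network(best.destination).prefixlen):
            best = r
    return best.target if best else None


@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp", "udp", "icmp" or "-1" (all protocols)
    from_port: int  # port range; ignored for icmp and "-1" in this model
    to_port: int
    source: str     # CIDR block or a security-group id ("sg-...")


@dataclass
class SecurityGroup:
    group_id: str
    ingress: List[Rule] = field(default_factory=list)
    egress: List[Rule] = field(default_factory=list)


def default_group(group_id: str) -> SecurityGroup:
    """The default group: inbound only from members of the same group, outbound to anywhere."""
    return SecurityGroup(group_id,
                         ingress=[Rule("-1", 0, 65535, group_id)],
                         egress=[Rule("-1", 0, 65535, "0.0.0.0/0")])


def _rule_matches(rule: Rule, protocol: str, port: int, peer_ip: str, peer_groups: Sequence[str]) -> bool:
    if rule.protocol != "-1" and rule.protocol != protocol:
        return False
    if rule.protocol in ("tcp", "udp") and not (rule.from_port <= port <= rule.to_port):
        return False
    if rule.source.startswith("sg-"):  # group-referenced rule: match on the peer's membership
        return rule.source in peer_groups
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.source)


def allowed(group: SecurityGroup, direction: str, protocol: str, port: int,
            peer_ip: str, peer_groups: Sequence[str] = ()) -> bool:
    """Security groups are allow-lists: a flow passes if any rule in that direction matches.
    (Return traffic of an allowed flow is permitted statefully and is not re-evaluated here.)"""
    rules = group.ingress if direction == "ingress" else group.egress
    return any(_rule_matches(r, protocol, port, peer_ip, peer_groups) for r in rules)


def open_admin_ports(group: SecurityGroup, admin_ports: Sequence[int] = (22, 3389)) -> List[Rule]:
    """Audit helper: ingress rules exposing an administrative port (or all traffic) to 0.0.0.0/0."""
    hits = []
    for r in group.ingress:
        if r.source != "0.0.0.0/0":
            continue
        if r.protocol == "-1" or any(r.from_port <= p <= r.to_port for p in admin_ports):
            hits.append(r)
    return hits


# Constructed topology matching a public and a private subnet.
PUBLIC_ROUTES = [Route("10.0.0.0/16", "local"), Route("0.0.0.0/0", "igw-EXAMPLE")]
PRIVATE_ROUTES = [Route("10.0.0.0/16", "local"), Route("0.0.0.0/0", "nat-EXAMPLE")]  # via a NAT instance
WEB_SG = SecurityGroup("sg-web",
                       ingress=[Rule("tcp", 443, 443, "0.0.0.0/0"), Rule("tcp", 22, 22, "203.0.113.0/24")],
                       egress=[Rule("-1", 0, 65535, "0.0.0.0/0")])
DB_SG = SecurityGroup("sg-db", ingress=[Rule("tcp", 3306, 3306, "sg-web")])

if __name__ == "__main__":
    print(route_lookup(PUBLIC_ROUTES, "198.51.100.7"), route_lookup(PRIVATE_ROUTES, "198.51.100.7"))
    print(allowed(WEB_SG, "ingress", "tcp", 443, "198.51.100.7"),
          allowed(DB_SG, "ingress", "tcp", 3306, "10.0.1.25", peer_groups=("sg-web",)))
```

The database group references the web group by id rather than by CIDR, so membership, not address, is what grants access; this is the pattern that keeps a policy correct when instances are replaced and their private addresses change.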
The following figure shows an Amazon VPC with two types of subnets, public and private, and two network paths to two different networks: a customer data center and the Internet.
Amazon VPC network architecture
Amazon VPC APIs help manage security groups and network ACLs, adding an additional layer of protection and enabling additional security through separation of duties. The figure below depicts how the security controls discussed so far interrelate to enable flexible network topologies while providing complete control over network traffic flows.
Flexible network Topologies
Virtual private gateways – A virtual private gateway allows private connectivity between the Amazon VPC and another network. Network traffic within each virtual private gateway is isolated from network traffic within all other virtual private gateways.
Internet gateways – An Internet gateway may be attached to an Amazon VPC to enable direct connectivity to Amazon S3, other AWS Cloud services, and the Internet. Each instance that needs this access must either have an Elastic IP address associated with it or route traffic through a Network Address Translation (NAT) instance. This access can be modified only through the invocation of Amazon VPC APIs. AWS supports granting granular access to different administrative functions on the instances and the Internet gateway, enabling us to implement additional security through separation of duties.
Dedicated instances – In an Amazon VPC, we can launch Amazon EC2 instances which are physically isolated at the host hardware level (that is, they run on single-tenant hardware). An Amazon VPC can be created with “dedicated” tenancy so that all instances launched into the Amazon VPC will use this feature. Alternatively, an Amazon VPC may be created with “default” tenancy, and we can specify dedicated tenancy for particular instances launched into it.
Dedicated hosts – An Amazon EC2 Dedicated Host is a physical server with Amazon EC2 instance capacity fully dedicated to our use. Dedicated hosts allow us to use existing per-socket, per-core, or per-virtual-machine software licenses, including Windows Server, Microsoft SQL Server, SUSE Linux Enterprise Server, and so on.
Amazon CloudFront Security
Amazon CloudFront provides customers with an easy way to distribute content to end users with low latency and high data transfer speeds. Using a global network of edge locations it delivers dynamic, static, and streaming content. Requests for customers’ objects get automatically routed to the nearest edge location, so content is delivered with the best possible performance. Amazon CloudFront is optimized to work with other AWS Cloud services like Amazon S3, Amazon EC2, Elastic Load Balancing, and Amazon Route 53. It also works consistently with any non-AWS origin server that stores the original, definitive versions of the files.
Amazon CloudFront allows us to create one or more origin access identities and associate them with our distributions to control access to the original copies of the objects in Amazon S3. When an origin access identity is associated with an Amazon CloudFront distribution, the distribution uses that identity to retrieve objects from Amazon S3. We can then use Amazon S3’s ACL feature to limit access to that origin access identity so that the original copy of the object is not publicly readable.
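The bucket-side half of the origin access identity pattern is usually expressed as a bucket policy rather than a per-object ACL. The added example below (not AWS or CloudFront code) builds the policy that lets only a distribution's OAI read objects and lints any policy for statements that would leave the originals publicly readable; the bucket name and OAI id are constructed placeholders, and the OAI principal ARN format is the one AWS documents for origin access identities.

```python
# Bucket-policy helper for the origin access identity (OAI) pattern above:
# build the policy that lets only a distribution's OAI read the originals, and
# lint any policy for statements that still leave objects publicly readable.
# Added example, not AWS or CloudFront code; the bucket name and OAI id used
# below are constructed placeholders.
import fnmatch
import json
from typing import Any, Dict, List


def oai_principal_arn(oai_id: str) -> str:
    return f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"


def oai_read_only_policy(bucket: str, oai_id: str) -> Dict[str, Any]:
    """Allow s3:GetObject on the bucket's objects to the OAI principal and nobody else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIRead",
            "Effect": "Allow",
            "Principal": {"AWS": oai_principal_arn(oai_id)},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal: Any) -> bool:
    """'*' or {"AWS": "*"} (bare or inside a list) means anyone, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _grants_object_read(actions: Any) -> bool:
    # IAM action matching is case-insensitive and supports '*' wildcards (s3:Get*, s3:*, *).
    return any(fnmatch.fnmatchcase("s3:getobject", str(a).lower()) for a in _as_list(actions))


def public_read_statements(policy: Dict[str, Any]) -> List[str]:
    """Sids of Allow statements that grant object reads to a public principal.
    A Condition may narrow such a statement, but it is still reported so a reviewer can confirm."""
    hits = []
    for st in _as_list(policy.get("Statement", [])):
        if (st.get("Effect") == "Allow"
                and _is_public_principal(st.get("Principal"))
                and _grants_object_read(st.get("Action", []))):
            hits.append(st.get("Sid", "<no Sid>"))
    return hits


def oai_is_sole_reader(policy: Dict[str, Any], oai_id: str) -> bool:
    """True when the OAI is allowed to read objects and no statement grants public reads."""
    oai_allowed = False
    for st in _as_list(policy.get("Statement", [])):
        principal = st.get("Principal")
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if (st.get("Effect") == "Allow" and oai_principal_arn(oai_id) in aws_principals
                and _grants_object_read(st.get("Action", []))):
            oai_allowed = True
    return oai_allowed and not public_read_statements(policy)


# Constructed policy of the kind this check is meant to catch: world-readable originals.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-origin-bucket/*",
    }],
}

if __name__ == "__main__":
    good = oai_read_only_policy("example-origin-bucket", "E1EXAMPLE")
    print(json.dumps(good, indent=2))
    print(public_read_statements(good), public_read_statements(PUBLIC_POLICY))
```

With the OAI-only policy in place, an end user who discovers the S3 URL of an object receives an access-denied response, while the same object is still served through the distribution. Note that S3 Block Public Access and bucket ACLs are evaluated alongside the bucket policy, so this lint covers the policy document only.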
Note – Storage with high durability and availability: AWS provides low-cost data storage with high durability and availability, and offers storage choices for backup, archiving, disaster recovery, and block and object storage.