ADVSEC01-BP02 Restrict DSP access to allow only authorized SSPs

Provide a mechanism to control and manage third-party access to each part of your cloud network environment.

Implementation Guidance

Consider using AWS WAF to allow access for authorized IPs for traffic that arrives at your Application Load Balancer, Amazon API Gateway, and Amazon CloudFront distributions. AWS WAF helps protect your web applications against common web exploits that may compromise security. Using AWS WAF rules, you can define a set of inspection criteria and review when incoming requests meets the set criteria. It is recommended to use AWS WAF rules to inspect incoming traffic based on several factors like source IP or originating geographic location.

Additionally, consider using AWS PrivateLink to restrict access to your AWS services. AWS PrivateLink allows for the private connection between your AWS VPCs and AWS services without exposing your network traffic to the public internet. If you cannot use AWS PrivateLink, consider using IAM to control access to your AWS services.

Resources

• Configure security groups for your Classic Load Balancer

• How do I use AWS WAF to create IP set rules to restrict IPv4 and IPv6 access?

• Update the security groups for your Network Load Balancer

• Controlling access to Amazon Kinesis Data Streams resources using IAM

• Introducing Amazon API Gateway Private Endpoints

• Use interface VPC endpoints for Amazon Kinesis Data Streams

• Private Amazon AppFlow flows

• Create a server in a virtual private cloud

• Configuring VPC endpoints as AWS Database Migration Service source and target endpoints

• Creating an interface VPC endpoint for AWS Data Exchange

• AWS PrivateLink for Amazon S3

• Considerations for AWS Glue VPC endpoints

• Amazon MSK multi-VPC private connectivity in a single Region

• Changing an Amazon MSK cluster's security group