Security - Transit Network VPC (Cisco CSR)


The AWS Cloud provides a scalable, highly reliable platform that helps customers deploy applications and data quickly and securely. When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This shared model can reduce your operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. In turn, you assume responsibility and management of the guest operating system (including updates and security patches), other associated applications, as well as the configuration of the AWS-provided security group firewall. For more information about security on AWS, visit the AWS Security Center.

Security Groups

The security groups created in this solution control and isolate network traffic between the AWS Lambda functions, the CSR instances, and the remote VPN endpoints. To perform testing, troubleshooting, or remote configuration, you will need to update the CSR security group to allow inbound SSH traffic; scope that rule to the specific administrative address range you connect from rather than to 0.0.0.0/0, and remove it when you are finished. We recommend that you review the security groups and further restrict access as needed once the deployment is up and running.

In the transit VPC network, all VPN connections are initiated by the CSR instances, and security groups are stateful, so the return traffic for those tunnels is permitted automatically. No inbound rules are therefore required other than for management access to the CSR instances. The solution includes a single inbound rule on the CSR security group that permits SSH traffic from the Cisco Configurator Lambda function only.
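The following CloudFormation fragment is an added example of the security group layout described above; it is not the solution's own template. The resource names TransitVpc, ConfiguratorSecurityGroup and CsrSecurityGroup, and the AdminCidr parameter, are assumptions for the example. It also shows the troubleshooting rule the text says you may add, scoped to one administrative range and switchable off again through the parameter.

```yaml
# Added example, not the solution's own template. Resource names and the
# AdminCidr parameter are assumptions for illustration.
Parameters:
  AdminCidr:
    Type: String
    Description: >-
      Optional administrative source range for SSH troubleshooting. Leave at
      the default (a single loopback address) to keep SSH closed to everything
      except the Configurator function.
    Default: 127.0.0.1/32
    AllowedPattern: ^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$

Conditions:
  # Create the troubleshooting rule only when a real range was supplied.
  AdminSshEnabled: !Not [!Equals [!Ref AdminCidr, 127.0.0.1/32]]

Resources:
  # Group for the Cisco Configurator Lambda function's network interfaces.
  # No inbound rules: the function only opens outbound sessions. The default
  # allow-all egress stays in place; the function needs it to reach the CSRs
  # and the S3 and KMS endpoints.
  ConfiguratorSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Cisco Configurator Lambda function (no inbound)
      VpcId: !Ref TransitVpc

  # Group for the CSR instances. The VPN tunnels are initiated by the CSRs,
  # so egress stays at the default. The only inbound rule is SSH from the
  # Configurator group, declared below as a separate resource so the two
  # groups can reference each other without a circular dependency.
  CsrSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Cisco CSR instances (SSH from Configurator only)
      VpcId: !Ref TransitVpc

  CsrSshFromConfigurator:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref CsrSecurityGroup
      Description: SSH from the Cisco Configurator Lambda function
      IpProtocol: tcp
      FromPort: 22
      ToPort: 22
      # Referencing the Lambda function's security group, rather than a CIDR,
      # keeps the rule correct as the function's interfaces change address.
      SourceSecurityGroupId: !Ref ConfiguratorSecurityGroup

  # Troubleshooting access: one administrative range, never 0.0.0.0/0, and
  # removed again by resetting AdminCidr to its default.
  CsrSshFromAdmin:
    Type: AWS::EC2::SecurityGroupIngress
    Condition: AdminSshEnabled
    Properties:
      GroupId: !Ref CsrSecurityGroup
      Description: Temporary SSH for troubleshooting
      IpProtocol: tcp
      FromPort: 22
      ToPort: 22
      CidrIp: !Ref AdminCidr
```

After troubleshooting, update the stack with AdminCidr back at its default so the CsrSshFromAdmin rule is deleted rather than left behind.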

Additional Security Settings

Password authentication to the CSR instances is explicitly disabled. The Cisco Configurator Lambda function generates an SSH key pair, stores it in the solution's Amazon S3 bucket, and uses that key pair to authenticate to the CSR instances. The Cisco Configurator Lambda function is configured to run inside the transit VPC only, so its SSH connections to the CSR instances originate from within the VPC.

All files in the S3 bucket are encrypted using server-side encryption with AWS KMS (S3 SSE-KMS). An Amazon S3 bucket policy controls which additional AWS accounts can access the bucket, and an AWS KMS key policy controls which accounts are authorized to use the solution-specific customer master key (CMK) to decrypt its contents. Because reading an SSE-KMS object requires both permissions, an account must be allowed by both policies before it can connect its VGWs to the transit VPC network. Both policies may be modified manually to add accounts (see Appendix C for details).
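The following CloudFormation fragment is an added example of how the bucket policy and key policy described above can admit one additional (spoke) account; it is not the solution's own template, and Appendix C remains the authority for the real procedure. The SpokeAccountId parameter, the resource names TransitKey, ConfigBucket and ConfigBucketPolicy, and the object prefix vpnconfigs/ are assumptions for the example.

```yaml
# Added example, not the solution's own template. Parameter, resource and
# prefix names are assumptions for illustration.
Parameters:
  SpokeAccountId:
    Type: String
    Description: AWS account ID of the additional account whose VGWs may join
    AllowedPattern: ^\d{12}$

Resources:
  TransitKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Encrypts the transit VPC configuration bucket
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          # Key administration stays with the transit (hub) account.
          - Sid: HubAccountAdministersKey
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: '*'
          # The spoke account gets data-key operations only, and only when
          # the request arrives through S3 in this region, so the key cannot
          # be used for anything but objects in this bucket.
          - Sid: SpokeAccountUsesKeyViaS3
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${SpokeAccountId}:root
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:GenerateDataKey
              - kms:DescribeKey
            Resource: '*'
            Condition:
              StringEquals:
                kms:ViaService: !Sub s3.${AWS::Region}.amazonaws.com

  ConfigBucket:
    Type: AWS::S3::Bucket
    Properties:
      # New objects are encrypted with TransitKey unless the caller asks for
      # something else; the bucket policy below rejects those requests.
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: !GetAtt TransitKey.Arn
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  ConfigBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ConfigBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # The spoke account may read and write VPN configuration objects
          # under one prefix, and nothing else in the bucket.
          - Sid: SpokeAccountObjectAccess
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${SpokeAccountId}:root
            Action:
              - s3:GetObject
              - s3:PutObject
            Resource: !Sub ${ConfigBucket.Arn}/vpnconfigs/*
          # Refuse writes that do not request SSE-KMS. Note that clients must
          # send the x-amz-server-side-encryption header explicitly; relying
          # on default bucket encryption does not satisfy this condition.
          - Sid: DenyUnencryptedWrites
            Effect: Deny
            Principal: '*'
            Action: s3:PutObject
            Resource: !Sub ${ConfigBucket.Arn}/*
            Condition:
              StringNotEquals:
                s3:x-amz-server-side-encryption: aws:kms
          # Refuse any request that is not made over TLS.
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: '*'
            Action: s3:*
            Resource:
              - !GetAtt ConfigBucket.Arn
              - !Sub ${ConfigBucket.Arn}/*
            Condition:
              Bool:
                aws:SecureTransport: 'false'
```

Two checks worth making after applying policies like these: cross-account access needs permission on both sides, so the spoke account's poller role also needs an identity policy in its own account granting the same s3 and kms actions, and the kms:ViaService condition means a spoke principal calling KMS directly (rather than through S3) is correctly refused.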