Security best practices for your VPC - Amazon Virtual Private Cloud

Security best practices for your VPC

The following best practices are general guidelines and don’t represent a complete security solution. Because these best practices might not be appropriate or sufficient for your environment, treat them as helpful considerations rather than prescriptions.

  • When you add subnets to your VPC, choose multiple Availability Zones (AZs) to ensure that the resources hosted in those subnets are highly available. An AZ is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region. AZs enable you to make production applications highly available, fault tolerant, and scalable. For more information on adding subnets to multiple AZs, see Create a VPC.

  • Use network ACLs to control access to your subnets and use security groups to control traffic to EC2 instances in your subnets. For more information, see Control traffic to subnets using Network ACLs and Control traffic to resources using security groups.

  • Manage access to AWS VPC resources and APIs using AWS Identity and Access Management (IAM) identity federation, users, and roles. For more information, see Identity and access management for Amazon VPC.

  • Use Amazon CloudWatch with VPC flow logs to monitor the IP traffic going to and from network interfaces in your VPC. For more information, see Publish flow logs to CloudWatch Logs.
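Security groups are where unintended internet exposure most often creeps in, so the second best practice above is worth backing with an automated check. The following is an added example, not AWS documentation code: it takes data shaped like the `SecurityGroups` list that boto3's `describe_security_groups` returns (the sample here is constructed inline, including the `sg-` ids, so it runs offline without credentials) and reports any rule that opens an administrative port to `0.0.0.0/0` or `::/0`. The `ADMIN_PORTS` table and the `find_world_open_admin_ports` function are this example's own names.

```python
"""Flag security group rules that expose administrative ports to the internet.

Added example; the input below is a constructed dict shaped like the
`SecurityGroups` entries returned by boto3's `describe_security_groups`,
so it runs offline with no AWS credentials.
"""
import ipaddress

# Ports whose exposure to 0.0.0.0/0 or ::/0 is almost never intended.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}

# Constructed sample resembling describe_security_groups()["SecurityGroups"].
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0123456789abcdef0",   # constructed id
        "GroupName": "web-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0fedcba9876543210",   # constructed id
        "GroupName": "bastion",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
            # "-1" means every protocol and every port.
            {"IpProtocol": "-1", "IpRanges": [],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]


def _is_world_open(cidr):
    """True for the unrestricted IPv4 (0.0.0.0/0) or IPv6 (::/0) range."""
    return ipaddress.ip_network(cidr).prefixlen == 0


def _ports_in_rule(rule):
    """Return the admin ports a single IpPermissions entry covers."""
    if rule["IpProtocol"] == "-1":          # all protocols, all ports
        return set(ADMIN_PORTS)
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:            # e.g. ICMP entries carry no port range
        return set()
    return {p for p in ADMIN_PORTS if lo <= p <= hi}


def find_world_open_admin_ports(groups):
    """Return (group_id, port, service, cidr) for each world-open admin port."""
    findings = []
    for group in groups:
        for rule in group["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if not _is_world_open(cidr):
                    continue
                for port in sorted(_ports_in_rule(rule)):
                    findings.append((group["GroupId"], port, ADMIN_PORTS[port], cidr))
    return findings


if __name__ == "__main__":
    for gid, port, svc, cidr in find_world_open_admin_ports(SAMPLE_GROUPS):
        print(f"{gid}: {svc} (tcp/{port}) open to {cidr}")
```

Against the constructed sample, the web-tier group's HTTPS rule is accepted (port 443 is meant to be public) while its SSH rule is flagged, and the bastion's catch-all `-1` rule to `::/0` is flagged once per administrative port even though its IPv4 SSH rule is correctly scoped to a single /24. In a real account you would replace `SAMPLE_GROUPS` with the live `describe_security_groups` output and run the check in each Region.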
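Flow logs only help if something reads them, so here is an added example (not AWS code) of the kind of detection a defender would run over records published to CloudWatch Logs. The lines are constructed inline in the default flow log format (`version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status`), including a `NODATA` record that carries no traffic fields; the account id, ENI id and addresses are made up. The function names `parse_flow_log` and `rejected_port_fanout` and the `min_ports` threshold are this example's own choices.

```python
"""Spot one source being REJECTed on many distinct ports in VPC flow logs.

Added example; the log lines below are constructed in the default flow log
format (version account-id interface-id srcaddr dstaddr srcport dstport
protocol packets bytes start end action log-status), so it runs offline.
"""
from collections import defaultdict

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Constructed sample: one external source probing five ports on 10.0.1.15,
# two legitimate HTTPS flows, one stray REJECT, and a NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60789 198.51.100.7 10.0.1.15 44321 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60789 198.51.100.7 10.0.1.15 44322 23 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60789 198.51.100.7 10.0.1.15 44323 445 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60789 198.51.100.7 10.0.1.15 44324 3306 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60789 198.51.100.7 10.0.1.15 44325 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60789 10.0.2.40 10.0.1.15 51000 443 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60789 203.0.113.9 10.0.1.15 55555 443 6 8 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60789 203.0.113.9 10.0.1.15 55556 8080 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60789 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(lines):
    """Parse default-format flow log lines into dicts; drop records without traffic."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                        # malformed or custom-format line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":       # NODATA / SKIPDATA describe no flow
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejected_port_fanout(records, min_ports):
    """Map each source to the sorted distinct dst ports it was REJECTed on,
    keeping only sources that hit at least `min_ports` ports (a scan-like shape).
    """
    ports_by_src = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT":
            ports_by_src[rec["srcaddr"]].add(rec["dstport"])
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG.splitlines())
    for src, ports in rejected_port_fanout(recs, min_ports=4).items():
        print(f"{src}: rejected on {len(ports)} distinct ports {ports}")
```

With the threshold at four ports, only `198.51.100.7` is reported; the single REJECT from `203.0.113.9` stays below it and is treated as noise. The threshold and the aggregation window are tuning choices: in production you would run this over a CloudWatch Logs query or subscription rather than a string, and you would also confirm that the rejecting rule (security group or network ACL) is the one you intended, since flow logs record the decision but not which rule made it.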

For answers to frequently asked questions related to VPC security, see Security and Filtering in the Amazon VPC FAQs.