SEC05-BP04 Implement inspection and protection
Inspect and filter your traffic at each layer. You can inspect your VPC configurations for potential unintended access using VPC Network Access Analyzer. You can specify your network access requirements and identify potential network paths that do not meet them. For components transacting over HTTP-based protocols, a web application firewall, such as AWS WAF, can help protect from common attacks.
For managing AWS WAF, AWS Shield Advanced protections, and Amazon VPC security groups across AWS Organizations, you can use AWS Firewall Manager. It allows you to centrally configure and manage firewall rules across your accounts and applications, making it easier to scale enforcement of common rules. It also allows you to rapidly respond to attacks, using AWS Shield Advanced, or solutions
Level of risk exposed if this best practice is not established: Low
Implementation guidance
- Configure Amazon GuardDuty: GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. Use GuardDuty and configure automated alerts.
- Configure virtual private cloud (VPC) Flow Logs: VPC Flow Logs is a feature that allows you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data can be published to Amazon CloudWatch Logs and Amazon Simple Storage Service (Amazon S3). After you've created a flow log, you can retrieve and view its data in the chosen destination.
- Consider VPC traffic mirroring: Traffic mirroring is an Amazon VPC feature that you can use to copy network traffic from an elastic network interface of Amazon Elastic Compute Cloud (Amazon EC2) instances and then send it to out-of-band security and monitoring appliances for content inspection, threat monitoring, and troubleshooting.
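Once flow logs are landing in CloudWatch Logs or S3, the inspection step is reading them against your stated network access requirements. The following is an added example, not code from the Well-Architected page or from AWS: it parses default-format (version 2) VPC Flow Log records, skips NODATA records, flags accepted inbound TCP flows to ports outside an assumed allow-list, and counts rejected flows per source. The log lines and the allow-list are constructed assumptions.

```python
"""Parse default-format VPC Flow Log records (version 2) and flag accepted
inbound TCP flows to ports outside an allow-list, plus count rejected flows
per source address. Added example, not from the AWS page; the records are
constructed samples and the allow-list is an assumed requirement."""
from collections import Counter

# Field order of the default VPC Flow Log format (version 2), 14 fields.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed samples: a permitted HTTPS flow, an accepted SSH flow that is
# not on the allow-list, a rejected RDP probe, and a NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.5 51234 443 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 40000 22 6 5 400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 40001 3389 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

EXPECTED_PORTS = {443}  # assumed: only HTTPS should be accepted inbound here

def parse_record(line):
    """Return a dict for one OK record; None for malformed or NODATA/SKIPDATA."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":  # no flow fields to interpret
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[key] = int(rec[key])
    return rec

def analyze(log_text, expected_ports=EXPECTED_PORTS):
    """Return (unexpected accepted flows as (src, dstport), rejects per source)."""
    unexpected, rejects = [], Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["action"] == "REJECT":
            rejects[rec["srcaddr"]] += 1
        elif rec["protocol"] == 6 and rec["dstport"] not in expected_ports:
            unexpected.append((rec["srcaddr"], rec["dstport"]))
    return unexpected, rejects

if __name__ == "__main__":
    flows, rejected = analyze(SAMPLE_LOG)
    print("unexpected accepted flows:", flows)   # [('198.51.100.7', 22)]
    print("rejected flows per source:", dict(rejected))  # {'198.51.100.7': 1}
```

The same loop runs unchanged over records exported from S3 or pulled from CloudWatch Logs; if you enable a custom flow log format, adjust FIELDS to match the field order you chose.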