SEC05-BP01 Create network layers - AWS Well-Architected Framework

SEC05-BP01 Create network layers

Group components that share sensitivity requirements into layers to minimize the potential scope of impact of unauthorized access. For example, a database cluster in a virtual private cloud (VPC) with no need for internet access should be placed in subnets with no route to or from the internet. Traffic should flow only from the adjacent, next-least-sensitive layer. Consider a web application sitting behind a load balancer. Your database should not be accessible directly from the load balancer. Only the business logic or web server should have direct access to your database.

Desired outcome: Create a layered network. Layered networks help logically group similar networking components. They also shrink the potential scope of impact of unauthorized network access. A properly layered network makes it harder for unauthorized users to pivot to additional resources within your AWS environment. In addition to securing internal network paths, you should also protect your network edge, such as web applications and API endpoints.

Common anti-patterns:

  • Creating all resources in a single VPC or subnet.

  • Using overly permissive security groups.

  • Failing to use subnets.

  • Allowing direct access to data stores such as databases.

Level of risk exposed if this best practice is not established: High

Implementation guidance

Components such as Amazon Elastic Compute Cloud (Amazon EC2) instances, Amazon Relational Database Service (Amazon RDS) database clusters, and AWS Lambda functions that share reachability requirements can be segmented into layers formed by subnets. Consider deploying serverless workloads, such as Lambda functions, within a VPC or behind an Amazon API Gateway. AWS Fargate (Fargate) tasks that have no need for internet access should be placed in subnets with no route to or from the internet. This layered approach mitigates the impact of a single layer misconfiguration, which could allow unintended access. For AWS Lambda, you can run your functions in your VPC to take advantage of VPC-based controls.

For network connectivity that can include thousands of VPCs, AWS accounts, and on-premises networks, you should use AWS Transit Gateway. Transit Gateway acts as a hub that controls how traffic is routed among all the connected networks, which act like spokes. Traffic between Amazon Virtual Private Cloud (Amazon VPC) and Transit Gateway remains on the AWS private network, which reduces external exposure to unauthorized users and potential security issues. Transit Gateway Inter-Region peering also encrypts inter-Region traffic with no single point of failure or bandwidth bottleneck.

Implementation steps

  • Use Reachability Analyzer to analyze the path between a source and destination based on configuration: Reachability Analyzer allows you to automate verification of connectivity to and from VPC-connected resources. Note that this analysis is done by reviewing configuration (no network packets are sent in conducting the analysis).

  • Use Amazon VPC Network Access Analyzer to identify unintended network access to resources: Amazon VPC Network Access Analyzer allows you to specify your network access requirements and identify potential network paths.

  • Consider whether resources need to be in a public subnet: Do not place resources in public subnets of your VPC unless they absolutely must receive inbound network traffic from public sources.

  • Create subnets in your VPCs: Create subnets for each network layer (in groups that include multiple Availability Zones) to enhance micro-segmentation. Also verify that you have associated the correct route tables with your subnets to control routing and internet connectivity.

  • Use AWS Firewall Manager to manage your VPC security groups: AWS Firewall Manager helps lessen the management burden of using multiple security groups.

  • Use AWS WAF to protect against common web vulnerabilities: AWS WAF can help enhance edge security by inspecting traffic for common web vulnerabilities, such as SQL injection. It also allows you to restrict traffic from IP addresses originating from certain countries or geographical locations.

  • Use Amazon CloudFront as a content distribution network (CDN): Amazon CloudFront can help speed up your web application by storing data closer to your users. It can also improve edge security by enforcing HTTPS, restricting access to geographic areas, and ensuring that network traffic can only access resources when routed through CloudFront.

  • Use Amazon API Gateway when creating application programming interfaces (APIs): Amazon API Gateway helps publish, monitor, and secure REST, HTTP, and WebSocket APIs.
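The two layering rules described above (non-edge subnets must have no route to an internet gateway; each tier accepts traffic only from the adjacent, less sensitive tier, so the database is never reachable from the load balancer) can be checked offline against VPC configuration. The following is an added example, not AWS code or part of this page: it runs over constructed describe_*-style data, and the "tier" tag, subnet, route table, gateway and security group IDs are all assumptions.

```python
"""Offline layering check in the spirit of SEC05-BP01, over constructed
describe_*-style data (no AWS API calls). Tier tags and IDs are invented."""

# Constructed sample: a three-tier VPC. The "tier" tag is an assumed
# naming scheme, not an AWS attribute.
SUBNETS = {
    "subnet-lb":  {"tier": "edge", "route_table": "rtb-public"},
    "subnet-app": {"tier": "app",  "route_table": "rtb-private"},
    "subnet-db":  {"tier": "data", "route_table": "rtb-public"},   # misplaced
}
ROUTE_TABLES = {
    "rtb-public":  [{"dst": "10.0.0.0/16", "target": "local"},
                    {"dst": "0.0.0.0/0",   "target": "igw-EXAMPLE"}],
    "rtb-private": [{"dst": "10.0.0.0/16", "target": "local"}],
}
SECURITY_GROUPS = {
    "sg-lb":  {"tier": "edge", "ingress": [{"port": 443,  "src": "0.0.0.0/0"}]},
    "sg-app": {"tier": "app",  "ingress": [{"port": 8080, "src": "sg-lb"}]},
    "sg-db":  {"tier": "data", "ingress": [{"port": 5432, "src": "sg-app"},
                                           {"port": 5432, "src": "sg-lb"}]},  # skips app tier
}
# Each tier may accept traffic only from the adjacent, less sensitive tier.
ADJACENT = {"edge": {"internet"}, "app": {"edge"}, "data": {"app"}}


def internet_routed_subnets(subnets=SUBNETS, route_tables=ROUTE_TABLES):
    """Non-edge subnets whose route table sends traffic to an internet gateway."""
    return sorted(
        sid for sid, s in subnets.items()
        if s["tier"] != "edge"
        and any(r["target"].startswith("igw-") for r in route_tables[s["route_table"]])
    )


def layer_skipping_rules(sgs=SECURITY_GROUPS):
    """Ingress rules whose source is not the adjacent tier.

    A CIDR source is treated as 'internet': inside the VPC, rules should
    reference the neighbouring tier's security group, not an address range.
    """
    findings = []
    for sg_id, sg in sgs.items():
        for rule in sg["ingress"]:
            src_tier = sgs[rule["src"]]["tier"] if rule["src"] in sgs else "internet"
            if src_tier not in ADJACENT[sg["tier"]]:
                findings.append((sg_id, rule["port"], rule["src"]))
    return findings


if __name__ == "__main__":
    print("internet-routed non-edge subnets:", internet_routed_subnets())
    print("layer-skipping ingress rules:", layer_skipping_rules())
```

On the sample data the checker reports the database subnet that shares the public route table and the database rule that admits the load balancer's security group directly; the same logic can be fed the output of `describe_route_tables` and `describe_security_groups` once mapped into this shape.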
