Attack Surface Reduction - AWS Best Practices for DDoS Resiliency

Attack Surface Reduction

Another important consideration when architecting an AWS solution is to limit the opportunities an attacker has for targeting your application. For example, if you do not expect users to directly interact with certain resources, you can make sure that those resources are not accessible from the internet. Similarly, if you do not expect users or external applications to communicate with your application on certain ports or protocols, you can make sure that such traffic is not accepted.

This concept is known as attack surface reduction. In this section, we provide best practices to help you reduce your attack surface and limit your application’s internet exposure. Resources that are not exposed to the internet are more difficult to attack, which limits the options an attacker has to target your application’s availability.
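As an added example (not from the whitepaper), the following Python script audits security-group ingress rules, in the shape returned by `aws ec2 describe-security-groups`, for the two exposures the section describes: resources reachable from the whole internet, and ports or protocols the application is not expected to accept. The allowlist of public ports and the sample groups are constructed assumptions.

```python
# Added example (not from the AWS whitepaper): flag security-group ingress
# rules that expose resources to the whole internet on ports or protocols the
# application does not expect. Input mirrors the shape of
# `aws ec2 describe-security-groups`; the sample below is constructed.
from typing import Dict, Iterable, List

EXPECTED_PUBLIC_PORTS = {443}          # assumption: only HTTPS is meant to be public
ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"

def _ports(perm: Dict) -> str:
    """Render a rule's port range; IpProtocol -1 means all traffic."""
    if perm.get("IpProtocol") == "-1":
        return "ALL"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return str(lo) if lo == hi else f"{lo}-{hi}"

def _world_open(perm: Dict) -> bool:
    """True if any source CIDR of the rule is the entire IPv4 or IPv6 internet."""
    return (any(r.get("CidrIp") == ANY_IPV4 for r in perm.get("IpRanges", []))
            or any(r.get("CidrIpv6") == ANY_IPV6 for r in perm.get("Ipv6Ranges", [])))

def _unexpected(perm: Dict, allowed: Iterable[int]) -> bool:
    """A rule is unexpected if it covers any port outside the allowlist."""
    if perm.get("IpProtocol") == "-1":
        return True
    return any(p not in allowed for p in range(perm["FromPort"], perm["ToPort"] + 1))

def find_exposures(groups: List[Dict], allowed=EXPECTED_PUBLIC_PORTS) -> List[str]:
    """Return one finding per rule that is world-open AND outside the allowlist."""
    return [f"{sg['GroupId']}: {perm['IpProtocol']}/{_ports(perm)} open to internet"
            for sg in groups for perm in sg.get("IpPermissions", [])
            if _world_open(perm) and _unexpected(perm, allowed)]

# Constructed sample: a public web tier (acceptable) and a database host that
# should never be reachable from the internet.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": [{"CidrIpv6": ANY_IPV6}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},   # internal only: fine
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []}]},
]
if __name__ == "__main__":
    for finding in find_exposures(SAMPLE_GROUPS):
        print(finding)
```

Feeding the script real output from the CLI instead of `SAMPLE_GROUPS` turns it into a quick check that only the ports you intend to expose are actually reachable from the internet.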