Attack surface reduction

Another important consideration when architecting an AWS solution is to limit the opportunities an attacker has to target your application. This concept is known as attack surface reduction. Resources that are not exposed to the internet are more difficult to attack, which limits the options an attacker has to target your application’s availability.

For example, if you do not expect users to directly interact with certain resources, make sure that those resources are not accessible from the internet. Similarly, do not accept traffic from users or external applications on ports or protocols that aren’t necessary for communication.

In the following section, AWS provides best practices to guide you in reducing your attack surface and limiting your application’s internet exposure.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Engage SRT (Shield Advanced subscribers only)

Obfuscating AWS resources (BP1, BP4, BP5)