Security Groups and Network Access Control Lists (NACLs) (BP5) - AWS Best Practices for DDoS Resiliency

Security Groups and Network Access Control Lists (NACLs) (BP5)

You can specify security groups when you launch an instance, or you can associate the instance with a security group at a later time. All internet traffic to a security group is implicitly denied unless you create an allow rule to permit the traffic. For example, if you have a web application that uses an ELB and a number of Amazon EC2 instances, you might decide to create one security group for the ELB (ELB security group) and one for the instances (web application server security group). You can then create an allow rule to permit internet traffic to the ELB security group, and another rule to permit traffic from the ELB security group to the web application server security group. This ensures that internet traffic can’t directly communicate with your Amazon EC2 instances, which makes it more difficult for an attacker to learn about and impact your application.

When you create NACLs, you can specify both allow and deny rules. This is useful if you want to explicitly deny certain types of traffic to your application. For example, you can define IP addresses (as CIDR ranges), protocols, and destination ports that are denied access to the entire subnet. If your application is used only for TCP traffic, you can create a rule to deny all UDP traffic, or vice versa. This option is useful when responding to DDoS attacks because it lets you create your own rules to mitigate the attack when you know the source IPs or other signature.

If you are subscribed to AWS Shield Advanced, you can register Elastic IPs (EIPs) as Protected Resources. DDoS attacks against EIPs that have been registered as Protected Resources are detected more quickly, which can result in a faster time to mitigate. When an attack is detected, the DDoS mitigation systems read the NACL that corresponds to the targeted EIP and enforce it at the AWS network border. This significantly reduces your risk of impact from a number of infrastructure layer DDoS attacks.

To learn more about configuring Security Groups and NACLs to optimize for DDoS resiliency, see How to Help Prepare for DDoS Attacks by Reducing Your Attack Surface.

To learn more about using AWS Shield Advanced with EIPs as Protected Resources, see the steps to Activate AWS Shield Advanced.