This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.
Network protection
The Network Protection component provides the capability to defend the network against threats that require network movement.
Table 11 — Network protection capability and the associated AWS services
| Capability and CSF mapping | AWS service | AWS service description | Function | AWS GovCloud (US) |
|---|---|---|---|---|
| Network Protection: ID.AM-1, PR.AC-1, PR.AC-3, PR.AC-5, PR.DS-2, PR.PT-4 | Amazon CloudFront | Amazon CloudFront is a highly secure CDN that provides both network and application-level protection. | All your CloudFront distributions are defended by default against the most frequently occurring network and transport layer DDoS attacks that target your websites or applications with AWS Shield. To defend against more complex attacks, you can add a flexible, layered security perimeter by integrating CloudFront with AWS Shield Advanced and AWS WAF. | N/A |
| | Amazon EC2 Security Groups | A security group is a virtual firewall that controls inbound and outbound traffic to your network resources and Amazon EC2 instances. | Provides the capability to limit communication to allowed IP addresses. | Yes |
| | Amazon GuardDuty | Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in S3. | This control detects reconnaissance activity, such as unusual API activity, intra-VPC port scanning, unusual patterns of failed login requests, or unblocked port probing from a known bad IP address. | Yes |
| | Amazon Route 53 Resolver DNS Firewall | Protects your recursive DNS queries within the Route 53 Resolver. Create domain lists and build firewall rules that filter outbound DNS traffic against these rules. | | Yes |
| | AWS ALB | Application Load Balancer operates at the request level (layer 7), routing traffic to targets (EC2 instances, containers, IP addresses, and Lambda functions) based on the content of the request. | | Yes |
| | AWS Firewall Manager | AWS Firewall Manager is a security management service that allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations. As new applications are created, Firewall Manager makes it easy to bring new applications and resources into compliance by enforcing a common set of security rules. You have a single service to build firewall rules, create security policies, and enforce them in a consistent, hierarchical manner across your entire infrastructure, from a central administrator account. | This control enables you to centrally configure and manage firewall rules across accounts and applications. | Yes |
| | AWS Network Firewall | AWS Network Firewall is a highly available, managed network firewall service for your VPC. It enables you to easily deploy and manage stateful inspection, intrusion prevention and detection, and web filtering to help protect your virtual networks on AWS. Network Firewall automatically scales with your traffic, ensuring high availability with no additional customer investment in security infrastructure. | This control detects reconnaissance activity using signature-based detection. | Yes |
| | AWS Shield | AWS Shield is a managed DDoS protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic, inline mitigations that minimize application downtime and latency, so you don’t have to engage AWS Support to benefit from DDoS protection. | Defends against the most common, frequently occurring network and transport layer DDoS attacks that target your websites or applications. | No |
| | AWS WAF | AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules. You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that are designed for your specific application. For more information, see AWS WAF Security Automations. | Malicious sources scan and probe internet-facing web applications for vulnerabilities. They send a series of requests that generate HTTP 4xx error codes. You can use this history to help identify and block malicious source IP addresses. | Yes |
| | AWS WAF Automation | Configuring WAF rules can be challenging, especially for organizations that do not have dedicated security teams. To simplify this process, AWS offers the AWS WAF Security Automations solution, which automatically deploys a single web access control list (web ACL) with a set of AWS WAF rules that filters web-based attacks. During initial configuration of the AWS CloudFormation template … Once deployed, AWS WAF begins inspecting web requests to CloudFront distributions or Application Load Balancers, and blocks them if applicable. | This control is a solution that uses automation to quickly and easily configure AWS WAF rules that help block scanners and probes, known attacker origins, and bots and scrapers. | Yes |
| | AWS WAF Managed Rules | Managed rules for AWS WAF are a set of rules written, curated and managed by AWS Marketplace Sellers that can be easily deployed in front of your web applications running on Amazon CloudFront. | A managed service that provides protection against common application vulnerabilities or other unwanted traffic, without having to write your own rules. | No |
| | Network Access Control Lists | Similar to a firewall, Network Access Control Lists (NACLs) control traffic in and out of one or more subnets. To add an additional layer of security to your Amazon VPC, you can set up NACLs with rules similar to your security groups. | This control helps prevent attackers from scanning network resources during reconnaissance. | Yes |
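The "scanners and probes" logic that the AWS WAF and AWS WAF Security Automations rows describe (a source that accumulates HTTP 4xx responses is a candidate for blocking) can be illustrated with a small log scan. This is an added example, not the solution's own code: the access log format, the 5-minute window and the threshold of five errors are assumptions, and the log lines are constructed.

```python
"""Flag client IPs that pile up HTTP 4xx responses within a short window,
the idea behind the AWS WAF Security Automations "scanners and probes" rule.
Added illustration only; log format, window and threshold are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log: "<timestamp> <client IP> <method> <path> <status>"
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 198.51.100.7 GET /index.html 200
2024-01-01T10:00:02Z 198.51.100.7 GET /wp-login.php 404
2024-01-01T10:00:03Z 198.51.100.7 GET /.env 403
2024-01-01T10:00:04Z 198.51.100.7 GET /phpmyadmin/ 404
2024-01-01T10:00:05Z 198.51.100.7 GET /admin/ 404
2024-01-01T10:00:06Z 198.51.100.7 GET /backup.zip 404
2024-01-01T10:30:00Z 192.0.2.55 GET /old-page-1 404
2024-01-01T10:32:00Z 192.0.2.55 GET /old-page-2 404
2024-01-01T10:34:00Z 192.0.2.55 GET /old-page-3 404
2024-01-01T10:36:00Z 192.0.2.55 GET /old-page-4 404
2024-01-01T10:38:00Z 192.0.2.55 GET /old-page-5 404
"""

def parse_line(line):
    ts, ip, _method, _path, status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, int(status)

def find_probing_ips(log_text, threshold=5, window_seconds=300):
    """Return {ip: count} for IPs with at least `threshold` 4xx responses inside
    one sliding window of `window_seconds`; count is the busiest such window."""
    window = timedelta(seconds=window_seconds)
    errors = defaultdict(list)          # ip -> timestamps of its 4xx responses
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, status = parse_line(line)
            if 400 <= status < 500:
                errors[ip].append(ts)
    flagged = {}
    for ip, times in errors.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # drop errors older than the window
                start += 1
            hits = end - start + 1
            if hits >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), hits)
    return flagged                      # candidates for a WAF block IP set
```

With the defaults only the burst from 198.51.100.7 is flagged; the slow trickle of 404s from 192.0.2.55 (a user following stale links) stays under the threshold unless the window is widened.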