Study Guides/AWS Cybersecurity Notes/VPC Security: Difference between revisions
From Cramsession
Verified Author: Mflavell
Latest revision as of 18:55, 13 June 2026
VPC Security
Important terms
- Subnets - Remember each subnet must stay within its AZ. No multiple AZs or regions.
- Security groups - Think of them as firewalls assigned to the EC2 instance.
- You can have up to 5 per instance.
- These are stateful - they will remember.
- NACL - Network Access Control Lists
- Remember these are stateless - so you need to enable both directions.
- They are evaluated in order from low to high.
- A NACL will always be associated with a subnet.
- If no NACL is specified for a VPC, the VPC will be assigned a default NACL.
- NAT - Forwards traffic from a private subnet to the internet or other AWS services.
- These are not secure - never use in production.
- VPC Endpoint
- Allows a resource to connect to your AWS VPC or AWS services without the public internet.
- AWS Direct Connect
- A direct connection to AWS - no public internet.
- Elastic network interface - A virtual network card.
The NO NO IP addresses
Some IPs cannot be used.
- .0 - DUR!!
- .1 - The VPC router
- .2 - Reserved by AWS
- .3 - Reserved by AWS
- .255 - Don't think about it (broadcast address)
Basically the same as most modern networks, except AWS takes .2 and .3.
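As an added example (not part of the original notes), the reserved-address rule above applied to an arbitrary subnet CIDR in Python: it lists the five addresses AWS takes out of a subnet, counts what is left, and checks whether a given address can actually be assigned. The CIDR values and function names are constructed for the example.

```python
import ipaddress

# Offsets AWS takes from the start of every subnet, matching the list above;
# the last address (the broadcast address) is reserved as well.
RESERVED_OFFSETS = {
    0: "network address",
    1: "VPC router",
    2: "reserved by AWS",
    3: "reserved by AWS",
}


def reserved_addresses(cidr):
    """Return {address: reason} for the five addresses AWS removes from a subnet."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    if net.prefixlen > 28:  # AWS subnets must be between /16 and /28
        raise ValueError("AWS subnets must be /28 or larger")
    reserved = {str(net.network_address + off): why
                for off, why in RESERVED_OFFSETS.items()}
    reserved[str(net.broadcast_address)] = "broadcast address"
    return reserved


def usable_hosts(cidr):
    """Assignable addresses: the block size minus the five reserved ones."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    return net.num_addresses - len(reserved_addresses(cidr))


def is_assignable(cidr, address):
    """True if the address lies inside the subnet and is not one AWS reserves."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    ip = ipaddress.IPv4Address(address)
    return ip in net and str(ip) not in reserved_addresses(cidr)
```

A /28 is the smallest subnet AWS allows, and after the five reserved addresses only 11 of its 16 addresses are usable.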
Multiple VPCs
- Every region has a default VPC
- You can set up another VPC if needed.
- Remember the VPC is virtual - so setup is not a big deal.
- There is a nominal additional cost for another VPC.
Route tables
- Allows the subnet to route traffic.
- It is not a security control.
- A subnet uses the default VPC route table if no route table is defined.
By default you get the local route:
- This allows the VPC to communicate with other VPCs.
- The local route cannot be deleted.
- You can add more routes if needed.
Route terms
- Destination: The CIDR block where the traffic needs to go.
- Target: The gateway that allows the traffic to reach the destination.
- Status: Status of the route.
- Propagated: Used when the VGW (virtual private gateway) can automatically propagate routes.
- With this you do not need to enter VPN routes manually.
Flow logs
- Flow logs capture network traffic for analysis.
- Think of it like a Wireshark capture.
- Flow logs can also be configured at the VPC level - capture all traffic on the VPC.
- In the UI a tab will only configure flow logs for a particular subnet.
Why capture flow logs:
- Security incident data.
- Communication issue data.
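An added example, not from the original notes, of the "security incident data" use of flow logs: it parses a few constructed records in AWS's default (version 2) flow log field order, skips NODATA records, and summarises which source addresses had traffic REJECTed on which destination ports. The sample lines, the addresses (documentation ranges) and the function names are constructed.

```python
from collections import defaultdict

# Field order of the default (version 2) VPC Flow Log record.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample records, not a real capture; 198.51.100.0/24 and
# 203.0.113.0/24 are documentation address ranges.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 51232 22 6 3 180 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 51233 3389 6 3 180 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.25 40112 443 6 20 9000 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 51234 445 6 2 120 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.25 40113 8080 6 1 60 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000059 - NODATA
"""


def parse_record(line):
    """Parse one record; None for malformed lines and for NODATA/SKIPDATA records."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":  # the traffic fields are '-' when nothing was captured
        return None
    for field in INT_FIELDS:
        rec[field] = int(rec[field])
    return rec


def parse_log(text):
    return [r for r in (parse_record(line) for line in text.splitlines()) if r is not None]


def rejected_ports_by_source(records):
    """Map each source address to the destination ports the SG or NACL rejected."""
    ports = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT":
            ports[rec["srcaddr"]].add(rec["dstport"])
    return dict(ports)


def sources_to_triage(records, min_ports=3):
    """Sources whose rejected traffic hit at least min_ports distinct ports: a first-pass triage signal."""
    return sorted(src for src, ports in rejected_ports_by_source(records).items()
                  if len(ports) >= min_ports)
```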
CIDR Reservation and Sharing
- Allows blocks of IP addresses to be reserved.
- Sharing allows the subnet to be shared with another account in your organization.
Tags
- Help you organize subnets.
NACL Notes
- They are stateless - don't care about connection state.
- So... you need to pair inbound and outbound rules, otherwise you get connection problems (it won't warn you!).
- Think of them as an additional layer of defense.
- They work at the subnet level protecting each subnet.
- They DON'T work at the machine level - that is security groups.
- Evaluation occurs in the order of definition.
They allow traffic to be permitted or denied based on:
- IP Addresses (Source / Destination)
- Port numbers
- Protocols
NACLs are vital for defense in depth.
- Should not be your only defense in prod - use security groups and ALBs also.
A NACL must be associated with a subnet (good exam question); if it is not associated it will not work as designed.
Security Group Notes
Not the same as a NACL!
- Operate at the instance level.
- Think of it as a host firewall
- They are stateful.
Security groups are fail closed: they don't have a deny option.
- If you don't explicitly allow something it is denied.
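An added example (not the author's code) that models both the NACL notes and the security group notes above in Python: a NACL is evaluated lowest-number-first with the implicit deny-all rule, and because it is stateless the request and the reply are checked as two independent decisions, so a missing outbound ephemeral-port rule silently breaks the session; a security group, being stateful and allow-only, needs just one matching inbound rule. The rule sets, addresses (documentation ranges) and function names are constructed.

```python
import ipaddress

# NACL rule: (rule_number, protocol, port_from, port_to, cidr, action).
# The trailing '*' rule that denies everything is implicit in first_match().
# Security group rule: (protocol, port_from, port_to, cidr); there is no
# action field because a security group can only allow.


def _matches(proto, lo, hi, cidr, protocol, port, address):
    return (proto in (protocol, "all") and lo <= port <= hi
            and ipaddress.ip_address(address) in ipaddress.ip_network(cidr))


def first_match(rules, protocol, port, address):
    """NACL semantics: evaluate from the lowest rule number up; the first match decides."""
    for _num, proto, lo, hi, cidr, action in sorted(rules, key=lambda r: r[0]):
        if _matches(proto, lo, hi, cidr, protocol, port, address):
            return action
    return "deny"  # the implicit '*' rule


def nacl_allows_tcp_session(inbound, outbound, client, client_port, server_port):
    """Stateless: the request (inbound, to server_port) and the reply (outbound, to the
    client's ephemeral port) are checked independently and both must be allowed."""
    request_ok = first_match(inbound, "tcp", server_port, client) == "allow"
    reply_ok = first_match(outbound, "tcp", client_port, client) == "allow"
    return request_ok and reply_ok


def sg_allows_tcp_session(inbound, client, server_port):
    """Stateful and fail closed: one matching inbound allow is enough, the reply is
    tracked automatically, and no matching rule means denied."""
    return any(_matches(proto, lo, hi, cidr, "tcp", server_port, client)
               for proto, lo, hi, cidr in inbound)


# Constructed rule sets for a web subnet.
NACL_IN = [(90, "tcp", 443, 443, "203.0.113.0/24", "deny"),
           (100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
NACL_OUT_BROKEN = [(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]   # no ephemeral ports: replies die
NACL_OUT_OK = [(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]    # replies can leave the subnet
SG_IN = [("tcp", 443, 443, "0.0.0.0/0")]
```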
Public and Private Subnets
Subnets divide your network into logical segments.
- The subnet mask acts as the divider between the network and host portion of the address.
Subnets improve security by breaking the network up.
- A single homogeneous network is a bad idea!
- This gives you better control over resources - you have a NACL between the subnets.
AWS has two types of subnet:
- Public: Can be accessed from the internet.
- Private: No internet access.
- Use the private subnet for things that should not be directly accessible from the internet, for example databases.
What's the difference?
- A subnet is public if the IGW is attached to the VPC (data in)
- A route exists in the subnet with a default route to the IGW target (data out).
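An added example, not from the original notes, that implements the two-part public-subnet test just described, and goes slightly beyond it: a subnet with no explicit route table association falls back to the VPC's main route table (as the route table section says), and a default route whose target is a NAT gateway rather than an IGW does not make the subnet public. The VPC, subnet, route table and gateway identifiers are constructed.

```python
# Constructed inventory for one VPC (not from a real account). A subnet with no
# explicit association implicitly uses the VPC's main route table.
VPC = {"cidr": "10.0.0.0/16", "igw_attached": True, "main_route_table": "rtb-main"}
SUBNET_ASSOCIATIONS = {"subnet-web": "rtb-web", "subnet-db": None, "subnet-app": "rtb-app"}
ROUTE_TABLES = {
    "rtb-main": [("10.0.0.0/16", "local")],
    "rtb-web": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0123abcd")],
    "rtb-app": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-0123abcd")],
}


def route_table_for(subnet_id, vpc, associations):
    """An explicit association wins; otherwise the subnet uses the main route table."""
    return associations.get(subnet_id) or vpc["main_route_table"]


def subnet_is_public(subnet_id, vpc, associations, route_tables):
    """Public needs both halves: an IGW attached to the VPC (data in) and a default
    route targeting an IGW in the subnet's route table (data out)."""
    if not vpc["igw_attached"]:
        return False
    routes = route_tables[route_table_for(subnet_id, vpc, associations)]
    return any(dest == "0.0.0.0/0" and target.startswith("igw-") for dest, target in routes)


def classify_subnets(vpc, associations, route_tables):
    """Label every subnet in the inventory as public or private."""
    return {sid: ("public" if subnet_is_public(sid, vpc, associations, route_tables) else "private")
            for sid in associations}
```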
When to use a public subnet:
- Bastion hosts - So you can connect in
- Public data storage.
- Public websites and apps.
Bastion hosts
- These are essential to access EC2 instances on the private subnet.
- It's a hardened EC2 instance with a connection to both subnets.
How you use them:
- SSH to the bastion from the public internet
- Copy the pem file for the destination
- From the bastion SSH to the protected EC2 on the private subnet.
- When done delete the pem file
Harden the bastion host:
- Only allow the essential ports.
- Restrict access to a range of IP addresses (if possible).
Think about the .pem file.
- Don't store the file on the bastion host; if you do, this security is pointless.