Minimize exposure of resources to the internet
A common mistake in VPC design is the unnecessary exposure of resources to the internet. This is often due to a misunderstanding of how AWS services work together, or a lack of awareness of the security risks involved. Exposing resources to the internet increases the attack surface and can lead to security breaches if not properly managed.
For instance, it is a common misconception that web servers need to be placed in a public subnet to be accessible from the internet. If you are using an ELB, the ELB itself should be in the public subnet, while the web servers can reside in a private subnet. The ELB handles incoming internet traffic and forwards it to the web servers, keeping them shielded from direct internet access.
Another common error is placing EC2 instances in a public subnet for management purposes, such as SSH or RDP access. While this may seem convenient, it exposes these instances to potential threats from the internet. Instead, consider the following alternatives:
- Bastion host: Deploy a bastion host as a hardened, single entry point within a VPC for secure management of instances. This method minimizes direct exposure but requires diligent security practices, including applying the principle of least privilege, routine updates and patches, and comprehensive monitoring and logging.
- AWS Systems Manager (SSM) Session Manager: This enables secure instance management via a browser-based shell or CLI, using the SSM Agent running on the instance. This approach eliminates the need for open SSH/RDP ports and the management of SSH keys or Windows credentials, thereby reducing the attack surface and simplifying instance management.
- EC2 Instance Connect endpoint: This offers secure instance management without requiring an agent on the instance. It is based on VPC endpoints and leverages IAM-based permissions for improved security, effectively serving as a managed bastion service without the associated vulnerabilities.
- VPN access: This establishes a secure, encrypted VPN tunnel to manage instances, shielding your activities from internet threats and offering enhanced privacy and security.
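As an added example (not code from the original post), here is a small audit check for the mistake described above: it flags instances that carry a public IP and belong to a security group that opens SSH or RDP to the whole internet. The input lists follow the field names of boto3's `describe_instances` (flattened `Instances` entries) and `describe_security_groups` responses; the sample data and the `sg-…`/`i-…` identifiers are constructed for this example.

```python
"""Flag EC2 instances directly reachable from the internet for SSH/RDP."""
from ipaddress import ip_network

MGMT_PORTS = {22, 3389}  # SSH and RDP


def rule_opens_mgmt_port(rule):
    """True if an inbound rule allows SSH or RDP from any IPv4/IPv6 address."""
    proto = rule.get("IpProtocol")
    if proto not in ("tcp", "-1"):  # "-1" means all protocols (no port fields)
        return False
    lo = 0 if proto == "-1" else rule.get("FromPort", 0)
    hi = 65535 if proto == "-1" else rule.get("ToPort", 65535)
    if not any(lo <= p <= hi for p in MGMT_PORTS):
        return False
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    # A /0 prefix (0.0.0.0/0 or ::/0) means "anywhere".
    return any(ip_network(c).prefixlen == 0 for c in cidrs)


def exposed_instances(instances, security_groups):
    """Return IDs of instances with a public IP and a world-open 22/3389 rule."""
    open_sgs = {sg["GroupId"] for sg in security_groups
                if any(rule_opens_mgmt_port(r) for r in sg["IpPermissions"])}
    findings = []
    for inst in instances:
        if not inst.get("PublicIpAddress"):
            continue  # no public IP: not directly reachable, even with an open SG
        sg_ids = {g["GroupId"] for g in inst["SecurityGroups"]}
        if sg_ids & open_sgs:
            findings.append(inst["InstanceId"])
    return findings


# Constructed sample data shaped like the boto3 responses (not real resources).
SAMPLE_SGS = [
    {"GroupId": "sg-web", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80,
        "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-ssh-open", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
        "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-ssh-bastion", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
        "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []}]},
]
SAMPLE_INSTANCES = [
    {"InstanceId": "i-public-ssh", "PublicIpAddress": "203.0.113.10",
     "SecurityGroups": [{"GroupId": "sg-ssh-open"}]},
    {"InstanceId": "i-private", "SecurityGroups": [{"GroupId": "sg-ssh-open"}]},
    {"InstanceId": "i-public-web", "PublicIpAddress": "203.0.113.11",
     "SecurityGroups": [{"GroupId": "sg-web"}, {"GroupId": "sg-ssh-bastion"}]},
]

if __name__ == "__main__":
    print(exposed_instances(SAMPLE_INSTANCES, SAMPLE_SGS))  # ['i-public-ssh']
```

Only `i-public-ssh` is reported: the private instance shares the same open group but has no public address, and the web instance only accepts SSH from the bastion subnet.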