This is the fourth in a series of seven on the five pillars for well-architected AWS security. For the entire series, visit the Five pillars – AWS blog page here.
Many organizations make the mistake of beginning their security framework discussions around Infrastructure Protection (aka NetSec), as this was traditionally how they secured on-premises infrastructure. Companies erroneously assume that because they are leveraging a cloud infrastructure, either they will be less secure than when they “owned” all those resources, or that they can simply mirror their on-premises network security controls in the cloud.
Again, the cloud is different. The Shared Security model under which AWS operates inherently guarantees security of the network – but can’t guarantee the security of the companies who are accessing it. Or put another way, organizations using the cloud need to put security measures in place that will ensure they are not the source of threats and compromises.
In AWS, you can implement both stateful and stateless packet inspection at a very basic protection level – either AWS-native technologies can be leveraged or a number of third-party partner products and services can be acquired through the AWS Marketplace.
The Amazon Virtual Private Cloud (Amazon VPC) provides a private, secured and scalable environment – specifically designed to allow you to define your own specific topology. With the VPS environment, gateways, routing tables, and both public and private subnets can be defined and protected. Persistent defenses can be deployed by hardening configurations they develop in either Amazon EC2, ECS, or Elastic Beanstalk instances by containers and then applying these configurations to an Amazon Machine Image AMI – then, all new instances launched via this AMI will receive the same hardened configuration.
To develop a well-architected infrastructure protection pillar, customers must:
- Understand how they will protect their networks
- Understand how they will protect their compute resources
Visit the Well-Architected Labs documentation series to read more about Protecting Networks and Protecting Compute Resources.
Next week we’ll dive deeper into the 4th Pillar, Data Protection. To follow this series in its entirety, visit the Five Pillars – AWS blog page here.
Barracuda Cloud Security Guardian has been designed from the ground up to integrate with AWS and leverage built-in security and alerting features. For a free scan, visit our website here.
Rich est directeur marketing pour les produits de cloud public chez Barracuda. Il a rejoint l'équipe dans le cadre de l'acquisition de C2C Systems en 2014. Rich est l'un des experts du cloud public de Barracuda. Il travaille directement sur les écosystèmes cloud et est cité dans des ebooks de Microsoft sur la sécurisation du cloud public. Il est également contributeur régulier des blogs thématiques sur le cloud de Barracuda. Dans le cadre de notre travail sur le cloud, il aide au développement de stratégies et à leur exécution avec nos partenaires et nos équipes commerciales.
Si vous souhaitez entrer en contact avec Rich, vous pouvez vous connecter avec lui sur LinkedIn et le suivre sur Twitter.
Vous pouvez contacter Rich par e-mail à l'adresse rturner@barracuda.com.
