© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Justin Bradley, Solutions Architect
30 June 2016
Secure Networks in the Cloud: Best Practices
What to expect from the session
• What is Amazon VPC
• VPC Toolkit
• Building your VPC
• Public vs Private
• Connectivity to your Data center
• Protecting your VPC Resources
• Moving Beyond a Single VPC
• Configuring logging and monitoring
AWS Global Infrastructure
Region
Edge Location
12 Regions
33 Availability Zones
54 Edge Locations
What is Amazon VPC
What is Amazon VPC?
A private, isolated section of the AWS cloud
A virtual network topology you can deploy and customize
You have complete control of your networking
Proven and well-understood networking concepts
Most simply put, it is a virtual data center you can build out and control on AWS!
VPC Toolbox
VPC components
Amazon VPC
Subnet
Route table
router
Elastic network interface
Elastic IP
Internet gateway
VPC NAT gateway
customer gateway
VPN gateway
VPN connection
VPC peering
endpoints
flow logs
AWS Direct Connect
Building your VPC
VPCs span an entire region
Availability Zone A, Availability Zone B
VPC CIDR: 10.1.0.0/16
Subnets sit in a single Availability Zone
Availability Zone A: Subnet (10.1.1.0/24)
Availability Zone B: Subnet (10.1.2.0/24)
VPC CIDR: 10.1.0.0/16
Plan your VPC IP space before creating it
• Consider future AWS region expansion
• Consider future connectivity to your internal networks
• Consider subnet design
• VPC can be /16 down to /28
• CIDR cannot be modified after creation
• Overlapping IP spaces = future headache
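The checks behind these bullets, as an added example that is not part of the deck: it validates a proposed VPC CIDR against the /16 to /28 limit and against ranges it must not overlap (the on-premises 192.168.0.0/16 and the other VPCs from the later slides), then carves the per-AZ public and private /24 subnets the diagrams use. The function names and the existing-network dictionary are my assumptions.

```python
import ipaddress

# Limits stated on the slide: a VPC CIDR must be between /16 and /28.
VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28


def check_vpc_cidr(candidate, existing):
    """Return a list of problems with a proposed VPC CIDR (empty list = OK).

    candidate: CIDR string for the new VPC
    existing:  dict name -> CIDR of networks that must not overlap it
               (other VPCs, on-premises ranges reachable over VPN/Direct Connect)
    """
    try:
        net = ipaddress.ip_network(candidate, strict=True)
    except ValueError as exc:  # e.g. host bits set, such as 10.1.0.1/16
        return [f"{candidate}: {exc}"]
    problems = []
    if not (VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX):
        problems.append(f"{candidate}: prefix /{net.prefixlen} outside /16../28")
    if not net.is_private:
        problems.append(f"{candidate}: not an RFC 1918 range")
    for name, cidr in existing.items():
        other = ipaddress.ip_network(cidr)
        if net.overlaps(other):
            problems.append(f"{candidate} overlaps {name} ({cidr})")
    return problems


def carve_subnets(vpc_cidr, azs, tiers, prefix=24):
    """Carve one /prefix subnet per (AZ, tier): all public subnets across the AZs
    first, then the private ones, which is the numbering the slides use."""
    pool = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=prefix)
    next(pool)  # constructed choice: skip the first /24 so numbering starts at .1.0 as on the slides
    plan = {}
    for tier in tiers:
        for az in azs:
            plan[(az, tier)] = str(next(pool))
    return plan


if __name__ == "__main__":
    # Constructed inventory: the deck's other VPCs plus the on-premises range
    existing = {"on-prem": "192.168.0.0/16", "vpc-b": "10.2.0.0/16", "vpc-c": "10.3.0.0/16"}
    for cidr in ("10.1.0.0/16", "192.168.10.0/24", "10.5.0.0/29"):
        print(cidr, check_vpc_cidr(cidr, existing) or "OK")
    for key, subnet in carve_subnets("10.1.0.0/16", ["a", "b"], ["public", "private"]).items():
        print(key, subnet)
```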
Add an Internet Gateway
Availability Zone A: Subnet (10.1.1.0/24) Web (public)
Availability Zone B: Subnet (10.1.2.0/24) Web (public)
VPC CIDR: 10.1.0.0/16
Route Table
Destination Target
10.1.0.0/16 Local
0.0.0.0/0 Internet Gateway
Add private subnets
Availability Zone A: Subnet (10.1.1.0/24) Web (public), Subnet (10.1.3.0/24) Database (private)
Availability Zone B: Subnet (10.1.2.0/24) Web (public), Subnet (10.1.4.0/24) Database (private)
VPC CIDR: 10.1.0.0/16
Route Table (private subnets)
Destination Target
10.1.0.0/16 Local
Route Table (public subnets)
Destination Target
10.1.0.0/16 Local
0.0.0.0/0 Internet Gateway
NAT Gateway
Availability Zone A: Subnet (10.1.1.0/24) Web (public), Subnet (10.1.3.0/24) Database (private)
Availability Zone B: Subnet (10.1.2.0/24) Web (public), Subnet (10.1.4.0/24) Database (private)
VPC CIDR: 10.1.0.0/16
VPC NAT gateway (in a public subnet)
Route Table (private subnets)
Destination Target
10.1.0.0/16 Local
0.0.0.0/0 NAT Gateway (ENI)
Route Table (public subnets)
Destination Target
10.1.0.0/16 Local
0.0.0.0/0 Internet Gateway
Connect to your data center
VPC: 10.1.0.0/16
Availability Zone A: Subnet (10.1.1.0/24), Subnet (10.1.3.0/24)
Availability Zone B: Subnet (10.1.2.0/24), Subnet (10.1.4.0/24)
Data center: 192.168.0.0/16, Internal Server
Route Table (private subnets)
Destination Target
10.1.0.0/16 Local
192.168.0.0/16 VPG
0.0.0.0/0 NAT Gateway
Route Table (public subnets)
Destination Target
10.1.0.0/16 Local
0.0.0.0/0 IGW
Protecting your VPC resources
Protecting your VPC resources
Network Linking: Public / Elastic IP, Internet gateway, VPN connection, VPC peering, AWS Direct Connect
Endpoint Routing: route table, endpoints
Auditing: flow logs, CloudTrail
Protecting your VPC resources
Network Linking: Public / Elastic IP, Internet gateway, VPN connection, VPC peering, AWS Direct Connect
Endpoint Routing: route table
Security Group Ingress/Egress Rules: Fleet 1 SG, Fleet 2 SG, App 1 SG, App 2 SG
Network Access Control Lists: Subnet (10.1.1.0/24), Subnet (10.1.2.0/24)
Virtual Private Cloud Security Layers
Router: Virtual Private Gateway, Internet Gateway
Availability Zone A: Subnet 10.0.0.0/24, Routing Table, Network ACL, Security Group
Availability Zone B: Subnet 10.0.1.0/24, Routing Table, Network ACL, Security Group
Security Group: lockdown at instance level
Subnet: isolate network functions
Network ACL: lockdown at network level
Routing Table: route restrictively
VPC Security Groups
VPC (BuildABeer-VPC-1), security group (BuildABeer-SG-1)
HTTP GET Beer: TCP(6) Port(80)
NTP Buffer Overrun: UDP(17) Port(123)
Network ACL
VPC (BuildABeer-VPC-1), security group (BuildABeer-SG-1)
HTTP GET Beer: TCP(6) Port(80)
HTTP GET Beer: TCP(6) Port(80), srcIP=216.246.16.228
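The difference between the two layers on these slides, worked through as an added example (not from the deck): a stateful security group that only allows TCP/80, so the NTP UDP/123 packet is dropped and the HTTP reply passes without an egress rule, beside a stateless network ACL whose numbered deny rule drops HTTP from srcIP 216.246.16.228 and which needs an explicit outbound rule for the client's ephemeral port. The rule sets, client addresses and ports are constructed.

```python
import ipaddress

# Constructed rules for the BuildABeer example on the slides.
# Security groups: allow rules only, stateful (replies to an allowed flow pass automatically).
SG_INGRESS = [{"proto": "tcp", "ports": (80, 80), "cidr": "0.0.0.0/0"}]
# Network ACLs: numbered allow/deny rules evaluated in order, stateless, implicit deny at the end.
NACL_INBOUND = [
    {"num": 50, "proto": "tcp", "ports": (80, 80), "cidr": "216.246.16.228/32", "action": "deny"},
    {"num": 100, "proto": "tcp", "ports": (80, 80), "cidr": "0.0.0.0/0", "action": "allow"},
]
NACL_OUTBOUND = [  # replies go back to the client's ephemeral port, so that range must be allowed
    {"num": 100, "proto": "tcp", "ports": (1024, 65535), "cidr": "0.0.0.0/0", "action": "allow"},
]


def _matches(rule, proto, port, addr):
    lo, hi = rule["ports"]
    return (rule["proto"] == proto and lo <= port <= hi
            and ipaddress.ip_address(addr) in ipaddress.ip_network(rule["cidr"]))


def nacl_decision(rules, proto, port, addr):
    """Stateless check of one packet: lowest-numbered matching rule wins, no match = deny."""
    for rule in sorted(rules, key=lambda r: r["num"]):
        if _matches(rule, proto, port, addr):
            return rule["action"]
    return "deny"


class SecurityGroup:
    """Stateful check: an accepted inbound flow implicitly allows its return traffic."""

    def __init__(self, ingress, egress=()):
        self.ingress, self.egress = ingress, list(egress)
        self.flows = set()  # (peer addr, proto, peer port, local port) of accepted flows

    def inbound(self, src, proto, sport, dport):
        if any(_matches(r, proto, dport, src) for r in self.ingress):
            self.flows.add((src, proto, sport, dport))
            return "allow"
        return "deny"

    def outbound(self, dst, proto, sport, dport):
        if (dst, proto, dport, sport) in self.flows:  # reply to a tracked flow
            return "allow"
        return "allow" if any(_matches(r, proto, dport, dst) for r in self.egress) else "deny"


def http_request(sg, client_ip, client_port, nacl_out=NACL_OUTBOUND):
    """Trace one HTTP request and its reply through the NACL and the security group."""
    if nacl_decision(NACL_INBOUND, "tcp", 80, client_ip) == "deny":
        return {"request": "denied by NACL", "reply": "n/a"}
    if sg.inbound(client_ip, "tcp", client_port, 80) == "deny":
        return {"request": "denied by SG", "reply": "n/a"}
    reply_sg = sg.outbound(client_ip, "tcp", 80, client_port)
    reply_nacl = nacl_decision(nacl_out, "tcp", client_port, client_ip)
    ok = reply_sg == "allow" and reply_nacl == "allow"
    return {"request": "allowed", "reply": "allowed" if ok else f"sg={reply_sg} nacl={reply_nacl}"}


if __name__ == "__main__":
    sg = SecurityGroup(SG_INGRESS)  # constructed: no egress rules, to isolate the stateful reply path
    print("HTTP GET Beer:", http_request(sg, "203.0.113.10", 50000))
    print("HTTP from the denied source:", http_request(sg, "216.246.16.228", 50000))
    print("NTP UDP/123 at the SG:", sg.inbound("203.0.113.10", "udp", 123, 123))
    print("reply with no outbound NACL rule:", http_request(sg, "203.0.113.11", 50001, nacl_out=[]))
```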
Obfuscate - CloudFront
VPC (BuildABeer-VPC-1)
Users
Amazon Route 53
CloudFront
Hide 'n' go seek
~>nslookup www.buildabeer.com
Server: 10.43.23.72
Address: 10.43.23.72#53

Non-authoritative answer:
www.buildabeer.us canonical name = d3u9qbug2y23to.cloudfront.net.
Name: d3u9qbug2y23to.cloudfront.net
Address: 52.84.20.173
<snip>
Name: d3u9qbug2y23to.cloudfront.net
Address: 52.84.20.85
Moving Beyond a Single VPC
Why have more than one?
Application isolation
Scope of audit containment (separate AWS Accounts)
Risk level separation
Separate production from non-production
Multi-tenant isolation
Business unit alignment
Growing your VPCs
VPC A: Web App
HA Pair of VPN Endpoints
VPC A: Internal App
VPC B: Internal App
VPC C: Internal App
VPC D: Internal App
VPC (N): Internal App
Connecting your VPCs (VPC Peering)
Now, with VPC Peering, you can connect VPCs together within a Region without having to maintain all the VPN overhead.
Peering creates a private network connection between any two VPCs in a region
Including cross-account VPC Peering
Common Design – Shared Services VPC
VPC A 10.1.0.0/16 (shared services), peered with VPC B 10.2.0.0/16 (pcx-aaaabbbb), VPC C 10.3.0.0/16 (pcx-aaaacccc) and VPC D 10.4.0.0/16 (pcx-aaaadddd); data center 10.0.0.0/16
• Move shared services such as Active Directory, Logging and Monitoring to a shared services VPC
• None of the other VPCs can send traffic directly to each other through VPC A (= app isolation)
• Only VPC A has direct network access to your data center via a VPN
• Security Groups and NACLs still apply
Common Design – Shared Services VPC: Route Tables
VPC A 10.1.0.0/16, VPC B 10.2.0.0/16, VPC C 10.3.0.0/16, VPC D 10.4.0.0/16; data center 10.0.0.0/16; peerings pcx-aaaabbbb, pcx-aaaacccc, pcx-aaaadddd
VPC A's route table
  Destination Target
  10.1.0.0/16 Local
  10.2.0.0/16 pcx-aaaabbbb
  10.3.0.0/16 pcx-aaaacccc
  10.4.0.0/16 pcx-aaaadddd
  10.0.0.0/16 VPG1
VPC B's route table
  Destination Target
  10.2.0.0/16 Local
  10.1.0.0/16 pcx-aaaabbbb
VPC C's route table
  Destination Target
  10.3.0.0/16 Local
  10.1.0.0/16 pcx-aaaacccc
VPC D's route table
  Destination Target
  10.4.0.0/16 Local
  10.1.0.0/16 pcx-aaaadddd
Simplify with AWS Direct Connect
Customer data center, connected to the AWS Direct Connect location
VPC set 1: VPC A 10.1.0.0/16, VPC B 10.2.0.0/16, VPC C 10.3.0.0/16, VPC D 10.4.0.0/16 (peerings pcx-aaaabbbb, pcx-aaaacccc, pcx-aaaadddd)
VPC set 2: VPC A 10.5.0.0/16, VPC B 10.6.0.0/16, VPC C 10.7.0.0/16, VPC D 10.8.0.0/16 (peerings pcx-aaaabbbb, pcx-aaaacccc, pcx-aaaadddd)
VPC set 3: VPC A 10.9.0.0/16, VPC B 10.10.0.0/16, VPC C 10.11.0.0/16, VPC D 10.12.0.0/16 (peerings pcx-aaaabbbb, pcx-aaaacccc, pcx-aaaadddd)
Configuring logging and monitoring
Services
• AWS CloudTrail
• VPC Flow Logs
AWS CloudTrail
Introduction to AWS CloudTrail
You are making API calls...
On a growing set of AWS services around the world...
CloudTrail is continuously recording API calls
Amazon Elastic Block Store (Amazon EBS)
Amazon S3 bucket
Store / archive
Troubleshoot
Monitor and alarm
Use cases enabled by CloudTrail
• IT and security administrators can perform security analysis
• IT administrators and DevOps engineers can attribute changes on AWS resources to the identity, time and other critical details of who made the change
• DevOps engineers can troubleshoot operational issues
• IT auditors can use log files as a compliance aid
• See: Security at Scale: Logging in AWS White Paper
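The attribution use case above, as an added example that is not part of the deck: it reads a CloudTrail log file, keeps the EC2 calls that change a VPC's network posture (security group, NACL and route changes), and for each one records who made it, when, from which address and whether a security-group change opened a port to 0.0.0.0/0. The log file is constructed (its envelope and field names follow the CloudTrail event format; identities, IDs and addresses are made up), and the event list and function names are my assumptions.

```python
import json

# Constructed CloudTrail log file: two records, one security-group change and one read-only call
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventVersion": "1.05", "eventTime": "2016-06-30T09:15:02Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "awsRegion": "eu-central-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "192.168.0.0/16"}]}}]}}},
    {"eventVersion": "1.05", "eventTime": "2016-06-30T09:16:40Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "eu-central-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {}},
]})

# EC2 API calls that change the network security posture of a VPC (assumed watch list)
NETWORK_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateNetworkAclEntry", "ReplaceNetworkAclEntry", "DeleteNetworkAclEntry",
    "CreateRoute", "ReplaceRoute", "DeleteRoute",
}
WORLD = {"0.0.0.0/0", "::/0"}


def world_open_ports(record):
    """Ports a security-group change opens to the whole internet, as (proto, from, to)."""
    perms = record.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    found = []
    for perm in perms:
        cidrs = {r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])}
        cidrs |= {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])}
        if cidrs & WORLD:
            found.append((perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")))
    return found


def attribute_changes(log_text):
    """Who changed what, when and from where, for every network-change event in the file."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "ec2.amazonaws.com" or rec["eventName"] not in NETWORK_CHANGE_EVENTS:
            continue
        findings.append({
            "who": rec["userIdentity"].get("arn"),
            "when": rec["eventTime"],
            "what": rec["eventName"],
            "target": rec.get("requestParameters", {}).get("groupId"),
            "from_ip": rec.get("sourceIPAddress"),
            "world_open": world_open_ports(rec) if rec["eventName"].startswith("Authorize") else [],
        })
    return findings


if __name__ == "__main__":
    for finding in attribute_changes(SAMPLE_LOG_FILE):
        print(finding)
```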
VPC Flow Logs
Dumping out the heavy hitter IP addresses

#!/usr/bin/python3
import boto3
from collections import Counter

# Get the service client for CloudWatch Logs, where VPC Flow Logs are delivered
logs = boto3.client('logs')

# Count flow log records by source IP across all log groups and streams.
# Default flow log record layout (whitespace separated):
#   version account-id interface-id srcaddr dstaddr srcport dstport protocol
#   packets bytes start end action log-status
# so srcaddr is field index 3
ip_counts = Counter()

# Get the log groups
groups = logs.describe_log_groups()
for logGroup in groups['logGroups']:
    # Get the log streams (one per network interface) for each log group
    logStreamsDesc = logs.describe_log_streams(logGroupName=logGroup['logGroupName'])
    for logStream in logStreamsDesc['logStreams']:
        events_resp = logs.get_log_events(logGroupName=logGroup['logGroupName'],
                                          logStreamName=logStream['logStreamName'])
        # Store each log entry by the src IP address
        for event in events_resp['events']:
            ip_counts[event['message'].split()[3]] += 1

# Print the busiest source addresses first
for ip, count in ip_counts.most_common():
    print('{0:15} {1:8d}'.format(ip, count))
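A parser for the default flow log record layout that the script above splits by hand, as an added example not taken from the deck: it names the fields, skips NODATA records, and instead of counting every record it counts REJECTs per source and lists sources that were rejected on several distinct destination ports, which is what a defender usually wants from flow logs. The records are constructed and the three-port threshold is an assumption.

```python
from collections import Counter, defaultdict

# Default VPC Flow Logs record layout (space separated)
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()

# Constructed sample records (not real traffic): one accepted HTTP flow, one source probing
# several ports and being rejected, one rejected HTTPS attempt, and a NODATA record
SAMPLE_RECORDS = """\
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.1.1.10 51321 80 6 8 2400 1467277200 1467277260 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.23 10.1.1.10 40001 22 6 1 44 1467277200 1467277260 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.23 10.1.1.10 40002 23 6 1 44 1467277200 1467277260 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.23 10.1.1.10 40003 3389 6 1 44 1467277200 1467277260 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.23 10.1.1.10 40004 445 6 1 44 1467277200 1467277260 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.1.1.10 51322 443 6 1 60 1467277200 1467277260 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1467277200 1467277260 - NODATA
"""


def parse_record(line):
    """Turn one flow log line into a dict keyed by field name; None if it is not a usable record."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log-status"] != "OK":
        return None  # NODATA / SKIPDATA records carry no flow fields
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def reject_summary(text, min_ports=3):
    """Count REJECTs per source and list sources rejected on >= min_ports distinct
    destination ports (the threshold is an assumption; tune it to the environment)."""
    rejects = Counter()
    ports = defaultdict(set)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec and rec["action"] == "REJECT":
            rejects[rec["srcaddr"]] += 1
            ports[rec["srcaddr"]].add(rec["dstport"])
    probing = sorted(src for src, seen in ports.items() if len(seen) >= min_ports)
    return rejects, probing


if __name__ == "__main__":
    rejects, probing = reject_summary(SAMPLE_RECORDS)
    for src, count in rejects.most_common():
        print("{0:15} {1:8d}".format(src, count))
    print("sources rejected on several ports:", probing)
```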
Partners
Justin Bradley