Implement inspection and protection

PostedNovember 28, 2024

UpdatedMarch 21, 2025

ByKevin McCaffrey

Ensuring the security of your network resources is vital in safeguarding against both external and internal threats. By implementing a multi-layered defense strategy, you can inspect, filter, and manage traffic to create stronger protections against various attacks and vulnerabilities.

Best Practices

Implement Network Traffic Inspection

Utilize AWS VPC Network Access Analyzer to assess your VPC configurations for any unintended access paths. This proactive inspection helps in identifying vulnerabilities in your network setup.
Deploy AWS GuardDuty for continuous monitoring of malicious or unauthorized behavior within your AWS environment. GuardDuty can detect anomalous API calls, account compromise, and other threats effectively.
Regularly review and strengthen security group rules and network ACLs to enforce the principle of least privilege. This means limiting traffic to only what is necessary for your applications to function.

Integrate Web Application Firewall (WAF)

Implement AWS WAF to protect your web applications from common exploits that could affect application availability, compromise security, or consume excessive resources.
Create custom rules that align with your application use case. This can include rules to protect against SQL injection and cross-site scripting (XSS).
Combine AWS Managed Rules with your own custom rules to benefit from a community-driven approach while tailoring security to your specific needs.

Utilize Encryption for Data in Transit

Ensure all data transmitted across your network is encrypted using protocols such as TLS to protect sensitive information from being intercepted.
Configure AWS services to enforce TLS connections where applicable, which includes load balancers and API Gateway.

Monitor and Audit Network Activities

Leverage AWS CloudTrail to log and monitor API calls made on your account. This provides visibility into user activity and helps in the detection of unauthorized actions.
Set up Amazon CloudWatch alarms to alert on unusual traffic patterns or potential attacks, enabling quick response to threats.

Questions to ask your team

Have you implemented a VPC Network Access Analyzer to evaluate network configurations for unintended access?
What measures are in place to monitor and filter traffic at each network layer?
Are you using AWS WAF or any other web application firewall to protect your web applications against common attacks?
Have you configured custom rules in addition to AWS Managed Rules for your web application firewall?
Is there an ongoing review process to adapt your traffic inspection and filtering as your application evolves?

Who should be doing this?

Cloud Security Architect

Design and implement security architectures for network resources.
Ensure the deployment of multi-layered security measures to protect against threats.
Select and configure AWS WAF with appropriate rules for traffic filtering.
Regularly review and update security policies and firewall rules.

Network Security Engineer

Conduct inspections of network traffic and configurations using VPC Network Access Analyzer.
Monitor network traffic for unusual patterns or potential threats.
Implement and manage the configuration of network access controls.
Collaborate with the Cloud Security Architect to apply security best practices.

DevOps Engineer

Integrate security practices into the CI/CD pipeline.
Automate the deployment of security tools and updates.
Ensure compliance with security measures during application deployment.
Work alongside security teams to implement findings from network security inspections.

What evidence shows this is happening in your organization?

Network Security Inspection Policy: A comprehensive policy that outlines procedures for inspecting and filtering network traffic, including the use of AWS WAF and VPC Network Access Analyzer to identify potential vulnerabilities and safeguard against unauthorized access.
Traffic Filtering Checklist: A detailed checklist for implementing traffic filtering mechanisms within AWS infrastructures, ensuring all necessary configurations and rules are applied for AWS WAF and VPC settings.
Network Protection Strategy Document: A strategic document outlining the multi-layered approach to network security, including the integration of AWS Managed Rules with customer-defined rules to enhance protection against network threats.
AWS WAF Configuration Playbook: A practical playbook detailing the step-by-step guide for configuring AWS WAF, including the implementation of custom rules and the integration of existing partner solutions for enhanced security.
VPC Security Diagram: A visual diagram illustrating the architecture of the VPC with implemented security measures, showing layers of defenses, traffic inspection points, and how different AWS services interact to secure network resources.
Incident Response Runbook for Network Threats: A runbook designed to guide teams in responding to identified network threats, detailing the actions to take once an intrusion or vulnerability is detected, including the use of inspection tools.

Cloud Services

AWS

AWS WAF: AWS WAF helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources.
AWS Shield: AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS.
Amazon VPC Network Access Analyzer: This tool helps you identify network access configurations that can lead to unintended access to your Amazon VPC resources.
AWS Config: AWS Config enables you to assess, audit, and evaluate the configurations of your AWS resources, providing the visibility you need to maintain security compliance.

Azure

Azure Firewall: Azure Firewall is a managed, cloud-based network security service that protects Azure Virtual Network resources.
Azure DDoS Protection: Azure DDoS Protection provides enhanced DDoS attack mitigation for your Azure applications.
Azure Network Security Groups: Network Security Groups (NSGs) contain security rules that allow or deny inbound or outbound network traffic to and from the Azure resources.
Azure Bastion: Azure Bastion provides secure and seamless RDP and SSH connectivity to your virtual machines directly through the Azure portal.

Google Cloud Platform

Google Cloud Armor: Google Cloud Armor provides DDoS protection and helps protect your backend services from attacks.
Identity-Aware Proxy (IAP): IAP secures applications by controlling access to your applications based on the identity of the user and the context of their request.
Cloud Pub/Sub: Cloud Pub/Sub provides a reliable way to send and receive messages between independent applications, ensuring a secure communication channel.
Google Cloud VPC Firewall Rules: Firewall rules allow you to define the traffic allowed to and from your Virtual Private Cloud (VPC) network resources.

Question: How do you protect your network resources?
Pillar: Security (Code: SEC)

Operational Excellence

Determine what your priorities are

Structure your organization to support your business outcomes

Organizational culture to support your business outcomes

Implement observability in your workload

Reduce defects, ease remediation, and improve flow into production

Mitigate deployment risks

Be ready to support a workload

Uilize workload observability

Understand the health of your operations

Manage workload and operations events

Evolve your operations

Security

Securely operate your workload

Manage identities for people and machines

Manage permissions for people and machines

Detect and investigate security events

Protect your network resources

Protect your compute resources

Classify your data

Protect your data at rest

Protect your data in transit

Anticipate, respond to, and recover from incidents

Incorporate and validate the security properties of applications throughout the design, development, and deployment lifecycle

Reliability

Manage service quotas and constraints

Plan your network topology

Design your workload service architecture

Design interactions in a distributed system to prevent failures

Design interactions in a distributed system to mitigate or withstand failures

Monitor workload resources

Design your workload to adapt to changes in demand

Implement change

Back up data

Fault isolation to protect your workload

Design your workload to withstand component failures

Test reliability

Plan for disaster recovery (DR)

Cost Optimization

Implement cloud financial management

Govern usage

Monitor your cost and usage

Decommission resources

Evaluate cost when you select services

Meet cost targets when you select resource type, size and number

Use pricing models to reduce cost

Plan for data transfer charges

Manage demand, and supply resources

Evaluate new services

Evaluate the cost of effort

Performance

Select the appropriate cloud resources and architecture patterns for your workload

Select and use compute resources in your workload

Store, manage, and access data in your workload

Select and configure networking resources in your workload

Support more performance efficiency for your workload

Sustainability

Select Regions for your workload

Align cloud resources to your demand

Take advantage of software and architecture patterns to support your sustainability goals

Take advantage of data management policies and patterns to support your sustainability goals

Select and use cloud hardware and services in your architecture to support your sustainability goals

Implement organizational processes support your sustainability goals