Create network layers
To protect network resources, grouping components into network layers based on their sensitivity is crucial. By segmenting resources with similar security and sensitivity requirements, you can minimize the scope of impact from unauthorized access. Each layer should have carefully controlled traffic flow, and only trusted and necessary communications should be allowed between layers. This layered approach strengthens network defenses by isolating sensitive components, reducing the attack surface, and limiting access to critical resources.
- Segment sensitive resources into layers: Place sensitive components, such as databases or critical applications, in separate network layers. For example, a database should be placed in a private subnet without internet access, while only specific application servers in a different layer can communicate with it. This reduces the risk of unauthorized access or data exposure.
- Control traffic between layers: Implement strict security controls to manage traffic between layers. Use security groups and network access control lists (ACLs) to allow only necessary communication between components. For example, a web server can communicate with a database server, but the database should not be directly accessible from the internet or from unrelated components in the network.
- Use isolated subnets for internet-exposed and private resources: Place public-facing resources, such as web servers, in subnets that are configured to access the internet, but restrict internal resources, like databases or application servers, to private subnets with no internet access. This ensures that only trusted components can communicate with sensitive data stores.
- Implement VPC peering or private connections for inter-layer communication: Use VPC peering, AWS Transit Gateway, or private connections such as AWS PrivateLink to securely route traffic between layers without exposing traffic to the public internet. This ensures that inter-layer communication happens securely over private networks.
- Apply least privilege to network flows: Ensure that network traffic is allowed only where explicitly required. For instance, the web layer should communicate with the application layer, but the application layer should be the only one with direct access to the database. This principle of least privilege in network flows helps limit the scope of potential attacks.
- Use network monitoring and logging: Continuously monitor traffic between network layers with Amazon VPC Flow Logs, and track changes to the network configuration (security groups, network ACLs, route tables) with AWS CloudTrail. Logging both the traffic and the configuration changes allows you to detect suspicious activity, track access patterns, and respond to potential threats.
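The following Python script is an added example (it is not code from the AWS Well-Architected guidance or from AWS) of how the steps above can be checked mechanically. It encodes a three-layer model (internet -> web -> app -> db) as an explicit allow-list of flows, then evaluates two kinds of evidence against that one model: inbound security group rules (the control) and VPC Flow Log records in the default version 2 format (the observed traffic). It goes slightly beyond the text by treating a CIDR wider than a single layer's subnet, such as the whole VPC, as untrusted, and by recognising the return half of an allowed connection so that reply traffic is not reported. All CIDRs, security group ids, the account id and the log lines are constructed placeholders.

```python
"""Check a layered network (internet -> web -> app -> db) against security group
rules and VPC Flow Log records. Added example; every CIDR, security group id,
account id and log line below is a constructed placeholder."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNET = "internet"  # anything outside the defined layers

# One subnet and one security group per layer (constructed values).
LAYERS = {
    "web": {"cidr": ip_network("10.0.1.0/24"), "sg": "sg-web-layer"},
    "app": {"cidr": ip_network("10.0.2.0/24"), "sg": "sg-app-layer"},
    "db": {"cidr": ip_network("10.0.3.0/24"), "sg": "sg-db-layer"},
}
SG_TO_LAYER = {layer["sg"]: name for name, layer in LAYERS.items()}

# Least-privilege policy: (source layer, destination layer, destination port).
ALLOWED_FLOWS = {(INTERNET, "web", 443), ("web", "app", 8080), ("app", "db", 5432)}


def layer_of(addr: str) -> str:
    """Map an IP address to its layer; addresses outside every layer are internet."""
    ip = ip_address(addr)
    for name, layer in LAYERS.items():
        if ip in layer["cidr"]:
            return name
    return INTERNET


@dataclass(frozen=True)
class SgRule:
    group_id: str  # group the rule is attached to, i.e. the destination layer
    port: int
    source: str  # a CIDR such as "10.0.2.0/24" or a security group id "sg-..."


def source_layer(source: str) -> str:
    """Resolve a rule source to a layer. A CIDR wider than one layer's subnet
    (0.0.0.0/0, the whole VPC) fits no layer and is treated as internet."""
    if source.startswith("sg-"):
        return SG_TO_LAYER.get(source, INTERNET)
    net = ip_network(source)
    for name, layer in LAYERS.items():
        if net.subnet_of(layer["cidr"]):
            return name
    return INTERNET


def check_sg_rules(rules):
    """Return (rule, reason) pairs for inbound rules not covered by ALLOWED_FLOWS."""
    findings = []
    for rule in rules:
        dst = SG_TO_LAYER.get(rule.group_id)
        if dst is None:
            findings.append((rule, "security group is not in the layer model"))
            continue
        src = source_layer(rule.source)
        if (src, dst, rule.port) not in ALLOWED_FLOWS:
            findings.append((rule, f"{src} -> {dst}:{rule.port} is not an allowed flow"))
    return findings


def parse_flow_log(line: str) -> dict:
    """Parse a default-format (version 2) record: version account-id interface-id
    srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status."""
    f = line.split()
    if len(f) != 14:
        raise ValueError(f"expected 14 fields, got {len(f)}: {line!r}")
    return {"srcaddr": f[3], "dstaddr": f[4], "srcport": int(f[5]),
            "dstport": int(f[6]), "action": f[12]}


def check_flow_logs(lines):
    """Return (line, reason) pairs for ACCEPTed records outside the policy. REJECTed
    records (the controls worked) and the return half of an allowed flow are skipped."""
    findings = []
    for line in lines:
        rec = parse_flow_log(line)
        if rec["action"] != "ACCEPT":
            continue
        src, dst = layer_of(rec["srcaddr"]), layer_of(rec["dstaddr"])
        if dst == INTERNET or (dst, src, rec["srcport"]) in ALLOWED_FLOWS:
            continue  # egress is out of scope here; reply traffic is expected
        if (src, dst, rec["dstport"]) not in ALLOWED_FLOWS:
            findings.append((line, f"accepted {src} -> {dst}:{rec['dstport']}"))
    return findings


# Constructed inputs: the last two rules and two ACCEPT records break the policy.
SAMPLE_SG_RULES = [
    SgRule("sg-web-layer", 443, "0.0.0.0/0"),
    SgRule("sg-app-layer", 8080, "sg-web-layer"),
    SgRule("sg-db-layer", 5432, "sg-app-layer"),
    SgRule("sg-db-layer", 5432, "10.0.0.0/16"),  # whole VPC can reach the database
    SgRule("sg-db-layer", 22, "sg-web-layer"),  # web layer can SSH straight to the database
]
SAMPLE_FLOW_LOG = [
    "2 111122223333 eni-web00001 203.0.113.10 10.0.1.15 51000 443 6 12 2400 1700000000 1700000060 ACCEPT OK",
    "2 111122223333 eni-app00001 10.0.1.15 10.0.2.20 52000 8080 6 8 1600 1700000000 1700000060 ACCEPT OK",
    "2 111122223333 eni-db000001 10.0.2.20 10.0.3.25 53000 5432 6 6 1200 1700000000 1700000060 ACCEPT OK",
    "2 111122223333 eni-db000001 10.0.3.25 10.0.2.20 5432 53000 6 6 1800 1700000000 1700000060 ACCEPT OK",
    "2 111122223333 eni-db000001 10.0.1.15 10.0.3.25 54000 5432 6 4 800 1700000000 1700000060 ACCEPT OK",
    "2 111122223333 eni-db000001 198.51.100.7 10.0.3.25 55000 5432 6 1 60 1700000000 1700000060 REJECT OK",
    "2 111122223333 eni-db000001 198.51.100.7 10.0.3.25 55001 5432 6 3 180 1700000000 1700000060 ACCEPT OK",
]

if __name__ == "__main__":
    for item, why in check_sg_rules(SAMPLE_SG_RULES) + check_flow_logs(SAMPLE_FLOW_LOG):
        print(f"{why}: {item}")
```

Run as a script it reports the two over-permissive database rules and the two accepted flows that reach the database from the web layer and from the internet; the rejected record is not reported because a REJECT shows the layer controls doing their job. Keeping one allow-list for both checks is the point of the design: the security group findings tell you where the configuration departs from the intended layering, and the flow log findings tell you whether traffic is actually crossing layers in ways the model forbids, which catches gaps the rule check cannot see (a route or peering that bypasses the expected path, or a layer whose rules are not in the model at all).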
Supporting Questions:
- How do you segment sensitive resources into network layers to minimize the risk of unauthorized access?
- What mechanisms are in place to control and monitor traffic between different layers of your network?
- How do you ensure that network flows follow the principle of least privilege?
Roles and Responsibilities:
Network Security Architect:
- Responsibilities:
  - Design network layers that group components with similar sensitivity requirements and ensure traffic between layers is strictly controlled.
  - Define security group and network ACL policies to restrict access between layers according to the principle of least privilege.
  - Implement private networking solutions such as VPC peering or AWS Transit Gateway to isolate sensitive traffic.
Cloud Administrator:
- Responsibilities:
  - Configure VPCs, subnets, and security groups to ensure proper network segmentation and isolation of resources.
  - Monitor traffic between network layers using Amazon VPC Flow Logs and AWS CloudWatch to detect unauthorized access or anomalous behavior.
  - Maintain the least privilege model for all network flows, reviewing access patterns regularly to identify potential risks.
Artefacts:
- Network Layer Design Documentation: A detailed outline of the network architecture, showing how sensitive components are grouped into layers and how traffic is controlled between those layers.
- Security Group and Network ACL Policies: Policies governing what traffic is allowed between network layers, enforcing least privilege access between resources.
- Network Flow Logs: Logs from Amazon VPC Flow Logs, AWS CloudTrail, and other monitoring services that track network traffic and access patterns between layers.
Relevant AWS Services:
AWS Networking Services:
- Amazon VPC (Virtual Private Cloud): Allows you to create isolated network environments with subnets for public and private resources, supporting segmentation and controlled network traffic.
- AWS Security Groups and Network ACLs: Manage inbound and outbound traffic, ensuring that only authorized communication occurs between different network layers. Security groups apply at the instance (network interface) level and are stateful, so return traffic for an allowed connection is permitted automatically; network ACLs apply at the subnet level and are stateless, so both directions must be allowed explicitly.
- AWS Transit Gateway: Enables secure, scalable communication between VPCs, allowing different network layers to communicate without exposing traffic to the public internet.
- AWS PrivateLink: Provides private connectivity between VPCs and AWS services without exposing traffic to the public internet, supporting secure inter-layer communication.
AWS Monitoring and Logging Services:
- Amazon VPC Flow Logs: Captures metadata about the IP traffic to and from network interfaces (source and destination addresses and ports, protocol, and whether the traffic was accepted or rejected), allowing you to monitor and analyze traffic between different layers of your network.
- AWS CloudTrail: Logs the API calls that create or change network resources such as security groups, network ACLs, and route tables, helping track any unauthorized or unexpected changes to network configurations and flows.
- AWS Config: Monitors network configurations, ensuring that subnets, security groups, and other settings comply with security best practices for network segmentation.