To help secure AWS resources, AWS recommends the following AWS Identity and Access Management (IAM) best practices.
Root Account – Don’t use it & lock away access keys
Do not use the AWS root account, which has full access to all AWS resources and services, including the billing information.
The permissions associated with your AWS root account cannot be restricted.
Do not generate root access keys unless they are required.
If they have already been generated and are not needed, delete the access keys.
If access keys are needed, rotate (change) them regularly.
Never share your root account credentials or access keys; instead, create IAM users or roles to grant granular access.
Enable AWS multi-factor authentication (MFA) on your AWS account.
User – Create individual IAM users
Don’t use your AWS root account credentials to access AWS, and don’t share your credentials with anyone else.
Start by creating an IAM user with the administrator role, which has the same access to all resources as the root user except to the account’s security credentials.
Create individual users for anyone who needs access to your AWS account, give each user unique credentials, and grant each user the permissions they need.
Groups – Use groups to assign permissions to IAM users
Instead of defining permissions for individual IAM users, create groups, define the relevant permissions for each group according to its job function, and then add IAM users to those groups.
Users in an IAM group inherit the permissions assigned to the group, and a user can belong to multiple groups.
This makes it much easier to add new users, remove users, and modify the permissions of a group of users.
Permission – Grant least privilege
An IAM user is created with no permissions by default.
Users should be granted the LEAST PRIVILEGE required to perform a task.
Starting with minimal permissions and adding permissions as required to perform the job function is far better than granting full access and then trying to tighten it down.
Passwords – Enforce a strong password policy for users
Require users to create strong passwords and to rotate their passwords periodically.
Enable a strong password policy that defines password requirements, such as at least one capital letter and one number, and how frequently passwords must be rotated.
MFA – Enable MFA for privileged users
For extra security, enable multi-factor authentication (MFA) for privileged IAM users who are allowed access to sensitive resources or APIs.
Role – Use roles for applications that run on EC2 instances
Use roles for applications running on EC2 instances instead of creating an IAM user and hardcoding its credentials within the application.
Roles do not have a permanent set of credentials associated with them; instead, they dynamically provide temporary credentials that are automatically rotated.
Hardcoded credentials can compromise access and are hard to rotate. They also pose a problem when new EC2 instances are created through Auto Scaling and credential rotation has to be handled.
Sharing – Delegate using roles
Allow users from the same AWS account, another AWS account, or externally authenticated users (through a corporate authentication service or through Google, Facebook, etc.) to assume IAM roles that specify the permissions they are granted.
A role can be defined that specifies what permissions the IAM users in the other account are allowed, and from which AWS accounts IAM users are allowed to assume the role.
Rotation – Rotate credentials regularly
Change your own passwords and access keys regularly and enforce this through a strong password policy. Then, even if a password or access key is compromised without your knowledge, you limit how long the credentials can be used to access your resources.
A user can have two active access keys at the same time; this allows a new key to be created and put into use before the old one is deleted, so keys can be rotated.
Track – Remove unnecessary credentials
Remove IAM users and credentials (that is, passwords and access keys) that are not needed.
Use the credential report, which lists all IAM users in the account and the status of their credentials, including passwords, access keys, and MFA devices, together with their usage patterns, to figure out what can be removed.
Passwords and access keys that have not been used recently might be good candidates for removal.
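As an added example (not from the original post), the following Python check runs over a constructed credential report laid out like the real one (columns trimmed to those needed) and flags console passwords without MFA, passwords and access keys unused for more than 90 days, and keys not rotated within 90 days. The real report is obtained with `aws iam generate-credential-report` followed by `aws iam get-credential-report`; the user names, timestamps and 90-day thresholds are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of the IAM credential report (columns trimmed
# to the ones this check needs; the real report has more columns).
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_1_last_rotated,access_key_2_active,access_key_2_last_used_date,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,not_supported,2024-01-03T09:00:00+00:00,true,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2024-02-20T14:12:00+00:00,true,true,2024-02-21T08:00:00+00:00,2024-01-05T00:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,true,2023-06-01T10:00:00+00:00,false,true,N/A,2023-01-10T00:00:00+00:00,false,N/A,N/A
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,false,no_information,false,true,2024-02-25T00:00:00+00:00,2022-11-01T00:00:00+00:00,true,N/A,2024-02-01T00:00:00+00:00
"""

NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # fixed "today" so the run is reproducible

def _parse(ts):
    """Return a datetime for an ISO timestamp, or None for N/A / no_information / not_supported."""
    try:
        return datetime.fromisoformat(ts)
    except ValueError:
        return None

def find_findings(report_csv, now=NOW, unused_days=90, rotation_days=90):
    """Return {user: [finding, ...]} for credentials that are stale, old or lack MFA."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        issues = []
        if row["password_enabled"] == "true":  # console password present
            if row["mfa_active"] != "true":
                issues.append("console password without MFA")
            last = _parse(row["password_last_used"])
            if last is None or now - last > timedelta(days=unused_days):
                issues.append("password unused > %d days" % unused_days)
        for n in ("1", "2"):  # IAM allows two access keys per user
            if row["access_key_%s_active" % n] != "true":
                continue
            used = _parse(row["access_key_%s_last_used_date" % n])
            if used is None or now - used > timedelta(days=unused_days):
                issues.append("access key %s unused > %d days" % (n, unused_days))
            rotated = _parse(row["access_key_%s_last_rotated" % n])
            if rotated is None or now - rotated > timedelta(days=rotation_days):
                issues.append("access key %s older than %d days" % (n, rotation_days))
        if issues:
            findings[user] = issues
    return findings
```

Users with no findings (here the root account and alice) are omitted from the result; a never-used key shows as "N/A" in the report and is treated as unused.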
Conditions – Use policy conditions for extra security
Define conditions under which IAM policies allow access to a resource.
Conditions help provide finer-grained access control to AWS services and resources, e.g. limiting access to a specific IP range, or allowing only encrypted requests for uploads to S3 buckets.
Auditing – Monitor activity in the AWS account
Enable the logging features provided through CloudTrail, S3, and CloudFront to determine the actions users have taken in the account and the resources that were used.
Log files show the time and date of actions, the source IP for an action, which actions failed due to inadequate permissions, and more.