Set up API and user activity logging with AWS CloudTrail
Use AWS encryption solutions, along with all default security controls provided by AWS
Use advanced managed security services, such as Amazon Macie, which assist in discovering and securing personal data that is stored in Amazon S3
IAM for Amazon VPC
Amazon VPC shares its API namespace with Amazon EC2
Policy actions in Amazon VPC use the ec2: prefix
Use authorization based on Resource, Conditions and Tags for granular control
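Added example (not from the page, not AWS code): a small linter that applies the two points above to an IAM policy document. It checks that a VPC policy only grants ec2: actions (Amazon VPC shares the EC2 namespace) and flags mutating actions granted on Resource "*" with no Condition, which is where a tag- or resource-based condition should narrow the grant. Both policies, the account id and the Team tag are constructed placeholders.

```python
import json

# Constructed policies. Describe*/Get* actions do not support resource-level
# permissions, so Resource "*" is expected for them; mutating actions should
# be scoped by Resource ARN and/or a Condition (here an aws:ResourceTag key).
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    ],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:DescribeVpcs", "ec2:DescribeSubnets",
                       "ec2:DescribeSecurityGroups"],
            "Resource": "*",
        },
        {
            "Effect": "Allow",
            "Action": ["ec2:AuthorizeSecurityGroupIngress",
                       "ec2:RevokeSecurityGroupIngress"],
            # placeholder account id; security-group ARNs in one region only
            "Resource": "arn:aws:ec2:eu-west-1:111122223333:security-group/*",
            "Condition": {"StringEquals": {"aws:ResourceTag/Team": "netops"}},
        },
    ],
}


def _as_list(value):
    """IAM allows a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_vpc_policy(policy):
    """Return (statement index, action, reason) findings for a VPC-only policy."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        has_condition = bool(stmt.get("Condition"))
        for action in actions:
            if not action.startswith("ec2:"):
                findings.append((index, action, "non-ec2 action in a VPC policy"))
                continue
            name = action.split(":", 1)[1]
            if name.startswith("Describe") or name.startswith("Get"):
                continue  # read-only, Resource "*" is unavoidable
            if "*" in resources and not has_condition:
                findings.append((index, action,
                                 "mutating action on Resource * without Condition"))
    return findings


if __name__ == "__main__":
    for label, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(label, json.dumps(check_vpc_policy(policy)))
```

The check is deliberately conservative: it does not parse ARNs or evaluate condition semantics, it only reports where a grant is wide open so a reviewer can decide whether a Resource ARN or a tag condition belongs there.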
Logging and Monitoring for Amazon VPC
Flow logs
Capture information about the IP traffic going to and from network interfaces in your VPC
Data is published to CloudWatch Logs or Amazon S3, and can help you diagnose overly restrictive or overly permissive security group and network ACL rules
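Added example (not from the page, not AWS code): a parser for the default flow log record format, version 2, whose fields are version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action and log-status. It then counts REJECT records per protocol and destination port, which is the first thing to look at when diagnosing an overly restrictive security group or network ACL. The sample records, account id and interface id are constructed.

```python
from collections import Counter

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes", "start", "end",
          "action", "log_status"]
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes",
              "start", "end"}

# Constructed sample: one accepted HTTPS flow, two rejected SSH attempts from
# the same source, one rejected internal Postgres flow, and a NODATA record.
SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d 203.0.113.12 10.0.1.25 49152 443 6 10 840 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.25 55311 22 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.25 55312 22 6 1 44 1700000010 1700000070 REJECT OK
2 111122223333 eni-0a1b2c3d 10.0.1.25 10.0.2.40 33001 5432 6 3 180 1700000020 1700000080 REJECT OK
2 111122223333 eni-0a1b2c3d - - - - - - - 1700000030 1700000090 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format records; drop NODATA/SKIPDATA rows and malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        record = dict(zip(FIELDS, parts))
        if record["log_status"] != "OK":
            continue  # no traffic captured (NODATA) or capacity skipped (SKIPDATA)
        for key in INT_FIELDS:
            record[key] = int(record[key])
        records.append(record)
    return records


def rejected_by_port(records):
    """Count REJECT records per (protocol number, destination port)."""
    return Counter((r["protocol"], r["dstport"])
                   for r in records if r["action"] == "REJECT")


def rejected_sources(records, dstport):
    """Distinct source addresses that were rejected on a given destination port."""
    return sorted({r["srcaddr"] for r in records
                   if r["action"] == "REJECT" and r["dstport"] == dstport})


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    for (proto, port), n in rejected_by_port(recs).most_common():
        print(f"protocol {proto} dstport {port}: {n} rejected flows")
```

In the sample, rejects on 22 from an external address are the rules working as intended, while the reject on 5432 between two private subnets is the kind of entry that usually means a rule is too tight. Flow logs record the decision (ACCEPT/REJECT) but not which security group or NACL rule made it, so the next step is to compare the rejected tuple against both rule sets.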
Monitoring NAT gateways
Monitor your NAT gateway using CloudWatch
Readable, near real-time metrics
Resilience in Amazon VPC
AWS Regions and Availability Zones
Low-latency, high-throughput, and highly redundant networking
Connectivity Options
Amazon VPC-to-Amazon VPC Connectivity
Network-to-Amazon VPC Connectivity
Compliance validation for Amazon VPC
Third-party compliance programs whose scope covers Amazon VPC: SOC, PCI, FedRAMP, DoD CCSRG, HIPAA BAA, IRAP, MTCS, C5, K-ISMS, ENS-High, OSPAR, and HITRUST-CSF
Third-party audit reports are available in AWS Artifact
AWS Security Hub - This AWS service provides a comprehensive view of your security state within AWS that helps you check your compliance with open standards and best practices for security
SG for your VPC
Stateful
For inbound and outbound rules the source or the destination can be another security group, an IPv4 or IPv6 CIDR block, a single IPv4 or IPv6 address, or a prefix list ID
When you specify a security group as the source for a rule, traffic is allowed from the network interfaces that are associated with the source security group for the specified protocol and port
In a VPC peering connection with another VPC, a security group rule can reference a security group in the peer VPC
If the owner of the peer VPC deletes the referenced security group, or if you or the owner of the peer VPC deletes the VPC peering connection, the security group rule is marked as stale
You can’t use the security groups that you’ve created for use with EC2-Classic with instances in your VPC
NACLs
Stateless
By default, it allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic
Each subnet in your VPC must be associated with a network ACL
Rules are evaluated starting with the lowest numbered rule. As soon as a rule matches traffic, it’s applied regardless of any higher-numbered rule that might contradict it
Because NACLs are stateless, outbound rules must allow the ephemeral port ranges that clients use for return traffic
Many Linux kernels (including the Amazon Linux kernel) use ports 32768-61000
Requests originating from Elastic Load Balancing use ports 1024-65535
Windows operating systems through Windows Server 2003 use ports 1025-5000
Windows Server 2008 and later versions use ports 49152-65535
A NAT gateway uses ports 1024-65535
AWS Lambda functions use ports 1024-65535
Allow Path MTU Discovery if the MTU differs between hosts in your subnets
Used to determine the path MTU (maximum transmission unit) between two devices
Select Custom ICMP Rule for the type and Destination Unreachable, fragmentation required, and DF flag set for the port range (type 3, code 4)
If you use traceroute, also add the following rule: select Custom ICMP Rule for the type and Time Exceeded, TTL expired transit for the port range (type 11, code 0)
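Added example (not from the page, not AWS code) that models the NACL evaluation rules above: rules are tried from the lowest number upwards, the first match decides, and no match falls through to the implicit deny. It then shows the stateless consequence: an inbound HTTPS request is allowed, but the reply to the client's ephemeral port is dropped until the outbound ACL allows the 1024-65535 range. All rules and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    number: int       # evaluation order; lower numbers are checked first
    protocol: str     # "tcp", "udp", "icmp" or "all"
    cidr: str         # source CIDR for inbound rules, destination CIDR for outbound
    port_from: int
    port_to: int
    action: str       # "allow" or "deny"


def evaluate(rules, protocol, addr, port):
    """First matching rule wins; no match is the implicit '*' deny."""
    ip = ipaddress.ip_address(addr)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if ip not in ipaddress.ip_network(rule.cidr):
            continue
        if not rule.port_from <= port <= rule.port_to:
            continue
        return rule.action
    return "deny"


# Constructed inbound ACL: rule 90 blocks one range before the general allow in 100,
# and rule 200 is never reached for that range because 90 already matched.
INBOUND = [
    Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
    Rule(90, "tcp", "198.51.100.0/24", 443, 443, "deny"),
    Rule(200, "tcp", "198.51.100.0/24", 443, 443, "allow"),
]

# Outbound ACL that forgot return traffic: only new connections to 443 leave.
OUTBOUND_NO_EPHEMERAL = [
    Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
]

# Same ACL with the ephemeral range (covers Linux 32768-61000, Windows 49152-65535,
# NAT gateway and Lambda 1024-65535) so replies can leave the subnet.
OUTBOUND_WITH_EPHEMERAL = OUTBOUND_NO_EPHEMERAL + [
    Rule(110, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),
]


def https_session_allowed(inbound, outbound, client_ip, client_port):
    """A TCP session needs the request in and the reply out; both must be allowed."""
    request_in = evaluate(inbound, "tcp", client_ip, 443)
    reply_out = evaluate(outbound, "tcp", client_ip, client_port)
    return request_in == "allow" and reply_out == "allow"


if __name__ == "__main__":
    for label, outbound in (("no ephemeral", OUTBOUND_NO_EPHEMERAL),
                            ("with ephemeral", OUTBOUND_WITH_EPHEMERAL)):
        print(label, https_session_allowed(INBOUND, outbound, "203.0.113.12", 49152))
```

The `evaluate` function is a simplification of what the VPC does (it ignores IPv6 rule sets and ICMP type/code matching) but the ordering and fall-through semantics are the ones the notes describe.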
Security Best Practices for your VPC
Use multiple Availability Zone deployments so you have high availability
Use security groups and network ACLs
Use IAM policies to control access
Use Amazon CloudWatch to monitor your VPC components and VPN connections
Use flow logs to capture information about IP traffic going to and from network interfaces in your VPC