Security in Amazon Virtual Private Cloud

Security: Shared Responsibility Model

  • Security of the Cloud - AWS responsibility
  • Security in the Cloud - customer responsibility

Data protection in Amazon VPC

  • Use MFA for each account
  • Use SSL/TLS to communicate with AWS resources
  • Set up API and user activity logging with AWS CloudTrail
  • Use AWS encryption solutions, along with all default security controls provided by AWS
  • Use advanced managed security services, such as Amazon Macie, which assist in discovering and securing personal data that is stored in Amazon S3

IAM for Amazon VPC

  • Amazon VPC shares its API namespace with Amazon EC2
  • Policy actions in Amazon VPC use the ec2: prefix
  • Use authorization based on Resource, Conditions and Tags for granular control

Logging and Monitoring for Amazon VPC

  • Flow logs
    • Capture information about the IP traffic going to and from network interfaces in your VPC
    • Data is published to CloudWatch Logs or Amazon S3, and can help you diagnose overly restrictive or overly permissive security group and network ACL rules
  • Monitoring NAT gateways
    • Monitor your NAT gateway using CloudWatch
    • Readable, near real-time metrics

Resilience in Amazon VPC

  • AWS Regions and Availability Zones
  • Low-latency, high-throughput, and highly redundant networking
  • Connectivity Options
    • Amazon VPC-to-Amazon VPC Connectivity
    • Network-to-Amazon VPC Connectivity

Compliance validation for Amazon VPC

  • Amazon VPC is in scope of third-party compliance assessments including SOC, PCI, FedRAMP, DoD CCSRG, HIPAA BAA, IRAP, MTCS, C5, K-ISMS, ENS-High, OSPAR, and HITRUST-CSF
  • Third-party audit reports are available in AWS Artifact
  • AWS Security Hub - This AWS service provides a comprehensive view of your security state within AWS and helps you check your compliance with open standards and security best practices

Security groups (SG) for your VPC

  • Stateful
  • For inbound and outbound rules, the source or the destination can be another security group, an IPv4 or IPv6 CIDR block, a single IPv4 or IPv6 address, or a prefix list ID
  • When you specify a security group as the source for a rule, traffic is allowed from the network interfaces that are associated with the source security group for the specified protocol and port
  • In VPC peering connection with another VPC, a security group rule can reference another security group in the peer VPC
  • If the owner of the peer VPC deletes the referenced security group, or if you or the owner of the peer VPC deletes the VPC peering connection, the security group rule is marked as stale
  • You can’t use the security groups that you’ve created for use with EC2-Classic with instances in your VPC

NACLs

  • Stateless
  • The default network ACL allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic
  • Each subnet in your VPC must be associated with a network ACL
  • Rules are evaluated starting with the lowest numbered rule. As soon as a rule matches traffic, it’s applied regardless of any higher-numbered rule that might contradict it
  • Because network ACLs are stateless, you must explicitly allow the ephemeral ports used by return traffic (for example, outbound rules for responses to inbound requests); the range depends on the client's operating system or service:
    • Many Linux kernels (including the Amazon Linux kernel) use ports 32768-61000
    • Requests originating from Elastic Load Balancing use ports 1024-65535
    • Windows operating systems through Windows Server 2003 use ports 1025-5000
    • Windows Server 2008 and later versions use ports 49152-65535
    • A NAT gateway uses ports 1024-65535
    • AWS Lambda functions use ports 1024-65535
  • Allow Path MTU Discovery if the MTU differs between hosts in your subnets
    • Used to determine the path MTU (maximum transmission unit) between two devices
    • Select Custom ICMP Rule as the type and, for the port range, Destination Unreachable: fragmentation required, and DF flag set (ICMP type 3, code 4)
    • If you use traceroute, also add a rule with Custom ICMP Rule as the type and, for the port range, Time Exceeded: TTL expired transit (ICMP type 11, code 0)
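As an added illustration (not part of these notes or of any AWS code), the following Python models the network ACL evaluation just described: the lowest-numbered rule is checked first, the first match wins, anything unmatched is denied, and return traffic on ephemeral ports must be allowed explicitly because the ACL is stateless. The rule table, the client address and the helper names (NaclRule, evaluate, https_exchange) are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NaclRule:
    number: int           # rule number; the NACL evaluates the lowest number first
    protocol: str         # "tcp", "udp", "icmp" or "all"
    cidr: str             # source CIDR (inbound) or destination CIDR (outbound)
    action: str           # "allow" or "deny"
    port_from: int = 0    # tcp/udp: start of port range; icmp: type
    port_to: int = 65535  # tcp/udp: end of port range;   icmp: code (-1 = any code)


def _matches(rule: NaclRule, protocol: str, addr: str, port: int, code: int) -> bool:
    if rule.protocol != "all" and rule.protocol != protocol:
        return False
    if ip_address(addr) not in ip_network(rule.cidr):
        return False
    if rule.protocol == "all":
        return True
    if protocol == "icmp":  # for icmp rules, "port" carries the ICMP type
        return rule.port_from == port and rule.port_to in (-1, code)
    return rule.port_from <= port <= rule.port_to


def evaluate(rules, protocol: str, addr: str, port: int = 0, code: int = -1) -> str:
    """First matching rule in ascending number order wins; a later rule that
    contradicts it is never reached. The implicit final rule denies the rest."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, protocol, addr, port, code):
            return rule.action
    return "deny"


# Constructed sample NACL for a public subnet that serves HTTPS.
INBOUND = [
    NaclRule(100, "tcp", "0.0.0.0/0", "allow", 443, 443),     # client requests
    NaclRule(110, "icmp", "0.0.0.0/0", "allow", 3, 4),        # PMTUD: type 3, code 4
    NaclRule(120, "tcp", "0.0.0.0/0", "allow", 1024, 65535),  # replies to outbound connections
    NaclRule(200, "tcp", "0.0.0.0/0", "deny", 443, 443),      # never reached: rule 100 matched first
]
OUTBOUND = [
    NaclRule(100, "tcp", "0.0.0.0/0", "allow", 1024, 65535),  # responses to clients' ephemeral ports
    NaclRule(110, "tcp", "0.0.0.0/0", "allow", 443, 443),     # outbound HTTPS from instances
]


def https_exchange(client: str, client_port: int):
    """Stateless check of both halves of one HTTPS exchange: the request
    (inbound, dst port 443) and the response (outbound, dst = client's ephemeral port)."""
    return evaluate(INBOUND, "tcp", client, 443), evaluate(OUTBOUND, "tcp", client, client_port)
```

Removing the outbound rule 100 makes https_exchange return ("allow", "deny"): the request gets in, but the response is dropped because nothing allows the client's ephemeral port.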

Security Best Practices for your VPC

  • Use multiple Availability Zone deployments so you have high availability
  • Use security groups and network ACLs
  • Use IAM policies to control access
  • Use Amazon CloudWatch to monitor your VPC components and VPN connections
  • Use flow logs to capture information about IP traffic going to and from network interfaces in your VPC