The Amazon Web Services (AWS) cloud offers a variety of networking security controls for segmenting and isolating EC2 instances running in it. These controls address the following use cases:
AWS offers a variety of networking constructs to implement these controls. These include VPCs, Gateways (Internet and VPN), NAT, Subnets, Routes, Security Groups and Elastic IPs. These objects would be used to implement the above controls as described below in an example scenario: A VPC creates a private address space that is not visible to other AWS customers. By default, instances within a VPC cannot receive traffic from nodes outside the VPC. To allow this traffic (at least for some instances) the following must happen:
Routes offer additional control over which instances may make outbound calls to the public internet. Network ACLs can be used to control access between instances running in different subnets.
Clearly there is a wide variety of AWS objects that need to be configured correctly and monitored for changes that may weaken the network security posture. These practices are well known to network security architects. In the cloud, however, the application admin or server admin often takes on networking and storage configuration responsibilities as well. This conflation of responsibilities may lead to misconfiguration errors. Examples of such vulnerabilities include:
Configuration checks on infrastructure assets are a common feature of on-premises security programs. Tools that implement these checks discover assets (servers, applications, etc.) and have pre-built checks for those asset types. The checks may roll up into various internal IT or regulatory compliance standards (e.g. PCI, HIPAA). Similar capabilities need to be developed for cloud infrastructures, including the ability to model rich object relationships such as those among the AWS network security objects, and to rapidly query those object models for configuration vulnerabilities. We are working on extending our control compliance products to implement network security checks against AWS configurations.
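As an added example (not the post's own code or product), here is a small Python check of the kind described above, run over constructed security group and route table records shaped like the EC2 DescribeSecurityGroups and DescribeRouteTables responses; the group, subnet and gateway ids and the CIDRs are placeholders.

```python
# Added example, not from the original post: a configuration check over constructed
# EC2-style descriptions (shaped like DescribeSecurityGroups / DescribeRouteTables
# responses) that flags world-open management ports and internet-facing subnets.
from ipaddress import ip_network
MGMT_PORTS = {22, 3389}  # SSH and RDP should never be reachable from 0.0.0.0/0

def world_open(rule):
    """True if any IPv4 source of an IpPermissions entry is the whole internet."""
    return any(ip_network(r["CidrIp"]).prefixlen == 0 for r in rule.get("IpRanges", []))

def check_security_groups(groups):
    """Return (GroupId, finding) pairs for ingress rules open to the internet."""
    findings = []
    for sg in groups:
        for rule in sg["IpPermissions"]:
            if not world_open(rule):
                continue  # a narrow source such as a corporate /24 is acceptable here
            if rule["IpProtocol"] == "-1":  # -1 means all protocols and all ports
                findings.append((sg["GroupId"], "all traffic open to 0.0.0.0/0"))
                continue
            ports = range(rule["FromPort"], rule["ToPort"] + 1)
            for port in sorted(MGMT_PORTS.intersection(ports)):
                findings.append((sg["GroupId"], f"port {port} open to 0.0.0.0/0"))
    return findings

def public_subnets(route_tables):
    """SubnetIds whose route table sends the default route to an Internet Gateway."""
    public = set()
    for rt in route_tables:
        if any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and r.get("GatewayId", "").startswith("igw-") for r in rt["Routes"]):
            public.update(a["SubnetId"] for a in rt["Associations"] if "SubnetId" in a)
    return public

SECURITY_GROUPS = [  # constructed sample records; all ids are placeholders
    {"GroupId": "sg-web", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443,
        "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-admin", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 0,
        "ToPort": 1024, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-flat", "IpPermissions": [{"IpProtocol": "-1",
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-bastion", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
        "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
]
ROUTE_TABLES = [  # subnet-dmz defaults to an Internet Gateway, subnet-app to a NAT gateway
    {"Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-demo"}],
     "Associations": [{"SubnetId": "subnet-dmz"}]},
    {"Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-demo"}],
     "Associations": [{"SubnetId": "subnet-app"}]},
]
```

Only sg-admin (port 22 inside a 0-1024 range) and sg-flat (all traffic) are reported; sg-web exposes only 443 and sg-bastion restricts SSH to one /24, and only subnet-dmz is identified as internet-facing.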