Back to Course

Introduction to AWS Security

0% Complete
0/0 Steps
  1. Introduction

    About the course and authors
  2. AWS cloud architecture
  3. Security concerns with our architecture
  4. Regions and Availability Zones (AZs)
  5. Shared responsibility in the cloud
  6. [Cheat Sheet] AWS Security Services
  7. [LAB] Create a billing alert to avoid surprise bills
  8. Infrastructure Security
    VPC networks
  9. Default VPCs
  10. [DEMO] Creating VPCs and Subnets
  11. How many VPCs should you use?
  12. [DEMO] Subnet, Route Table, and Gateway Configurations
  13. [LAB] [Challenge] Create a VPC with public and private subnets
  14. [DEMO] Security Groups (SGs)
  15. Security Groups Best Practices
  16. [DEMO] Network Access Control Lists (NACLs)
  17. [Cheat Sheet] SGs vs. NACLs
  18. [LAB] [Challenge] Configure security groups and NACLs to specific requirements
  19. Elastic Load Balancers
  20. [DEMO] AWS WAF
  21. [LAB] [Challenge] Deploy AWS WAF ACL for Application Load Balancer
  22. [DEMO] AWS Network Firewall - Part 1
  23. [DEMO] AWS Network Firewall - Part 2
  24. AWS Shield for DDoS Protection
  25. AWS Firewall Manager
  26. Identity and Access Management (IAM)
    Key Concepts of IAM in AWS
  27. [DEMO] Getting started with IAM in AWS
  28. [DEMO] Creating our first admin user
  29. Assigning permissions with policies
  30. [Cheat Sheet] Anatomy of an AWS IAM Policy
  31. [DEMO] Using Identity Center AWS SSO
  32. IAM Roles
  33. [DEMO] Creating a role for EC2 instances to access S3 buckets
  34. End-User Management with Amazon Cognito
  35. Data Protection
    Data protection in the cloud
  36. EBS Data Protection and Encryption
  37. Amazon RDS Data Protection and Encryption
  38. Key Management with AWS KMS
  39. [DEMO] Creating a Symmetric Encryption KMS Key
  40. Amazon S3 Bucket Protection
    Understanding Bucket Ownership
  41. Managing Access to Buckets
  42. [Cheat Sheet] S3 Bucket Policies vs. ACLs vs. IAM Policies
  43. [LAB] [Challenge] Create an IAM role for secure access to S3 based on a scenario
  44. Using Signed URLs
  45. Encrypting S3 Data
  46. [DEMO] Enable S3 Object Versioning
  47. [Cheat Sheet] Amazon S3 Protection Summary
  48. [Cheat Sheet] Create a least privilege S3 bucket policy
  49. Logging, Monitoring, and Incident Response
    AWS Log Types and Auditing Options
  50. [DEMO] Enable S3 Server Access Logs
  51. AWS CloudTrail
  52. Amazon CloudWatch
  53. [DEMO] CloudTrail Security Automation with CloudWatch Logs and SNS
  54. [DEMO] Amazon VPC Flow Logs
  55. Proper Logging and Monitoring
  56. Amazon GuardDuty
  57. [LAB] [DEMO] Enable Threat Detection with GuardDuty
  58. [DEMO] Amazon EventBridge
  59. AWS Config
  60. AWS Systems Manager
  61. [DEMO] AWS Config Automated Remediation with SSM
  62. Amazon Detective
  63. [LAB] [DEMO] Amazon Inspector
  64. [DEMO] Amazon Macie
  65. [DEMO] AWS Security Hub
  66. [DEMO] Must-have AWS monitoring and alerting with SSK
  67. Multi-Account Security
    [DEMO] AWS Organizations
  68. [DEMO] AWS SCPs and Management Policies
  69. AWS Control Tower
  70. Wrap-up and Key Takeaways
    What now?
Lesson 8 of 70
In Progress

VPC networks

Christophe October 18, 2022

Access the interactive diagram for this lesson here. (It may ask you to create a free account in order to view. You do not need paid features to view this course’s content so you can ignore that!)

When it comes to infrastructure security in the AWS cloud, one of the core components to understand is the Amazon VPC, or Virtual Private Cloud.

The Amazon VPC is the basic building block in AWS, and it’s represented by the green rectangle in our sample architecture. Just like we can create virtual networks on-premises, we can also create virtual networks in the cloud.

These VPCs let you carve out a section of the cloud where you can then launch your own resources. Once created, no one else can use that section apart from you, and you can launch all kinds of resources like: web servers, app servers, databases, and so on…

You can create multiple of these virtual networks, and you can either keep them in isolation, or you can connect them to other virtual networks, and even to on-premises resources.

We talked about Regions and Availability Zones in prior lessons. Virtual networks can be created across regions and you can then create subnetworks across zones in order to achieve high availability and data replication.

These subnetworks are more often called subnets, and they further subdivide your virtual network. You can have either public or private subnets, so let’s talk about what that means.

Public and private subnets

Whenever you first create a subnet in a virtual network, that subnet is private by default. Private means that whatever resources you launch within that subnet will only receive a private IP address, and that private IP address won’t resolve from the open Internet. You won’t be able to communicate with that service and that service won’t be able to connect to the Internet without additional configurations.

A public subnet, instead, would provide a public IP address to that resource in addition to a private IP address, which means that anyone could access that resource by default.

A subnet becomes public by giving it an Internet Gateway.

An Internet Gateway creates a door that connects to the Internet so that your virtual network and certain subnets can communicate back and forth with Internet resources. It provides an entry point into your virtual network.

You can think of it in terms of configuring a home network. Before you connect to an Internet Service Provider (ISP) via a modem, you only have a private network that allows you to communicate only with resources within that network, and not the open Internet. Except as soon as you add a modem and pay for your service, plus add a router (if it doesn’t come bundled that way already) those resources within your private network can now access Internet resources.

While it functions differently, the concepts are very similar and this can be a good way for you to remember the difference between public and private subnets.

VPC Security Features

This separation of networks by using public and private subnets is referred to as network segmentation or network isolation, which is an architecture design choice that helps provide a layer of security.

VPCs offer other security features in addition, including:

  • Traffic filtering
  • Access control
  • Capabilities for external connectivity

These security features are going to be the primary focus of this section, but before we can talk about them in more depth, let’s jump into the AWS console to see what a VPC looks like and how we can create one from scratch to fit our needs.

Go ahead and complete this lesson, and we’ll do that in the next!


Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.