
Security Controls: Network Segmentation


When implementing different AWS services and architecting them within your environments, whether it be production, test or dev, do you know your security responsibilities for these services?

It is very likely that you are using services from three different classifications, which each have very different boundaries for enforcing security between the customer and AWS.

These classifications are:

  1. Infrastructure services
  2. Container services
  3. Abstract services

The level of responsibility for each classification is defined by its own AWS Shared Responsibility Model, and it's essential when using AWS that you understand your level of responsibility when it comes to applying security.

This course focuses on Container and Abstract services. The primary Container services we look at are: RDS, EMR and Elastic Beanstalk and the primary Abstract services include: S3, DynamoDB, SQS and Glacier.

The lectures within this course will define and guide you through the following areas to help you apply the correct level of security to your Container and Abstract services.

What are AWS Abstract & Container Services?:  This lecture provides you with a clear understanding of what abstract and container services are within AWS. There is a clear divide between the two which must be understood, as the responsibilities around security are a key difference between them.

Security Controls: Data at Rest and In Transit:  Here we will take a look at some of the available options and best practices to help you maintain the integrity and protection of your data when at rest, in transit and held within a number of container and abstract services.

Security Controls: Network Segmentation:  In this lecture we look at how we can use the network infrastructure and architecture to connect and restrict access to our container and abstract services to increase security through a number of different controls

Identity & Access Management:  IAM is heavily used for both container and abstract services and plays a key part in authentication and authorisation for access and management; this lecture looks at how IAM can be used to help protect access across your services.

Built-in Service Security Controls:  This lecture will briefly look at some of the service-specific security controls, not covered in the previous lectures, that you can leverage to help secure your data and environment.

If you have thoughts or suggestions for this course, please contact Cloud Academy at support@cloudacademy.com.


Hello, and welcome to this lecture where we are going to discuss how the configuration of your network infrastructure can help you increase security, specifically for your container services. If we remember back to the lecture entitled AWS Abstract and Container Services, where we looked at the different responsibility models, we saw that for container services the responsibility for network traffic control lies firmly in the hands of us, the customers. As a result, we must look at the best ways to architect and secure our services and data, utilizing the different network features and controls available to us.

Within this lecture, we're going to cover the following topics and how each one can help you secure container services. So we'll be looking at subnets, both public and private, routing tables, network access control lists, known as NACLs, security groups, network address translation and bastion hosts. Let's start out by looking at a high level at what each of these controls are, starting with public and private subnets within your VPC.

Firstly, what is a subnet, and what makes a subnet public or private? Subnets allow you to segment your VPC into different networks with different IP ranges, which is important from a deployment and design perspective and also for security. Segmentation allows you to refine your security profile as appropriate for the services operating within each subnet. A subnet is a distinct network segment with its own IP address range carved out of the larger VPC CIDR block. So let's have a quick look at how these subnets look in our network diagram.

So we have a VPC with a network range of, so that's our VPC CIDR block. And then we have a private subnet within this with and another private subnet with an IP address range of And each subnet is in a different availability zone. It's important to point out here that subnets cannot cross availability zones. So what is the difference between a public and a private subnet? Well, you can only have a public subnet when the following two conditions are true. Firstly, you need to have an internet gateway attached to your VPC. And secondly, you need to have a route from your subnet pointing to the outside world via the internet gateway. If both of these conditions are met, then that subnet is considered to be a public subnet. If your subnet does not meet this criteria, then you have a private subnet.

So if we take a look at our network diagram again to see how these controls fit in. Without an internet gateway attached to your VPC, your VPC is an isolated network: nothing inside it can reach the internet and nothing on the internet can reach it, although you can still manage the VPC itself through the Management Console or the AWS CLI. Attaching an internet gateway gives your VPC a gateway to the outside world. The internet gateway is provided and managed by AWS; all we need to do is create it and attach it to our VPC. Even once it is attached, a subnet still doesn't know it exists, because no route table yet points traffic at the internet gateway.

At this point, your subnet and other subnets are still classed as private. That is why it is only when point two of the conditions I mentioned previously is true that the subnet is classed as a public subnet: there has to be a route. So here we can see that there is now a route from the subnet to the internet gateway via a public route table. Between the two subnets there is only the VPC's local route, which every route table carries by default. So once this public subnet is configured, traffic can traverse in and out of your VPC's public subnet and potentially beyond, depending on the security controls you have set up around your other, private subnets.
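The two conditions above translate directly into a check you can run over your own VPC inventory. The following is an added example, not part of the lecture and not AWS tooling: it takes constructed data in a simplified shape loosely modelled on what the EC2 DescribeInternetGateways, DescribeRouteTables and DescribeSubnets APIs return (the ids, CIDRs and VPC id are invented) and labels each subnet public or private. It also handles two details the lecture glosses over: a subnet with no explicit route table association uses the VPC's main route table, so a default route to the internet gateway added to the main table silently makes every unassociated subnet public; and any route to an attached internet gateway, not only 0.0.0.0/0, makes a subnet public.

```python
"""Classify each subnet in a VPC as public or private using the lecture's two conditions."""

# Constructed sample inventory (assumed shape, loosely modelled on the EC2
# DescribeInternetGateways / DescribeRouteTables / DescribeSubnets responses;
# every id, CIDR and VPC id below is invented for the example).
INTERNET_GATEWAYS = [
    {"InternetGatewayId": "igw-0aaa",
     "Attachments": [{"VpcId": "vpc-0111", "State": "available"}]},
]

ROUTE_TABLES = [
    {   # main route table: only the implicit local route
        "RouteTableId": "rtb-main", "VpcId": "vpc-0111",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
    {   # public route table: default route to the internet gateway
        "RouteTableId": "rtb-public", "VpcId": "vpc-0111",
        "Associations": [{"Main": False, "SubnetId": "subnet-web"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0aaa"},
        ],
    },
    {   # private route table: default route via a NAT gateway, not the IGW
        "RouteTableId": "rtb-private", "VpcId": "vpc-0111",
        "Associations": [{"Main": False, "SubnetId": "subnet-app"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0bbb"},
        ],
    },
]

SUBNETS = [
    {"SubnetId": "subnet-web", "VpcId": "vpc-0111", "CidrBlock": "10.0.1.0/24"},
    {"SubnetId": "subnet-app", "VpcId": "vpc-0111", "CidrBlock": "10.0.2.0/24"},
    # no explicit association: this subnet silently uses the main route table
    {"SubnetId": "subnet-db", "VpcId": "vpc-0111", "CidrBlock": "10.0.3.0/24"},
]


def attached_igws(vpc_id, igws):
    """Condition 1: the ids of internet gateways currently attached to this VPC."""
    return {g["InternetGatewayId"] for g in igws
            if any(a["VpcId"] == vpc_id and a["State"] == "available"
                   for a in g["Attachments"])}


def route_table_for(subnet, route_tables):
    """A subnet uses its explicitly associated route table, otherwise the VPC's main table."""
    for rt in route_tables:
        if rt["VpcId"] == subnet["VpcId"] and any(
                a.get("SubnetId") == subnet["SubnetId"] for a in rt["Associations"]):
            return rt
    return next(rt for rt in route_tables
                if rt["VpcId"] == subnet["VpcId"]
                and any(a.get("Main") for a in rt["Associations"]))


def routes_to_igw(route_table, igw_ids):
    """Condition 2: any route (not only 0.0.0.0/0) whose target is an attached IGW."""
    return any(r.get("GatewayId") in igw_ids for r in route_table["Routes"])


def classify_subnets(subnets, route_tables, igws):
    """Return {subnet_id: "public" | "private"}. Both conditions must hold for "public"."""
    result = {}
    for s in subnets:
        igw_ids = attached_igws(s["VpcId"], igws)
        rt = route_table_for(s, route_tables)
        public = bool(igw_ids) and routes_to_igw(rt, igw_ids)
        result[s["SubnetId"]] = "public" if public else "private"
    return result


if __name__ == "__main__":
    for subnet_id, kind in classify_subnets(SUBNETS, ROUTE_TABLES, INTERNET_GATEWAYS).items():
        print(f"{subnet_id}: {kind}")
```

The field names follow the real EC2 API, so the lists returned by boto3's describe_internet_gateways, describe_route_tables and describe_subnets calls can be passed in unchanged; the example itself runs on the embedded data and reports subnet-web as public and the other two as private.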

As we briefly mentioned, when you have more than one subnet, routing between network segments is governed by route tables, which are associated with subnets. A route table decides where traffic leaving a subnet is sent: to the internet gateway, to a NAT, to a VPC endpoint or to a peered network. One caveat that is easy to get wrong: every route table in a VPC contains a local route covering the whole VPC CIDR block, and that route cannot be removed, so any two subnets in the same VPC can always route to each other. Route tables therefore control which subnets have a path out of the VPC, not which subnets can talk to one another; isolating subnets from each other is the job of the NACLs and security groups we look at next. It is still good practice to keep each route table minimal: a subnet whose instances never need the internet should carry no route to the internet gateway or to the NAT. Also attached to each subnet is something called a network access control list, a NACL.

NACLs provide a rule-based tool for controlling ingress and egress network traffic at the protocol, port and subnet level. In other words, NACLs filter traffic moving in and out of a subnet. You can attach a NACL to one or more subnets within your VPC, but each subnet has exactly one NACL. If you haven't created a custom NACL, your subnets will automatically be associated with your VPC's default NACL, which allows all traffic to flow in and out of every subnet; a custom NACL, by contrast, starts out denying everything in both directions. Rules are numbered and evaluated in ascending order, the first matching rule wins, and anything that matches no rule is dropped by the implicit final deny rule. One point to mention is that NACLs are stateless in their design, meaning that any response traffic generated from a request has to be allowed explicitly in the opposite rule set, typically by opening the ephemeral port range (1024-65535) towards the clients you expect; forgetting this rule leaves a TCP handshake that never completes.

So again, if we go back to our network diagram, we can see that we have two NACLs, a public and a private NACL, that control ingress and egress network traffic at the subnet level. Security groups are very similar to NACLs, but they work at the instance level rather than the subnet level. AWS security groups are associated with instances (strictly, with their network interfaces, which is why RDS instances and load balancers use them too) and provide security at the protocol and port level. Each security group, working much the same as a firewall, contains a set of rules that filter traffic coming into and out of an EC2 instance. There are no deny rules like there are with NACLs; rather, if there is no rule that explicitly permits a particular packet, it is dropped. A rule's source or destination can be a CIDR range or the ID of another security group, which lets you express "allow MySQL from the application servers' group" without hard-coding addresses. Whereas NACLs are stateless by design, AWS security groups are stateful, meaning that response traffic does not need to be specified in the inbound/outbound rule set. So if we have a quick look at our network diagram to see the placement of our security groups, you can see that within our security groups we have instances that are protected by the conditions within those security groups.

Now let's look at what a NAT is. From a security stance, NAT, network address translation, essentially allows your private instances to have outgoing connectivity to the internet while blocking connections initiated from the internet, therefore protecting your private instances. Your NAT, whether the AWS-managed NAT gateway or a self-managed NAT instance, resides within the public subnet, and the private subnet's route table gets a default route (0.0.0.0/0) pointing at the NAT rather than at the internet gateway. This is useful for allowing your private instances to reach the internet for important operating system updates that may be required.

Lastly, at a high level, a bastion host sits within your public subnet and should only be accessible by authorized personnel via a secure connection using SSH or RDP. Once remote connectivity is established with the bastion host, the host acts as a jump server, allowing you to SSH or RDP into other instances within private subnets deeper within your network. When properly configured with security groups and network ACLs, the bastion essentially acts as a bridge to your private instances via the internet: its security group should admit SSH or RDP only from your known administrative IP ranges, and the private instances' security groups should admit SSH or RDP only from the bastion's security group, never from 0.0.0.0/0. If you require remote connectivity with your private instances over the public internet, then a bastion host is a good solution. There are many ways to secure your bastion host, and it should be locked down as much as possible, such as by hardening your chosen operating system, because it is a single internet-facing foothold: if it is not locked down sufficiently and gets breached by a malicious user, they could potentially gain access to your internal instances too. Again, looking at our network diagram, we can see that our NAT instance sits within our public subnet along with our bastion host.

Okay. Thus far, we have looked at some of the network security controls that are available within the VPC. I now want to talk about some of the container services and how they can leverage these features to implement additional security. As before, let's run through some of the container services mentioned previously to see the best placement within a VPC, starting with RDS.

As we know, RDS is a database service and as such will often store sensitive customer data for some application. This application could be a web app accessible from the internet by the general public. In this scenario, we would only want internet users to interact with the web server and not the back-end infrastructure, such as the application servers or, more importantly, the database where the customer data may be stored. For security reasons, and possibly for governance controls, your RDS instances should be located within a private subnet within your VPC, removing the exposure to the internet that we have with the public subnet. This essentially creates multiple layers within your infrastructure through the use of multiple subnets. From a network architecture perspective, a best-practice approach is to group resources carrying out similar functions into their own subnets, creating distinct layers within your infrastructure. For example, you would have a public subnet which would act as a public internet layer. Here you may have an Elastic Load Balancer receiving incoming traffic for your web application. Next, you might have a threat protection layer where network-level security appliances intercept and analyze traffic before it is sent on to the next layer.

Next, we'll have a web server layer. This is where your web servers will be located to manage the web communications from your users. Following this, an application layer. This is where your application will process the requests from the web servers. And finally, your database layer. And this is where your RDS instances will be located to store any data from the application processing. As you can see, by placing your RDS instances in the fifth level behind the other four layers, the likelihood of malicious users and traffic getting access to your RDS instance is significantly reduced, especially when you begin to couple this with other security features we have discussed, such as NACLs, security groups and route tables.

Because of the VPC's local route, you cannot use route tables to stop layer three from reaching layer five: every subnet in the VPC can route to every other. The policy that a layer only talks to the layers directly above and below it is instead expressed in each subnet's NACL and in security groups. For example, the NACL on the layer three subnet only needs allow rules for the layer two and layer four CIDR ranges (plus the matching ephemeral-port rules for replies), and traffic from layers one and five is left to fall through to the implicit deny. What route tables do control is the path out of the VPC: only the public layer should carry a route to the internet gateway, private layers that need updates route via the NAT, and the database layer needs no default route at all. For Elastic Beanstalk, we can use the same approach. Again, we are responsible for implementing the correct level of security for environments that are deployed via the Elastic Beanstalk service, which often by design have a multi-layered approach of web, app and database infrastructure components.

Grouping similar elements and splitting others into different subnets enhances the overall security of the deployment. This grouping allows you to implement other security features, such as NACLs and security groups, more effectively, as the number of protocols and ports in use within each subnet is kept to a minimum, thus narrowing any room for error or malicious access. For example, an inbound NACL applied to the layer five subnet, the database layer, using the layered example previously discussed, would allow TCP port 3306 only from the application-layer subnet's CIDR range and let everything else fall through to the implicit deny, with a matching outbound rule for the ephemeral port range back to that subnet, since NACLs are stateless. This keeps the network firewall restricted to only those ports expected by the instances within that subnet, which in this case would be MySQL running on RDS.

In addition to this network-level security, it is advisable to also implement security groups to add another layer of protection at the instance level. In this example, we would use VPC security groups to control this access. One security group would contain all the application servers, and another would contain the database instances, with the database group's inbound rule naming the application servers' security group as its source rather than a CIDR range. This ensures that the only communication between the application servers and the database servers is between the instances included within the respective security groups, over the specific ports defined inside the security group. It's recommended that you define the specific ports here (3306 for MySQL) instead of opening up access over all TCP ports, for example.
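As an added example, not from the lecture (the CIDRs, security group ids, instance names and ports are assumed), the following models the database-layer NACL and security groups just described, together with the stateless-versus-stateful distinction from the earlier NACL and security group sections. The NACL evaluator follows AWS semantics: rules are tried lowest number first, the first match wins, and anything unmatched hits the implicit deny; a session is only usable if both the inbound request and the outbound reply (on the client's ephemeral port) are allowed. The database security group references the application servers' group id rather than a CIDR, so an instance in the same address range but a different group is still refused.

```python
"""Stateless NACL rules and stateful security groups, modelled on the database layer."""
import ipaddress

# Assumed layer CIDRs (the lecture gives no addresses).
WEB_SUBNET = "10.0.3.0/24"   # layer 3: web servers
APP_SUBNET = "10.0.4.0/24"   # layer 4: application servers
DB_SUBNET = "10.0.5.0/24"    # layer 5: RDS running MySQL
MYSQL = (3306, 3306)
EPHEMERAL = (1024, 65535)    # source ports a client picks for its side of a TCP session

# NACL rules as (rule_number, action, protocol, (port_lo, port_hi), cidr).
# AWS evaluates the lowest rule number first, the first match wins, and an
# implicit "*" rule at the end denies anything unmatched.
DB_NACL_INBOUND = [
    (100, "allow", "tcp", MYSQL, APP_SUBNET),        # only the app layer may reach MySQL
]
DB_NACL_OUTBOUND = [
    (100, "allow", "tcp", EPHEMERAL, APP_SUBNET),    # replies to the app layer's ephemeral ports
]


def nacl_verdict(rules, proto, port, remote_ip):
    """Evaluate one direction of a NACL for a single packet; True means allowed."""
    ip = ipaddress.ip_address(remote_ip)
    for _, action, rproto, (lo, hi), cidr in sorted(rules, key=lambda r: r[0]):
        if rproto in ("all", proto) and lo <= port <= hi and ip in ipaddress.ip_network(cidr):
            return action == "allow"
    return False  # the implicit "*" deny


def nacl_allows_session(inbound, outbound, proto, client_ip, client_port, server_port):
    """Stateless: the request must match an inbound rule AND the reply must match an
    outbound rule keyed on the client's ephemeral port, or the handshake never completes."""
    request_ok = nacl_verdict(inbound, proto, server_port, client_ip)
    reply_ok = nacl_verdict(outbound, proto, client_port, client_ip)
    return request_ok and reply_ok


# Security groups: inbound rules only; being stateful, replies are allowed implicitly.
# A source is a CIDR or another group's id (sg-...), which ties access to role, not address.
SECURITY_GROUPS = {
    "sg-web": [("tcp", (443, 443), "0.0.0.0/0")],
    "sg-app": [("tcp", (8080, 8080), "sg-web")],
    "sg-db":  [("tcp", MYSQL, "sg-app")],        # one port, one source group; not all TCP
}
INSTANCES = {   # constructed inventory
    "web-1": {"ip": "10.0.3.10", "sg": "sg-web"},
    "app-1": {"ip": "10.0.4.10", "sg": "sg-app"},
    "db-1":  {"ip": "10.0.5.10", "sg": "sg-db"},
}


def sg_allows(dst_sg, proto, port, src):
    """True if the destination group has an inbound rule matching the source instance."""
    for rproto, (lo, hi), source in SECURITY_GROUPS[dst_sg]:
        if rproto not in ("all", proto) or not lo <= port <= hi:
            continue
        if source.startswith("sg-"):
            if src["sg"] == source:
                return True
        elif ipaddress.ip_address(src["ip"]) in ipaddress.ip_network(source):
            return True
    return False


def can_reach_db(src_name, port, client_port=50000):
    """Both controls must agree: the DB subnet's NACL and the RDS security group."""
    src = INSTANCES[src_name]
    nacl_ok = nacl_allows_session(DB_NACL_INBOUND, DB_NACL_OUTBOUND, "tcp",
                                  src["ip"], client_port, port)
    sg_ok = sg_allows("sg-db", "tcp", port, src)
    return {"nacl": nacl_ok, "sg": sg_ok, "allowed": nacl_ok and sg_ok}


if __name__ == "__main__":
    for name, port in (("app-1", 3306), ("web-1", 3306), ("app-1", 22)):
        print(name, port, can_reach_db(name, port))
    # Forgetting the outbound ephemeral rule silently breaks every session.
    print("no ephemeral rule:",
          nacl_allows_session(DB_NACL_INBOUND, [], "tcp", "10.0.4.10", 50000, 3306))
```

Running it shows app-1 reaching MySQL, web-1 refused by both the NACL and the security group, SSH from app-1 refused, and the same MySQL session failing as soon as the outbound ephemeral-port rule is dropped from the NACL.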

With RDS being a container service, platform and application management is taken care of. As a result, patching the instance and performing updates on the database engine itself falls under the responsibility of AWS, so a NAT is not required for those actions and the database subnet needs no route to the internet at all. I briefly mentioned Elastic Beanstalk earlier, where I referenced the resources it creates to deploy your environment and run your application. Depending on your configuration, you will likely be using a number of resources across your public and private subnets, and so it's imperative to make use of the range of network security features throughout the VPC that we've already mentioned.

Again, AWS offers the ability for Elastic Beanstalk to manage updates to your underlying platform: the runtime, such as PHP or Java, the OS, and the web and application server software. By design, Elastic MapReduce automatically uses some of these VPC security features, in particular security groups. When launching a cluster, EMR creates two different EC2 security groups: one for the master node (which AWS now calls the primary node) and a second for the worker nodes (the core and task nodes, called slaves in older documentation); clusters launched into a private subnet get a third group for service access. The worker security group only allows communication between the workers and the master. The master security group allows communication between itself and the EMR service and resources such as S3 for pulling data. As these are ordinary security groups, we have the ability to modify them as necessary, so we still have full control over security from this perspective.

Again, the EC2 instances used by EMR within its cluster should be located within a private subnet, especially if the data is sensitive, and that subnet should have its own NACL. Always protect your data and services where possible within private subnets. If a service or its data does not need to be accessed over the internet, then it should sit within a private subnet, behind NACLs and security groups and with no route to the internet gateway, and not be made accessible via the public subnet. If we take a quick look at our abstract services, the network security is largely taken care of by AWS, as the shared responsibility model dictates.

Firstly, DynamoDB. DynamoDB is an abstract database service, whereas RDS is a container database service, and there are some fundamental differences between the two, as expected. More of DynamoDB's security, operational controls and underlying maintenance falls under the responsibility of AWS. For example, DynamoDB hardware failover and data replication is taken care of by AWS automatically and does not have to be configured, as it does in RDS by enabling Multi-AZ. Also, with DynamoDB you do not place a database yourself within a particular AZ or network segment, it being an abstracted service, and as such network-level security for DynamoDB is also managed by AWS. This approach remains the same for both S3 and SQS.

Network security controls and management for these services are handled by AWS and governed by the security mechanisms imposed on AWS's own network. Two things remain in your hands. First, controlling who has access to these services requires you to set up the necessary authorized permissions; this is largely a matter of identity and access management, IAM, which is what we will be discussing in the next lecture. Second, although you cannot place S3 or DynamoDB in your subnets, you can keep your VPC's traffic to them off the public internet by using VPC endpoints, and bucket or endpoint policies can then restrict access to requests arriving that way. So to summarize this lecture quickly, there is a clear distinction between the amount of network security control we have over container services and over abstract services. Detail, care and attention should be taken to ensure the correct level of network security is used to protect your data when using container services. Generally speaking, container services offer more control, but with that comes an increased effort to secure them. Conversely, abstract services are easy to set up, as AWS is responsible for the lion's share, but also offer less control.


About the Author

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.