6.2.2. Key Concepts Review: Infrastructure & Application Security
First Principle: Robust infrastructure and application security means layering controls at the network, compute, and application levels and applying security best practices so that foundational AWS resources are protected from unauthorized access, configuration flaws, and malicious attacks.
This review consolidates the concepts for securing cloud infrastructure and applications.
Core Concepts & AWS Services for Infrastructure & Application Security:
- Network Security Design:
  - VPC Security Controls: Security Groups (SGs) (instance-level, stateful), Network ACLs (NACLs) (subnet-level, stateless).
  - AWS Network Firewall: VPC-level intrusion prevention, web filtering.
  - AWS WAF (Web Application Firewall): Application-layer web exploit protection (for ALB, CloudFront, API Gateway).
  - AWS Shield (DDoS Protection): Managed DDoS protection.
  - VPN & Direct Connect (DX) Security: Encryption, authentication, network access controls for hybrid connections.
- Compute Security:
  - EC2 Instance Security: Patching, OS hardening, IAM roles via Instance Profiles.
  - Container Security: ECR Image Scanning, Runtime Protection (GuardDuty Runtime Monitoring), IAM Roles for Tasks.
  - Serverless Security: Lambda Permissions (execution roles), API Gateway Authorization.
- Application Security:
  - Secure Application Development: Threat modeling, secure coding (input validation, error handling), secrets management.
  - Runtime Protection: Agent-based vs. agentless (e.g., GuardDuty Runtime Monitoring).
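The stateful-versus-stateless distinction between Security Groups and NACLs listed above is the one most often misconfigured, so here is an added illustration (not AWS code, and not part of the original review) that models both evaluation styles in a simplified form. It assumes TCP-only rules, a constructed client at 203.0.113.10 talking to a server on port 443, and shows why a NACL needs an explicit outbound ephemeral-port rule for the reply while a Security Group does not; it also models NACL rule-number ordering with an explicit deny.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int            # evaluation order for NACLs (ignored by SGs)
    ports: tuple           # inclusive (low, high) TCP port range
    cidr: str              # remote CIDR the rule matches
    action: str = "allow"  # NACLs may also "deny"; SGs are allow-only

def matches(rule, ip, port):
    lo, hi = rule.ports
    return lo <= port <= hi and ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr)

def nacl_permits(rules, ip, port):
    """Stateless: the lowest-numbered matching rule decides; implicit deny at the end."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, ip, port):
            return rule.action == "allow"
    return False

class SecurityGroup:
    """Stateful and allow-only: a packet admitted inbound makes its reply allowed."""
    def __init__(self, inbound):
        self.inbound = inbound
        self.tracked = set()  # connection table: (remote_ip, remote_port, local_port)

    def permit_inbound(self, remote_ip, remote_port, local_port):
        ok = any(matches(r, remote_ip, local_port) for r in self.inbound)
        if ok:
            self.tracked.add((remote_ip, remote_port, local_port))
        return ok

    def permit_reply(self, remote_ip, remote_port, local_port):
        # No outbound rule is consulted; the connection table answers.
        return (remote_ip, remote_port, local_port) in self.tracked

# Constructed flow: client 203.0.113.10:49152 -> server TCP 443, then the reply.
CLIENT, CLIENT_PORT, SERVER_PORT = "203.0.113.10", 49152, 443
HTTPS_IN = [Rule(100, (443, 443), "0.0.0.0/0")]

def nacl_flow(outbound_rules):
    """(request_allowed, reply_allowed) through a stateless NACL."""
    request = nacl_permits(HTTPS_IN, CLIENT, SERVER_PORT)
    reply = nacl_permits(outbound_rules, CLIENT, CLIENT_PORT)  # outbound matches the remote port
    return request, reply

def sg_flow():
    """Same flow through a stateful SG that has only the inbound 443 rule."""
    sg = SecurityGroup(HTTPS_IN)
    request = sg.permit_inbound(CLIENT, CLIENT_PORT, SERVER_PORT)
    return request, sg.permit_reply(CLIENT, CLIENT_PORT, SERVER_PORT)
```

With no outbound rule the NACL admits the request but drops the reply; adding an outbound allow for 1024-65535 fixes it, whereas the Security Group passes the reply from its connection table alone.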
Scenario: You need to secure a complex web application running on EC2 instances and Lambda functions, with connectivity to an on-premises data center. This involves network protection, instance hardening, and application-level security.
Reflection Question: How do robust infrastructure (e.g., VPC security controls, EC2 instance hardening) and application security (e.g., secure development practices, serverless permissions) fundamentally protect foundational AWS resources and execution environments from unauthorized access, configuration flaws, and malicious attacks as part of a strong defense-in-depth strategy?