
Network Protection Guidance

Network protection techniques and controls that comply with Amazon’s DPP and AUP.

Overview

Network protection is a set of tools, rules, and configurations designed to protect the confidentiality, integrity and accessibility of data. Any device that can be reached over an internet connection is exposed to attack. Defining strong network protection protocols and policies can help protect your device and network from unnecessary or malicious network traffic.

As part of the Amazon Data Protection Policy (DPP), developers are required to create a secure environment to reduce data loss risks and related vulnerabilities. Developers accept Amazon's DPP and Acceptable Use Policy (AUP) during the registration process.

During Data Security Assessments, Amazon assesses developer compliance with its Data Protection Policies. Without exception, Amazon requires developers to maintain the protocols necessary to protect their network infrastructure consistently, at all times. This technical paper discusses network protection techniques and controls that can help protect your network while maintaining compliance with Amazon’s DPP and AUP requirements.

Amazon Data Protection Policy (DPP) requirements

As stated in the Amazon Data Protection Policy (DPP) under 1.1 Network Protection:

Network protection. Developers must implement network protection controls including network firewalls and network access control lists to deny access to unauthorized IP addresses. Developers must implement network segmentation, antivirus and anti-malware software on end-user devices. Developers must restrict public access only to approved users and carry out data protection and IT security training for everyone with system access.

Network segmentation and firewall filtering

Network segmentation is a technique that splits a large network into smaller sub-networks, providing better access controls and security. When network segregation and segmentation are implemented, IT admins can better control the flow of traffic within a well-defined security perimeter and protect it from intruder breaches and infiltration. While segregation divides the network based on role and functionality, segmentation breaks a flat network into separate parts and disconnects those parts from one another.

Network segmentation helps contain security breaches, thereby reducing risks during attacks and failures. One way to implement effective perimeter-based segmentation is through network firewalls. This includes effectively setting up a desired network boundary and ensuring all traffic crossing the boundary gets routed through the firewall. While the application of network segmentation can be specific to a company’s needs, developers must implement certain best practices as an organization for compliance with Amazon’s DPP. Examples include:

  • Define strong network firewall policies based on a comprehensive risk analysis of your organization. Effective firewall policies are based on blocking all inbound and outbound traffic, with exceptions set for trusted traffic.
  • Segment networks with Virtual Local Area Networks (VLANs) or subnets. VLAN tags route only authorized traffic to a specific isolated network, reducing exposure to malicious packet sniffing and shrinking the attack surface.
  • Micro-segment the network by isolating guest access to networks. In addition to creating guest credentials for access to Wi-Fi networks, create separate portals for third party service providers.
  • Segment user access for users inside the company between perimeters. This will restrict authorization to specific users and initiate alerts when unauthorized access is attempted.

AWS Network Firewall is a stateful, managed network firewall and intrusion detection and prevention service for the virtual private cloud (VPC) environment that you created in Amazon Virtual Private Cloud (Amazon VPC).

The AWS network firewall placement within a simple architecture.

Network Firewall is supported by AWS Firewall Manager, which can be leveraged to centrally configure and manage firewalls across your accounts and applications. The Firewall Policy defines rules and other settings for a firewall to use to filter incoming and outgoing traffic in a VPC.

AWS WAF, AWS Shield, and AWS Firewall Manager work together to serve as a comprehensive security solution. As traffic enters your VPC boundaries, AWS WAF can be used to monitor requests that are forwarded to your web applications and control access to your content. A common method of attack by malicious entities is to send a large volume of traffic to overload your servers, and AWS Shield helps protect against these Distributed Denial of Service (DDoS) attacks. A complementary tool to centrally manage these network protection mechanisms is AWS Firewall Manager, which can be leveraged to set up your firewall rules and apply the rules automatically across accounts and resources, even as new resources are added.

Network access controls

In addition to implementing network segmentation and firewalls, steps should be taken to keep unauthorized devices from accessing the network. This can be achieved through network access control tools, which allow businesses to check devices for compliance and keep unauthorized devices from accessing their corporate networks.

With organizations becoming more open to employees using their personal devices for work purposes, it is more important than ever before to scan these devices for corporate policy adherence and vulnerabilities prior to allowing access to business data.

In addition to on-premises networks, it is essential to protect your organization’s cloud services. Note that Network Access Controls and Access Control Lists (ACLs) are two different concepts. Network Access Controls are access protocols applied to network nodes based on authenticated user identities or trusted devices, while ACLs are rules applied at the router level to either allow or deny access to an environment.

As part of Amazon DPP compliance, it is critical to deploy identity and access management tools or mechanisms that can apply granular permissions based on access control attributes such as department, job, role, and team names. Such role-based controls help organizations monitor actions and associate events and actions with the relevant identities. Both on-premises network devices and cloud devices should have a process in place to authorize, restrict, and control both the allocation and use of access to a network. It is up to developers to deploy a tool based on their scale and pricing needs.

Anti-Malware

Any device connected to the internet is prone to malware. Malware is a catch-all umbrella term used to represent any malicious code written to infect the host computer. Viruses are a kind of malware that easily attach themselves to programs and distribute through emails, removable storage devices, and contaminated networks. After a computer is infected, malware can delete or encrypt files, modify applications, or disable system functions.

It is essential for organizations to develop and implement effective approaches to malware incident prevention based on the attack vectors that are most prevalent. Organizations should have policies that address prevention of malware incidents and threat mitigation capabilities to assist in containing malware incidents.

Antivirus software is the most commonly used technical control for mitigating malware threats. It can scan devices, identify viruses, and remove them. Besides active scanning, regularly updating your antivirus application is necessary for protection from current threats. While antivirus programs are designed to protect a single endpoint, larger corporations with a diverse collection of endpoints require Enterprise Endpoint Security protection. Advanced Endpoint Protection Platform (EPP) solutions provide capabilities such as firewall and heuristics with cutting-edge machine learning and containment.

Amazon’s DPP requires that our SP-API users have mechanisms to protect their endpoints. While Amazon does not advocate a specific antimalware tool, developers are required to enable certain controls. All systems that have access to user data should have antivirus and antimalware software installed. Systems must run full system scans on a regular basis, instead of relying fully on on-access scans.

Controls to turn off antivirus scans should be disabled. Ensure antivirus definitions are up-to-date. Antivirus logging and alerting should be enabled. If antivirus is disabled, the IT team should be notified and an appropriate follow-up process should be initiated.

Network-based intrusion detection systems (NIDS) and network intrusion prevention systems (NIPS)

Network-based intrusion detection systems (NIDS) monitor traffic patterns and detect malicious activity by analyzing inbound and outbound network packets. While NIDS are capable of detecting and alerting on any intrusion on the network, network intrusion prevention systems (NIPS) can prevent an attack by ending a Transmission Control Protocol (TCP) connection or by commanding the firewalls to block suspicious network activity. Amazon’s Data Protection Policies recommend that NIDS and NIPS systems be installed on network and endpoint devices. Note that when implemented properly, NIPS can detect a threat in advance and stall powerful network assaults that conventional security controls cannot detect.

Amazon GuardDuty is a cloud native NIDS service that uses traffic data coming from VPC Flow Logs to detect threat behaviors. You should enable flow logging of your VPC. These logs give you full visibility into the type of traffic that goes through the VPC. Flow logging can help you detect problematic traffic and give you valuable insights. It can also help you solve access and security issues. For instance, the flow log can help you determine whether there are security groups that are overly permissive. Amazon GuardDuty can be configured to notify personnel of suspected compromises via email or Short Message Service (SMS) message in order to react and mitigate any threats.
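The flow log review described above, as an added example that is not part of Amazon's documentation: it parses VPC Flow Log records in the default version 2 format and reports interfaces that accepted TCP traffic to sensitive ports from sources outside an approved list, which points at an overly permissive security group. The approved ranges, the port list and the sample records are assumptions constructed for this example.

```python
import ipaddress
from collections import defaultdict

# Field order of the default (version 2) VPC Flow Log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Assumptions for this example: approved source ranges and ports under review.
APPROVED_SOURCES = [ipaddress.ip_network(c) for c in ("10.0.0.0/16", "203.0.113.0/24")]
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgresql"}

# Constructed sample records (documentation IP ranges, made-up interface IDs).
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 50122 22 6 14 2100 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.15 10.0.1.20 50400 22 6 20 3000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0e5f6a7b 198.51.100.99 10.0.2.30 41000 3306 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0e5f6a7b 192.0.2.44 10.0.2.30 41872 5432 6 9 900 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0e5f6a7b 10.0.1.20 10.0.2.30 39000 5432 6 12 1500 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000060 1700000120 - NODATA
"""

def parse_record(line):
    """Return a dict for one flow log line, or None if it carries no traffic."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":  # NODATA / SKIPDATA records have '-' fields
        return None
    return rec

def find_unapproved_accepts(log_text):
    """Map (interface, port) -> unapproved sources whose TCP traffic was ACCEPTed."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["action"] != "ACCEPT" or rec["protocol"] != "6":
            continue
        port = int(rec["dstport"])
        src = ipaddress.ip_address(rec["srcaddr"])
        if port in SENSITIVE_PORTS and not any(src in n for n in APPROVED_SOURCES):
            findings[(rec["interface_id"], port)].add(str(src))
    return dict(findings)

if __name__ == "__main__":
    for (eni, port), sources in sorted(find_unapproved_accepts(SAMPLE_LOG).items()):
        print(f"{eni} accepts {SENSITIVE_PORTS[port]}/{port} from unapproved: {sorted(sources)}")
```

Each finding names the interface to trace back to its security group; the REJECT record shows a rule that is already denying the unapproved source.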

These tools are not limited to Amazon. Other cloud providers and open source solutions such as Snort and Wazuh are also available to help you secure your environment.

Conclusion

This white paper discussed the importance of network and application protection. Use these as guidelines to strengthen your network protection; you do not have to limit yourself to these tools and controls. While most of the preceding services are Amazon services, feel free to use analogous tools of your choice that fit your requirements.

Notices

Amazon sellers and developers are responsible for making their own independent assessment of the information in this document. This document: (a) is for informational purposes only, (b) represents current practices, which are subject to change without notice, and (c) does not create any commitments or assurances from Amazon.com Services LLC (Amazon) and its affiliates, suppliers or licensors. Amazon Services API products or services are provided “as is” without warranties, representations, or conditions of any kind, whether express or implied. This document is not part of, nor does it modify, any agreement between Amazon and any party.

© 2022 Amazon.com Services LLC or its affiliates. All rights reserved.