인프라 보안 (Infra Security)

AWS상의 전체 인프라에 대한 통제와 데이터 보호 수준을 향상시키고 위협에 노출되는 부분을 최소화시켜 주는 기능과 관련된 영역입니다. 이 영역에 해당하는 AWS 보안 서비스들에는 다음과 같은 것들이 있습니다.

Amazon Systems Manager

OS 패치, 안전한 시스템 이미지 생성, 안전한 OS설정 등의 작업을 비롯하여 Amazon EC2 및 온프레미스 환경의 구성 및 관리 편의성을 향상시켜주는 기능을 제공합니다. Amazon System Manager를 보안 관점에서 이용하는데 참고할 만한 유용한 내용들은 아래와 같습니다.

Bookmark

AWS Systems Manager의 보안
AWS Systems Manager Incident Manager의 보안
GIT - Amazon SSM Agent
GIT - AwsApiActionDemo
GIT - SSM Agent Toolkit - Windows
GIT - SSM Agent Toolkit - Linux
GIT - Operational Management: Inventory, Patching, and Compliance
동영상 - Manage Distribution of Software Packages with AWS Systems Manager Distributor
동영상 - Aggregate and Resolve Operational Issues Using AWS Systems Manager OpsCenter
Support - AWS Systems Manager를 통해 SSH 터널을 사용하여 프라이빗 VPC 리소스에 액세스하려면 어떻게 해야 하나요?
Support - 연결 끊김 상태의 관리형 인스턴스 문제 해결
SUPPORT - Systems Manager 자동화를 사용하여 Amazon EC2 인스턴스에서 인스턴스 메타데이터에 액세스하는 데 IMDSv2만 사용하도록 하려면 어떻게 해야 합니까?
Blog - Replacing a Bastion Host with Amazon EC2 Systems Manager – System Manager의 Run Command를 활용하여 Bastion Host를 대체하는 방법
Blog - Streaming AWS Systems Manager Run Command output to Amazon CloudWatch Logs
Blog - New – AWS Systems Manager Session Manager for Shell Access to EC2 Instances – System Manager의 Session Manager를 활용하여 인스턴스로 Shell세션을 만들수 있는 기능에 대한 소개를 하는 블로그
Blog - Port Forwarding Using AWS System Manager Session Manager
Blog - Managing Secrets for Amazon ECS Applications Using Parameter Store and IAM Roles for Tasks
Blog - Manage Instances at Scale without SSH Access Using EC2 Run Command
Blog - How to Remediate Amazon Inspector Security Findings Automatically
Blog - Preventing blacklisted applications with AWS Systems Manager and AWS Config
Blog - Providing temporary instance permissions with AWS Systems Manager Automations
Blog - How do I create VPC endpoints so that I can use Systems Manager to manage private EC2 instances without internet access?
Blog - Build your own software asset governance platform on AWS
Blog - How to automate SCAP testing with AWS Systems Manager and Security Hub
Blog - How Moody’s uses AWS Systems Manager to patch servers across multiple cloud providers
Blog - Resolve IT Incidents Faster with Incident Manager, a New Capability of AWS Systems Manager
Blog - AWS Systems Manager Incident Manager integration with Amazon CloudWatch
Blog - Creating contacts, escalation plans, and response plans in AWS Systems Manager Incident Manager
Blog - Configure Session Manager access for federated users using SAML session tags
Blog - Configuring AWS Systems Manager Session Manager run as support for federated users using session tags
Blog - Manage instances using AWS Systems Manager Quick Setup across AWS Organization
Blog - New – Query for AWS Regions, Endpoints, and More Using AWS Systems Manager Parameter Store
Blog - How Rackspace uses AWS Systems Manager for instance patching across multi-cloud and hybrid environments
Blog - Operational insights in Systems Manager OpsCenter help you identify duplicate issues and noisy event sources
Blog - How to automate incident response to security events with AWS Systems Manager Incident Manager
Blog - Centralized multi-account and multi-Region patching with AWS Systems Manager Automation
Blog - Avoid zero-day vulnerabilities with same-day security patching using AWS Systems Manager
Blog - Simplifying Active Directory domain join with AWS Systems Manager

Amazon VPC(Virtual Private Cloud)

고객들이 본인의 AWS리소스들을 다른 고객과 완벽하게 분리된 환경에서 운영할 수 있도록 해주는 가상 사설 네트웍을 제공합니다. Amazon VPC를 이용하는데 참고할 만한 유용한 내용들은 아래와 같습니다.

Bookmark

VPC 보안
VPC 피어링에 대한 자격 증명 및 액세스 관리
What is Traffic Mirroring?
Identity and access management for VPC Reachability Analyzer
Transit Gateway의 인증 및 액세스 제어
Identity and access management for AWS Network Manager
VPC 엔드포인트 및 VPC 엔드포인트 서비스에 대한 ID 및 액세스 관리
AWS Cloud WAN security
동영상 - How can I search CloudTrail event history to determine how a security group or resource was changed?
Best Practice - Accessing VPC Endpoints From Remote Networks – 온프레미스 등 VPC 외부에서 VPC S3 Endpoint로의 안전하고 가용성 있는 접근 통로 구축에 대한 소개
Best Practice - Controlling VPC Egress Traffic – VPC Outbound 트래픽 제어에 대한 AWS 제공 기능들 및 파트너 솔루션에 대한 소개
Best Practice - VPC Security Capabilities – VPC가 제공하는 각종 보안 기능들과 WAF, Shield 및 활용가능한 네트웍 파트너 솔루션들에 대한 소개
Best Practice - Single Region Multi-VPC Connectivity – 단일 리전에서 peering, DX 등을 이용하여 멀티 VPC에 대한 연결을 디자인 하기 위한 옵션들을 소개
Best Practice - Multiple Region Multi-VPC Connectivity – 멀티 리전에서 VPN, DX, WAN 등을 이용하여 멀티 VPC에 대한 연결을 디자인 하기 위한 옵션들을 소개
Best Practice - AWS Global Transit Network – 글로벌 Transit 네트워크를 구축할 수 있는 Cisco, Aviatrix 등 파트너 솔루션들에 대한 소개
백서 - Amazon Virtual Private Cloud Connectivity Options
Support - 내 VPC에서 NAT 게이트웨이를 통해 트래픽에 대한 최고 원인 제공자를 찾으려면 어떻게 해야 합니까?
Support - NAT 게이트웨이에 대한 인바운드 인터넷 트래픽 분석
Quick Starts - 확장 가능한 모듈식 VPC 아키텍처
GIT - aws-securitygroup-grapher
GIT - aws-security-viz -- A tool to visualize aws security groups
GIT - CloudMapper - VPC상의 환경 구성에 대해 Visualize하는 툴
GIT - aws-vpc-flow-log-appender
Blog - Analyzing VPC Flow Logs with Amazon Kinesis Firehose, Amazon Athena, and Amazon QuickSight
Blog - Learn From Your VPC Flow Logs With Additional Meta-Data
Blog - One to Many: Evolving VPC Design
Blog - AWS networking capabilities give you choices for hybrid cloud connectivity, but which service works best for your use case?
Blog - Automating AWS Transit Gateway attachments to a transit gateway in a central account
Blog - VPC sharing: A new approach to multiple accounts and VPC management
Blog - How to Address the PCI DSS Requirements for Data Encryption in Transit Using Amazon VPC
Blog - New – VPC Ingress Routing – Simplifying Integration of Third-Party Appliances
Blog - Overlay Multicast in Amazon Virtual Private Cloud
Blog - How to set up an outbound VPC proxy with domain whitelisting and content filtering
Blog - How to add DNS filtering to your NAT instance with Squid
Blog - VPC Reachability Analyzer
Blog - Securing ingress using security solutions and AWS Transit Gateway
Blog - VPC sharing: key considerations and best practices
Blog - Mirror production traffic to test environment with VPC Traffic Mirroring
Blog - Automating connectivity assessments with VPC Reachability Analyzer
Blog - Automating service discovery using AWS Transit Gateway Multicast with IGMP
Blog - Monitoring AWS Transit Gateway route limits using a serverless architecture
Blog - Integrating Network Connectivity Testing with Infrastructure Deployment
Blog - Easily Manage Security Group Rules with the New Security Group Rule ID
Blog - Leveraging AWS PrivateLink for volumetric data processing
Blog - Inspect Subnet to Subnet traffic with Amazon VPC More Specific Routing
Blog - Building an egress VPC with AWS Transit Gateway and the AWS CDK
Blog - Analyze VPC Flow Logs with point-and-click Amazon Athena integration
Blog - How to solve Private IP exhaustion with Private NAT Solution
Blog - Scale traffic using multiple Interface Endpoints
Blog - Integrating AWS Transit Gateway with AWS PrivateLink and Amazon Route 53 Resolver
Blog - How NLCHI provides hybrid access to their EHR system through AWS PrivateLink
Blog - Amazon VPC Routing Enhancements Allow You to Inspect Traffic Between Subnets In a VPC
Blog - Automatically update security groups for Amazon CloudFront IP ranges using AWS Lambda
Blog - Automate Networking foundation in multi-account environments
Blog - Optimize performance and reduce costs for network analytics with VPC Flow Logs in Apache Parquet format
Blog - Amazon VPC Network Access Analyzer
Blog - Automated VPC prefix list population for cross-Region and in-Region security group referencing
Blog - Reduce Cost and Increase Security with Amazon VPC Endpoints
Blog - Introduction to Traffic Mirroring to GWLB Endpoints as Target
Blog - Introduction to Traffic Mirroring to GWLB Endpoints as Target
Blog - Introducing VPC Flow Logs for AWS Transit Gateway
Blog - Identifying publicly accessible resources with Amazon VPC Network Access Analyzer
Blog - Introducing Amazon VPC Flow Logs to Kinesis Data Firehose

AWS Shield

AWS 상의 워크로드 환경을 디도스 공격으로 부터 방어하는 관리형 디도스 방어 서비스입니다. AWS Shield를 이용하는데 참고할 만한 유용한 내용들은 아래와 같습니다.

Bookmark

AWS Shield 의 보안
Best Practice - Denial of Service Attack Mitigation on AWS – AWS 워크로드에 대한 디도스 방어 능력을 향상시키기 위한 아키텍쳐 설계 원칙들을 소개
TIP - AWS Shield Engagement Lambda - SRT 에스컬레이션 람다 함수
동영상 [AWS Cloud 2017] - AWS Shield를 통한 DDoS 대비 복원성 강한 AWS 보안 아키텍처 구성
동영상 [AWS reInvent 2017] - Automating DDoS Response in the Cloud (SID324) - 리인벤트에 소개된 디도스 데모 영상
동영상 - Getting started with AWS Shield Advanced
동영상 - Validating your AWS Shield Advanced deployment and configuration
Blog - How to Help Protect Dynamic Web Applications Against DDoS Attacks by Using Amazon CloudFront and Amazon Route 53
Blog - How to defend games against DDoS attacks
Blog - AWS 기반 게임 개발자를 위한 안내서 – 1부. DDoS 공격 방어 방법
Blog - Set up centralized monitoring for DDoS events and auto-remediate noncompliant resources
Blog - How to protect a self-managed DNS service against DDoS attacks using AWS Global Accelerator and AWS Shield Advanced
Blog - How to estimate your AWS WAF and AWS Shield Advanced cost?
Blog - AWS Shield threat landscape review: 2020 year-in-review
Blog - Automatic Application Layer DDoS Mitigation
Blog - Calculating data transfer leveraging Amazon VPC flow logs

AWS WAF(Web Application Firewall)

고객 웹 애플리케이션을 일반적인 웹 취약점 기반 공격들로 부터 보호하고 사용성과 보안을 향상시키는 기능을 제공합니다. AWS WAF를 이용하는데 참고할 만한 유용한 내용들은 아래와 같습니다. AWS WAF API가 개선되었습니다. 이에따라, 기존 버전에 대한 안내는 아래에 Classic 이라는 Prefix를 붙여서 구분하였습니다.

Bookmark

AWS WAF 의 보안
AWS WAF 클래식의 보안
MaxMind GeoIP2 - WAF GEO 기반 Rule에 사용되는 GeoIP정보 제공 싸이트
Support - AWS WAF를 사용하여 사용자 에이전트 헤더가 포함되지 않은 HTTP 요청을 차단하려면 어떻게 해야 합니까?
EXT. - Introduction to OWASP Top 10 2021(DRAFT FOR PEER REVIEW)
GIT - AWS WAF & TrendMicro DeepSecurity 연동 – DeepSecurity의 탐지 내역을 기반으로 WAF 룰셋과 연동하기
GIT - How to use AWS WAF to filter incoming traffic from embargoed countries
GIT - aws-waf-sample
QuickStart - AWS WAF Security Automations
Blog - How to use AWS WAF to filter incoming traffic from embargoed countries
Blog - Creating web access control lists using Fortinet Managed Rules set from AWS Marketplace
Blog - Trimming AWS WAF logs with Amazon Kinesis Firehose transformations
Blog - How to analyze AWS WAF logs using Amazon Elasticsearch Service
Blog - Amazon API Gateway adds support for AWS WAF
Blog - Protecting your API using Amazon API Gateway and AWS WAF — Part I
Blog - Protecting your API using Amazon API Gateway and AWS WAF — Part 2
Blog - How to Prevent Hotlinking by Using AWS WAF, Amazon CloudFront, and Referer Checking – 외부 싸이트의 허가받지 않은 링킹(Hot Linking)을 탐지/보호하는 법
Blog - Increase Security Posture and Troubleshoot Service Delivery with Splunk & New AWS WAF Full Logs Feature
Blog - Detect suspicious IP addresses with the Amazon SageMaker IP Insights algorithm
Blog - Enabling serverless security analytics using AWS WAF full logs, Amazon Athena, and Amazon QuickSight
Blog - How to use Amazon GuardDuty and AWS Web Application Firewall to automatically block suspicious hosts
Blog - How to think about Zero Trust architectures on AWS
Blog - Deploy a dashboard for AWS WAF with minimal effort
Blog - Migrating your rules from AWS WAF Classic to the new AWS WAF
Blog - Automatically updating AWS WAF Rule in real time using Amazon EventBridge
Blog - Defense in depth using AWS Managed Rules for AWS WAF (part 1)
Blog - Deploying defense in depth using AWS Managed Rules for AWS WAF (part 2)
Blog - How to enhance Amazon CloudFront origin security with AWS WAF and AWS Secrets Manager
Blog - Field Notes: How to Identify and Block Fake Crawler Bots Using AWS WAF
Blog - Field Notes: How OLX Europe Fights Millions of Bots with AWS
Blog - How to estimate your AWS WAF and AWS Shield Advanced cost?
Blog - Reduce Unwanted Traffic on Your Website with New AWS WAF Bot Control
Blog - Customize requests and responses with AWS WAF
Blog - Automatically update AWS WAF IP sets with AWS IP ranges
Blog - The three most important AWS WAF rate-based rules
Blog - How to improve visibility into AWS WAF with anomaly detection
Blog - How to customize behavior of AWS Managed Rules for AWS WAF
Blog - Fine-tune and optimize AWS WAF Bot Control mitigation capability
Blog - Blocking application attacks using AWS WAF at scale
Blog - Analyzing AWS WAF Logs in Amazon CloudWatch Logs
Blog - Easily protect your AWS CDK-defined infrastructure with AWS WAFv2

AWS Firewall Manager는 여러 계정과 리소스의 AWS WAF, AWS Shield Advanced, EC2 Security Group의 관리 및 유지 보수 작업을 간소화합니다. Firewall Manager를 사용하여 멀티 어카운트 환경에서 AWS WAF 방화벽 규칙과 Shield Advanced 보호, 또는 Security Group 규칙을 한번에 동시에 설정합니다. AWS Firewall Manager를 이용하는데 참고할 만한 유용한 내용들은 아래와 같습니다.

Bookmark

AWS Network Firewall

AWS Network Firewall은 여러분들의 VPC와 VPC 상의 모든 리소스들에 대한 네트워크 보호기능을 쉽게 구성할 수 있도록 해주는 관리형 서비스입니다. AWS Network Firewall을 이용하는데 참고할 만한 유용한 내용들은 아래와 같습니다.

Bookmark

Route 53 Resolver DNS 방화벽

Bookmark

인프라 보안과 관련된 기타 유용한 링크들

AWS 환경에 대한 침투테스트 승인 요청
권장 스캐너 AMI 목록
동영상 [AWS Summit Seoul 2018] - 다양한 솔루션으로 만들어가는 AWS 네트워크 보안
동영상 [AWS Builders Online] - AWS 네트워크 보안을 위한 계층별 보안 구성 모범 사례
GIT - cloud-nuke - AWS 리소스들에 대한 일괄 삭제처리 기능 제공 CLI
Solution - AWS Perspective
Blog - Zero Trust architectures: An AWS perspective
Blog - Confidential computing: an AWS perspective
Blog - Creating a Multi-Region Application with AWS Services – Part 1, Compute and Security
Blog - Reduce security risks from IaC drift in multi-Region AWS deployments with Terraform

Remarks

이 사이트의 모든 내용은 바뀌거나 수정될 수 있습니다.
공식적인 상세한 내용은 http://aws.amazon.com 의 내용을 참조하십시오.
제공되는 내용에 이견이 있거나 잘못된 링크를 발견하시면, 관리자(gisunlim@amazon.com)에게 메일을 주시면 대단히 감사하겠습니다.