Infrastructure Security (Infra Security)
This area covers the capabilities that raise the level of control and data protection over your entire infrastructure on AWS and shrink the surface that is exposed to threats. The AWS security services that fall into this area are listed below.
AWS Systems Manager
Provides capabilities that make Amazon EC2 and on-premises environments easier to configure and manage, including OS patching, building hardened system images, and enforcing secure OS configuration. Useful references for using AWS Systems Manager from a security point of view are listed below.
Bookmark
- Security in AWS Systems Manager
- Security in AWS Systems Manager Incident Manager
- GIT - Amazon SSM Agent
- GIT - AwsApiActionDemo
- GIT - SSM Agent Toolkit - Windows
- GIT - SSM Agent Toolkit - Linux
- GIT - Operational Management: Inventory, Patching, and Compliance
- Video - Manage Distribution of Software Packages with AWS Systems Manager Distributor
- Video - Aggregate and Resolve Operational Issues Using AWS Systems Manager OpsCenter
- Support - How do I use an SSH tunnel through AWS Systems Manager to access private VPC resources?
- Support - Troubleshooting managed instances in a disconnected state
- Support - How do I use Systems Manager Automation to require IMDSv2 for instance metadata access on Amazon EC2 instances?
- Blog - Replacing a Bastion Host with Amazon EC2 Systems Manager - how to replace a bastion host with Systems Manager Run Command
- Blog - Streaming AWS Systems Manager Run Command output to Amazon CloudWatch Logs
- Blog - New – AWS Systems Manager Session Manager for Shell Access to EC2 Instances - introduces Session Manager, which opens a shell session to an instance through Systems Manager
- Blog - Port Forwarding Using AWS System Manager Session Manager
- Blog - Managing Secrets for Amazon ECS Applications Using Parameter Store and IAM Roles for Tasks
- Blog - Manage Instances at Scale without SSH Access Using EC2 Run Command
- Blog - How to Remediate Amazon Inspector Security Findings Automatically
- Blog - Preventing blacklisted applications with AWS Systems Manager and AWS Config
- Blog - Providing temporary instance permissions with AWS Systems Manager Automations
- Blog - How do I create VPC endpoints so that I can use Systems Manager to manage private EC2 instances without internet access?
- Blog - Build your own software asset governance platform on AWS
- Blog - How to automate SCAP testing with AWS Systems Manager and Security Hub
- Blog - How Moody’s uses AWS Systems Manager to patch servers across multiple cloud providers
- Blog - Resolve IT Incidents Faster with Incident Manager, a New Capability of AWS Systems Manager
- Blog - AWS Systems Manager Incident Manager integration with Amazon CloudWatch
- Blog - Creating contacts, escalation plans, and response plans in AWS Systems Manager Incident Manager
- Blog - Configure Session Manager access for federated users using SAML session tags
- Blog - Configuring AWS Systems Manager Session Manager run as support for federated users using session tags
- Blog - Manage instances using AWS Systems Manager Quick Setup across AWS Organization
- Blog - New – Query for AWS Regions, Endpoints, and More Using AWS Systems Manager Parameter Store
- Blog - How Rackspace uses AWS Systems Manager for instance patching across multi-cloud and hybrid environments
- Blog - Operational insights in Systems Manager OpsCenter help you identify duplicate issues and noisy event sources
- Blog - How to automate incident response to security events with AWS Systems Manager Incident Manager
- Blog - Centralized multi-account and multi-Region patching with AWS Systems Manager Automation
- Blog - Avoid zero-day vulnerabilities with same-day security patching using AWS Systems Manager
- Blog - Simplifying Active Directory domain join with AWS Systems Manager
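As an added example (not part of the original page and not AWS code), the script below shows the check behind the IMDSv2 Support article listed above: it walks the structure returned by EC2 DescribeInstances, reports instances whose metadata options still accept IMDSv1, and builds the arguments you would pass to ModifyInstanceMetadataOptions to require IMDSv2. The DescribeInstances response embedded in the script is constructed, not captured from an account, and the instance IDs are made up.

```python
"""Find EC2 instances that still accept IMDSv1 and build the IMDSv2 fix.

Added example for this page; not AWS code. Input is the structure returned by
EC2 DescribeInstances (Reservations -> Instances -> MetadataOptions). The
response below is constructed and the instance IDs are made up.
"""
from typing import Any, Dict, List, Tuple

# Constructed DescribeInstances response: four instances with different settings.
SAMPLE_DESCRIBE_INSTANCES: Dict[str, Any] = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa000000000001", "State": {"Name": "running"},
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0aaa000000000002", "State": {"Name": "running"},
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 2}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0aaa000000000003", "State": {"Name": "stopped"},
             "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0aaa000000000004", "State": {"Name": "terminated"},
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
        ]},
    ]
}


def audit_imds(describe_response: Dict[str, Any]) -> List[Tuple[str, str, str]]:
    """Return (instance_id, level, reason) for each instance that needs attention.

    'high'   : IMDSv1 is still accepted (HttpTokens != 'required'), so an SSRF or any
               local process can read the instance role credentials with a plain GET.
    'review' : IMDSv2 is enforced but the PUT response hop limit is above 1. That is
               needed for containers in their own network namespace, but it also lets
               such containers reach IMDS; confirm it is intended.
    """
    findings: List[Tuple[str, str, str]] = []
    for reservation in describe_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") == "terminated":
                continue  # nothing left to fix
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # IMDS is off entirely; no v1 surface
            if opts.get("HttpTokens") != "required":
                findings.append((inst["InstanceId"], "high",
                                 "IMDSv1 allowed (HttpTokens is not 'required')"))
            elif int(opts.get("HttpPutResponseHopLimit", 1)) > 1:
                findings.append((inst["InstanceId"], "review",
                                 f"IMDSv2 enforced but HttpPutResponseHopLimit is {opts['HttpPutResponseHopLimit']}"))
    return findings


def remediation_kwargs(instance_id: str, hop_limit: int = 1) -> Dict[str, Any]:
    """Arguments for boto3 ec2.modify_instance_metadata_options() that require IMDSv2.

    hop_limit=1 keeps the IMDSv2 token response from being forwarded out of the
    instance's own network namespace; raise it only for workloads that need it.
    """
    return {"InstanceId": instance_id, "HttpTokens": "required",
            "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": hop_limit}


if __name__ == "__main__":
    for instance_id, level, reason in audit_imds(SAMPLE_DESCRIBE_INSTANCES):
        print(f"[{level}] {instance_id}: {reason}")
        if level == "high":
            print("    fix ->", remediation_kwargs(instance_id))
```

To run it against a real account, pass the output of boto3's ec2.describe_instances() (all pages) into audit_imds() and feed each returned kwargs dictionary to ec2.modify_instance_metadata_options(). The Systems Manager Automation approach from the Support article applies the same setting across a fleet.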
Amazon VPC (Virtual Private Cloud)
Provides a virtual private network in which customers run their AWS resources in a logically isolated environment, separated from other customers. Useful references for using Amazon VPC are listed below.
Bookmark
- VPC security
- Identity and access management for VPC peering
- What is Traffic Mirroring?
- Identity and access management for VPC Reachability Analyzer
- Authentication and access control for Transit Gateway
- Identity and access management for AWS Network Manager
- Identity and access management for VPC endpoints and VPC endpoint services
- AWS Cloud WAN security
- Video - How can I search CloudTrail event history to determine how a security group or resource was changed?
- Best Practice - Accessing VPC Endpoints From Remote Networks - building a secure, highly available path from outside the VPC (for example, on-premises) to a VPC S3 endpoint
- Best Practice - Controlling VPC Egress Traffic - AWS features and partner solutions for controlling VPC outbound traffic
- Best Practice - VPC Security Capabilities - the security features VPC provides, WAF and Shield, and the network partner solutions you can use with them
- Best Practice - Single Region Multi-VPC Connectivity - options for designing connectivity between multiple VPCs within a single Region using peering, DX and so on
- Best Practice - Multiple Region Multi-VPC Connectivity - options for designing connectivity between multiple VPCs across Regions using VPN, DX, WAN and so on
- Best Practice - AWS Global Transit Network - partner solutions such as Cisco and Aviatrix for building a global transit network
- Whitepaper - Amazon Virtual Private Cloud Connectivity Options
- Support - How do I find the top contributors to traffic through the NAT gateway in my VPC?
- Support - Analyzing inbound internet traffic to a NAT gateway
- Quick Start - Modular and Scalable VPC Architecture
- GIT - aws-securitygroup-grapher
- GIT - aws-security-viz - A tool to visualize aws security groups
- GIT - CloudMapper - a tool that visualizes how the environment in your VPC is configured
- GIT - aws-vpc-flow-log-appender
- Blog - Analyzing VPC Flow Logs with Amazon Kinesis Firehose, Amazon Athena, and Amazon QuickSight
- Blog - Learn From Your VPC Flow Logs With Additional Meta-Data
- Blog - One to Many: Evolving VPC Design
- Blog - AWS networking capabilities give you choices for hybrid cloud connectivity, but which service works best for your use case?
- Blog - Automating AWS Transit Gateway attachments to a transit gateway in a central account
- Blog - VPC sharing: A new approach to multiple accounts and VPC management
- Blog - How to Address the PCI DSS Requirements for Data Encryption in Transit Using Amazon VPC
- Blog - New – VPC Ingress Routing – Simplifying Integration of Third-Party Appliances
- Blog - Overlay Multicast in Amazon Virtual Private Cloud
- Blog - How to set up an outbound VPC proxy with domain whitelisting and content filtering
- Blog - How to add DNS filtering to your NAT instance with Squid
- Blog - VPC Reachability Analyzer
- Blog - Securing ingress using security solutions and AWS Transit Gateway
- Blog - VPC sharing: key considerations and best practices
- Blog - Mirror production traffic to test environment with VPC Traffic Mirroring
- Blog - Automating connectivity assessments with VPC Reachability Analyzer
- Blog - Automating service discovery using AWS Transit Gateway Multicast with IGMP
- Blog - Monitoring AWS Transit Gateway route limits using a serverless architecture
- Blog - Integrating Network Connectivity Testing with Infrastructure Deployment
- Blog - Easily Manage Security Group Rules with the New Security Group Rule ID
- Blog - Leveraging AWS PrivateLink for volumetric data processing
- Blog - Inspect Subnet to Subnet traffic with Amazon VPC More Specific Routing
- Blog - Building an egress VPC with AWS Transit Gateway and the AWS CDK
- Blog - Analyze VPC Flow Logs with point-and-click Amazon Athena integration
- Blog - How to solve Private IP exhaustion with Private NAT Solution
- Blog - Scale traffic using multiple Interface Endpoints
- Blog - Integrating AWS Transit Gateway with AWS PrivateLink and Amazon Route 53 Resolver
- Blog - How NLCHI provides hybrid access to their EHR system through AWS PrivateLink
- Blog - Amazon VPC Routing Enhancements Allow You to Inspect Traffic Between Subnets In a VPC
- Blog - Automatically update security groups for Amazon CloudFront IP ranges using AWS Lambda
- Blog - Automate Networking foundation in multi-account environments
- Blog - Optimize performance and reduce costs for network analytics with VPC Flow Logs in Apache Parquet format
- Blog - Amazon VPC Network Access Analyzer
- Blog - Automated VPC prefix list population for cross-Region and in-Region security group referencing
- Blog - Reduce Cost and Increase Security with Amazon VPC Endpoints
- Blog - Introduction to Traffic Mirroring to GWLB Endpoints as Target
- Blog - Introducing VPC Flow Logs for AWS Transit Gateway
- Blog - Identifying publicly accessible resources with Amazon VPC Network Access Analyzer
- Blog - Introducing Amazon VPC Flow Logs to Kinesis Data Firehose
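As an added example (not from the page or from AWS), the block below does the step that the NAT gateway top-contributor Support article and the flow-log analysis posts above all start from: parsing flow-log records. It handles the default (version 2) format locally and answers two of those questions over constructed records: which source pushes the most accepted bytes, and which external source is hitting many distinct ports and being rejected, the signature of a port scan. The account ID, interface IDs and addresses in the sample are made up.

```python
"""Summarize VPC Flow Log records in the default (version 2) format.

Added example for this page; not AWS code. The records below are constructed
to match the default format: version account-id interface-id srcaddr dstaddr
srcport dstport protocol packets bytes start end action log-status.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample; public addresses use the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.25 203.0.113.10 41234 443 6 20 4249 1690000000 1690000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.25 203.0.113.10 41236 443 6 300 912000 1690000060 1690000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60002 198.51.100.7 10.0.1.40 55101 22 6 3 180 1690000000 1690000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60002 198.51.100.7 10.0.1.40 55102 3389 6 3 180 1690000001 1690000061 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60002 198.51.100.7 10.0.1.40 55103 445 6 3 180 1690000002 1690000062 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60003 10.0.2.11 192.0.2.50 50000 53 17 100 12500 1690000000 1690000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60003 - - - - - - - 1690000000 1690000060 - NODATA
"""

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


@dataclass
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    dstport: Optional[int]
    protocol: Optional[int]
    packets: int
    bytes: int
    action: str


def _int_or_none(value: str) -> Optional[int]:
    return None if value == "-" else int(value)


def parse_flow_log(text: str) -> List[FlowRecord]:
    """Parse default-format lines; skip malformed lines and NODATA/SKIPDATA records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # not a default-format record (a custom format needs its own field list)
        row = dict(zip(FIELDS, parts))
        if row["log_status"] != "OK":
            continue  # NODATA/SKIPDATA rows carry no traffic fields
        records.append(FlowRecord(
            interface_id=row["interface_id"], srcaddr=row["srcaddr"], dstaddr=row["dstaddr"],
            dstport=_int_or_none(row["dstport"]), protocol=_int_or_none(row["protocol"]),
            packets=int(row["packets"]), bytes=int(row["bytes"]), action=row["action"]))
    return records


def top_talkers(records: List[FlowRecord], n: int = 3) -> List[Tuple[str, int]]:
    """Source addresses ranked by accepted bytes, highest first."""
    by_src: Counter = Counter()
    for r in records:
        if r.action == "ACCEPT":
            by_src[r.srcaddr] += r.bytes
    return by_src.most_common(n)


def rejected_port_scanners(records: List[FlowRecord], min_ports: int = 3) -> Dict[str, List[int]]:
    """Sources whose REJECTed flows touched at least min_ports distinct destination ports."""
    ports: Dict[str, set] = defaultdict(set)
    for r in records:
        if r.action == "REJECT" and r.dstport is not None:
            ports[r.srcaddr].add(r.dstport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("top talkers:", top_talkers(recs))
    print("rejected scanners:", rejected_port_scanners(recs))
```

The two aggregations are what the Athena queries in the linked posts express in SQL over the same fields. If you enable flow logs with a custom format, replace FIELDS with the fields you chose, in order.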
AWS Shield
A managed DDoS protection service that defends workloads running on AWS against DDoS attacks. Useful references for using AWS Shield are listed below.
Bookmark
- Security in AWS Shield
- Best Practice - Denial of Service Attack Mitigation on AWS - architecture design principles for improving the DDoS resilience of AWS workloads
- TIP - AWS Shield Engagement Lambda - a Lambda function for escalating to the Shield Response Team (SRT)
- Video [AWS Cloud 2017] - Building a DDoS-resilient AWS security architecture with AWS Shield
- Video [AWS re:Invent 2017] - Automating DDoS Response in the Cloud (SID324) - the DDoS demo presented at re:Invent
- 동영상 - Getting started with AWS Shield Advanced
- 동영상 - Validating your AWS Shield Advanced deployment and configuration
- Blog - How to Help Protect Dynamic Web Applications Against DDoS Attacks by Using Amazon CloudFront and Amazon Route 53
- Blog - How to defend games against DDoS attacks
- Blog - A guide for game developers on AWS - Part 1: How to defend against DDoS attacks (Korean)
- Blog - Set up centralized monitoring for DDoS events and auto-remediate noncompliant resources
- Blog - How to protect a self-managed DNS service against DDoS attacks using AWS Global Accelerator and AWS Shield Advanced
- Blog - How to estimate your AWS WAF and AWS Shield Advanced cost?
- Blog - AWS Shield threat landscape review: 2020 year-in-review
- Blog - Automatic Application Layer DDoS Mitigation
- Blog - Calculating data transfer leveraging Amazon VPC flow logs
AWS WAF (Web Application Firewall)
Protects customer web applications against attacks that exploit common web vulnerabilities and that can affect availability or compromise security. Useful references for using AWS WAF are listed below. The AWS WAF API has been revised; guidance for the previous version is marked below with the prefix Classic.
Bookmark
- Security in AWS WAF
- Security in AWS WAF Classic
- MaxMind GeoIP2 - the provider of the GeoIP data behind WAF geo match rules
- Support - How do I use AWS WAF to block HTTP requests that don't contain a User-Agent header?
- Ext. - Introduction to OWASP Top 10 2021 (DRAFT FOR PEER REVIEW)
- GIT - AWS WAF & Trend Micro Deep Security integration - feeding Deep Security detections into an AWS WAF rule set
- GIT - How to use AWS WAF to filter incoming traffic from embargoed countries
- GIT - aws-waf-sample
- QuickStart - AWS WAF Security Automations
- Blog - How to use AWS WAF to filter incoming traffic from embargoed countries
- Blog - Creating web access control lists using Fortinet Managed Rules set from AWS Marketplace
- Blog - Trimming AWS WAF logs with Amazon Kinesis Firehose transformations
- Blog - How to analyze AWS WAF logs using Amazon Elasticsearch Service
- Blog - Amazon API Gateway adds support for AWS WAF
- Blog - Protecting your API using Amazon API Gateway and AWS WAF — Part I
- Blog - Protecting your API using Amazon API Gateway and AWS WAF — Part 2
- Blog - How to Prevent Hotlinking by Using AWS WAF, Amazon CloudFront, and Referer Checking - detecting and blocking hotlinking (unauthorized embedding of your content by external sites)
- Blog - Increase Security Posture and Troubleshoot Service Delivery with Splunk & New AWS WAF Full Logs Feature
- Blog - Detect suspicious IP addresses with the Amazon SageMaker IP Insights algorithm
- Blog - Enabling serverless security analytics using AWS WAF full logs, Amazon Athena, and Amazon QuickSight
- Blog - How to use Amazon GuardDuty and AWS Web Application Firewall to automatically block suspicious hosts
- Blog - How to think about Zero Trust architectures on AWS
- Blog - Deploy a dashboard for AWS WAF with minimal effort
- Blog - Migrating your rules from AWS WAF Classic to the new AWS WAF
- Blog - Automatically updating AWS WAF Rule in real time using Amazon EventBridge
- Blog - Defense in depth using AWS Managed Rules for AWS WAF (part 1)
- Blog - Deploying defense in depth using AWS Managed Rules for AWS WAF (part 2)
- Blog - How to enhance Amazon CloudFront origin security with AWS WAF and AWS Secrets Manager
- Blog - Field Notes: How to Identify and Block Fake Crawler Bots Using AWS WAF
- Blog - Field Notes: How OLX Europe Fights Millions of Bots with AWS
- Blog - How to estimate your AWS WAF and AWS Shield Advanced cost?
- Blog - Reduce Unwanted Traffic on Your Website with New AWS WAF Bot Control
- Blog - Customize requests and responses with AWS WAF
- Blog - Automatically update AWS WAF IP sets with AWS IP ranges
- Blog - The three most important AWS WAF rate-based rules
- Blog - How to improve visibility into AWS WAF with anomaly detection
- Blog - How to customize behavior of AWS Managed Rules for AWS WAF
- Blog - Fine-tune and optimize AWS WAF Bot Control mitigation capability
- Blog - Blocking application attacks using AWS WAF at scale
- Blog - Analyzing AWS WAF Logs in Amazon CloudWatch Logs
- Blog - Easily protect your AWS CDK-defined infrastructure with AWS WAFv2
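As an added example (not code from the page or from AWS), the block below writes two of the rules the WAF links above keep returning to, in the JSON shape that the WAFv2 CreateWebACL/UpdateWebACL API takes: the "block requests without a User-Agent header" rule from the Support article, and a rate-based rule per source IP of the kind discussed in "The three most important AWS WAF rate-based rules". A small evaluator then runs constructed requests through them so the effect of the NotStatement and of the rate window is visible. The field names inside the rules are the real API names; the evaluator is an approximation that understands only these two statement types and is not the AWS WAF engine, and the request records and their IPs are made up.

```python
"""Two AWS WAF (v2) rules in the JSON shape CreateWebACL/UpdateWebACL accept,
plus a toy evaluator to show what they do.

Added example for this page; not AWS code. The request records are constructed,
and the evaluator approximates the service for these two statement types only.
"""
from collections import defaultdict
from typing import Any, Dict, List


def _visibility(name: str) -> Dict[str, Any]:
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": name}


RULES: List[Dict[str, Any]] = [
    {
        "Name": "BlockMissingUserAgent",
        "Priority": 0,
        # A request with no User-Agent cannot satisfy "size of user-agent > 0", so
        # wrapping the size constraint in NotStatement matches exactly those requests.
        "Statement": {"NotStatement": {"Statement": {"SizeConstraintStatement": {
            "FieldToMatch": {"SingleHeader": {"Name": "user-agent"}},
            "ComparisonOperator": "GT",
            "Size": 0,
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
        }}}},
        "Action": {"Block": {}},
        "VisibilityConfig": _visibility("BlockMissingUserAgent"),
    },
    {
        "Name": "RateLimitPerIP",
        "Priority": 1,
        # Block a source IP once it exceeds Limit requests within the rule's evaluation window.
        "Statement": {"RateBasedStatement": {"Limit": 100, "AggregateKeyType": "IP"}},
        "Action": {"Block": {}},
        "VisibilityConfig": _visibility("RateLimitPerIP"),
    },
]

_OPS = {"EQ": lambda a, b: a == b, "NE": lambda a, b: a != b, "LT": lambda a, b: a < b,
        "LE": lambda a, b: a <= b, "GT": lambda a, b: a > b, "GE": lambda a, b: a >= b}


def _header_len(req: Dict[str, Any], name: str) -> int:
    """Length of a header value, 0 when the header is absent (what the Support article's rule relies on)."""
    for key, value in req.get("headers", {}).items():
        if key.lower() == name.lower():
            return len(value)
    return 0


def _matches(stmt: Dict[str, Any], req: Dict[str, Any], recent: Dict[str, List[int]]) -> bool:
    """Evaluate the subset of WAF statement types used in RULES."""
    if "NotStatement" in stmt:
        return not _matches(stmt["NotStatement"]["Statement"], req, recent)
    if "SizeConstraintStatement" in stmt:
        s = stmt["SizeConstraintStatement"]
        size = _header_len(req, s["FieldToMatch"]["SingleHeader"]["Name"])
        return _OPS[s["ComparisonOperator"]](size, s["Size"])
    if "RateBasedStatement" in stmt:
        return len(recent[req["ip"]]) > stmt["RateBasedStatement"]["Limit"]
    raise ValueError(f"statement type not supported by this toy evaluator: {list(stmt)}")


def evaluate(rules: List[Dict[str, Any]], requests: List[Dict[str, Any]], window: int = 300) -> List[str]:
    """Return ALLOW/BLOCK per request: rules in priority order, first terminating match wins."""
    recent: Dict[str, List[int]] = defaultdict(list)  # ip -> timestamps inside the sliding window
    decisions = []
    for req in requests:
        stamps = recent[req["ip"]]
        stamps[:] = [t for t in stamps if req["ts"] - t < window]
        stamps.append(req["ts"])
        action = "ALLOW"  # the web ACL's default action
        for rule in sorted(rules, key=lambda r: r["Priority"]):
            if _matches(rule["Statement"], req, recent):
                action = next(iter(rule["Action"])).upper()
                break
        decisions.append(action)
    return decisions


def sample_requests() -> List[Dict[str, Any]]:
    """Constructed traffic: a request with no UA, a normal one, then one client bursting past the limit."""
    reqs = [
        {"ip": "198.51.100.7", "ts": 0, "headers": {"Host": "app.example"}},
        {"ip": "198.51.100.7", "ts": 1, "headers": {"Host": "app.example", "User-Agent": "Mozilla/5.0"}},
    ]
    reqs += [{"ip": "203.0.113.9", "ts": 10 + i, "headers": {"User-Agent": "curl/8.0"}} for i in range(101)]
    reqs.append({"ip": "203.0.113.9", "ts": 10 + 100 + 300, "headers": {"User-Agent": "curl/8.0"}})
    return reqs


if __name__ == "__main__":
    results = evaluate(RULES, sample_requests())
    print(results[:2], results.count("BLOCK"), "blocked of", len(results))
```

To deploy, place RULES in the Rules list of a web ACL (for example with `aws wafv2 create-web-acl --rules file://rules.json` together with the scope, default action and visibility config the command requires). The real service counts rate-based rules over a trailing window and applies the block with some delay, so a burst is not cut off at exactly the 101st request the way the toy shows.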
AWS Firewall Manager
AWS Firewall Manager simplifies the administration and maintenance of AWS WAF, AWS Shield Advanced and EC2 security groups across multiple accounts and resources. With Firewall Manager you define AWS WAF rules, Shield Advanced protections or security group rules once and apply them at the same time across a multi-account environment; the references below also cover its AWS Network Firewall and Palo Alto Cloud NGFW policies. Useful references for using AWS Firewall Manager are listed below.
Bookmark
- Security in AWS Firewall Manager
- Getting started with AWS Firewall Manager Palo Alto Cloud NGFW policies
- Solution - AWS Centralized WAF and VPC Security Group Management
- Solution - AWS Firewall Manager automations for AWS Organizations
- Blog - AWS Firewall Manager: Central Management for Your Web Application Portfolio
- Blog - Use AWS Firewall Manager and VPC security groups to protect your applications hosted on EC2 instances
- Blog - Automate AWS Firewall Manager onboarding using AWS Centralized WAF and VPC Security Group Management solution
- Blog - Use AWS Firewall Manager to deploy protection at scale in AWS Organizations
- Blog - AWS Firewall Manager helps automate security group management: 3 scenarios
- Blog - Set up centralized monitoring for DDoS events and auto-remediate noncompliant resources
- Blog - Centrally manage AWS WAF (API v2) and AWS Managed Rules at scale with Firewall Manager
- Blog - Hands-on walkthrough of the AWS Network Firewall flexible rules engine – Part 1
- Blog - Hands-on walkthrough of the AWS Network Firewall flexible rules engine – Part 2
- Blog - New – Cloud NGFW for AWS
- Blog - How to deploy AWS Network Firewall by using AWS Firewall Manager
AWS Network Firewall
AWS Network Firewall is a managed service that makes it easy to deploy network protections for your VPCs and all the resources in them. Its stateful rules use Suricata-compatible syntax, which is why several of the references below point at Suricata rule documentation and rule feeds. Useful references for using AWS Network Firewall are listed below.
Bookmark
- Security in AWS Network Firewall
- Ext. - Suricata Rule - 5.0.0
- Ext. - Suricata Rule - Protocol Anomalies Detection
- Ext. - Trend Micro Cloud One - Share threat intelligence with AWS
- Ext. - FortiGuard Labs - Managed IPS Rules for AWS Network Firewall
- Solution - AWS Network Firewall Deployment Automations for AWS Transit Gateway
- Solution - Dynamic Object and Rule Extensions for AWS Network Firewall
- GIT - AWS Network Firewall CloudFormation Templates
- GIT - AWS Network Firewall - Terraform Sample
- GIT - AWS Network Firewall Automation Sample
- GIT - aws-networkfirewall-cfn-templates
- Ext. - Emerging Threats Botnet Command and Control drop rules for suricata
- Blog - AWS Network Firewall – New Managed Firewall Service in VPC
- Blog - Enforce your AWS Network Firewall protections at scale with AWS Firewall Manager
- Blog - Automatically block suspicious traffic with AWS Network Firewall and Amazon GuardDuty
- Blog - Use Contributor Insights to analyze AWS Network Firewall
- Blog - Hands-on walkthrough of the AWS Network Firewall flexible rules engine
- Blog - Deploy centralized traffic filtering using AWS Network Firewall
- Blog - Scaling threat prevention on AWS with Suricata
- Blog - Securely scale multi-account architecture with AWS Network Firewall and AWS Control Tower
- Blog - Migrating from Squid Web Proxy to AWS Network Firewall
- Blog - Deployment models for AWS Network Firewall
- Blog - Deployment models for AWS Network Firewall with VPC routing enhancements
- Blog - Integrate AWS Network Firewall with your ISV Firewall Rulesets
- Blog - Design your firewall deployment for Internet ingress traffic flows
- Blog - Securing SAP with AWS Network Firewall: Part 1 – Architecture design patterns
- Blog - Designing AWS-based firewall deployments to protect traffic entering from the Internet (Korean)
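As an added example (not from the page, from AWS, or from the Suricata project), the script below lints a set of Suricata rules before they go into a Network Firewall stateful rule group: it parses each rule into its header and option list and flags rules that cannot be parsed, that use an action that is not a Suricata action, that have no sid or reuse a sid, or that have no msg. Network Firewall requires a unique sid for every rule in a rule group, which is the check that most often fails when rules from the managed feeds and your own rules are merged. The sample rules are constructed, and $HOME_NET/$EXTERNAL_NET are the rule-group variables.

```python
"""Lint Suricata rules before loading them into a Network Firewall stateful rule group.

Added example for this page; not AWS or Suricata project code. The rules below
are constructed; the 'block' line is a deliberate mistake (not a Suricata action).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SURICATA_ACTIONS = {"alert", "pass", "drop", "reject"}

SAMPLE_RULES = """\
# constructed sample rule set
drop tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Outbound cleartext HTTP"; flow:to_server; sid:1000001; rev:1;)
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"TLS to known bad SNI"; tls.sni; content:"bad.example"; nocase; sid:1000002; rev:1;)
pass tcp $HOME_NET any -> 203.0.113.0/24 443 (msg:"Allowed vendor API"; sid:1000001; rev:2;)
block tcp any any -> $HOME_NET 23 (msg:"Telnet"; sid:1000003;)
alert dns $HOME_NET any -> any any (dns.query; content:"example.net"; nocase;)
"""

_HEADER_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$")


@dataclass
class Rule:
    line_no: int
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: List[Tuple[str, Optional[str]]]  # (keyword, value); value None for bare keywords

    def option(self, key: str) -> Optional[str]:
        """First value for key, '' for a bare keyword, None when absent."""
        for k, v in self.options:
            if k == key:
                return v if v is not None else ""
        return None


def split_options(body: str) -> List[str]:
    """Split the option body on ';' while respecting quoted strings and escaped quotes."""
    opts, buf, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and in_quote and i + 1 < len(body):
            buf.append(body[i:i + 2]); i += 2; continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            if "".join(buf).strip():
                opts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    if "".join(buf).strip():
        opts.append("".join(buf).strip())
    return opts


def parse_rule(line_no: int, line: str) -> Optional[Rule]:
    m = _HEADER_RE.match(line)
    if not m:
        return None
    options = []
    for opt in split_options(m.group("body")):
        key, sep, value = opt.partition(":")
        options.append((key.strip(), value.strip() if sep else None))
    return Rule(line_no, m["action"], m["proto"], m["src"], m["sport"],
                m["direction"], m["dst"], m["dport"], options)


def lint_rules(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, level, message) findings in line order."""
    problems, seen_sids = [], {}
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line_no, line)
        if rule is None:
            problems.append((line_no, "error", "unparsable rule"))
            continue
        if rule.action not in SURICATA_ACTIONS:
            problems.append((line_no, "error", f"action '{rule.action}' is not one of {sorted(SURICATA_ACTIONS)}"))
        sid = rule.option("sid")
        if sid is None or not sid.isdigit():
            problems.append((line_no, "error", "missing or non-numeric sid"))
        elif sid in seen_sids:
            problems.append((line_no, "error", f"duplicate sid {sid} (first used on line {seen_sids[sid]})"))
        else:
            seen_sids[sid] = line_no
        if rule.option("msg") is None:
            problems.append((line_no, "warning", "missing msg; matches will be hard to triage in firewall logs"))
    return problems


if __name__ == "__main__":
    for line_no, level, message in lint_rules(SAMPLE_RULES):
        print(f"line {line_no}: {level}: {message}")
```

Adjust SURICATA_ACTIONS to the actions the Network Firewall documentation accepts at the time you deploy; the set here is the standard Suricata list. A rule group that passes this linter can still be rejected by the service for other reasons, so treat it as a pre-flight check, not as validation.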
Route 53 Resolver DNS Firewall
Bookmark
- How Route 53 Resolver DNS Firewall works
- Blog - How to Get Started with Amazon Route 53 Resolver DNS Firewall for Amazon VPC
- Blog - Secure your Amazon VPC DNS resolution with Amazon Route 53 Resolver DNS Firewall
- Blog - Using Route 53 Resolver DNS Firewall Logs with CloudWatch Contributor Insights and Anomaly Detection
Other useful links related to infrastructure security
- Requesting approval for penetration testing against an AWS environment
- List of recommended scanner AMIs
- Video [AWS Summit Seoul 2018] - Building AWS network security with a variety of solutions
- Video [AWS Builders Online] - Best practices for layered AWS network security
- GIT - cloud-nuke - a CLI that bulk-deletes AWS resources
- Solution - AWS Perspective
- Blog - Zero Trust architectures: An AWS perspective
- Blog - Confidential computing: an AWS perspective
- Blog - Creating a Multi-Region Application with AWS Services – Part 1, Compute and Security
- Blog - Reduce security risks from IaC drift in multi-Region AWS deployments with Terraform
Remarks
- All content on this site may change or be revised.
- For official, detailed information, refer to http://aws.amazon.com.
- If you disagree with any of the content or find a broken link, please email the administrator (gisunlim@amazon.com).
Privacy Policy | Site Terms | © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.