AWS Network Security Services cheat sheet
AWS Firewall Manager
AWS Firewall Manager is a security management service that allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations. As new applications are created, Firewall Manager makes it easier to bring new applications and resources into compliance by enforcing a common set of security rules.
Route 53 Resolver DNS Firewall
Route 53 Resolver DNS Firewall lets you control access to sites and block DNS-level threats for DNS queries going out from your VPC through the Route 53 Resolver. With DNS Firewall, you define domain name filtering rules in rule groups that you associate with your VPCs. You can specify lists of domain names to allow or block, and you can customize the responses for the DNS queries that you block.
DNS Firewall only filters on the domain name. It does not resolve that name to an IP address to be blocked. Additionally, DNS Firewall filters DNS/UDP traffic, but it doesn't filter other application layer protocols, such as HTTPS, SSH, TLS, FTP, and so on.
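The rule-group semantics just described (rules evaluated in priority order, domain lists with exact and `*.` wildcard entries, and a configurable response for blocked queries) can be checked offline before a rule group is attached to a VPC. The following Python model is an added example written for this cheat sheet, not AWS code; the rule actions ALLOW, BLOCK and ALERT and the block responses NODATA, NXDOMAIN and OVERRIDE are the real DNS Firewall options, while the rule group, domain lists and query names are constructed sample data. Note that the decision is made on the query name alone, exactly as the caveat above states: nothing here resolves a name or looks at an IP address.

```python
# Added example (not AWS code): offline model of Route 53 Resolver DNS Firewall
# rule-group evaluation. Rule groups, domain lists and query names are constructed.
from dataclasses import dataclass


@dataclass
class Rule:
    priority: int
    domains: list                  # entries like "bad.example" or "*.bad.example"
    action: str                    # "ALLOW", "BLOCK" or "ALERT"
    block_response: str = "NODATA" # for BLOCK: "NODATA", "NXDOMAIN" or "OVERRIDE"
    override_domain: str = ""      # CNAME target when block_response == "OVERRIDE"


def domain_matches(entry: str, qname: str) -> bool:
    """Match one domain-list entry against a query name (case-insensitive,
    trailing dot ignored). "*.suffix" matches subdomains of suffix only."""
    qname = qname.lower().rstrip(".")
    entry = entry.lower().rstrip(".")
    if entry.startswith("*."):
        return qname.endswith("." + entry[2:])
    return qname == entry


def evaluate(rule_group: list, qname: str) -> dict:
    """Decision for one query: the first matching rule in priority order wins.
    A query that matches no rule proceeds to normal resolution."""
    for rule in sorted(rule_group, key=lambda r: r.priority):
        if any(domain_matches(d, qname) for d in rule.domains):
            if rule.action == "BLOCK":
                return {"action": "BLOCK", "rule": rule.priority,
                        "response": rule.block_response,
                        "override": rule.override_domain or None}
            # ALLOW resolves normally; ALERT resolves normally but is logged.
            return {"action": rule.action, "rule": rule.priority,
                    "response": "resolve", "override": None}
    return {"action": "ALLOW", "rule": None, "response": "resolve", "override": None}


# Constructed rule group: an allow list for corporate names takes precedence,
# then two block rules with different responses, then a watch-only ALERT rule.
RULE_GROUP = [
    Rule(100, ["corp.example", "*.corp.example"], "ALLOW"),
    Rule(200, ["malware-test.example", "*.malware-test.example"], "BLOCK", "NXDOMAIN"),
    Rule(300, ["*.sinkhole-test.example"], "BLOCK", "OVERRIDE", "sinkhole.corp.example"),
    Rule(400, ["*.watch-test.example"], "ALERT"),
]

if __name__ == "__main__":
    for name in ["intranet.corp.example", "c2.malware-test.example",
                 "beacon.sinkhole-test.example", "www.example.org"]:
        print(name, evaluate(RULE_GROUP, name))
```

Putting the ALLOW rule at the lowest priority number is the usual way to carve exceptions out of a broad block list; swapping priorities 100 and 200 would not change these sample results, but it would if a corporate name ever appeared in a block list.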
AWS Network Firewall
With AWS Network Firewall, you can define firewall rules that provide fine-grained control over network traffic. Network Firewall works together with AWS Firewall Manager so you can build policies based on Network Firewall rules and then centrally apply those policies across your virtual private clouds (VPCs) and accounts.
VPC Security Group
A security group controls the traffic that is allowed to reach and leave the resources that it is associated with. For example, after you associate a security group with an EC2 instance, it controls the inbound and outbound traffic for the instance. You can associate a security group only with resources in the VPC for which it is created.
When you create a VPC, it comes with a default security group. You can create additional security groups for each VPC.
There is no additional charge for using security groups.
The following diagram shows a VPC with subnets in two Availability Zones, an internet gateway, and an Application Load Balancer. Each Availability Zone has a public subnet for web servers and a private subnet for database servers. There are separate security groups for the load balancer, the web servers, and the database servers. You can add rules to the security group for the load balancer to allow HTTP and HTTPS traffic from the internet. You can add rules to the security group for the web servers to allow traffic only from the load balancer. You can add rules to the security group for the database servers to allow only database requests from the web servers.
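The three-tier design in that diagram relies on two security group properties: inbound is deny-by-default with allow rules only, and a rule's source can be another security group instead of a CIDR, so "only from the load balancer" does not depend on the load balancer's IP addresses. The following Python model is an added example written for this cheat sheet, not AWS code or an AWS API; it lets you check the intended and unintended paths of such a rule set offline before applying it. The security group IDs and addresses are constructed placeholders.

```python
# Added example (not AWS code): offline model of the three-tier security group
# design. IDs, CIDRs and addresses are constructed placeholders.
import ipaddress

# Inbound rules per group: (protocol, from_port, to_port, source), where source
# is either a CIDR or the ID of another security group. There are no deny rules;
# anything not listed is dropped. Outbound is left at the default allow-all.
SECURITY_GROUPS = {
    "sg-lb-placeholder": [
        ("tcp", 80, 80, "0.0.0.0/0"),     # HTTP from the internet
        ("tcp", 443, 443, "0.0.0.0/0"),   # HTTPS from the internet
    ],
    "sg-web-placeholder": [
        ("tcp", 80, 80, "sg-lb-placeholder"),       # only from the load balancer
    ],
    "sg-db-placeholder": [
        ("tcp", 3306, 3306, "sg-web-placeholder"),  # only database requests from web tier
    ],
}


def inbound_allowed(dest_sg, proto, port, src_ip=None, src_sg=None):
    """True if a new inbound connection to a resource in dest_sg is permitted.
    A CIDR source is matched against src_ip; a security-group source is matched
    against src_sg (the group of the sending resource), not against its IP.
    Security groups are stateful, so reply traffic for an allowed connection
    needs no separate rule and is not modelled here."""
    for rule_proto, lo, hi, source in SECURITY_GROUPS[dest_sg]:
        if rule_proto != proto or not (lo <= port <= hi):
            continue
        if source.startswith("sg-"):
            if src_sg == source:
                return True
        elif src_ip is not None and \
                ipaddress.ip_address(src_ip) in ipaddress.ip_network(source):
            return True
    return False


def audit_three_tier():
    """Intended paths should be True; every other path should be False."""
    internet = "198.51.100.7"   # constructed client address
    lb, web = "10.0.1.10", "10.0.2.20"   # constructed private addresses
    return {
        "internet -> lb:443": inbound_allowed("sg-lb-placeholder", "tcp", 443, src_ip=internet),
        "internet -> lb:22":  inbound_allowed("sg-lb-placeholder", "tcp", 22, src_ip=internet),
        "lb -> web:80":       inbound_allowed("sg-web-placeholder", "tcp", 80, src_ip=lb, src_sg="sg-lb-placeholder"),
        "internet -> web:80": inbound_allowed("sg-web-placeholder", "tcp", 80, src_ip=internet),
        "web -> db:3306":     inbound_allowed("sg-db-placeholder", "tcp", 3306, src_ip=web, src_sg="sg-web-placeholder"),
        "lb -> db:3306":      inbound_allowed("sg-db-placeholder", "tcp", 3306, src_ip=lb, src_sg="sg-lb-placeholder"),
    }


if __name__ == "__main__":
    for path, allowed in audit_three_tier().items():
        print(f"{path:22} {'allowed' if allowed else 'denied'}")
```

The common mistake this catches is replacing `sg-lb-placeholder` in the web tier's rule with `0.0.0.0/0`: the load balancer path still works, but `internet -> web:80` flips to allowed and the tier isolation in the diagram is gone.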
AWS WAF
AWS WAF helps you protect against common web exploits and bots that can affect availability, compromise security, or consume excessive resources.
AWS Shield Advanced
AWS Shield is a managed DDoS protection service that safeguards applications running on AWS.
AWS Network ACL
A network access control list (ACL) allows or denies specific inbound or outbound traffic at the subnet level. You can use the default network ACL for your VPC, or you can create a custom network ACL for your VPC with rules that are similar to the rules for your security groups to add a layer of security to your VPC.
There is no additional charge for using network ACLs.
The following diagram shows a VPC with two subnets. Each subnet has a network ACL. When traffic enters the VPC (for example, from a peered VPC, VPN connection, or the internet), the router sends the traffic to its destination. Network ACL A determines which traffic destined for Subnet 1 is allowed to enter Subnet 1, and which traffic destined for a location outside Subnet 1 is allowed to leave Subnet 1. Similarly, network ACL B determines which traffic is allowed to enter and leave Subnet 2.
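Network ACLs differ from security groups in two ways that are easy to get wrong: rules are numbered and evaluated in ascending order with the first match winning (a deny at a lower number beats an allow at a higher one, and the final `*` rule denies anything unmatched), and they are stateless, so a server's reply to a client's ephemeral port must be allowed by an explicit outbound rule. The following Python model is an added example written for this cheat sheet, not AWS code; the rule numbers, CIDRs and addresses are constructed placeholders for a public web subnet like Subnet 1 in the diagram.

```python
# Added example (not AWS code): offline model of network ACL evaluation for one
# subnet. Rule numbers, CIDRs and addresses are constructed placeholders.
import ipaddress

# Rules: (rule_number, protocol, port_lo, port_hi, cidr, action). AWS evaluates
# them in ascending rule-number order; the first match decides; the implicit
# final "*" rule denies everything else.
PUBLIC_SUBNET_NACL = {
    "inbound": [
        (90,  "tcp", 0, 65535, "192.0.2.0/24", "deny"),   # constructed blocked range
        (100, "tcp", 80, 80, "0.0.0.0/0", "allow"),
        (110, "tcp", 443, 443, "0.0.0.0/0", "allow"),
        (120, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),  # replies to outbound connections
    ],
    "outbound": [
        (100, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),  # replies to clients' ephemeral ports
        (110, "tcp", 443, 443, "0.0.0.0/0", "allow"),     # HTTPS initiated from the subnet
    ],
}


def evaluate(nacl, direction, proto, port, remote_ip):
    """Return (rule_number, action) of the first matching rule, or ("*", "deny").
    'port' is the destination port of the packet in the given direction."""
    addr = ipaddress.ip_address(remote_ip)
    for number, rule_proto, lo, hi, cidr, action in sorted(nacl[direction], key=lambda r: r[0]):
        if rule_proto in (proto, "all") and lo <= port <= hi \
                and addr in ipaddress.ip_network(cidr):
            return number, action
    return "*", "deny"


def connection_allowed(nacl, client_ip, client_port, server_port, proto="tcp"):
    """Because the ACL is stateless, a client connection works only if the
    request (inbound, to server_port) and the reply (outbound, to the client's
    ephemeral client_port) are both allowed."""
    request = evaluate(nacl, "inbound", proto, server_port, client_ip)
    reply = evaluate(nacl, "outbound", proto, client_port, client_ip)
    return {"request": request, "reply": reply,
            "allowed": request[1] == "allow" and reply[1] == "allow"}


def without_ephemeral_rule(nacl):
    """The same ACL with the outbound ephemeral-port rule removed: the common
    misconfiguration in which requests arrive but replies are silently dropped."""
    return {"inbound": nacl["inbound"],
            "outbound": [r for r in nacl["outbound"] if not (r[2] == 1024 and r[3] == 65535)]}


if __name__ == "__main__":
    print(connection_allowed(PUBLIC_SUBNET_NACL, "198.51.100.7", 50321, 443))
    print(connection_allowed(PUBLIC_SUBNET_NACL, "192.0.2.9", 50321, 443))
    print(connection_allowed(without_ephemeral_rule(PUBLIC_SUBNET_NACL), "198.51.100.7", 50321, 443))
```

The third call is the case to remember: the inbound rule is correct, the server accepts the SYN, and the connection still fails because the reply never leaves the subnet. A security group would have allowed that reply automatically; a network ACL will not.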