
SEC 7. How are you enforcing network and host-level boundary protection?


In an on-premises datacenter, a DMZ approach separates systems into trusted and untrusted zones using firewalls. On AWS, both stateful and stateless firewalls are available: the stateful firewalls are security groups, which are attached to instances (strictly, to their network interfaces), and the stateless firewalls are network Access Control Lists (ACLs), which protect the subnets in an Amazon Virtual Private Cloud (VPC). The current best practice is to run a system in a VPC, define role-based security in security groups (e.g., a web-tier group, an app-tier group, etc.), and define location-based security in network ACLs (e.g., the Elastic Load Balancing tier in one subnet per Availability Zone, the web tier in another subnet per Availability Zone, etc.). Because security groups are stateful, reply traffic for an allowed connection is permitted automatically; because network ACLs are stateless, the reply must be explicitly allowed in the opposite direction (typically on the ephemeral port range), and ACL rules are evaluated in rule-number order with the first match deciding.


Best practices:
• Security groups with minimal authorizations are used to enforce role-based access.
• The system runs in one or more VPCs.
• Trusted VPC access is via a private mechanism (e.g., Virtual Private Network (VPN), IPsec tunnel, AWS Direct Connect, AWS Marketplace solution, etc.).
• Subnets and network ACLs are used appropriately.
• Host-based firewalls with minimal authorizations are used.
• Service-specific access controls are used (e.g., bucket policies).
• Private connectivity to a VPC is used (e.g., VPN, AWS Direct Connect, VPC peering, etc.).
• A bastion host technique is used to manage the instances.
• Security testing is performed regularly.
• AWS Trusted Advisor checks are regularly reviewed.
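The paragraph above and the first and fourth best practices describe two different evaluation models, and the practical mistakes come from confusing them. The following Python script is an added example, not AWS code or part of the original page: it is a toy model of how a security group (stateful, allow-only, any matching rule permits, sources may be other security group ids) and a network ACL (stateless, numbered rules, first match wins, explicit deny possible, CIDRs only) decide on a request into a web instance and on its reply. The subnet layout, addresses and group ids (10.0.0.0/16, sg-elb, sg-app, and so on) are constructed for the example.

```python
"""Toy model of AWS VPC boundary evaluation: security groups (stateful,
allow-only, any matching rule permits) versus network ACLs (stateless,
numbered rules, first match wins, implicit deny). Added example; the
layout, addresses and group ids below are constructed, not from the page."""
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)  # client-side ports that reply traffic must reach


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    proto: str = "tcp"
    src_sg: str = ""  # security group of the sending ENI, if it is in the VPC


@dataclass(frozen=True)
class SgRule:
    proto: str
    port_from: int
    port_to: int
    source: str  # a CIDR, or another security group id (role-based reference)


@dataclass(frozen=True)
class NaclRule:
    number: int  # evaluated lowest first; the first matching rule decides
    action: str  # "allow" or "deny"
    proto: str
    port_from: int
    port_to: int
    cidr: str    # NACLs only understand CIDRs, which is why they map to locations


def _matches(proto, port_from, port_to, pkt):
    return proto == pkt.proto and port_from <= pkt.dport <= port_to


def _in_cidr(cidr, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def sg_allows_inbound(rules, pkt):
    """Allow-list: every rule is checked and any match permits. A source of
    'sg-...' means 'members of that group', so no addresses are needed."""
    for r in rules:
        if not _matches(r.proto, r.port_from, r.port_to, pkt):
            continue
        if r.source.startswith("sg-"):
            if pkt.src_sg == r.source:
                return True
        elif _in_cidr(r.source, pkt.src_ip):
            return True
    return False


def nacl_decision(rules, pkt, remote_ip):
    """Walk rules in ascending number; first match wins. No match falls
    through to the implicit deny, reported here as rule '*'."""
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r.proto, r.port_from, r.port_to, pkt) and _in_cidr(r.cidr, remote_ip):
            return r.action, r.number
    return "deny", "*"


def request_and_reply(sg_in, nacl_in, nacl_out, request):
    """Trace a request into a web instance and its reply back out as
    (stage, decision) pairs, so it is visible where a flow is dropped."""
    trace = []
    action, num = nacl_decision(nacl_in, request, request.src_ip)
    trace.append(("nacl-in", f"{action} (rule {num})"))
    if action != "allow":
        return trace
    ok = sg_allows_inbound(sg_in, request)
    trace.append(("sg-in", "allow" if ok else "deny"))
    if not ok:
        return trace
    # Stateful: the SG tracked the connection, so no outbound SG rule is consulted.
    trace.append(("sg-out", "allow (tracked connection)"))
    # Stateless: the NACL sees the reply as a new packet aimed at an ephemeral port.
    reply = Packet(request.dst_ip, request.src_ip, request.dport, request.sport, request.proto)
    action, num = nacl_decision(nacl_out, reply, reply.dst_ip)
    trace.append(("nacl-out", f"{action} (rule {num})"))
    return trace


def flow_allowed(trace):
    return trace[-1][0] == "nacl-out" and trace[-1][1].startswith("allow")


# Constructed layout (assumed): ELB tier 10.0.0.0/24, web tier 10.0.1.0/24,
# app tier 10.0.2.0/24, a quarantined subnet 10.0.9.0/24, all inside 10.0.0.0/16.
WEB_SG = [SgRule("tcp", 443, 443, "sg-elb")]              # role: only the ELB tier
WEB_SG_TOO_OPEN = [SgRule("tcp", 443, 443, "0.0.0.0/0")]  # anyone who can route here
WEB_NACL_IN = [NaclRule(90, "deny", "tcp", 0, 65535, "10.0.9.0/24"),     # before the allow
               NaclRule(100, "allow", "tcp", 443, 443, "10.0.0.0/16")]   # location: this VPC
WEB_NACL_IN_MISORDERED = [NaclRule(110, "deny", "tcp", 0, 65535, "10.0.9.0/24"),
                          NaclRule(100, "allow", "tcp", 443, 443, "10.0.0.0/16")]
WEB_NACL_OUT = [NaclRule(100, "allow", "tcp", EPHEMERAL[0], EPHEMERAL[1], "0.0.0.0/0")]
WEB_NACL_OUT_MISSING = []  # forgot the ephemeral rule: replies die at the NACL

ELB_REQUEST = Packet("10.0.0.5", "10.0.1.10", 50000, 443, src_sg="sg-elb")
APP_REQUEST = Packet("10.0.2.20", "10.0.1.10", 50000, 443, src_sg="sg-app")
INTERNET_REQUEST = Packet("203.0.113.7", "10.0.1.10", 50000, 443)
QUARANTINE_REQUEST = Packet("10.0.9.4", "10.0.1.10", 50000, 443, src_sg="sg-elb")

if __name__ == "__main__":
    for name, req in [("elb", ELB_REQUEST), ("app", APP_REQUEST),
                      ("internet", INTERNET_REQUEST), ("quarantine", QUARANTINE_REQUEST)]:
        print(name, request_and_reply(WEB_SG, WEB_NACL_IN, WEB_NACL_OUT, req))
```

Run it and compare the traces: the ELB request passes every stage; the app-tier host clears the location check in the NACL but is stopped by the role check in the security group, which is exactly the split the paragraph above recommends; replacing WEB_SG with WEB_SG_TOO_OPEN lets that host bypass the load balancer. Swapping in WEB_NACL_OUT_MISSING shows the stateless failure mode (the request is accepted, the reply never leaves), and WEB_NACL_IN_MISORDERED shows that a deny numbered after the allow never fires.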


© 2023 by Name of Site. Proudly created with Wix.com
