Networking: New Capabilities for Amazon Virtual Private Cloud

Page 1: Networking: New Capabilities for Amazon Virtual Private Cloud

AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015

Networking: New Capabilities for Amazon Virtual Private Cloud

Mark Ryland, Chief Architect, WWPS, [email protected]

©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Page 2: Networking: New Capabilities for Amazon Virtual Private Cloud

New capabilities for Amazon VPC

• VPC endpoints
  – Generic capability
  – First VPCE available is for S3
• VPC Flow Logs
  – Netflow-like data from elastic network interfaces

Page 3: Networking: New Capabilities for Amazon Virtual Private Cloud

Problem statement

• AWS “abstracted services”[1] generally have service endpoints on the public address side of an AWS region
• How best to reach those endpoints from inside your VPC?

[1] “AWS Security Best Practices” whitepaper, Nov 2013, p. 7

Page 4: Networking: New Capabilities for Amazon Virtual Private Cloud

Reaching public endpoints

Public IPs and IGW
  Pros
  • Highly available
  • Horizontally scalable
  • Can restrict dest. ports/CIDRs
  Cons
  • Public IPs; security controls are limited
  • Can reach entire S3 service

NAT/PAT server(s)
  Pros
  • Central control
  • All protocols
  Cons
  • Availability risks
  • Scaling hard, limited
  • Lots of work to manage
  • Security limitations similar to use of IGW

Proxy server(s)
  Pros
  • Central control
  • Can scale fairly well
  • Many security options
  Cons
  • Availability risks
  • Lots of work to manage and scale
  • Works only with HTTP/S

Page 5: Networking: New Capabilities for Amazon Virtual Private Cloud

VPC endpoints to the rescue

• No need for public IP addresses, NAT/PAT, or proxies
• Highly available; no SPOF
• Practically infinite horizontal scalability
• Rich security controls

Page 6: Networking: New Capabilities for Amazon Virtual Private Cloud

Rich security controls

• New route entry
  – As many endpoints per VPC as you like, but maximum one assigned route per subnet
• New logical destination address for security group outbound traffic rules
  – Thus, instance-level control through security groups

Page 7: Networking: New Capabilities for Amazon Virtual Private Cloud

Rich security controls (cont.)

• Policies on VPC endpoints
  – Logically, resource policies (not IAM policies)
  – Constrain principals, actions, destination buckets, paths within buckets
• S3 bucket policies
  – Constrain source VPCs, VPC endpoints, both
• All policies ANDed together (IAM, VPC endpoints, S3)

Page 8: Networking: New Capabilities for Amazon Virtual Private Cloud

VPC endpoint policy example

{
  "Statement": [
    {
      "Sid": "Access-to-specific-bucket-only",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my_secure_bucket",
        "arn:aws:s3:::my_secure_bucket/*"
      ]
    }
  ]
}

Page 9: Networking: New Capabilities for Amazon Virtual Private Cloud

S3 bucket policy example #1

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPCE-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::my_secure_bucket",
        "arn:aws:s3:::my_secure_bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpce": "vpce-1a2b3c4d"
        }
      }
    }
  ]
}

Page 10: Networking: New Capabilities for Amazon Virtual Private Cloud

S3 bucket policy example #2

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPC-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::my_secure_bucket",
        "arn:aws:s3:::my_secure_bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpc": "vpc-111bbb22"
        }
      }
    }
  ]
}
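The "all policies ANDed together" rule from slide 7 and the endpoint and bucket policies on slides 8 and 9 can be exercised with a small evaluator. This is an added example and not AWS code or tooling: it copies the deck's VPC endpoint policy and bucket policy example #1 as data, adds a constructed identity policy for a hypothetical role (`arn:aws:iam::123456789010:role/app`, account number borrowed from the flow log slides), and implements only the IAM semantics those policies use (Effect, Action, Resource, Principal, StringEquals and StringNotEquals; explicit Deny wins; no matching statement means implicit deny). Cross-account evaluation, NotAction/NotResource and the other condition operators are deliberately left out.

```python
from fnmatch import fnmatchcase

# Policies copied from slides 8 and 9 of the deck.
ENDPOINT_POLICY = {"Statement": [{
    "Sid": "Access-to-specific-bucket-only", "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject"], "Effect": "Allow",
    "Resource": ["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"]}]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Access-to-specific-VPCE-only", "Principal": "*", "Action": "s3:*", "Effect": "Deny",
    "Resource": ["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"],
    "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-1a2b3c4d"}}}]}
# Constructed identity policy for the caller: broad S3 rights, so that only the
# endpoint policy and the bucket policy decide the outcomes below.
IDENTITY_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Only StringEquals / StringNotEquals are modelled.  Condition keys are
    case-insensitive.  A key missing from the request context makes StringEquals
    false and StringNotEquals true; that asymmetry is what lets the bucket policy
    deny requests that did not arrive through the listed VPC endpoint."""
    ctx = {k.lower(): v for k, v in context.items()}
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key.lower())
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(wanted):
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in _as_list(wanted):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def evaluate(policy, request):
    """Decision of one policy: 'Deny', 'Allow', or None when no statement matches."""
    if policy is None:
        return None
    decision = None
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal", "*")   # identity policies carry no Principal
        if principal != "*" and request["principal"] not in _as_list(principal):
            continue
        if not any(fnmatchcase(request["action"], p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(request["resource"], p) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), request["context"]):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"                         # an explicit Deny always wins
        decision = "Allow"
    return decision


def authorize(request, identity_policy, bucket_policy, endpoint_policy):
    """Slide 7's layering: no explicit Deny anywhere, an Allow from the account
    side (identity policy or bucket policy), and an Allow from the endpoint
    policy whenever the request traversed an endpoint.  endpoint_policy=None
    models a request that came in over an IGW/NAT path instead."""
    account_side = [evaluate(identity_policy, request), evaluate(bucket_policy, request)]
    endpoint_side = evaluate(endpoint_policy, request) if endpoint_policy else "Allow"
    if "Deny" in account_side or endpoint_side == "Deny":
        return "Deny"
    if "Allow" not in account_side or endpoint_side != "Allow":
        return "Deny"                             # implicit deny
    return "Allow"


def request(action, resource, vpce=None):
    """Request context.  The principal ARN is a constructed placeholder (account
    number from the flow log slides); aws:sourceVpce is set only for endpoint traffic."""
    context = {"aws:sourceVpce": vpce} if vpce else {}
    return {"principal": "arn:aws:iam::123456789010:role/app",
            "action": action, "resource": resource, "context": context}


if __name__ == "__main__":
    obj = "arn:aws:s3:::my_secure_bucket/report.csv"   # constructed object key
    cases = [
        ("GetObject via the listed endpoint", request("s3:GetObject", obj, "vpce-1a2b3c4d"), ENDPOINT_POLICY),
        ("GetObject over the IGW path (no sourceVpce)", request("s3:GetObject", obj), None),
        ("DeleteObject via the endpoint", request("s3:DeleteObject", obj, "vpce-1a2b3c4d"), ENDPOINT_POLICY),
    ]
    for label, req, endpoint_policy in cases:
        print(f"{label}: {authorize(req, IDENTITY_POLICY, BUCKET_POLICY, endpoint_policy)}")
```

The second case is the one worth dwelling on: the caller's identity policy allows everything in S3, yet the request is denied because `aws:sourceVpce` is absent from the context and the bucket policy's `StringNotEquals` therefore matches. That is exactly how bucket policy example #1 keeps the bucket off the public address side regardless of whose credentials are used; the endpoint policy on slide 8 then narrows what even endpoint traffic may do (the third case fails because `s3:DeleteObject` is not in its `Action` list).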

Page 11: Networking: New Capabilities for Amazon Virtual Private Cloud

VPC Flow Logs

• Longstanding ask: greater visibility into VPC network behavior
  – Specifically, what about those security group and network ACL DENY cases?
• VPC Flow Logs provide the answer

Page 12: Networking: New Capabilities for Amazon Virtual Private Cloud

VPC Flow Logs (cont.)

• Enabled at the ENI, subnet, or VPC level
• Traffic data surfaced as “flow log records” per ENI
• Exposed as CloudWatch Logs groups and streams
• Data accumulated and published to CW Logs at ~10 minute intervals
• Normal CloudWatch Logs groups/streams with all related features
  – For example, new CloudWatch Logs -> Amazon Kinesis stream integration

Page 13: Networking: New Capabilities for Amazon Virtual Private Cloud

Flow Log record (text, space-delimited)

Field          Description
version        The VPC Flow Logs version.
account-id     The AWS account ID for the Flow Log.
interface-id   The ID of the network interface for which the log stream applies.
srcaddr        The source IP address. The IP address of the network interface is always its private IP address.
dstaddr        The destination IP address. The IP address of the network interface is always its private IP address.
srcport        The source port of the traffic.
dstport        The destination port of the traffic.
protocol       The IANA protocol number of the traffic. For more information, go to Assigned Internet Protocol Numbers.
packets        The number of packets transferred during the capture window.
bytes          The number of bytes transferred during the capture window.
start          The time, in Unix seconds, of the start of the capture window.
end            The time, in Unix seconds, of the end of the capture window.
action         The action associated with the traffic:
                 ACCEPT: The recorded traffic was permitted by the security groups or network ACLs.
                 REJECT: The recorded traffic was not permitted by the security groups or network ACLs.
log-status     The logging status of the flow log:
                 OK: Data is logging normally to CloudWatch Logs.
                 NODATA: There was no network traffic to or from the network interface during the capture window.
                 SKIPDATA: Some flow log records were skipped during the capture window.

Page 14: Networking: New Capabilities for Amazon Virtual Private Cloud

Example records

SSH traffic allowed:
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 20641 22 6 20 4249 1438530010 1438530070 ACCEPT OK

RDP traffic denied:
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 49761 3389 6 1 231 1439530000 1439530060 REJECT OK

Field callouts, left to right: version number, AWS account number, ENI identifier, source address, destination address, source port, destination port, protocol number, total packets in flow, total bytes in flow, start of capture window (1438530010 = Sun, 02 Aug 2015 15:40:10 GMT), end of capture window (1438530070 = Sun, 02 Aug 2015 15:41:10 GMT), action, log status.
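A parser for the record layout on slide 13, run over the two example records from slide 14, as an added example (not AWS tooling). It splits a version-2 record into the fourteen documented fields, converts the Unix-second window bounds to GMT the way the slide's callouts do, and pulls out the REJECT records that the deck's "security group and network ACL DENY cases" question is about. The third input line is constructed to show the NODATA case from the log-status description, where the per-flow fields are "-" rather than numbers; the `PROTOCOLS` table covers only a few IANA numbers.

```python
from collections import Counter
from datetime import datetime, timezone

# Field order of a version-2 record, as listed on slide 13.
FIELDS = ("version", "account-id", "interface-id", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "log-status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}   # small subset of the IANA protocol numbers

# Sample input: the two records from slide 14, plus one constructed NODATA record
# (in a NODATA/SKIPDATA window the per-flow fields are "-" and must not be parsed as numbers).
SAMPLE_LOG = """\
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 20641 22 6 20 4249 1438530010 1438530070 ACCEPT OK
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 49761 3389 6 1 231 1439530000 1439530060 REJECT OK
2 123456789010 eni-abc123de - - - - - - - 1438530010 1438530070 - NODATA
"""


def gmt(unix_seconds):
    """Render a capture-window bound the way the slide's callouts do."""
    return datetime.fromtimestamp(unix_seconds, tz=timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")


def parse_record(line):
    """Turn one space-delimited record into a dict keyed by the slide-13 field names."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} space-delimited fields, got {len(parts)}: {line!r}")
    record = {}
    for name, value in zip(FIELDS, parts):
        if value == "-":
            record[name] = None               # field not populated in this window
        elif name in INT_FIELDS:
            record[name] = int(value)
        else:
            record[name] = value
    if record["version"] != 2:
        raise ValueError(f"unsupported flow log version: {record['version']}")
    proto = record["protocol"]
    record["protocol-name"] = None if proto is None else PROTOCOLS.get(proto, str(proto))
    record["start-gmt"] = gmt(record["start"])
    record["end-gmt"] = gmt(record["end"])
    return record


def parse_flow_log(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def rejected_flows(records):
    """(srcaddr, dstaddr, dstport, protocol) for every flow a security group or network ACL refused."""
    return [(r["srcaddr"], r["dstaddr"], r["dstport"], r["protocol-name"])
            for r in records if r["action"] == "REJECT"]


def rejects_by_destination_port(records):
    """Triage view: which destination ports are being refused, and how often."""
    return Counter(r["dstport"] for r in records if r["action"] == "REJECT")


if __name__ == "__main__":
    records = parse_flow_log(SAMPLE_LOG)
    for r in records:
        print(r["interface-id"], r["start-gmt"], r["log-status"], r["action"], r["dstport"])
    print("rejected:", rejected_flows(records))
    print("by port:", dict(rejects_by_destination_port(records)))
```

Two details matter when this runs against a real CloudWatch Logs stream rather than the sample: records for a NODATA or SKIPDATA window carry no addresses or counters, so a parser that blindly calls `int()` on every numeric column will fail on exactly the windows that signal a gap in coverage, and the `start`/`end` bounds describe the ~10 minute aggregation window, not the moment of the connection.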

Page 15: Networking: New Capabilities for Amazon Virtual Private Cloud

VPC networking

• Continually advancing the state of the art
• Focused on improving control and visibility
• Integration with third-party monitoring and management tools
• Key element of the AWS increasingly powerful security suite

Page 16: Networking: New Capabilities for Amazon Virtual Private Cloud

Thank You. This presentation will be loaded to SlideShare the week following the Symposium.

http://www.slideshare.net/AmazonWebServices
