DeepDefence
Blog - How to set up data perimeter in AWS
AWS data perimeter
  • What is a data perimeter?

  • In your software solution you have databases, servers, network components and so on. Who can access your database? Which components can connect to your servers? You define a set of permissions stating that only those defined identities can access your trusted resources, and only from expected networks. Those permissions, acting as guardrails, are your data perimeter.

  • Why is it required?

  • Setting up a data perimeter improves your security strategy: it works as a coarse-grained access control that holds even when an individual identity's fine-grained permissions are misconfigured.

  • How to set up a data perimeter in AWS

  • Enable VPC Flow Logs to diagnose overly permissive security groups. Configure the flow logs to publish to CloudWatch so the accepted and rejected traffic can be queried.
  • Use Network Access Analyzer to discover the possible network paths to your resources. Based on the findings, adjust the network configuration to restrict the traffic.
  • Create an AWS Network Firewall in the VPC and route all traffic through it. Network Firewall can detect and block intrusions, unwanted domains, malware and common network threats; you write the rules that decide which traffic is allowed.
  • Create your services, such as EC2 instances and RDS databases, in private subnets of the VPC with no inbound access from the internet.
  • Configure subnet route tables with the minimum network routes required for connectivity.
  • Use VPC endpoints (AWS PrivateLink) to connect to AWS services such as S3 over private IP addresses (for example from EC2). The traffic stays within the AWS private network, so you do not need an internet gateway or a NAT device for that path.
  • Properly configured security groups and network ACLs greatly enhance the security of your environment.
  • Consider attaching multiple security groups to each EC2 instance: one for data traffic and another for management traffic. Separating the two makes IAM policies for change control, and auditing of changes, easier to implement.

Set up a network perimeter

Ensure your identities and resources can be used only from expected networks. The expected networks could be your corporate network IP CIDR, your VPCs, your third-party partners' trusted networks, or other AWS services.

  • For example, to set up a network perimeter on a critical S3 bucket, the following policy could be attached to the bucket. The final StringEquals condition scopes the Deny to principals whose tag "data-perimeter-include" is set to "true" (the aws:PrincipalTag key), so the perimeter is applied by tagging the identities that must be confined to trusted networks; the other conditions use the ...IfExists operators so that requests lacking a key (for example aws:SourceIp is absent when the call arrives through a VPC endpoint) are still evaluated.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceNetworkPerimeter",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::<my-data-bucket>",
        "arn:aws:s3:::<my-data-bucket>/*"
      ],
      "Condition": {
        "NotIpAddressIfExists": {
          "aws:SourceIp": "<allowed-corporate-ip-cidr>"
        },
        "StringNotEqualsIfExists": {
          "aws:SourceVpc": "<my-vpc>",
          "aws:PrincipalAccount": [
            "<third-party-account-a>"
          ]
        },
        "BoolIfExists": {
          "aws:PrincipalIsAWSService": "false",
          "aws:ViaAWSService": "false"
        },
        "ArnNotLikeIfExists": {
          "aws:PrincipalArn": "arn:aws:iam::<my-account-id>:role/aws-service-role/*"
        },
        "StringEquals": {
          "aws:PrincipalTag/data-perimeter-include": "true"
        }
      }
    }
  ]
}
  • If you are using AWS Organizations, set service control policies (SCPs) with the same conditions to enforce the network perimeter for data access across all accounts, rather than bucket by bucket.
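To see which access paths the Deny statement above actually blocks, the following Python model of its condition logic is an added example written for this post (not code from the original post or from AWS). The corporate CIDR, VPC id, account ids and the request contexts are constructed placeholders standing in for the <...> fields of the policy.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed stand-ins for the <...> placeholders in the bucket policy above
# (assumptions for this example, not values from the original post).
CORPORATE_CIDR = "203.0.113.0/24"
TRUSTED_VPC = "vpc-0123456789abcdef0"
TRUSTED_ACCOUNTS = {"111111111111"}
MY_ACCOUNT_ID = "999999999999"
SERVICE_ROLE_ARN_PATTERN = f"arn:aws:iam::{MY_ACCOUNT_ID}:role/aws-service-role/*"
TAG_KEY = "aws:PrincipalTag/data-perimeter-include"

def network_perimeter_denies(ctx):
    """True when the EnforceNetworkPerimeter Deny statement matches ctx.
    ctx maps IAM request-context keys to strings; a missing key models a key
    absent from the request. A Deny matches only if every condition is true:
    the ...IfExists operators are true when their key is absent, while the
    plain StringEquals on the tag is false when absent, so only tagged
    principals can be denied by this statement.
    """
    src_ip = ctx.get("aws:SourceIp")
    src_vpc = ctx.get("aws:SourceVpc")
    account = ctx.get("aws:PrincipalAccount")
    arn = ctx.get("aws:PrincipalArn")
    conditions = [
        src_ip is None or ipaddress.ip_address(src_ip) not in ipaddress.ip_network(CORPORATE_CIDR),  # NotIpAddressIfExists
        src_vpc is None or src_vpc != TRUSTED_VPC,                      # StringNotEqualsIfExists
        account is None or account not in TRUSTED_ACCOUNTS,             # StringNotEqualsIfExists
        ctx.get("aws:PrincipalIsAWSService", "false") == "false",       # BoolIfExists
        ctx.get("aws:ViaAWSService", "false") == "false",               # BoolIfExists
        arn is None or not fnmatchcase(arn, SERVICE_ROLE_ARN_PATTERN),  # ArnNotLikeIfExists
        ctx.get(TAG_KEY) == "true",                                     # StringEquals (no IfExists)
    ]
    return all(conditions)

# Constructed request contexts covering the access paths worth verifying.
OWN = {"aws:PrincipalAccount": MY_ACCOUNT_ID, TAG_KEY: "true"}
SCENARIOS = {
    "tagged_user_from_corporate_ip": {**OWN, "aws:SourceIp": "203.0.113.10"},
    "tagged_user_from_internet": {**OWN, "aws:SourceIp": "198.51.100.7"},
    "tagged_user_via_vpc_endpoint": {**OWN, "aws:SourceVpc": TRUSTED_VPC},
    "tagged_user_via_untrusted_vpc": {**OWN, "aws:SourceVpc": "vpc-0fedcba9876543210"},
    "untagged_user_from_internet": {"aws:PrincipalAccount": MY_ACCOUNT_ID, "aws:SourceIp": "198.51.100.7"},
    "tagged_partner_account_from_internet": {**OWN, "aws:PrincipalAccount": "111111111111", "aws:SourceIp": "198.51.100.7"},
    "tagged_service_linked_role_from_internet": {**OWN, "aws:SourceIp": "198.51.100.7", "aws:PrincipalArn": f"arn:aws:iam::{MY_ACCOUNT_ID}:role/aws-service-role/example.amazonaws.com/AWSServiceRoleForExample"},
}

def evaluate_scenarios():
    """Map each scenario name to whether the perimeter Deny would block it."""
    return {name: network_perimeter_denies(ctx) for name, ctx in SCENARIOS.items()}
```

Note that the untagged principal is never denied by this statement: the tag condition is what opts an identity into the perimeter, so a tagging policy (or an SCP that applies the perimeter to every principal) is needed to make the control complete.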

You need a deeper understanding of AWS security controls to set up your data perimeter properly. DeepDefence, with its vast experience in cloud security, can help you achieve that. Contact us now! We offer a free security assessment to new customers.