Shield Your Network- Mastering AWS VPC Block Public Access
Discover how the new AWS VPC Block Public Access feature enhances your network security by preventing unintended internet exposure. This blog post explores the importance of maintaining isolated VPC subnets, the functionality of the VPC Block Public Access feature, and best practices for managing exclusions and ensuring compliance. Learn how to leverage this feature to safeguard your AWS environment and maintain robust security standards.
Published Dec 20, 2024
Introduction
Imagine discovering that your supposedly secure, private AWS VPC subnet, designed to be isolated from the internet, has inadvertently gained internet access. During routine operations, an unintentional configuration change, such as a new route to an internet gateway, can expose your private subnets to the internet despite your efforts to block such access. This exposure can lead to unnoticed traffic, malicious activity such as malware downloads, and remote command and control exploits. Such weaknesses can compromise your entire network landscape, potentially leading to data breaches, unauthorized access, and other security incidents.
The VPC Block Public Access feature is designed to prevent these risks by ensuring that your VPCs and subnets remain isolated from the internet, even if accidental routes are created. This helps maintain the integrity and security of your network, providing peace of mind and compliance with security standards. It also lets organizations enforce their own security and compliance requirements by centrally blocking internet access rather than relying on per-subnet route tables.
Brief about this new feature
The VPC Block Public Access feature provides a declarative control that authoritatively blocks both incoming (ingress) and outgoing (egress) VPC traffic through AWS-provided internet paths. This feature offers two configuration options:
- Bi-directional Block: This option blocks all traffic to the internet (egress) and from the internet to your VPC (ingress), ensuring complete isolation from public web access.
- Ingress-only Block: This option authoritatively blocks inbound internet traffic (ingress) while allowing outbound traffic (egress) from the VPC, but only through NAT Gateways and Egress-Only Internet Gateways (EIGWs).
These settings can be applied at both the account and regional levels, providing robust security and compliance controls for your AWS environment.
How VPC Block Public Access Works
Once you enable the Block Public Access (BPA) feature for Amazon VPC in a specific region in bi-directional mode, it authoritatively blocks all inbound (ingress) and outbound (egress) communication with the internet through AWS-provided internet gateways, for every VPC and subnet in that region that is not explicitly excluded. This ensures that your VPC subnets remain isolated from any unintended internet access, regardless of what their route tables say.
Below is a visual representation of how BPA works in Bi-Directional Block:
Managing Exclusions for VPC Block Public Access
In many scenarios, certain VPCs or subnets require internet access or need to be accessible from the internet, such as for web publishing via Application Load Balancers (ALBs) or Network Load Balancers (NLBs). To accommodate these needs, you can define exclusions for specific VPCs or subnets as shown below.
Steps to Manage Exclusions:
- Identify the VPCs/Subnets: Determine which VPCs or subnets need internet access or need to be accessible from the internet.
- Define Exclusions: Configure the BPA settings to exclude these identified VPCs or subnets. This can be done through the AWS Management Console, AWS CLI, or AWS SDKs.
- Apply Exclusions: Once exclusions are defined, the specified VPCs or subnets will be allowed to establish internet connections, bypassing the BPA restrictions.
By managing exclusions deliberately, you can ensure that critical services requiring internet access continue to function while maintaining the overall security posture of your AWS environment.
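The exclusion workflow above (identify, define, apply) only stays safe if someone periodically reconciles what is actually excluded against what was intended. The following added example, written for this post and not part of AWS's own tooling, does that reconciliation offline: it takes documents shaped like the `describe-vpc-block-public-access-options` and `describe-vpc-block-public-access-exclusions` responses (the sample documents, field names, IDs, ARNs and account number below are constructed for the example and are assumptions about the response layout) and reports the region mode, any exclusion that lands on a resource that must stay isolated, any exclusion nobody approved, and any approved exclusion that has gone missing.

```python
"""Audit VPC Block Public Access (BPA) state against an intended design.

Added example, not code from the original post or from AWS. The input
shapes are modelled after the describe-vpc-block-public-access-options and
describe-vpc-block-public-access-exclusions CLI responses; the documents
below are constructed for this example and the field names are an
assumption. All IDs, ARNs and the account number are placeholders.
"""
from typing import Dict, List, Set

# Constructed: what the account reports for one region.
OPTIONS_RESPONSE = {
    "VpcBlockPublicAccessOptions": {
        "AwsAccountId": "123456789012",
        "AwsRegion": "us-east-1",
        "State": "update-complete",
        "InternetGatewayBlockMode": "block-bidirectional",
        "ExclusionsAllowed": "allowed",
    }
}

# Constructed: the exclusions currently in place in that region.
EXCLUSIONS_RESPONSE = {
    "VpcBlockPublicAccessExclusions": [
        {   # The web tier VPC, approved to publish through an ALB.
            "ExclusionId": "vpcbpa-exclude-0aaa",
            "InternetGatewayExclusionMode": "allow-bidirectional",
            "ResourceArn": "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-0web",
            "State": "create-complete",
        },
        {   # A private database subnet that someone excluded by mistake.
            "ExclusionId": "vpcbpa-exclude-0bbb",
            "InternetGatewayExclusionMode": "allow-egress",
            "ResourceArn": "arn:aws:ec2:us-east-1:123456789012:subnet/subnet-0db",
            "State": "create-complete",
        },
    ]
}

# Constructed: the intended design maintained by the security team.
EXPECTED_MODE = "block-bidirectional"
APPROVED_EXCLUSIONS = {                   # resource id -> approved exclusion mode
    "vpc-0web": "allow-bidirectional",
    "vpc-0test": "allow-bidirectional",   # the per-account test VPC
}
ISOLATED_RESOURCES = {"subnet-0db", "subnet-0app"}   # must never be excluded


def resource_id(arn: str) -> str:
    """Strip an EC2 ARN down to its resource id (vpc-... or subnet-...)."""
    return arn.rsplit("/", 1)[-1]


def audit_bpa(options: Dict, exclusions: Dict, expected_mode: str,
              approved: Dict[str, str], isolated: Set[str]) -> List[str]:
    """Return human-readable findings, each prefixed with a category.

    An empty list means the region matches the intended design.
    """
    findings: List[str] = []
    opts = options["VpcBlockPublicAccessOptions"]
    mode = opts["InternetGatewayBlockMode"]
    if mode != expected_mode:
        findings.append(f"MODE: {opts['AwsRegion']} is '{mode}', expected '{expected_mode}'")
    if opts["State"] != "update-complete":
        findings.append(f"STATE: BPA options are still '{opts['State']}'")

    seen: Dict[str, str] = {}
    for ex in exclusions["VpcBlockPublicAccessExclusions"]:
        rid = resource_id(ex["ResourceArn"])
        ex_mode = ex["InternetGatewayExclusionMode"]
        seen[rid] = ex_mode
        if rid in isolated:
            # Highest priority: an isolated resource now has an internet path.
            findings.append(f"ISOLATED: {rid} is excluded ({ex_mode}) via {ex['ExclusionId']}")
        elif rid not in approved:
            findings.append(f"UNAPPROVED: {rid} is excluded ({ex_mode}) via {ex['ExclusionId']}")
        elif approved[rid] != ex_mode:
            findings.append(f"MODE-DRIFT: {rid} approved for '{approved[rid]}' but has '{ex_mode}'")

    # An approved exclusion that vanished means a service may have lost connectivity.
    for rid, ex_mode in approved.items():
        if rid not in seen:
            findings.append(f"MISSING: approved exclusion for {rid} ({ex_mode}) is not present")
    return findings


if __name__ == "__main__":
    for line in audit_bpa(OPTIONS_RESPONSE, EXCLUSIONS_RESPONSE, EXPECTED_MODE,
                          APPROVED_EXCLUSIONS, ISOLATED_RESOURCES):
        print(line)
```

In practice you would feed `audit_bpa` the JSON returned by the two describe calls for each region and keep the approved list and the isolated list under version control, so an exclusion review becomes a diff rather than a manual console walk. The ISOLATED finding is the one to page on; the others are hygiene.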
A few best practices
- Always ensure there is at least one test VPC available as an exclusion in each account, so that connectivity can be validated without touching production exclusions.
- Regularly monitor the exclusion list to ensure it does not contain any critical or isolated subnets.
- Leverage BPA capabilities to enforce your defined Secured Network Architecture.
- Enable VPC BPA at the organizational level through AWS Organizations' declarative policy to enforce VPC BPA across all accounts in the organization.
- Ensure that no AWS IAM user accounts have VPCBPAFullAccess to prevent unauthorized configuration changes.
- Enable CloudTrail logging and alert on any VPC BPA API actions, so that changes to the block mode or to the exclusion list are identified and notified promptly.
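To show what the last two practices look like in detection logic, here is an added example (written for this post, not part of AWS or the original article) that triages CloudTrail records for VPC BPA changes. The event names are the EC2 API actions that mutate VPC BPA state; the records themselves, the `requestParameters` key names, the account number, ARNs and IP addresses are constructed assumptions for the example. It ranks a change that switches the block mode to `off` highest, flags exclusion creation next, and records whether the call came from an IAM user (which the previous bullet says should not hold this access) and whether it was denied.

```python
"""Triage CloudTrail events for VPC Block Public Access (BPA) changes.

Added example, not code from the original post or from AWS. The records
below are constructed in the CloudTrail record layout; the event names are
the EC2 API actions for VPC BPA, while the requestParameters key names,
account number, ARNs and IP addresses are assumptions for this example.
"""
import json
from typing import Dict, List

# Mutating VPC BPA API actions and a default severity for each.
BPA_MUTATIONS = {
    "ModifyVpcBlockPublicAccessOptions": "HIGH",    # changes the region-wide mode
    "CreateVpcBlockPublicAccessExclusion": "HIGH",  # opens a new internet path
    "ModifyVpcBlockPublicAccessExclusion": "MEDIUM",
    "DeleteVpcBlockPublicAccessExclusion": "LOW",   # closes an internet path
}
RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

# Constructed sample trail: one read, one mode change, unrelated noise,
# one new exclusion, and one denied deletion attempt.
SAMPLE_TRAIL = json.loads("""
{"Records": [
 {"eventTime": "2024-12-20T09:00:01Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeVpcBlockPublicAccessOptions", "awsRegion": "us-east-1",
  "readOnly": true, "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::123456789012:assumed-role/SecurityAudit/audit"},
  "requestParameters": {}},
 {"eventTime": "2024-12-20T09:05:17Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "ModifyVpcBlockPublicAccessOptions", "awsRegion": "us-east-1",
  "readOnly": false, "sourceIPAddress": "203.0.113.44",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ops-admin"},
  "requestParameters": {"internetGatewayBlockMode": "off"}},
 {"eventTime": "2024-12-20T09:06:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances", "awsRegion": "us-east-1",
  "readOnly": false, "sourceIPAddress": "203.0.113.44",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ops-admin"},
  "requestParameters": {"instanceType": "t3.micro"}},
 {"eventTime": "2024-12-20T09:07:42Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "CreateVpcBlockPublicAccessExclusion", "awsRegion": "us-east-1",
  "readOnly": false, "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::123456789012:assumed-role/NetworkAdmin/jdoe"},
  "requestParameters": {"subnetId": "subnet-0db",
                        "internetGatewayExclusionMode": "allow-egress"}},
 {"eventTime": "2024-12-20T09:09:03Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DeleteVpcBlockPublicAccessExclusion", "awsRegion": "us-east-1",
  "readOnly": false, "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::123456789012:assumed-role/Developer/asmith"},
  "requestParameters": {"exclusionId": "vpcbpa-exclude-0aaa"}}
]}
""")["Records"]


def triage(records: List[Dict]) -> List[Dict]:
    """Return one alert per VPC BPA mutation attempt, most severe first."""
    alerts: List[Dict] = []
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        name = rec.get("eventName", "")
        if name not in BPA_MUTATIONS:
            continue                      # Describe* calls and unrelated EC2 activity
        params = rec.get("requestParameters") or {}
        severity = BPA_MUTATIONS[name]
        # Switching the mode to 'off' removes the guardrail for the whole region.
        if name == "ModifyVpcBlockPublicAccessOptions" and params.get("internetGatewayBlockMode") == "off":
            severity = "CRITICAL"
        identity = rec.get("userIdentity") or {}
        alerts.append({
            "severity": severity,
            "action": name,
            "denied": bool(rec.get("errorCode")),   # failed attempts are still worth seeing
            "by_iam_user": identity.get("type") == "IAMUser",
            "actor": identity.get("arn", "unknown"),
            "source_ip": rec.get("sourceIPAddress"),
            "region": rec.get("awsRegion"),
            "time": rec.get("eventTime"),
            "details": params,
        })
    alerts.sort(key=lambda a: RANK[a["severity"]])   # stable: keeps time order within a level
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_TRAIL):
        print(json.dumps(alert))
```

The same event-name list is what you would put in an EventBridge rule on the `ec2.amazonaws.com` source to get near-real-time notification; `triage` is the batch equivalent you can run over exported trail files or an Athena result set. Denied attempts are kept deliberately, since a developer probing for exclusion deletion rights is a signal in its own right.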
Conclusion
The new VPC BPA feature gives you consistent, authoritative control over internet access for your VPCs and helps maintain compliance, making it an essential upgrade for any organization.