NS-1 |
Network Security |
9.2 - Ensure Only Approved Ports, Protocols and Services Are Running |
3.12 - Segment Data Processing and Storage Based on Sensitivity |
AC-4: INFORMATION FLOW ENFORCEMENT |
1.1 |
Establish network segmentation boundaries |
Ensure that your virtual network deployment aligns to your enterprise segmentation strategy defined in the GS-2 security control. Any workload that could incur higher risk for the organization should be in isolated virtual networks. |
Create a virtual network (VNet) as a fundamental segmentation approach in your Azure network, so resources such as VMs can be deployed into the VNet within a network boundary. To further segment the network, you can create subnets inside VNet for smaller sub-networks. |
Azure Virtual Network concepts and best practices: |
Create a Virtual Private Cloud (VPC) as a fundamental segmentation approach in your AWS network, so resources such as EC2 instances can be deployed into the VPC within a network boundary. To further segment the network, you can create subnets inside VPC for smaller sub-networks. |
Control traffic to EC2 instances with security groups: |
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture |
|
|
9.4 - Apply Host-Based Firewalls or Port Filtering |
13.4 - Perform Traffic Filtering Between Network Segments |
SC-2: APPLICATION PARTITIONING |
1.2 |
|
Examples of high-risk workload include: |
|
https://docs.microsoft.com/azure/virtual-network/concepts-and-best-practices |
|
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html |
|
|
|
12.3 - Deny Communications with Known Malicious IP Addresses |
4.4 - Implement and Manage a Firewall on Severs |
SC-7: BOUNDARY PROTECTION |
1.3 |
|
- An application storing or processing highly sensitive data. |
Use network security groups (NSG) as a network layer control to restrict or monitor traffic by port, protocol, source IP address, or destination IP address. Refer to NS-7 Simplify network security configuration to use Adaptive Network Hardening to recommend NSG hardening rules based on threat intelligence and traffic analysis result. |
|
For EC2 instances, use Security Groups, as a stateful firewall to restrict traffic by port, protocol, source IP address, or destination IP address. At the VPC subnet level, use Network Access Control List (NACL) as a stateless firewall to have explicit rules for ingress and egress traffic to the subnet. |
|
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management |
|
|
12.4 - Deny Communication over Unauthorized Ports |
|
|
|
|
- An external network-facing application accessible by the public or users outside of your organization. |
|
Add, change, or delete a virtual network subnet: |
|
Compare security groups and network ACLs: |
|
|
|
14.1 - Segment the Network Based on Sensitivity |
|
|
|
|
- An application using insecure architecture or containing vulnerabilities that cannot be easily remediated. |
You can also use application security groups (ASGs) to simplify complex configuration. Instead of defining policy based on explicit IP addresses in network security groups, ASGs enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups. |
https://docs.microsoft.com/azure/virtual-network/virtual-network-manage-subnet |
Note: To control VPC traffic, Internet and NAT Gateway should be configured to ensure the traffic from/to the internet are restricted. |
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison |
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops |
|
|
14.2 - Enable Firewall Filtering Between VLANs |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
To enhance your enterprise segmentation strategy, restrict or monitor traffic between internal resources using network controls. For specific, well-defined applications (such as a 3-tier app), this can be a highly secure "deny by default, permit by exception" approach by restricting the ports, protocols, source, and destination IPs of the network traffic. If you have many applications and endpoints interacting with each other, blocking traffic may not scale well, and you may only be able to monitor traffic. |
|
How to create a network security group with security rules: |
|
Internet Gateway: |
|
|
|
|
|
|
|
|
|
|
https://docs.microsoft.com/azure/virtual-network/tutorial-filter-network-traffic |
|
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Understand and use application security groups: |
|
NAT Gateway: |
|
|
|
|
|
|
|
|
|
|
https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview#application-security-groups |
|
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html |
|
NS-2 |
Network Security |
14.1 - Segment the Network Based on Sensitivity |
3.12 - Segment Data Processing and Storage Based on Sensitivity |
AC-4: INFORMATION FLOW ENFORCEMENT |
1.1 |
Secure cloud native services with network controls |
Secure cloud services by establishing a private access point for the resources. You should also disable or restrict access from public network when possible. |
Deploy private endpoints for all Azure resources that support the Private Link feature, to establish a private access point for the resources. Using Private Link will keep the private connection from routing through the public network. |
Understand Azure Private Link: |
Deploy VPC PrivateLink for all AWS resources that support the PrivateLink feature, to allow private connection to the supported AWS services or services hosted by other AWS accounts (VPC endpoint services). Using PrivateLink will keep the private connection from routing through the public network. |
AWS PrivateLink: |
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture |
|
|
|
4.4 - Implement and Manage a Firewall on Servers |
SC-2: APPLICATION PARTITIONING |
1.2 |
|
|
|
https://docs.microsoft.com/azure/private-link/private-link-overview |
|
https://docs.aws.amazon.com/vpc/latest/privatelink/endpoint-service.html |
|
|
|
|
|
SC-7: BOUNDARY PROTECTION |
1.3 |
|
|
Note: Certain Azure services may also allow private communication through the service endpoint feature, though it is recommended to use Azure Private Link for secure and private access to services hosted on Azure platform. |
|
For certain services, you can choose to deploy the service instance into your own VPC to isolate the traffic. |
|
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management |
|
|
|
|
|
|
|
|
|
Integrate Azure services with virtual networks for network isolation: |
|
Blocking public access to your Amazon S3 storage: |
|
|
|
|
|
|
|
|
|
For certain services, you can choose to deploy VNet integration for the service where you can restrict/isolate the VNET to establish a private access point for the service. |
https://learn.microsoft.com/en-us/azure/virtual-network/vnet-integration-for-azure-services |
You also have the option to configure the service native ACL rules to block access from the public network. For example, Amazon S3 allows you to block public access at the bucket or account level. |
https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html |
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
You also have the option to configure the service native network ACL rules or simply disable public network access to block access from the public network. |
|
When assigning IPs to your service resources in your VPC, unless there is a strong use case, you should avoid assigning public IPs/subnet directly to your resources and instead use private IPs/subnet. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
For Azure VMs, unless there is a strong use case, you should avoid assigning public IPs/subnet directly to the VM interface and instead use gateway or load balancer services as the front-end for access by the public network. |
|
|
|
|
NS-3 |
Network Security |
9.2 - Ensure Only Approved Ports, Protocols and Services Are Running |
4.4 - Implement and Manage a Firewall on Servers |
AC-4: INFORMATION FLOW ENFORCEMENT |
1.1 |
Deploy firewall at the edge of enterprise network |
Deploy a firewall to perform advanced filtering on network traffic to and from external networks. You can also use firewalls between internal segments to support a segmentation strategy. If required, use custom routes for your subnet to override the system route when you need to force the network traffic to go through a network appliance for security control purpose. |
Use Azure Firewall to provide fully stateful application layer traffic restriction (such as URL filtering) and/or central management over a large number of enterprise segments or spokes (in a hub/spoke topology). |
How to deploy Azure Firewall: |
Use AWS Network Firewall to provide fully stateful application layer traffic restriction (such as URL filtering) and/or central management over a large number of enterprise segments or spokes (in a hub/spoke topology). |
AWS Network Firewall: |
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture |
|
|
9.4 - Apply Host-Based Firewalls or Port Filtering |
4.8 - Uninstall or Disable Unnecessary Services on Enterprise Assets and Software |
SC-7: BOUNDARY PROTECTION |
1.2 |
|
|
|
https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal |
|
https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html |
|
|
|
12.3 - Deny Communications with Known Malicious IP Addresses |
13.10 Perform Application Layer Filtering |
CM-7: LEAST FUNCTIONALITY |
1.3 |
|
At a minimum, block known bad IP addresses and high-risk protocols, such as remote management (for example, RDP and SSH) and intranet protocols (for example, SMB and Kerberos). |
If you have a complex network topology, such as a hub/spoke setup, you may need to create user-defined routes (UDR) to ensure the traffic goes through the desired route. For example, you have the option to use an UDR to redirect egress internet traffic through a specific Azure Firewall or a network virtual appliance. |
|
If you have a complex network topology, such as a hub/spoke setup, you may need to create custom VPC route tables to ensure the traffic goes through the desired route. For example, you have the option to use a custom route to redirect egress internet traffic through a specific AWS Firewall or a network virtual appliance. |
|
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management |
|
|
12.4 - Deny Communication over Unauthorized Ports |
|
|
|
|
|
|
Virtual network traffic routing: |
|
AWS VPC configure custom route tables: |
|
|
|
14.1 - Segment the Network Based on Sensitivity |
|
|
|
|
|
|
https://docs.microsoft.com/azure/virtual-network/virtual-networks-udr-overview |
|
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html |
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops |
|
|
14.2 - Enable Firewall Filtering Between VLANs |
|
|
|
|
|
|
|
|
|
|
NS-4 |
Network Security |
12.6 - Deploy Network-Based IDS Sensors |
13.2 Deploy a Host-Based Intrusion Detection Solution |
SC-7: BOUNDARY PROTECTION |
11.4 |
Deploy intrusion detection/intrusion prevention systems (IDS/IPS) |
Use network intrusion detection and intrusion prevention systems (IDS/IPS) to inspect the network and payload traffic to or from your workload. Ensure that IDS/IPS is always tuned to provide high-quality alerts to your SIEM solution. |
Use Azure Firewall’s IDPS capability to protect your virtual network to alert on and/or block traffic to and from known malicious IP addresses and domains. |
Azure Firewall IDPS: |
Use AWS Network Firewall’s IPS capability to protect your VPC to alert on and/or block traffic to and from known malicious IP addresses and domains. |
IPS stateful rule groups in AWS Network Firewall: |
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture |
|
|
12.7 - Deploy Network-Based Intrusion Prevention Systems |
13.3 - Deploy a Network Intrusion Detection Solution |
SI-4: INFORMATION SYSTEM MONITORING |
|
|
|
|
https://docs.microsoft.com/azure/firewall/premium-features#idps |
|
https://docs.aws.amazon.com/network-firewall/latest/developerguide/stateful-rule-groups-ips.html |
|
|
|
|
13.7 Deploy a Host-Based Intrusion Prevention Solution |
|
|
|
For more in-depth host level detection and prevention capability, use host-based IDS/IPS or a host-based endpoint detection and response (EDR) solution in conjunction with the network IDS/IPS. |
For more in-depth host-level detection and prevention capabilities, deploy host-based IDS/IPS or a host-based endpoint detection and response (EDR) solution, such as Microsoft Defender for Endpoint, at the VM level in conjunction with the network IDS/IPS. |
|
For more in-depth host-level detection and prevention capabilities, deploy host-based IDS/IPS or a host-based endpoint detection and response (EDR) solution, such as third-party solution for host-based IDS/IPS, at the VM level in conjunction with the network IDS/IPS. |
|
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management |
|
|
|
13.8 - Deploy a Network Intrusion Prevention Solution |
|
|
|
|
|
Microsoft Defender for Endpoint capability: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response |
|
https://aws.amazon.com/marketplace/search?searchTerms=IPS |
|
|
|
|
|
|
|
|
|
|
|
Note: If using a third-party IDS/IPS from marketplace, use Transit Gateway and Gateway Balancer to direct the traffic for in-line inspection. |
|
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops |
NS-5 |
Network Security |
9.5 - Implement Application Firewalls |
13.10 - Perform Application Layer Filtering |
SC-5: DENIAL OF SERVICE PROTECTION |
1.1 |
Deploy DDOS protection |
Deploy distributed denial of service (DDoS) protection to protect your network and applications from attacks. |
DDoS Protection Basic is automatically enabled to protect the Azure underlying platform infrastructure (e.g., Azure DNS) and requires no configuration from the users. |
Manage Azure DDoS Protection Standard using the Azure portal: |
AWS Shield Standard is automatically enabled with standard mitigations, to protect your workload from common network and transport layer (Layer 3 and 4) DDoS attacks |
AWS Shield Features: |
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture |
|
|
12.3 - Deny Communications with Known Malicious IP Addresses |
|
SC-7: BOUNDARY PROTECTION |
1.2 |
|
|
|
https://docs.microsoft.com/azure/virtual-network/manage-ddos-protection |
|
https://docs.aws.amazon.com/waf/latest/developerguide/ddos-overview.html |
|
|
|
|
|
|
1.3 |
|
|
For higher levels of protection of your application layer (Layer 7) attacks such as HTTP floods and DNS floods, enable the DDoS standard protection plan on your VNet to protect resources that are exposed to the public networks. |
|
For higher levels of protection of your applications against application layer (Layer 7) attack such as HTTPS floods, and DNS floods, enable AWS Shield Advanced protection on Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53. |
|
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management |
|
|
|
|
|
6.6 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops |
NS-6 |
Network Security |
9.5 - Implement Application Firewalls |
13.10 - Perform Application Layer Filtering |
SC-7: BOUNDARY PROTECTION |
1.1 |
Deploy web application firewall |
Deploy a web application firewall (WAF) and configure the appropriate rules to protect your web applications and APIs from application-specific attacks. |
Use web application firewall (WAF) capabilities in Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN) to protect your applications, services and APIs against application layer attacks at the edge of your network. |
How to deploy Azure WAF: |
Use AWS Web Application Firewall (WAF) in Amazon CloudFront distribution, Amazon API Gateway, Application Load Balancer, or AWS AppSync to protect your applications, services, and APIs against application layer attacks at the edge of your network. |
How AWS WAF works: |
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture |
|
|
12.3 - Deny Communications with Known Malicious IP Addresses |
|
|
1.2 |
|
|
|
https://docs.microsoft.com/azure/web-application-firewall/overview |
|
https://docs.aws.amazon.com/waf/latest/developerguide/how-aws-waf-works.html |
|
|
|
12.9 - Deploy Application Layer Filtering Proxy Server |
|
|
1.3 |
|
|
Set your WAF in "detection" or "prevention mode," depending on your needs and threat landscape. |
|
Use AWS Managed Rules for WAF to deploy built-in baseline groups, and customize it to your application needs for the user-case rule groups. |
|
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management |
|
|
18.10 - Deploy Web Application Firewalls (WAFs) |
|
|
6.6 |
|
|
|
|
|
AWS WAF Security Automations: |
|
|
|
|
|
|
|
|
|
Choose a built-in ruleset, such as OWASP Top 10 vulnerabilities, and tune it to your application needs. |
|
To simplify the WAF rules deployment, you can also use the AWS WAF Security Automations solution to automatically deploy pre-defined AWS WAF rules that filters web-based attacks on your web ACL. |
https://docs.aws.amazon.com/solutions/latest/aws-waf3-security-automations/welcome.html |
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
AWS Managed Rules for AWS WAF: |
|
|
|
|
|
|
|
|
|
|
|
|
https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups.html |
|
NS-7 |
Network Security |
9.2 - Ensure Only Approved Ports, Protocols and Services Are Running |
4.4 - Implement and Manage a Firewall on Severs |
AC-4: INFORMATION FLOW ENFORCEMENT |
1.1 |
Simplify network security configuration |
When managing a complex network environment, use tools to simplify, centralize and enhance the network security management. |
Use the following features to simplify the implementation and management of the virtual network, NSG rules, and Azure Firewall rules: |
Adaptive Network Hardening in Microsoft Defender for Cloud: |
Use AWS Firewall Manager to centralize the network protection policy management across the following services. |
AWS Firewall Manager: |
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture |
|
|
|
4.8 - Uninstall or Disable Unnecessary Services on Enterprise Assets and Software |
SC-2: APPLICATION PARTITIONING |
1.2 |
|
|
- Use Azure Virtual Network Manager to group, configure, deploy, and manage virtual networks and NSG rules across regions and subscriptions. |
https://docs.microsoft.com/azure/security-center/security-center-adaptive-network-hardening |
- AWS WAF policies |
https://docs.aws.amazon.com/waf/latest/developerguide/getting-started-fms-intro.html |
|
|
|
|
|
SC-7: BOUNDARY PROTECTION |
1.3 |
|
|
- Use Microsoft Defender for Cloud Adaptive Network Hardening to recommend NSG hardening rules that further limit ports, protocols and source IPs based on threat intelligence and traffic analysis result. |
|
- AWS Shield Advanced policies |
|
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management |
|
|
|
|
|
|
|
|
- Use Azure Firewall Manager to centralize the firewall policy and route management of the virtual network. To simplify the firewall rules and network security groups implementation, you can also use the Azure Firewall Manager Azure Resource Manager (ARM) template. |
Azure Firewall Manager: |
- VPC security group policies |
https://docs.aws.amazon.com/waf/latest/developerguide/fms-findings.html |
|
|
|
|
|
|
|
|
|
|
https://docs.microsoft.com/azure/firewall-manager/overview |
- Network Firewall policies |
|
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops |
|
|
|
|
|
|
|
|
|
|
AWS Firewall Manager can automatically analyze your firewall-related policies and create findings for non-compliant resources and for detected attacks and sends them to AWS Security Hub for investigation. |
|
|
|
|
|
|
|
|
|
|
|
Create an Azure Firewall and a firewall policy - ARM template |
|
|
|
|
|
|
|
|
|
|
|
|
https://docs.microsoft.com/azure/firewall-manager/quick-firewall-policy |
|
|
|
NS-8 |
Network Security |
9.2 - Ensure Only Approved Ports, Protocols and Services Are Running |
4.4 - Implement and Manage a Firewall on Severs |
CM-2: BASELINE CONFIGURATION |
4.1 |
Detect and disable insecure services and protocols |
Detect and disable insecure services and protocols at the OS, application, or software package layer. Deploy compensating controls if disabling insecure services and protocols are not possible. |
Use Microsoft Sentinel’s built-in Insecure Protocol Workbook to discover the use of insecure services and protocols such as SSL/TLSv1, SSHv1, SMBv1, LM/NTLMv1, wDigest, weak ciphers in Kerberos, and Unsigned LDAP Binds. Disable insecure services and protocols that do not meet the appropriate security standard. |
Azure Sentinel insecure protocols workbook: |
Enable VPC Flow Logs and use GuardDuty to analyze the VPC Flow Logs to identify the possible insecure services and protocols that do not meet the appropriate security standard. |
Use GuardDuty with VPC Flow Logs as the data source: |
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture |
|
|
|
4.8 - Uninstall or Disable Unnecessary Services on Enterprise Assets and Software |
CM-6: CONFIGURATION SETTINGS |
A2.1 |
|
|
|
https://docs.microsoft.com/azure/sentinel/quickstart-get-visibility#use-built-in-workbooks |
|
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_data-sources.html#guardduty_vpc |
|
|
|
|
|
CM-7: LEAST FUNCTIONALITY |
A2.2 |
|
|
Note: If disabling insecure services or protocols is not possible, use compensating controls such as blocking access to the resources through network security groups, Azure Firewall, or Azure Web Application Firewall to reduce the attack surface. |
|
If the logs in the AWS environment can be forwarded to Microsoft Sentinel, you can also use Microsoft Sentinel’s built-in Insecure Protocol Workbook to discover the use of insecure services and protocols |
|
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management |
|
|
|
|
|
A2.3 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Note: If disabling insecure services or protocols is not possible, use compensating controls such as blocking access to the resources through security groups, AWS Network Firewall, or AWS Web Application Firewall to reduce the attack surface. |
|
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops |
NS-9 |
Network Security |
nan |
12.7 - Ensure Remote Devices Utilize a VPN and are Connecting to |
CA-3: SYSTEM INTERCONNECTIONS |
nan |
Connect on-premises or cloud network privately |
Use private connections for secure communication between different networks, such as cloud service provider datacenters and on-premises infrastructure in a colocation environment. |
For lightweight site-to-site or point-to-site connectivity, use Azure virtual private network (VPN) to create a secure connection between your on-premises site or end-user device and the Azure virtual network. |
Azure VPN overview: |
For lightweight site-to-site or point-to-site connectivity, use AWS VPN to create a secure connection (when IPsec overhead is not a concern) between your on-premises site or end-user device to the AWS network. |
AWS Direct Connect introduction: |
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture |
|
|
|
an Enterprise’s AAA Infrastructure |
AC-17: REMOTE ACCESS |
|
|
|
|
https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpngateways |
|
https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html |
|
|
|
|
|
AC-4: INFORMATION FLOW ENFORCEMENT |
|
|
|
For enterprise-level high performance connections, use Azure ExpressRoute (or Virtual WAN) to connect Azure datacenters and on-premises infrastructure in a co-location environment. |
|
For enterprise-level high performance connections, use AWS Direct Connect to connect AWS VPCs and resources with your on-premises infrastructure in a co-location environment. |
|
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management |
|
|
|
|
|
|
|
|
|
What are the ExpressRoute connectivity models: |
|
AWS VPN introduction: |
|
|
|
|
|
|
|
|
|
When connecting two or more Azure virtual networks together, use virtual network peering. Network traffic between peered virtual networks is private and is kept on the Azure backbone network. |
https://docs.microsoft.com/azure/expressroute/expressroute-connectivity-models |
You have the option to use VPC Peering or Transit Gateway to establish connectivity between two or more VPCs within or across regions. Network traffic between peered VPC is private and is kept on the AWS backbone network. When you need to join multiple VPCs to create a large flat subnet, you also have the option to use VPC Sharing. |
https://docs.aws.amazon.com/vpn/ |
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Virtual network peering: |
|
Transit Gateway: |
|
|
|
|
|
|
|
|
|
|
https://docs.microsoft.com/azure/virtual-network/virtual-network-peering-overview |
|
https://docs.aws.amazon.com/vpc/latest/tgw/what-is-transit-gateway.html |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Create and accept VPC peering connections: |
|
|
|
|
|
|
|
|
|
|
|
|
https://docs.aws.amazon.com/vpc/latest/peering/create-vpc-peering-connection.html |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
VPC Sharing: |
|
|
|
|
|
|
|
|
|
|
|
|
https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/amazon-vpc-sharing.html |
|
NS-10 |
Network Security |
7.7 - Use of DNS Filtering Services |
4.9 - Configure Trusted DNS Servers on Enterprise Assets |
SC-20: SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) |
nan |
Ensure Domain Name System (DNS) security |
Ensure that Domain Name System (DNS) security configuration protects against known risks: |
Use Azure recursive DNS (usually assigned to your VM through DHCP or preconfigured in the service) or a trusted external DNS server in your workload recursive DNS setup, such as in the VM's operating system or in the application. |
Azure DNS overview: |
Use the Amazon DNS Server (i.e. Amazon Route 53 Resolver server which is usually assigned to you through DHCP or preconfigured in the service) or a centralized trusted DNS resolver server in your workload recursive DNS setup, such as in the VM's operating system or in the application. |
Amazon Route 53 DNSSEC configuration: |
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture |
|
|
|
9.2 - Use DNS Filtering Services |
SC-21: SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) |
|
|
- Use trusted authoritative and recursive DNS services across your cloud environment to ensure the client (such as operating systems and applications) receive the correct resolution result. |
|
https://docs.microsoft.com/azure/dns/dns-overview |
|
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-configure-dnssec.html |
|
|
|
|
|
|
|
|
- Separate the public and private DNS resolution so the DNS resolution process for the private network can be isolated from the public network. |
Use Azure Private DNS for a private DNS zone setup where the DNS resolution process does not leave the designated virtual network. Use a custom DNS to restrict the DNS resolution to only allow trusted resolution to your client. |
|
Use Amazon Route 53 to create a private hosted zone setup where the DNS resolution process does not leave the designated VPCs. Use Amazon Route 53 firewall to regulate and filter the outbound DNS/UDP traffic in your VPC for the following use cases: |
|
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management |
|
|
|
|
|
|
|
- Ensure your DNS security strategy also includes mitigations against common attacks, such as dangling DNS, DNS amplifications attacks, DNS poisoning and spoofing, and so on. |
|
Secure Domain Name System (DNS) Deployment Guide: |
- Prevent attacks such as DNS exfiltration in your VPC |
Amazon Route 53 firewall: |
|
|
|
|
|
|
|
|
|
Use Microsoft Defender for DNS for the advanced protection against the following security threats to your workload or your DNS service: |
https://csrc.nist.gov/publications/detail/sp/800-81/2/final |
- Set up allow or deny lists for the domains that your applications can query |
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall.html |
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops |
|
|
|
|
|
|
|
|
- Data exfiltration from your Azure resources using DNS tunneling |
|
|
|
|
|
|
|
|
|
|
|
|
- Malware communicating with a command-and-control server |
Azure Private DNS: |
Configure Domain Name System Security Extensions (DNSSEC) feature in Amazon Route 53 to secure DNS traffic to protect your domain from DNS spoofing or a man-in-the-middle attack. |
Amazon Route 53 domain registration: |
|
|
|
|
|
|
|
|
|
- Communication with malicious domains such as as phishing and crypto mining |
https://docs.microsoft.com/azure/dns/private-dns-overview |
|
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/registrar.html |
|
|
|
|
|
|
|
|
|
- DNS attacks in communication with malicious DNS resolvers |
|
Amazon Route 53 also provides a DNS registration service where Route 53 can be used as the authoritative name servers for your domains. The following best practices should be followed to ensure the security of your domain names: |
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for DNS: |
- Domain names should be automatically renewed by the Amazon Route 53 service. |
|
|
|
|
|
|
|
|
|
|
You can also use Microsoft Defender for App Service to detect dangling DNS records if you decommission an App Service website without removing its custom domain from your DNS registrar. |
https://docs.microsoft.com/azure/security-center/defender-for-dns-introduction |
- Domain names should have the Transfer Lock feature enabled in order to keep them secure. |
|
|
|
|
|
|
|
|
|
|
|
|
- he Sender Policy Framework (SPF) is should be used to stop spammers from spoofing your domain. |
|
|
|
|
|
|
|
|
|
|
|
Prevent dangling DNS entries and avoid subdomain takeover: |
|
|
|
|
|
|
|
|
|
|
|
|
https://docs.microsoft.com/azure/security/fundamentals/subdomain-takeover |
|
|
|