What security settings can be configured at the different levels (VPC level, security group, network level and operating system level)?

Hi Experts,

Launching about 10 Windows instances in an AWS VPC, and configuring security groups, network ACLs, etc.
Please guide on what other security can be configured, from the OS level up to the VPC level. The instances are in a workgroup. We need to have restrictions on users other than system admins. Please guide.

David Johnson, CD, MVP (Owner) commented:
This really depends upon what you are using these virtual machines for. A web server obviously needs ports 80/443 with no restrictions; port 3389 can be restricted to your company's public IP address. If this web server communicates with a SQL Server instance also located in a VPC, then you only need port 3389 to be available outside of AWS and port 1433 available within. This question is just too open to provide a realistic answer. The only real caveat is that you have to allow at minimum one IP address to have port 3389 access.
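The two exposures this answer describes (3389 open to more than the company's public IP, 1433 reachable from outside the VPC) are easy to audit mechanically. The following is an added example, not code from the thread: it reads security-group data in the shape `aws ec2 describe-security-groups` returns and reports rules that violate those two expectations. The company IP, VPC CIDR and the two sample groups are constructed for the illustration.

```python
"""Audit EC2 security-group rules for the two exposures discussed above:
RDP (3389) open to anything beyond the company's public IP, and
SQL Server (1433) reachable from outside the VPC.

Added example, not code from the original thread. Input is shaped like the
`SecurityGroups` list that `aws ec2 describe-security-groups` returns. The
company IP, VPC CIDR and the two sample groups below are constructed.
"""
import ipaddress

COMPANY_IP = ipaddress.ip_network("203.0.113.10/32")  # assumption: corporate egress IP
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")        # assumption: the VPC's CIDR block

RDP, MSSQL = 3389, 1433


def _covers_port(perm, port):
    """True if an IpPermissions entry allows TCP `port` (or all traffic)."""
    proto = str(perm.get("IpProtocol"))
    if proto == "-1":            # "all traffic" rule: no port fields present
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _within(cidr, allowed):
    return cidr.version == allowed.version and cidr.subnet_of(allowed)


def audit_security_group(sg, company_ip=COMPANY_IP, vpc_cidr=VPC_CIDR):
    """Return (group_id, finding) tuples for one security group.

    Only CIDR-based rules are examined; rules that reference another
    security group (UserIdGroupPairs) stay inside AWS by construction and
    are the preferred way to allow 1433 from the web tier.
    """
    findings = []
    gid = sg["GroupId"]
    for perm in sg.get("IpPermissions", []):
        ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for text in ranges:
            cidr = ipaddress.ip_network(text)
            if _covers_port(perm, RDP) and not _within(cidr, company_ip):
                findings.append((gid, f"3389 open to {cidr}; expected only {company_ip}"))
            if _covers_port(perm, MSSQL) and not _within(cidr, vpc_cidr):
                findings.append((gid, f"1433 open to {cidr}; expected only inside {vpc_cidr}"))
    return findings


def audit_all(groups):
    return [f for sg in groups for f in audit_security_group(sg)]


# Constructed sample: a web tier that leaks RDP to the world, and a SQL tier
# that takes 1433 only from the web tier's group and RDP only from the office.
WEB_SG = {
    "GroupId": "sg-web",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}
SQL_SG = {
    "GroupId": "sg-sql",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
         "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
    ],
}

if __name__ == "__main__":
    for gid, msg in audit_all([WEB_SG, SQL_SG]):
        print(f"{gid}: {msg}")
```

Run against the sample data it reports only the web tier's world-open 3389 rule; an "all traffic" (`-1`) rule from `0.0.0.0/0` would trip both checks at once, which is why the protocol test treats it as covering every port.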
btan (Exec Consultant) commented:
A good guide is "Controlling Access to Amazon VPC Resources", which gives an overview of the specific steps. You can catch:
"Example 5. Launching instances into a specific VPC":
grants users permission to launch instances into any subnet within a specific VPC.
"Example 6. Managing security groups in a VPC":
grants users permission to create and delete inbound and outbound rules for any security group within a specific VPC.
"Example 8. Creating and managing VPC endpoints":
grants users permission to create, modify, view, and delete VPC endpoints.

But to have full oversight on the "checklist", I do see the summary of good practices in the article as useful guidance, specifically:
- Practice 6) IAM your Amazon VPC
- Practice 8) Use security groups and Network ACLs wisely
- Practice 9) Tier your Security Groups
- Practice 10) Standardize your Security Group naming conventions
- Practice 12) Control your outgoing traffic in Amazon VPC
- Practice 17) Plan your tunnel between the on-premises DC and Amazon VPC
- Practice 21) Allow and Deny Network ACL
- Practice 22) Restricting Network ACL

As a whole, I see a minimum set of checks to confirm across the aspects covered. They are covered in the above-mentioned resources as well.
a) From the user side, identity should sync between AWS IAM and the AD used for the setup.
b) From the OS side, the usual AD GPO on the group ACL applies, regardless of it being in AWS EC2, etc. The key is that the AD policy has to be deployed to each domain-joined instance. Also consider disk encryption (BitLocker) and application whitelisting (running AppLocker), and ensure host intrusion prevention, inclusive of host AV and firewall, is running fine and updated in a timely manner.
c) From the network side, it is your on-premises firewall (if applicable, especially for AD federation using ADFS 2) and the AWS VPC firewall.
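The IAM examples this answer points to (5 and 6) both work the same way: the in-VPC action is granted on its resource type, and an `ec2:Vpc` condition pins it to one VPC ARN. The following is an added example, not code from the thread or from AWS: it builds policies in the shape of those two examples and lints a policy document for statements that grant the same actions without the pin, which is the mistake that quietly turns "launch into this VPC" into "launch anywhere in the account". The account ID, region and VPC ID are constructed placeholders.

```python
"""Lint IAM policy documents for the VPC pinning used in AWS's
"Controlling Access to Amazon VPC Resources" examples 5 and 6.

Added example, not code from the thread or from AWS. The account id, region
and VPC id are constructed placeholders. The lint flags Allow statements
that grant an in-VPC action on the resource that should be pinned (subnets
for RunInstances, security groups for rule changes) without an ec2:Vpc
condition, i.e. statements that would work in any VPC in the account.
"""
import json

ACCOUNT = "123456789012"   # constructed
REGION = "ap-southeast-1"  # constructed
VPC_ID = "vpc-1a2b3c4d"    # constructed
VPC_ARN = f"arn:aws:ec2:{REGION}:{ACCOUNT}:vpc/{VPC_ID}"

SG_RULE_ACTIONS = [
    "ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress",
    "ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress",
]
# Which resource type must carry the ec2:Vpc condition for each action.
PINNED_RESOURCE = {"ec2:RunInstances": ":subnet/"}
PINNED_RESOURCE.update({a: ":security-group/" for a in SG_RULE_ACTIONS})


def _as_list(v):
    return v if isinstance(v, list) else [v]


def vpc_condition(stmt):
    """Return the ec2:Vpc ARNs a statement is pinned to, or [] if none."""
    for op, kv in stmt.get("Condition", {}).items():
        if op in ("ArnEquals", "StringEquals") and "ec2:Vpc" in kv:
            return _as_list(kv["ec2:Vpc"])
    return []


def unscoped_statements(policy):
    """Indexes of Allow statements that grant a pinned action on its pinned
    resource type (or on "*") without an ec2:Vpc condition."""
    flagged = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow" or vpc_condition(stmt):
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            pin = PINNED_RESOURCE.get(action)
            if pin and any(r == "*" or pin in r for r in resources):
                flagged.append(i)
                break
    return flagged


def launch_into_vpc_policy(vpc_arn=VPC_ARN):
    """Example 5 shape: RunInstances only into subnets of one VPC. The other
    resources RunInstances touches are granted without a pin because the
    launch takes its VPC from the subnet."""
    base = f"arn:aws:ec2:{REGION}:{ACCOUNT}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ec2:RunInstances",
             "Resource": f"{base}:subnet/*",
             "Condition": {"ArnEquals": {"ec2:Vpc": vpc_arn}}},
            {"Effect": "Allow", "Action": "ec2:RunInstances",
             "Resource": [f"arn:aws:ec2:{REGION}::image/ami-*",
                          f"{base}:instance/*", f"{base}:volume/*",
                          f"{base}:network-interface/*", f"{base}:key-pair/*",
                          f"{base}:security-group/*"]},
            {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        ],
    }


def manage_sg_rules_policy(vpc_arn=VPC_ARN):
    """Example 6 shape: add/remove rules only on security groups in one VPC."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": SG_RULE_ACTIONS,
             "Resource": f"arn:aws:ec2:{REGION}:{ACCOUNT}:security-group/*",
             "Condition": {"ArnEquals": {"ec2:Vpc": vpc_arn}}},
            {"Effect": "Allow", "Action": "ec2:DescribeSecurityGroups", "Resource": "*"},
        ],
    }


# Constructed counter-example: the common "just let them launch" policy.
UNSCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["ec2:RunInstances", "ec2:AuthorizeSecurityGroupIngress"],
                   "Resource": "*"}],
}

if __name__ == "__main__":
    print(json.dumps(launch_into_vpc_policy(), indent=2))
    print("unscoped statements:", unscoped_statements(UNSCOPED_POLICY))
```

The lint deliberately keys on the resource type rather than on the action alone: in the Example 5 shape the second `RunInstances` statement legitimately lists `security-group/*` without a condition, and only the subnet statement needs the pin. Run the linter over the policies attached to the non-admin users from the question before handing them out.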
