- Newest
- Most votes
- Most comments
Hello, there are 3 options for you to perform instance isolation:
1 - Security Group-level containment: a. Create a dedicated “Isolation” security group b. Create a single rule of 0.0.0.0/0 (0-65535) for all traffic in both the inbound rules and outbound rules c. Application of these rules will convert all existing (and new) traffic to “untracked” d. Remove the existing security group association from the instance and associate the “Isolation” security group with the instance e. Delete both rules of 0.0.0.0/0 (0-65535) for all traffic from both the inbound rules and outbound rules of the “Isolation” security group
2 - Subnet-level containment: a. Identify the subnet associated with the instance b. Identify the NACL associated with the subnet c. Add a DENY ALL NACL rule to both the inbound and outbound rules as rule number 1 for all traffic (0.0.0.0/0) d. If you need to delete an existing rule to make space, ensure you record the details of the deleted rule in order to restore it in the future
3 - VPC-level containment: a. Remove all the IGW routes from all route tables b. Attach a custom route table with no routes to all subnets within the VPC c. Options available depending on your needs and the situation d. This is a big hammer: Use it wisely
https://docs.aws.amazon.com/vpc/latest/userguide/infrastructure-security.html
Relevant content
- asked 6 months ago
- asked a year ago
- asked 5 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 8 months ago
- AWS OFFICIALUpdated 2 years ago