Security best practices for your VPC - Amazon Virtual Private Cloud
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Security best practices for your VPC

The following best practices are general guidelines and don’t represent a complete security solution. Because these best practices might not be appropriate or sufficient for your environment, treat them as helpful considerations rather than prescriptions.

  • When you add subnets to your VPC to host your application, create them in multiple Availability Zones. An Availability Zone is one or more discrete data centers with redundant power, networking, and connectivity in an Amazon Region. Using multiple Availability Zones makes your production applications highly available, fault tolerant, and scalable. For more information, see Amazon VPC on Amazon.

  • Use security groups to control traffic to EC2 instances in your subnets. For more information, see Security groups.

  • Use network ACLs to control inbound and outbound traffic at the subnet level. For more information, see Control traffic to subnets using network ACLs.

  • Manage access to Amazon resources in your VPC using Amazon Identity and Access Management (IAM) identity federation, users, and roles. For more information, see Identity and access management for Amazon VPC.

  • Use VPC Flow Logs to monitor the IP traffic going to and from a VPC, subnet, or network interface. For more information, see VPC Flow Logs.

  • Use Network Access Analyzer to identify unintended network access to resources in your VPCs. For more information, see the Network Access Analyzer Guide.

  • Use Amazon Network Firewall to monitor and protect your VPC by filtering inbound and outbound traffic. For more information, see the Amazon Network Firewall Guide.

  • Use Amazon GuardDuty to detect potential threats to your accounts, containers, workloads, and data within your Amazon environment. The foundational threat detection includes monitoring the VPC flow logs associated with your Amazon EC2 instances. For more information, see VPC Flow Logs in the Amazon GuardDuty User Guide.
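The security group and network ACL items above describe what those controls do but not how their rules go wrong in practice. The following audit script is an added example (not code from the Amazon VPC documentation) that reads the rule shapes returned by the EC2 `describe-security-groups` and `describe-network-acls` APIs and reports two common defects: a security group exposing an administrative port to `0.0.0.0/0` or `::/0`, and a network ACL deny rule that never fires because a lower-numbered allow rule already matches the same traffic. The group IDs, ACL ID, rule numbers and the list of "sensitive" ports are constructed for the example.

```python
"""Audit security group and network ACL rules in describe-* API shape.

Added example, not Amazon's code. The two documents below are constructed to
resemble describe-security-groups / describe-network-acls output; all IDs,
CIDRs and rule numbers are made up.
"""
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple

# Ports that should not be reachable from the whole internet (assumption).
SENSITIVE_PORTS = {22, 3389, 3306, 5432}
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
DEFAULT_DENY_RULE = 32767  # the implicit catch-all deny at the end of every ACL

SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0123456789abcdef0", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,  # SSH open to the world
          "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
     ]},
    {"GroupId": "sg-0fedcba9876543210", "GroupName": "db",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
          "IpRanges": [], "Ipv6Ranges": [],
          "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}]},
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
     ]},
]

SAMPLE_NETWORK_ACL = {
    "NetworkAclId": "acl-0123456789abcdef0",
    "Entries": [  # ingress entries only; evaluated in ascending RuleNumber order
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": ANY_V4, "PortRange": {"From": 443, "To": 443}},
        {"RuleNumber": 110, "Protocol": "6", "RuleAction": "deny", "Egress": False,
         "CidrBlock": "198.51.100.0/24", "PortRange": {"From": 22, "To": 22}},
        {"RuleNumber": 120, "Protocol": "-1", "RuleAction": "allow", "Egress": False,
         "CidrBlock": ANY_V4},
        {"RuleNumber": 130, "Protocol": "6", "RuleAction": "deny", "Egress": False,
         "CidrBlock": "203.0.113.0/24", "PortRange": {"From": 3389, "To": 3389}},
        {"RuleNumber": DEFAULT_DENY_RULE, "Protocol": "-1", "RuleAction": "deny",
         "Egress": False, "CidrBlock": ANY_V4},
    ],
}


def _perm_ports(perm: Dict) -> Tuple[int, int]:
    """Port span of a security group permission; '-1' means all protocols and ports."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def world_open_sensitive_ports(groups: List[Dict]) -> List[Tuple[str, int]]:
    """Return (GroupId, port) pairs where a sensitive port is open to 0.0.0.0/0 or ::/0."""
    findings = []
    for g in groups:
        for perm in g["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(c in (ANY_V4, ANY_V6) for c in cidrs):
                continue
            lo, hi = _perm_ports(perm)
            findings.extend((g["GroupId"], p) for p in sorted(SENSITIVE_PORTS) if lo <= p <= hi)
    return findings


def _entry_ports(entry: Dict) -> Tuple[int, int]:
    pr = entry.get("PortRange")
    return (pr["From"], pr["To"]) if pr else (0, 65535)


def _allow_covers_deny(allow: Dict, deny: Dict) -> bool:
    """True when every packet the deny rule would match is already matched by the allow rule."""
    if allow["Protocol"] != "-1" and allow["Protocol"] != deny["Protocol"]:
        return False
    a_lo, a_hi = _entry_ports(allow)
    d_lo, d_hi = _entry_ports(deny)
    if not (a_lo <= d_lo and d_hi <= a_hi):
        return False
    a_cidr, d_cidr = allow.get("CidrBlock"), deny.get("CidrBlock")
    if a_cidr is None or d_cidr is None:  # IPv6 entries use Ipv6CidrBlock; not handled here
        return False
    return ip_network(d_cidr).subnet_of(ip_network(a_cidr))


def shadowed_denies(acl: Dict, egress: bool = False) -> List[Tuple[int, int]]:
    """Return (deny rule, earlier allow rule) pairs where the deny can never match."""
    entries = sorted((e for e in acl["Entries"] if e["Egress"] == egress),
                     key=lambda e: e["RuleNumber"])
    findings = []
    for i, deny in enumerate(entries):
        if deny["RuleAction"] != "deny" or deny["RuleNumber"] == DEFAULT_DENY_RULE:
            continue
        shadow: Optional[Dict] = next((a for a in entries[:i]
                                       if a["RuleAction"] == "allow" and _allow_covers_deny(a, deny)), None)
        if shadow is not None:
            findings.append((deny["RuleNumber"], shadow["RuleNumber"]))
    return findings


if __name__ == "__main__":
    for gid, port in world_open_sensitive_ports(SAMPLE_SECURITY_GROUPS):
        print(f"{gid}: port {port} open to the internet")
    for deny, allow in shadowed_denies(SAMPLE_NETWORK_ACL):
        print(f"{SAMPLE_NETWORK_ACL['NetworkAclId']}: deny rule {deny} is shadowed by allow rule {allow}")
```

On the constructed data the script reports the `web` group's SSH rule and ACL deny rule 130, which sits behind the all-traffic allow at rule 120; deny rule 110 is not reported because the only earlier allow (rule 100) matches a different port. The same checks apply unchanged to real API output loaded with `json.load`.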
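The VPC Flow Logs item says what the logs record but not how a defender reads them. The following parser is an added example (not code from the Amazon VPC documentation) that consumes records in the default flow log format (version 2, space-separated: version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status), skips the `NODATA` and `SKIPDATA` records that carry no addresses, counts rejected flows per source, and flags accepted flows to administrative ports that originate outside the VPC CIDR. The sample lines, account ID, interface ID, addresses and the VPC CIDR `10.0.0.0/16` are all constructed for the example.

```python
"""Summarize VPC Flow Log records from a defender's viewpoint.

Added example, not Amazon's code. SAMPLE_LINES are constructed in the default
flow log format (version 2); the account id, interface id and addresses are
made up. The NODATA / SKIPDATA lines show the records the service emits when
no traffic was seen or records were dropped: they carry '-' instead of fields.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional

# Destination ports whose ACCEPT from outside the VPC deserves review (assumption).
SENSITIVE_PORTS = {22, 3389, 3306, 5432}

SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.15 10.0.2.40 49152 443 6 12 3400 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.2.40 51515 22 6 3 180 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.2.40 51516 3389 6 1 60 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.2.40 51517 445 6 1 60 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.9 10.0.2.40 40000 22 6 1 60 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA",
    "2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - SKIPDATA",
]


@dataclass(frozen=True)
class FlowRecord:
    account_id: str
    interface_id: str
    src: str
    dst: str
    src_port: int
    dst_port: int
    protocol: int
    packets: int
    byte_count: int
    action: str  # ACCEPT or REJECT


def parse_record(line: str) -> Optional[FlowRecord]:
    """Parse one default-format line; None for lines that carry no usable fields."""
    f = line.split()
    if len(f) != 14 or f[0] != "2":
        return None  # not a default-format version 2 record
    if f[13] != "OK":
        return None  # NODATA and SKIPDATA records have no addresses, ports or action
    return FlowRecord(f[1], f[2], f[3], f[4], int(f[5]), int(f[6]), int(f[7]),
                      int(f[8]), int(f[9]), f[12])


def parse_records(lines: Iterable[str]) -> List[FlowRecord]:
    return [r for r in (parse_record(line) for line in lines) if r is not None]


def rejects_by_source(records: Iterable[FlowRecord]) -> Counter:
    """Count REJECT records per source address so noisy sources stand out."""
    return Counter(r.src for r in records if r.action == "REJECT")


def external_admin_accepts(records: Iterable[FlowRecord], vpc_cidr: str) -> List[FlowRecord]:
    """ACCEPTed flows to a sensitive port whose source lies outside the VPC CIDR.

    An ACCEPT here means the security group and network ACL both allowed the
    flow, which is exactly the rule set a reviewer should look at next.
    """
    vpc = ip_network(vpc_cidr)
    return [r for r in records
            if r.action == "ACCEPT" and r.dst_port in SENSITIVE_PORTS
            and ip_address(r.src) not in vpc]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LINES)
    for src, n in rejects_by_source(recs).most_common():
        print(f"{src}: {n} rejected flows")
    for r in external_admin_accepts(recs, "10.0.0.0/16"):
        print(f"review: {r.src}:{r.src_port} -> {r.dst}:{r.dst_port} accepted on {r.interface_id}")
```

Custom flow log formats reorder or add fields, so the fixed 14-field layout assumed by `parse_record` applies only to the default format; for a custom format, map the field names you chose at creation time onto the record instead. Flow logs also aggregate over an interval and omit some traffic types, so they complement, rather than replace, the detections GuardDuty builds on the same data.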

For answers to frequently asked questions related to VPC security, see Security and Filtering in the Amazon VPC FAQs.