
@devops-school
Created November 14, 2024 09:38
List of options for preventing DDoS attacks using AWS Security Groups.

AWS Security Group Configuration Options for DDoS Prevention

1. Restrict SSH Access to Specific IP Addresses

Instead of allowing SSH (port 22) from anywhere (0.0.0.0/0), specify only trusted IP addresses or IP ranges.

This limits access to authorized users only and stops unsolicited connection attempts from everywhere else.

Inbound Rule:

  • Type: SSH
  • Protocol: TCP
  • Port Range: 22
  • Source: <Your IP address or IP range (e.g., 203.0.113.0/24)>

2. Use Non-Standard Ports for Remote Access

Consider using a custom port for SSH or other critical services. Update your instance configuration accordingly.

Inbound Rule:

  • Type: Custom TCP
  • Protocol: TCP
  • Port Range: 2222 (example)
  • Source:

Note: Configure the instance's SSH daemon to listen on this new port instead of 22.

3. Limit Web Traffic to HTTP(S) and Only Required IP Ranges (If Needed)

If your web application does not need to be accessible to the public, restrict access to only trusted IPs.

This limits potential DDoS entry points.

Inbound Rule:

  • Type: HTTP or HTTPS
  • Protocol: TCP
  • Port Range: 80 or 443
  • Source:

For publicly accessible websites, use a Web Application Firewall (WAF) to filter traffic.

4. Deny All Unnecessary Ports and Services

Remove or block all open ports that aren’t strictly necessary for your application.

This minimizes exposure and attack surfaces.

Example: Only allow HTTP, HTTPS, and SSH from specific sources, and deny all other ports by default.

5. Rate-Limit Connections with a Network ACL (NACL) at the VPC Level (Optional)

Security groups don’t natively support rate limiting, but Network ACLs can control traffic flow at the subnet level.

For example, permit connections on port 22 through "Allow" rules with specific conditions, and add a "Deny" rule that takes effect once the hit count exceeds a threshold.

Rate limiting is best configured in combination with AWS WAF or third-party services for detailed control.

6. Use AWS WAF (Web Application Firewall) for Public Web Applications (Recommended)

AWS WAF provides advanced filtering options to protect against common attacks, including SQL injection and XSS, and allows for IP-based rate limiting.

Enable AWS WAF on CloudFront distributions, ALB, or API Gateway, and configure WAF rules as follows:

- IP Rate Limit: Set custom rate-based rules to limit requests from the same IP.

- Geo-Blocking: Restrict access to specific geographic regions if your app is region-specific.

- SQL Injection and XSS Protection: Use managed rules to protect against web vulnerabilities.
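To make the rate-based rule concrete, here is an added Python model of what such a rule decides. It is not part of the gist and not AWS WAF's implementation: it counts requests per source IP over a trailing window and blocks that IP while its count exceeds the limit. The 100-request limit, the 5-minute window and the request log are all assumed or constructed for this example.

```python
from collections import defaultdict, deque

# Assumed values for this example: a rate-based rule counts requests per source
# IP over a trailing window; the limit and the window length are rule settings.
RATE_LIMIT = 100
WINDOW_SECONDS = 300


class RateBasedRule:
    """Model of a rate-based rule's decision logic (not AWS's implementation).

    Each source IP keeps a queue of request timestamps; timestamps older than
    the window are dropped before counting. A request is blocked when the IP's
    count within the window exceeds the limit, and allowed again once enough
    old hits have aged out.
    """

    def __init__(self, limit=RATE_LIMIT, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)

    def evaluate(self, source_ip, ts):
        hits = self._hits[source_ip]
        while hits and ts - hits[0] >= self.window:
            hits.popleft()  # age out hits that fell outside the trailing window
        hits.append(ts)
        return "BLOCK" if len(hits) > self.limit else "ALLOW"


def replay(requests, rule=None):
    """Feed (timestamp, source_ip) pairs through the rule in time order.

    Returns {source_ip: (allowed, blocked)} so the effect per client is visible.
    """
    rule = rule or RateBasedRule()
    tally = defaultdict(lambda: [0, 0])
    for ts, ip in sorted(requests):
        decision = rule.evaluate(ip, ts)
        tally[ip][0 if decision == "ALLOW" else 1] += 1
    return {ip: tuple(counts) for ip, counts in tally.items()}


# Constructed request log: one client fires 150 requests in 150 seconds, another
# sends a normal trickle, and the noisy client returns after the window expires.
SAMPLE_REQUESTS = (
    [(t, "198.51.100.7") for t in range(150)]
    + [(t * 30, "203.0.113.5") for t in range(5)]
    + [(150 + WINDOW_SECONDS, "198.51.100.7")]
)

if __name__ == "__main__":
    for ip, (allowed, blocked) in sorted(replay(SAMPLE_REQUESTS).items()):
        print(f"{ip:>14}  allowed={allowed:<4} blocked={blocked}")
```

The noisy client gets its first 100 requests through, has the next 50 blocked, and is allowed again once the window has moved past the burst; the low-rate client is never touched. That is the behaviour to expect from the real rule too: it throttles one abusive source without affecting the rest of the traffic.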

7. Enable AWS Shield Advanced for Enhanced DDoS Protection (Recommended for Enterprise)

AWS Shield Advanced provides dedicated DDoS protection, including always-on detection, automatic traffic monitoring, and attack mitigation.

Shield Advanced works automatically with services like CloudFront, Route 53, and Elastic Load Balancing.

It provides detailed attack diagnostics and additional protections for large-scale attacks.

8. Monitor with CloudWatch Alarms and AWS Config

Set up CloudWatch alarms to monitor unusual spikes in metrics like "NetworkIn" or "NetworkPacketsIn" to detect potential DDoS attacks early.

Example:

- Create alarms on metrics for unexpected increases in incoming traffic.

- Use AWS Config to enforce compliance by ensuring Security Groups only have the allowed ports open.
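The AWS Config check in this section and the SSH and allowlist rules from options 1 and 4 come down to one question: do a group's inbound rules open anything beyond the approved ports, and is port 22 reachable from anywhere other than the trusted range? The audit below is an added example (not from the gist, and not an AWS Config rule) that applies that policy to security groups in the shape the describe-security-groups API returns. The trusted CIDR, the port allowlist, the group IDs and the two sample groups are constructed for the example.

```python
import ipaddress

# Policy for this example (constructed): SSH only from the trusted admin range,
# web ports allowed, nothing else. Adjust both to your environment.
TRUSTED_ADMIN_CIDRS = ["203.0.113.0/24"]
ALLOWED_PORTS = {22, 80, 443}


def rule_ports(perm):
    """Set of ports one IpPermission opens; None means all protocols and ports."""
    if perm.get("IpProtocol") == "-1":
        return None
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return None
    return set(range(lo, hi + 1))


def rule_sources(perm):
    """IPv4 and IPv6 CIDR sources of one IpPermission (group references ignored)."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def within_trusted(cidr):
    """True if the source CIDR lies entirely inside one of the trusted ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    for trusted in TRUSTED_ADMIN_CIDRS:
        t = ipaddress.ip_network(trusted)
        if net.version == t.version and net.subnet_of(t):
            return True
    return False


def audit_security_group(sg):
    """Findings for one security group in describe_security_groups format."""
    findings = []
    gid = sg["GroupId"]
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        ports = rule_ports(perm)
        sources = rule_sources(perm)
        if ports is None:
            findings.append(f"{gid}: all protocols and ports open to {', '.join(sources)}")
        elif proto != "tcp" or not ports <= ALLOWED_PORTS:
            span = f"{min(ports)}" if len(ports) == 1 else f"{min(ports)}-{max(ports)}"
            findings.append(f"{gid}: {proto} port(s) {span} not in allowlist {sorted(ALLOWED_PORTS)}")
        # Port 22 is exposed either by an explicit SSH rule or by an all-traffic rule.
        if ports is None or 22 in ports:
            for src in sources:
                if not within_trusted(src):
                    findings.append(f"{gid}: SSH reachable from {src}; expected a subnet of {TRUSTED_ADMIN_CIDRS}")
    return findings


def audit_all(groups):
    return {sg["GroupId"]: audit_security_group(sg) for sg in groups}


# Constructed sample: one group that follows options 1 and 4, one that does not.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web-hardened", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "web-loose", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
]

if __name__ == "__main__":
    for gid, findings in audit_all(SAMPLE_GROUPS).items():
        print(gid, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run against real data, the same function takes the `SecurityGroups` list from `describe_security_groups` unchanged. The hardened group produces no findings; the loose group is flagged for SSH open to the world, for a database port outside the allowlist, and twice for its all-traffic rule, which both opens every port and exposes SSH to a range that is not the trusted one.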

9. Log and Analyze Traffic with VPC Flow Logs

Enable VPC Flow Logs to capture information about the IP traffic going to and from network interfaces in your VPC.

VPC Flow Logs help identify suspicious activity patterns, like sudden spikes from certain IP addresses or unusual traffic to uncommon ports.

Steps:

- Go to VPC Console > Flow Logs > Create Flow Log.

- Enable logs and store them in CloudWatch Logs or an S3 bucket for analysis.
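Once the logs land in CloudWatch Logs or S3, the analysis described above is a matter of aggregating records per source address. The script below is an added example (not from the gist) that parses lines in the default VPC Flow Log format (version 2, space-separated fields) and flags sources whose packet count spikes as well as sources sending to ports outside the expected set. The sample lines, the spike threshold and the expected-port set are constructed for the example.

```python
from collections import defaultdict

# Field order of the default (version 2) VPC Flow Log format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed thresholds for this example: tune to the baseline of your workload.
EXPECTED_PORTS = {22, 80, 443}
PACKET_SPIKE_THRESHOLD = 10_000


def parse_flow_log_line(line):
    """One default-format line as a dict, or None for malformed/NODATA/SKIPDATA."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None  # NODATA and SKIPDATA records carry '-' in the traffic fields
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def summarize(lines):
    """Per-source totals: packets, bytes, destination ports seen, rejected flows."""
    per_src = defaultdict(lambda: {"packets": 0, "bytes": 0, "ports": set(), "rejects": 0})
    for line in lines:
        rec = parse_flow_log_line(line)
        if rec is None:
            continue
        s = per_src[rec["srcaddr"]]
        s["packets"] += rec["packets"]
        s["bytes"] += rec["bytes"]
        s["ports"].add(rec["dstport"])
        if rec["action"] == "REJECT":
            s["rejects"] += 1
    return per_src


def findings(lines):
    """Human-readable findings for the two patterns named in the text."""
    out = []
    for src, s in sorted(summarize(lines).items()):
        if s["packets"] >= PACKET_SPIKE_THRESHOLD:
            out.append(f"{src}: {s['packets']} packets in window (spike threshold {PACKET_SPIKE_THRESHOLD})")
        odd = sorted(s["ports"] - EXPECTED_PORTS)
        if odd:
            out.append(f"{src}: traffic to unexpected port(s) {odd}, {s['rejects']} rejected flow(s)")
    return out


# Constructed sample: normal HTTPS traffic, a packet flood to port 80, probes of
# database ports that the security group rejected, and one NODATA record.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51234 443 6 20 4120 1731571200 1731571260 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 40001 80 6 6000 360000 1731571200 1731571260 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 40002 80 6 6000 360000 1731571200 1731571260 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.9 10.0.1.20 55555 3306 6 3 180 1731571200 1731571260 REJECT OK
2 123456789012 eni-0a1b2c3d 192.0.2.9 10.0.1.20 55556 6379 6 3 180 1731571200 1731571260 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1731571200 1731571260 - NODATA
""".splitlines()

if __name__ == "__main__":
    for line in findings(SAMPLE_FLOW_LOG):
        print(line)
```

The REJECT counter is worth keeping: rejected flows to unexpected ports show that option 4 is doing its job, while ACCEPTed flows to such ports point at a rule that should not exist. If you enable a custom log format in the console, update FIELDS to match the field order you chose.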

Summary

- Restrict access to known IPs for SSH and critical services.

- Use custom ports and limit exposure by removing unnecessary open ports.

- Use AWS WAF, Shield Advanced, CloudWatch, and VPC Flow Logs for comprehensive monitoring and protection.
