Security in layers (defense in depth):
- Edge layer — CloudFront with AWS WAF to filter malicious requests (SQL injection, XSS, OWASP Top 10 rules), rate limiting, and geo-blocking; Shield Standard (free, automatic) protects against L3/L4 DDoS, Shield Advanced ($3,000/month) adds automatic L7 DDoS mitigation with a 24/7 support team.
- Network layer — VPC with public/private subnets, strict Security Groups, NACLs, VPC Flow Logs to audit traffic; never expose the database publicly; use AWS Network Firewall for stateful inspection.
- Compute layer — EC2/Lambda in private subnets, IMDSv2 (Instance Metadata Service v2) enforced to prevent SSRF, least privilege IAM roles, SSM Session Manager instead of SSH (no need to open port 22).
- Data layer — encrypt at rest with KMS (S3, RDS, DynamoDB), encrypt in transit (HTTPS, TLS 1.2+), Secrets Manager for credentials, S3 Block Public Access at the account level.
- Identity layer — IAM least privilege, MFA, Cognito for application authentication, no long-term credentials.
- Monitoring — GuardDuty (ML-based threat detection: compromised EC2 instances or credentials, crypto mining, unusual API calls), Security Hub (aggregates findings from GuardDuty, Inspector, Macie, and Config into a single dashboard with a compliance score), AWS Config (resource configuration compliance, drift detection), CloudTrail (audit log of every API call). Inspector — automatic vulnerability scanning of EC2 instances and Lambda packages.
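As an added example (not from the original page), the following Python audit checks the compute- and network-layer controls listed above against EC2 and Security Group descriptions shaped like the `describe_instances()` / `describe_security_groups()` responses of boto3; the sample data is constructed inline, so it runs offline, and `DB_PORTS` is an assumed list of common database ports.

```python
"""Offline audit of EC2 instance and Security Group descriptions against three
controls above: IMDSv2 enforced, SSH (22) not open to the world, no database
port reachable from the internet. Input dicts follow the boto3 response shape."""
from typing import Dict, List

# Assumed set of common database ports: MySQL, PostgreSQL, SQL Server, MongoDB
DB_PORTS = {3306, 5432, 1433, 27017}

def _open_to_world(perm: dict) -> bool:
    """True if the ingress rule allows any IPv4 or IPv6 source."""
    return (any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
            or any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", [])))

def _port_in(perm: dict, port: int) -> bool:
    """True if the rule covers `port` (protocol -1 means all traffic)."""
    if perm.get("IpProtocol") == "-1":
        return True
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)

def audit_instance(instance: dict, sgs: Dict[str, dict]) -> List[str]:
    """Return a list of findings for one instance; empty list means compliant."""
    findings = []
    md = instance.get("MetadataOptions", {})
    if md.get("HttpEndpoint", "enabled") == "enabled" and md.get("HttpTokens") != "required":
        findings.append("IMDSv2 not enforced (HttpTokens != required); SSRF can reach IMDS")
    for ref in instance.get("SecurityGroups", []):
        gid = ref["GroupId"]
        for perm in sgs.get(gid, {}).get("IpPermissions", []):
            if not _open_to_world(perm):
                continue
            if _port_in(perm, 22):
                findings.append(f"{gid}: SSH (22) open to the world; use SSM Session Manager")
            for p in sorted(DB_PORTS):
                if _port_in(perm, p):
                    findings.append(f"{gid}: database port {p} reachable from the internet")
    return findings

# Constructed sample data in the describe_security_groups()/describe_instances() shape
SAMPLE_SGS = {
    "sg-bad": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    "sg-good": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
}
BAD_INSTANCE = {"InstanceId": "i-bad", "SecurityGroups": [{"GroupId": "sg-bad"}],
                "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}}
GOOD_INSTANCE = {"InstanceId": "i-good", "SecurityGroups": [{"GroupId": "sg-good"}],
                 "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}}

if __name__ == "__main__":
    for inst in (BAD_INSTANCE, GOOD_INSTANCE):
        print(inst["InstanceId"], audit_instance(inst, SAMPLE_SGS) or "compliant")
```

Against a live account the same function can be fed the `Reservations[*].Instances[*]` and `SecurityGroups` entries returned by boto3 without modification.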