AWS re:Invent 2025 - Robust network security with perimeter protection and zero trust (NET326)

Robust Network Security with Perimeter Protection and Zero Trust

Securing Applications on AWS

  • Customers have two types of applications on AWS:
    • Public applications (e.g. retail website, API gateway) that need to be protected from internet threats
    • Private applications (e.g. HR system, financial dashboards) that need to be accessed securely by employees and contractors
  • Applications run on various AWS services like EC2, containers, RDS, etc. and need robust perimeter protection.

Perimeter Protection Needs

  • Protect internet ingress traffic from malicious actors, DDoS, etc.
  • Secure outbound traffic from applications to the internet (e.g. GitHub, code uploads)
  • Inspect east-west traffic between applications to prevent lateral movement
  • Control access for employees and contractors to applications and resources

CloudFront and Edge Security

  • CloudFront is AWS's content delivery network that provides scale and security at the edge.
  • CloudFront can:
    • Absorb and diffuse large-scale DDoS attacks using its global edge network
    • Terminate TLS connections and enforce advanced cipher suites, including post-quantum crypto
    • Implement mutual TLS with client applications for strong authentication
    • Integrate with AWS WAF to provide configurable rules for bot mitigation, DDoS protection, etc.
  • CloudFront offers managed rules for common security threats like OWASP Top 10, bots, DDoS, etc. to simplify configuration.
  • CloudFront can also restrict access to private origin servers in VPCs, removing internet exposure.

Network Firewall for Traffic Inspection

  • Network Firewall is a managed service that provides stateful inspection of network traffic.
  • It can be integrated with AWS gateways (IGW, TGW, VPN, DX) to inspect north-south and east-west traffic.
  • Network Firewall supports Suricata-based rules for deep packet inspection and protocol checking.
  • It provides detailed logging to S3, Kinesis, and CloudWatch for analysis and auditing.
  • Network Firewall also integrates with AWS Firewall Manager for centralized policy management across accounts.
  • Managed rules fed by AWS's global honeypot network (MadPot) provide protection against emerging threats.
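As an added illustration (not from the talk), this Python ties the logging bullet above to the egress need listed under "Perimeter Protection Needs": it parses alert records in the documented Network Firewall JSON log shape and reports blocked egress destinations plus allowed TLS flows whose SNI is outside an allowlist, i.e. rules that pass more than intended. The log lines, the allowlist and the presence of a `tls.sni` field on the record are constructed assumptions.

```python
import json
from collections import Counter

# Constructed sample: three Network Firewall alert-log records, one JSON
# object per line as delivered to S3/CloudWatch. Addresses are documentation
# ranges; the "tls" sub-object is assumed to carry the SNI of the flow.
SAMPLE_ALERT_LOG = """\
{"firewall_name":"egress-fw","availability_zone":"us-east-1a","event_timestamp":"1700000000","event":{"timestamp":"2023-11-14T22:13:20.000000+0000","flow_id":1,"event_type":"alert","src_ip":"10.0.1.25","src_port":51234,"dest_ip":"192.0.2.10","dest_port":443,"proto":"TCP","tls":{"sni":"github.com"},"alert":{"action":"allowed","signature_id":100,"rev":1,"signature":"allow github","category":"","severity":3}}}
{"firewall_name":"egress-fw","availability_zone":"us-east-1a","event_timestamp":"1700000005","event":{"timestamp":"2023-11-14T22:13:25.000000+0000","flow_id":2,"event_type":"alert","src_ip":"10.0.1.25","src_port":51240,"dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP","tls":{"sni":"paste.example.net"},"alert":{"action":"blocked","signature_id":999,"rev":1,"signature":"deny unlisted TLS","category":"","severity":1}}}
{"firewall_name":"egress-fw","availability_zone":"us-east-1b","event_timestamp":"1700000009","event":{"timestamp":"2023-11-14T22:13:29.000000+0000","flow_id":3,"event_type":"alert","src_ip":"10.0.2.40","src_port":40022,"dest_ip":"203.0.113.9","dest_port":443,"proto":"TCP","tls":{"sni":"updates.example.org"},"alert":{"action":"allowed","signature_id":101,"rev":1,"signature":"allow updates","category":"","severity":3}}}
"""

# Destinations the egress policy is meant to permit (constructed).
EGRESS_ALLOWLIST = {"github.com"}


def parse_alerts(log_text):
    """Yield (action, src_ip, dest_ip, sni) for each alert record; skip others."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)["event"]
        if event.get("event_type") != "alert":
            continue
        sni = event.get("tls", {}).get("sni")
        yield event["alert"]["action"], event["src_ip"], event["dest_ip"], sni


def summarize_egress(log_text, allowlist):
    """Count blocked flows by destination and flag allowed flows outside the allowlist."""
    blocked = Counter()
    drift = []  # allowed TLS flows whose SNI the policy was not meant to permit
    for action, src, dst, sni in parse_alerts(log_text):
        if action == "blocked":
            blocked[sni or dst] += 1
        elif sni is not None and sni not in allowlist:
            drift.append((src, sni))
    return {"blocked": dict(blocked), "drift": drift}


if __name__ == "__main__":
    report = summarize_egress(SAMPLE_ALERT_LOG, EGRESS_ALLOWLIST)
    print("blocked:", report["blocked"])
    print("allowed outside allowlist:", report["drift"])
```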

Zero Trust Access with AWS Verified Access

  • Employees and contractors need secure remote access to applications, with granular control.
  • AWS Verified Access (AVA) is a reverse proxy that provides zero trust access based on identity and device posture.
  • AVA integrates with identity providers (e.g. IAM Identity Center) and device trust providers for multi-factor authentication.
  • It provides a public internet endpoint for private applications, with WAF protection at the edge.
  • AVA logs detailed trust context information that can be used to fine-tune access policies.
  • The policy assistant launched for AVA allows testing and iterating on access policies before deployment.

Securing the Secure Shop Enterprise

  • Secure Shop deployed the following security measures:
    • CloudFront and AWS WAF for public-facing retail website protection
    • AWS Verified Access with identity and device trust for internal finance application access
    • Network Firewall to inspect north-south and east-west traffic, including managed threat rules
    • Route 53 DNS Firewall for additional egress traffic inspection and control

Key Takeaways

  • AWS provides a comprehensive set of managed security services (CloudFront, Network Firewall, Verified Access) to build robust perimeter protection.
  • These services offer scalability, advanced security features, and simplified management through managed rules and integrations.
  • Combining these services allows enterprises like Secure Shop to secure public-facing applications, internal resources, and employee access in a holistic manner.
  • The use of AI-powered tools like Kiro CLI can further streamline the deployment and configuration of these security measures.
