Isolation AWS resources with multiple subnets vs multiple VPCs

Information Security Asked by sdgfsdh on February 2, 2021

I have AWS resources (e.g. EC2s, RDS instances) that I would like to isolate from each other so that if one is compromised, the potential damage is limited. I am most concerned about data leakage / exfiltration. I can group these resources into logical "areas". Some of the resources need access to the public internet. Some of the resources need API access to other resources in different areas. Occasionally, developers will need to make SSH connections to the resources via OpenVPN, so those keys might also be a security risk.

My understanding is that I can split my resources in a few ways:

A single VPC and a single subnet with communication controlled by security groups (I understand this is not recommended, buy why?)
A single VPC with multiple subnets and controlled communication between them
Multiple VPCs each containing multiple subnets, with controlled communication between them

What are the security implications of each approach?

aws network

Add your own answers!

Ask a Question

Get help from others!

Recent Answers

Peter Machado on Why fry rice before boiling?
Lex on Does Google Analytics track 404 page responses as valid page views?
Jon Church on Why fry rice before boiling?
Joshua Engel on Why fry rice before boiling?
haakon.io on Why fry rice before boiling?