Isolating AWS resources with multiple subnets vs multiple VPCs

Information Security Asked by sdgfsdh on February 2, 2021

I have AWS resources (e.g. EC2s, RDS instances) that I would like to isolate from each other so that if one is compromised, the potential damage is limited. I am most concerned about data leakage / exfiltration. I can group these resources into logical "areas". Some of the resources need access to the public internet. Some of the resources need API access to other resources in different areas. Occasionally, developers will need to make SSH connections to the resources via OpenVPN, so those keys might also be a security risk.

My understanding is that I can split my resources in a few ways:

  • A single VPC and a single subnet with communication controlled by security groups (I understand this is not recommended, but why?)
  • A single VPC with multiple subnets and controlled communication between them
  • Multiple VPCs each containing multiple subnets, with controlled communication between them

What are the security implications of each approach?
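Whichever layout is chosen, the first option in the question stands or falls on how tightly the security groups are written, and that is something you can audit. The script below is an added example (not from the question's author): it walks security groups in the shape returned by boto3's `describe_security_groups()` and flags ingress rules whose source is a CIDR block (including a whole-VPC range, which defeats per-area isolation) or a security group that is not an expected caller of that area. The group ids `sg-web`, `sg-app`, `sg-db`, `sg-vpn`, the allowed-caller map and the sample groups are all constructed for illustration.

```python
"""Audit EC2 security-group ingress rules for sources that break area isolation.

The sample below is constructed in the shape of boto3
ec2.describe_security_groups()['SecurityGroups']; it runs offline.
"""

# Hypothetical areas: each area's SG should accept traffic only from the SGs
# of areas that legitimately call its API, plus the VPN SG for developer SSH.
ALLOWED_SOURCES = {
    "sg-web": {"sg-vpn"},
    "sg-app": {"sg-web", "sg-vpn"},
    "sg-db": {"sg-app", "sg-vpn"},
}

SAMPLE_GROUPS = [  # constructed sample, not real AWS output
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-vpn"}]}]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        # Whole-VPC CIDR: every area, compromised or not, can reach the DB.
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []}]},
]


def audit(groups, allowed=ALLOWED_SOURCES, public_ok=frozenset({("sg-web", 443)})):
    """Return (group_id, port, reason) findings for over-broad ingress rules.

    A CIDR source is flagged unless that (group, port) is explicitly meant to
    be public; an SG source is flagged unless it is an allowed caller.
    """
    findings = []
    for g in groups:
        gid = g["GroupId"]
        for perm in g["IpPermissions"]:
            port = perm.get("FromPort")  # None for protocol "-1" (all traffic)
            for r in perm.get("IpRanges", []):
                if (gid, port) not in public_ok:
                    findings.append((gid, port, f"cidr {r['CidrIp']}"))
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] not in allowed.get(gid, set()):
                    findings.append((gid, port, f"sg {pair['GroupId']}"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUPS):
        print("over-broad ingress:", finding)
```

Against real data, replace `SAMPLE_GROUPS` with the output of `describe_security_groups()` and maintain `ALLOWED_SOURCES` alongside your architecture so the audit encodes the intended area-to-area access.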
