---
title: "CTP Topic 31 Network Segregation and Secure Access to the New AWS Landing Zones"
type: source
tags:
  - AWS
  - Network-Security
  - Landing-Zone
  - CTP
date: 2026-04-14
---

## Source File

- [[raw/Cloud & DevOps/Public-Cloud-Learning-Sessions/08_Networking/ctp-topic-31-network-segregation-and-secure-access-to-the-new-aws-landing-zones.md]]

## Summary

- Core topic: network segregation and secure access for the AWS Landing Zones
- Problem domain: internal systems (on-prem and VPN users) can reach production workloads directly, a security and compliance problem
- Method/mechanism: network segregation (server-to-server communication controlled by the Checkpoint firewall) plus secure access (AWS Systems Manager (SSM) in place of the VPN)
- Conclusion/value: closes an urgent security risk; an interim solution until SD-WAN is implemented

## Key Claims

- Internal systems and VPN users can reach the AWS production environment because of shared network configuration, which is a security and compliance risk
- Network segregation enables the SPI (Stateful Packet Inspection) feature on Checkpoint: default deny, permitting only the required services and network segments
- SSM provides remote access through a browser session or the AWS CLI; users assume a role to obtain SSM agent access to the target EC2 instance
- The SSM approach is low-cost and quick to deploy, but the long-term goal is infrastructure as code (IaC) to reduce console access

## Key Quotes

> "The primary driver for this initiative is to address security concerns related to internal systems accessing production workloads in the new AWS landing zones."

> "Secure access will be facilitated through AWS Systems Manager (SSM), which provides remote access via a browser-based session or AWS CLI, eliminating the need for VPN."

> "The long-term goal is to move towards infrastructure as code to minimize console access and enhance security, with break-glass access reserved for emergencies."
## Key Concepts

- [[Network-Segregation]]: server-to-server communication is controlled through the Checkpoint firewall, blocking direct access from the internal network to the AWS network segments
- [[SPI-Features]]: Stateful Packet Inspection, enabled with default deny; only the required services and network segments are permitted
- [[SSM-Access]]: secure remote access through AWS Systems Manager, replacing the traditional VPN
- [[AWS-Landing-Zone]]: AWS multi-account infrastructure framework for secure, compliant deployments
- [[Zero-Trust-Access]]: zero-trust access model, implemented through role assumption and two-factor authentication
- [[Break-Glass-Access]]: emergency access, used only in emergencies; the priority is IaC to reduce the need for it

## Key Entities

- [[AWS]]: cloud platform providing SSM, VPC and other services
- [[Checkpoint-Firewall]]: virtual firewall in the cloud environment, used for network segregation

## Connections

- [[CTP-Topic-35-AWS-Landing-Zone-Design-Refresher]] ← related_to ← [[CTP-Topic-31-Network-Segregation]]
- [[CTP-Topic-18-Wide-Area-Networking-in-AWS-Cloud]] ← extends ← [[CTP-Topic-31-Network-Segregation]]
- [[Gruntwork-Landing-Zone]] ← implements ← [[AWS-Landing-Zone]]

## Contradictions

- (none yet)
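As an added example (not part of the original session notes), a small Python audit of security-group inbound rules that flags the direct-access paths the segregation and SSM approach are meant to close: SSH/RDP or all-traffic rules reachable from the on-prem/VPN ranges. The sample groups, in the shape of `aws ec2 describe-security-groups` output, and the internal CIDRs are constructed placeholders; with SSM Session Manager the agent connects outbound, so no such inbound rule is needed.

```python
import ipaddress

# Assumed on-prem / VPN address space (placeholder values, not from the notes).
INTERNAL_RANGES = ["10.0.0.0/8", "172.16.0.0/12"]
# Interactive-login ports that SSM makes unnecessary to expose.
INTERACTIVE_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-aaa111", "GroupName": "prod-app",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},          # SSH from on-prem
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},           # public HTTPS, fine
    {"GroupId": "sg-bbb222", "GroupName": "prod-db",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "172.20.1.0/24"}]}]},  # all traffic
    {"GroupId": "sg-ccc333", "GroupName": "prod-ssm-only",
     "IpPermissions": []},                                     # SSM needs no inbound rule
]


def _overlaps_internal(cidr):
    """True if the rule's source range can include an internal (on-prem/VPN) host."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.overlaps(ipaddress.ip_network(r)) for r in INTERNAL_RANGES)


def _interactive_ports(rule):
    """Interactive ports an inbound rule opens; '-1' means all protocols and ports."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return set(INTERACTIVE_PORTS)
    if proto not in ("tcp", "6"):
        return set()
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return {p for p in INTERACTIVE_PORTS if lo <= p <= hi}


def find_direct_access_rules(groups):
    """Return (group_id, service, source_cidr) for every inbound rule that still
    lets the internal network reach an instance directly instead of via SSM."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            ports = _interactive_ports(rule)
            for src in rule.get("IpRanges", []):
                if ports and _overlaps_internal(src["CidrIp"]):
                    for p in sorted(ports):
                        findings.append((sg["GroupId"], INTERACTIVE_PORTS[p], src["CidrIp"]))
    return findings
```

Every finding is a rule that should become unnecessary once sessions go through SSM and the Checkpoint default-deny policy is in place.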