| title | type | source-type | category | tags | date-added | video-source | audio-source | status |
|---|---|---|---|---|---|---|---|---|
| CTP Topic 31 Network segregation and secure access to the new AWS landing zones | cloud-learning | video | DevOps & SRE/08_Networking | | 2026-04-14 | nas:///volume2/work/Public Cloud Learning Sessions/CTP _ Topic 31_ Network segregation and secure access to the new AWS landing zones.mp4 | | summarized (Gemini summary) |
CTP Topic 31 Network segregation and secure access to the new AWS landing zones
Source: NAS /volume2/work/Public Cloud Learning Sessions/CTP _ Topic 31_ Network segregation and secure access to the new AWS landing zones.mp4
Type: VIDEO | Category: 08_Networking
Status: 🟡 Awaiting Whisper transcription → Summary
Summary
Network Segregation and Secure Access to AWS Landing Zones
The primary driver for this initiative is to address security concerns related to internal systems accessing production workloads in the new AWS landing zones. Currently, on-prem systems and VPN users have access due to shared network configurations, raising security and compliance issues. The goal is to segregate network access while maintaining necessary access for run teams.
The proposed solution has two parts: network segregation and secure access. Network segregation will be implemented using checkpoints to control server-to-server communications and to block direct access from internal networks to the AWS segments. The SPI features will be enabled with default deny, with allowances made for required services and network segments into the landing zones. Secure access will be provided through AWS Systems Manager (SSM), which offers remote access via a browser-based session or the AWS CLI, eliminating the need for a VPN.
Authenticated users will assume roles granting access to the SSM agent on the target EC2 instance, leveraging existing access controls. This approach offers enhanced security through two-factor authentication and a connection that stays within the AWS network. While this solution is considered temporary, or a backup until SD-WAN is implemented, it offers cost and speed advantages by removing reliance on third-party management. The implementation is in progress, with testing planned to address the urgent security risks associated with production workloads in the AWS landing zones.
Concerns were raised about the SSM agent's presence in all AWS-derived AMIs, with some suggesting it may need explicit installation on certain systems. The long-term goal is to move towards infrastructure as code to minimize console access and enhance security, with break-glass access reserved for emergencies. The current solution doesn't address credential theft but isolates the network. A question was raised about how users with multiple accounts for different roles can use SSM, as the current setup is designed for individual accounts. This edge case will be examined further.
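As an added example that is not from the session or the team's own configuration: an IAM policy attached to the role users assume, limiting `ssm:StartSession` to instances tagged as landing-zone hosts and requiring MFA on the calling session. The tag key and value (`LandingZone` / `prod`), region and account id are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartSessionOnlyOnTaggedLandingZoneInstancesWithMfa",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:eu-west-1:111122223333:instance/*",
      "Condition": {
        "StringEquals": { "ssm:resourceTag/LandingZone": "prod" },
        "Bool": { "aws:MultiFactorAuthPresent": "true" }
      }
    },
    {
      "Sid": "OnlyTheStandardShellSessionDocument",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ssm:eu-west-1:111122223333:document/SSM-SessionManagerRunShell"
    },
    {
      "Sid": "ResumeOrEndSessions",
      "Effect": "Allow",
      "Action": ["ssm:ResumeSession", "ssm:TerminateSession"],
      "Resource": "arn:aws:ssm:eu-west-1:111122223333:session/*"
    },
    {
      "Sid": "ReadOnlyForConsoleAndCliListing",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeSessions",
        "ssm:GetConnectionStatus",
        "ssm:DescribeInstanceInformation",
        "ec2:DescribeInstances"
      ],
      "Resource": "*"
    }
  ]
}
```

For roles reached through a federated identity provider the `aws:MultiFactorAuthPresent` key may be absent, so the MFA step is then enforced at the IdP rather than in this condition. The target instance also needs an instance profile that lets the SSM agent register, and an agent actually running, which is the AMI concern raised above.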
Key concepts
Action items
Related videos
Paired video note link (fill in after generation)
Last updated: 2026-04-14