ishenwei/nexus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fc0dde291fa7c19f90564e88e6a04ed4c26b5ba6
nexus/wiki/sources/ctp-topic-31-network-segregation-secure-access-aws-landing-zones.md
weishen a1636ec67a Auto-sync: 2026-04-19 06:32
2026-04-19 06:32:15 +08:00

52 lines
2.8 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
---
title: "CTP Topic 31 Network Segregation and Secure Access to the New AWS Landing Zones"
type: source
tags:
- AWS
- Network-Security
- Landing-Zone
- CTP
date: 2026-04-14
---
## Source File
- [[raw/Cloud & DevOps/Public-Cloud-Learning-Sessions/08_Networking/ctp-topic-31-network-segregation-and-secure-access-to-the-new-aws-landing-zones.md]]
## Summary
- 核心主题AWS Landing Zone 网络隔离与安全访问解决方案
- 问题域内部系统on-prem 和 VPN 用户)可直接访问生产环境 workloads 的安全合规问题
- 方法/机制:网络隔离(通过 Checkpoint 防火墙控制服务器间通信)+ 安全访问(通过 AWS Systems Manager (SSM) 替代 VPN
- 结论/价值:解决紧急安全风险,提供临时方案直到 SD-WAN 实施
## Key Claims
- 内部系统和 VPN 用户由于共享网络配置可访问 AWS 生产环境,存在安全合规风险
- 网络隔离通过 Checkpoint 启用 SPIStateful Packet Inspection功能默认拒绝仅允许必需服务和网络段
- SSM 通过浏览器会话或 AWS CLI 提供远程访问,用户通过扮演角色获得目标 EC2 实例的 SSM agent 访问权限
- SSM 方案成本低、部署快但长期目标是基础设施即代码IaC以减少控制台访问
## Key Quotes
> "The primary driver for this initiative is to address security concerns related to internal systems accessing production workloads in the new AWS landing zones."
> "Secure access will be facilitated through AWS Systems Manager (SSM), which provides remote access via a browser-based session or AWS CLI, eliminating the need for VPN."
> "The long-term goal is to move towards infrastructure as code to minimize console access and enhance security, with break-glass access reserved for emergencies."
## Key Concepts
- [[Network-Segregation]]:通过 Checkpoint 防火墙控制服务器间通信,阻断内部网络直接访问 AWS 网段
- [[SPI-Features]]Stateful Packet Inspection启用默认拒绝仅允许必需服务和网络段
- [[SSM-Access]]:通过 AWS Systems Manager 实现安全的远程访问,替代传统 VPN
- [[AWS-Landing-Zone]]AWS 多账号基础架构框架,用于安全合规部署
- [[Zero-Trust-Access]]:零信任访问模式,通过角色扮演和双因素认证实现安全访问
- [[Break-Glass-Access]]:紧急访问,仅在紧急情况下使用,优先目标是 IaC 减少此类需求
## Key Entities
- [[AWS]]:云平台,提供 SSM、VPC 等服务
- [[Checkpoint-Firewall]]:云环境虚拟防火墙,用于网络隔离
## Connections
- [[CTP-Topic-35-AWS-Landing-Zone-Design-Refresher]] ← related_to ← [[CTP-Topic-31-Network-Segregation]]
- [[CTP-Topic-18-Wide-Area-Networking-in-AWS-Cloud]] ← extends ← [[CTP-Topic-31-Network-Segregation]]
- [[Gruntwork-Landing-Zone]] ← implements ← [[AWS-Landing-Zone]]
## Contradictions
- (暂无)
Reference in New Issue View Git Blame Copy Permalink