Every user action can and should be tracked. On cloud platforms like AWS, user actions and service events pass through the platform's management interfaces, whether the web console or the API, which means that most things that happen in your cloud environment can be logged.

The transparency provided by comprehensive logging is one of the cloud's most consequential security and compliance benefits. Logs give you a record of who did what, from where, and when, so that you can track access, reconstruct user actions, and identify errors and misuse. Businesses that use AWS must also understand how to use the platform's tools to achieve the visibility they need to improve security, compliance, and governance through logging. AWS CloudTrail is one of the foremost logging tools offered today to help you achieve that visibility.

What Is AWS CloudTrail?

AWS CloudTrail is a logging service that records account activity across your AWS environment. When a user, role, or AWS service carries out an action, it is recorded as a CloudTrail event. You can view recent events in the CloudTrail console's Event history, which by default shows the last 90 days of management events for the region you are viewing; without a trail, nothing older than that is retained.

AWS CloudTrail Best Practices

As with all AWS services, users must configure AWS CloudTrail correctly to benefit from its security, governance, and compliance capabilities. The best practice tips below will help you get the most out of AWS CloudTrail.

Create a Trail

While CloudTrail provides some useful logging capabilities out of the box, creating a trail makes the service far more capable, comprehensive, and configurable. A trail specifies which events are recorded and where they are delivered: CloudTrail writes them as compressed JSON log files to an Amazon S3 bucket that you specify. Each event is a JSON object with fields such as the time at which the event occurred (eventTime), who made the request (userIdentity), the source IP address, the API that was called (eventName), the resources that were affected, and more.

This is particularly important for companies that require a permanent, long-term record of cloud activity for compliance purposes. Without a trail, events older than 90 days are no longer available.

Enable CloudTrail in All Regions

Unless a trail is intended to focus exclusively on a specific region, create it as a multi-region trail so that CloudTrail records management events from every region, including regions you do not actively use. Enabling CloudTrail for all regions maximizes insight into activity in your AWS environment and ensures that issues don't go unnoticed because they occur in an unlogged region, which is precisely where someone using stolen credentials is least likely to be noticed.

Ensure CloudTrail Is Integrated With CloudWatch

CloudTrail is most useful when it is integrated with Amazon CloudWatch. While CloudTrail generates and stores comprehensive logs, they aren't actionable unless someone, or something, is looking at them. Configuring the trail to deliver events to a CloudWatch Logs log group lets you define metric filters that match events of interest and CloudWatch alarms that notify you or trigger automation when they occur, and it makes the logs searchable and graphable without downloading anything from S3.
</gre_replace>

<gr_insert after="25" cat="add_content" lang="python" orig="CloudTrail is most useful">
The detection logic that such an integration automates, written out as an added example (this is not code from the original article or from AWS): the script reads a constructed CloudTrail log file in the shape CloudTrail delivers to S3 and flags three things a practitioner almost always alarms on, changes to the trail itself, any use of the root user, and access-denied errors. The account ID, ARNs, IP addresses and key IDs are fictitious placeholders. The comment above TRAIL_CHANGE_EVENTS gives the equivalent CloudWatch Logs metric filter pattern for the first check.

```python
"""Flag security-relevant events in a CloudTrail log file.

Added example; it is not code from the original article or from AWS. The
log file below is constructed to mirror the shape CloudTrail delivers
(a JSON object with a "Records" array); the account ID, ARNs, IPs and key
IDs are fictitious placeholders.
"""
import json

SAMPLE_LOG_FILE = json.dumps({"Records": [
    {   # someone switched the trail off
        "eventTime": "2024-05-01T10:02:11Z",
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.9",
        "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                         "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
        "requestParameters": {"name": "org-trail"},
    },
    {   # root console sign-in without MFA
        "eventTime": "2024-05-01T10:05:40Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.4",
        "userIdentity": {"type": "Root",
                         "arn": "arn:aws:iam::111122223333:root"},
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # routine call by a role using temporary (ASIA...) credentials
        "eventTime": "2024-05-01T10:09:03Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "10.0.1.25",
        "userIdentity": {"type": "AssumedRole",
                         "accessKeyId": "ASIAEXAMPLETEMPKEY12"},
    },
]})

# Management events that alter the audit trail itself. The equivalent
# CloudWatch Logs metric filter pattern is:
#   { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) ||
#     ($.eventName = DeleteTrail) || ($.eventName = StartLogging) ||
#     ($.eventName = StopLogging) }
TRAIL_CHANGE_EVENTS = {"CreateTrail", "UpdateTrail", "DeleteTrail",
                       "StartLogging", "StopLogging", "PutEventSelectors"}


def flag_events(log_file_text):
    """Return (eventTime, eventName, reason) tuples for events worth an alert."""
    findings = []
    for rec in json.loads(log_file_text)["Records"]:
        when, name = rec.get("eventTime", ""), rec.get("eventName", "")
        identity = rec.get("userIdentity", {})

        # 1. Changes to CloudTrail configuration: an intruder's first move
        #    is often to stop the logging that would expose them.
        if (rec.get("eventSource") == "cloudtrail.amazonaws.com"
                and name in TRAIL_CHANGE_EVENTS):
            who = identity.get("userName", identity.get("arn", "?"))
            findings.append((when, name, "trail configuration changed by " + who))

        # 2. Any use of the root user, with an extra note when MFA was absent.
        if identity.get("type") == "Root":
            mfa = rec.get("additionalEventData", {}).get("MFAUsed")
            reason = "root account used"
            if mfa == "No":
                reason += " without MFA"
            findings.append((when, name, reason))

        # 3. Access denied errors: one is noise, a burst is reconnaissance.
        if rec.get("errorCode") in ("AccessDenied", "UnauthorizedOperation"):
            findings.append((when, name, "access denied for "
                             + identity.get("accessKeyId", "?")))
    return findings


if __name__ == "__main__":
    for finding in flag_events(SAMPLE_LOG_FILE):
        print(*finding)
```

Run against the sample, the script reports the StopLogging call and the root sign-in and stays silent on the routine S3 call. In CloudWatch you would express each of the three checks as a metric filter on the log group and attach an alarm with a threshold of 1 to the first two; for the access-denied check, a threshold over a few minutes separates a typo from a scan.
<test>
f = flag_events(SAMPLE_LOG_FILE)
assert len(f) == 2
assert f[0][1] == "StopLogging"
assert "deploy-bot" in f[0][2]
assert f[1][2] == "root account used without MFA"
</test>
</gr_insert>

<gr_replace lines="29" cat="clarify" orig="CloudTrail stores trails">
CloudTrail delivers trail log files to an S3 bucket. As we'll see in a moment, it's essential to control access to this bucket: its contents are a detailed record of who did what in your account, which is exactly what a malicious actor wants to read, and to alter. Writing an effective access policy for CloudTrail logs is easier if they are stored in a dedicated bucket used for nothing else, because every grant on that bucket then has a single, obvious justification.

Store CloudTrail Logs in a Dedicated S3 Bucket

CloudTrail stores trails in an S3 bucket. As we’ll see in a moment, it’s essential to control access to this bucket because it contains information that could be useful to a malicious actor. Implementing an effective access policy for CloudTrail logs is easier if they are stored in a dedicated bucket used only for that purpose. 

Enable Logging on the CloudTrail S3 Bucket

Amazon S3's server access logs record requests made to a bucket, helping administrators understand who has accessed the CloudTrail logs themselves, information that may be useful during compliance audits, risk assessments, and security incident analysis. We recommend configuring the CloudTrail S3 bucket to generate server access logs and store them in a different bucket, which must be locked down just as carefully; pointing a bucket's access logging at itself produces an ever-growing loop of log entries about log writes.

Configure Least Privileged Access to CloudTrail Logs

As we have discussed in previous articles on AWS security, S3 buckets are often misconfigured so that their contents are publicly accessible. Exposing log data in this way hands an attacker a map of your account: its users, roles, resources, and activity. The bucket that stores CloudTrail logs must not be publicly accessible: enable S3 Block Public Access on it and keep the bucket policy limited to the CloudTrail service principal. Only AWS account identities with a well-defined reason to read logs should be granted access, through IAM rather than through the bucket policy, and those permissions should be reviewed regularly.
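What a least-privilege policy on the log bucket looks like, and a small check that catches the two mistakes the paragraph warns about, as an added example (not code from the original article or from AWS). The account ID, bucket name and trail name are fictitious placeholders. The "good" policy is the standard shape CloudTrail needs: the service principal may check the bucket ACL and write under its own prefix, both grants pinned to one trail by aws:SourceArn, and nobody else is mentioned. The "bad" copy adds a world-readable statement and drops the trail restriction.

```python
"""Lint a CloudTrail log bucket policy for public access and for
CloudTrail delivery grants that are broader than they need to be.

Added example, not code from the original article or from AWS. The
account ID, bucket name and trail name are fictitious placeholders.
"""
import copy
import json

ACCOUNT = "111122223333"
BUCKET = "example-cloudtrail-logs"
TRAIL_ARN = f"arn:aws:cloudtrail:us-east-1:{ACCOUNT}:trail/org-trail"

# Only the CloudTrail service principal appears, each grant is pinned to
# one trail with aws:SourceArn, and PutObject must carry the
# bucket-owner-full-control ACL. People read logs via IAM, not via this policy.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailAclCheck",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:GetBucketAcl",
            "Resource": f"arn:aws:s3:::{BUCKET}",
            "Condition": {"StringEquals": {"aws:SourceArn": TRAIL_ARN}},
        },
        {
            "Sid": "AWSCloudTrailWrite",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/AWSLogs/{ACCOUNT}/*",
            "Condition": {"StringEquals": {
                "s3:x-amz-acl": "bucket-owner-full-control",
                "aws:SourceArn": TRAIL_ARN,
            }},
        },
    ],
}

# The misconfigurations the section warns about: a world-readable grant,
# and a CloudTrail grant with the trail restriction dropped.
BAD_POLICY = copy.deepcopy(GOOD_POLICY)
BAD_POLICY["Statement"].append({
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
})
del BAD_POLICY["Statement"][1]["Condition"]["StringEquals"]["aws:SourceArn"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_public(principal):
    """Principal "*" or {"AWS": "*"} means anyone on the internet."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def lint_cloudtrail_bucket_policy(policy):
    """Return human-readable findings; an empty list means nothing to fix."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        actions = _as_list(stmt.get("Action", []))

        if _is_public(principal) and not stmt.get("Condition"):
            findings.append(f"{sid}: grants {actions} to everyone")

        if isinstance(principal, dict) and principal.get("Service") == "cloudtrail.amazonaws.com":
            # Condition keys are case-insensitive (AWS docs write AWS:SourceArn).
            equals = {k.lower(): v for k, v in
                      stmt.get("Condition", {}).get("StringEquals", {}).items()}
            if "aws:sourcearn" not in equals:
                findings.append(f"{sid}: CloudTrail grant is not pinned to a trail via aws:SourceArn")
            if "s3:PutObject" in actions and equals.get("s3:x-amz-acl") != "bucket-owner-full-control":
                findings.append(f"{sid}: PutObject allowed without bucket-owner-full-control ACL")
    return findings


if __name__ == "__main__":
    print(json.dumps(GOOD_POLICY, indent=2))
    for finding in lint_cloudtrail_bucket_policy(BAD_POLICY):
        print("FINDING:", finding)
```

The bucket policy is only half of the control: a public ACL on an individual object or a later policy edit can reopen the bucket, which is why S3 Block Public Access should be switched on at the bucket (or account) level as well. The aws:SourceArn condition matters because cloudtrail.amazonaws.com is the same principal for every AWS customer; without it, a trail in someone else's account could be pointed at your bucket.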

Encrypt CloudTrail Logs With KMS CMKs

CloudTrail log files are encrypted by default with S3-managed encryption keys (SSE-S3). To gain greater control over log security, you can instead encrypt them with a customer managed key (CMK, originally "customer master key") in AWS Key Management Service (KMS).

There are several benefits to using a CMK instead of S3's default server-side encryption. The key is under your control, so you can rotate it, restrict who may use it through its key policy, and disable it. Additionally, every use of the key is itself logged by CloudTrail as a KMS event, providing a record of who decrypted log files and when. Readers of the logs then need kms:Decrypt permission on the key as well as s3:GetObject on the bucket, which gives you a second, independent gate on access to the logs.

Use CloudTrail Log File Integrity Validation

AWS CloudTrail logs play an essential role in the security and compliance of your AWS environment. As such, you must be able to determine whether log files are intact. If a bad actor gains access to AWS resources, they may delete or edit logs to obscure their presence. CloudTrail log file validation addresses this: when it is enabled, CloudTrail writes an hourly digest file listing every log file delivered in that hour together with its SHA-256 hash, and signs the digest with a CloudTrail private key. Each digest also references the previous digest's signature, so the digests form a chain. You can check the chain with the aws cloudtrail validate-logs command, which reports any log or digest file that has been modified, deleted, or is missing. Enable validation on the trail from the start; files delivered before it was switched on are not covered.
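The core of that check, re-computing each delivered log file's hash and comparing it with the digest, as an added example (not code from the original article or from AWS). The log objects and digest below are constructed to mirror the documented layout; the example assumes, as the digest file format specifies, that each hashValue is the hex SHA-256 of the uncompressed log file content. A real digest is additionally signed (the signature is stored in the digest object's S3 metadata) and chained to the previous digest; verifying those is what aws cloudtrail validate-logs does and this example does not.

```python
"""Verify delivered CloudTrail log files against a digest file's hashes.

Added example, not code from the original article or from AWS. The log
objects and the digest below are constructed to mirror the documented
layout; it assumes, as the digest file format specifies, that each
hashValue is the hex SHA-256 of the uncompressed log file content. A real
digest is additionally signed (the signature lives in the S3 object's
metadata) and references the previous digest's signature; checking those
is what "aws cloudtrail validate-logs" does and this example does not.
"""
import gzip
import hashlib
import json

ACCOUNT = "111122223333"
BUCKET = "example-cloudtrail-logs"
PREFIX = f"AWSLogs/{ACCOUNT}/CloudTrail/us-east-1/2024/05/01/"


def _log_object(records):
    """A log file as CloudTrail delivers it: gzipped JSON with a Records array."""
    return gzip.compress(json.dumps({"Records": records}).encode())


# Constructed S3 contents: key -> object bytes.
ORIGINAL_OBJECTS = {
    PREFIX + f"{ACCOUNT}_CloudTrail_us-east-1_20240501T1000Z_aaaa.json.gz":
        _log_object([{"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"}}]),
    PREFIX + f"{ACCOUNT}_CloudTrail_us-east-1_20240501T1005Z_bbbb.json.gz":
        _log_object([{"eventName": "StopLogging"}]),
}


def _sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_digest(objects):
    """Constructed digest in the documented shape (CloudTrail writes real ones)."""
    return {
        "awsAccountId": ACCOUNT,
        "digestStartTime": "2024-05-01T10:00:00Z",
        "digestEndTime": "2024-05-01T11:00:00Z",
        "digestS3Bucket": BUCKET,
        "digestSignatureAlgorithm": "SHA256withRSA",
        "logFiles": [
            {"s3Bucket": BUCKET, "s3Object": key,
             "hashAlgorithm": "SHA-256",
             "hashValue": _sha256_hex(gzip.decompress(body))}
            for key, body in objects.items()
        ],
    }


def verify_log_files(digest, objects):
    """Map each log file named in the digest to 'valid', 'modified' or 'missing'."""
    results = {}
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        body = objects.get(key)
        if body is None:
            results[key] = "missing"
            continue
        actual = _sha256_hex(gzip.decompress(body))
        results[key] = "valid" if actual == entry["hashValue"].lower() else "modified"
    return results


def demo():
    """Honest files verify; a rewritten file and a deleted file are caught."""
    digest = build_digest(ORIGINAL_OBJECTS)
    clean = verify_log_files(digest, ORIGINAL_OBJECTS)

    keys = list(ORIGINAL_OBJECTS)
    tampered = dict(ORIGINAL_OBJECTS)
    # Intruder scrubs the root login from the first file and deletes the second.
    tampered[keys[0]] = _log_object([])
    del tampered[keys[1]]
    return clean, verify_log_files(digest, tampered)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The digest only protects files it lists, so an attacker who can also delete the digest files (or rewrite them) defeats this check; that is why the digests are signed by CloudTrail, chained, and why the bucket policy and S3 Object Lock matter as much as validation itself.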

Define a Retention Policy for Logs Stored in S3

Log files that CloudTrail delivers to S3 remain there until you delete them, which may be the right approach for your business. However, if you have different compliance or administrative requirements, you can set a retention policy using S3 lifecycle rules. Lifecycle rules can transition log files to a cheaper storage class such as S3 Glacier after a set period, or automatically delete them once they exceed the required retention period. If a regulation requires that logs cannot be altered or removed during that period, consider enabling S3 Object Lock on the bucket as well, so that neither an administrator nor an attacker with administrator credentials can shorten the record.

AWS Cloudtrail FAQs

What are Some Common Mistakes to Avoid When Setting Up CloudTrail?

When setting up CloudTrail, there are some common mistakes that reduce its effectiveness. One common mistake is not creating the trail as a multi-region trail. It is important to log every region, including the ones you don't think you use, to ensure comprehensive coverage of API activity.

Another mistake is not regularly reviewing and analyzing CloudTrail logs. It is essential to regularly monitor the logs to detect any suspicious activity or unauthorized access.

Additionally, not setting up proper permissions and access controls for CloudTrail can lead to security vulnerabilities. It is crucial to restrict access to CloudTrail logs to only authorized personnel.

Lastly, not integrating CloudTrail logs with other security tools and services can limit its effectiveness in threat detection and incident response. By integrating CloudTrail with other tools, organizations can enhance their overall security posture.

By avoiding these common mistakes, organizations can maximize the benefits of CloudTrail in enhancing security and compliance within their AWS environments.

What Functionality Does CloudTrail Processing Library Provide?

The CloudTrail Processing Library is a Java library that simplifies building applications that consume CloudTrail logs. It handles polling the Amazon SQS queue that receives CloudTrail's delivery notifications, parsing those messages, downloading the referenced log files from S3, and handing the individual events to your code, with built-in fault tolerance and retries.

For a deeper understanding of its capabilities and detailed usage instructions, readers are encouraged to refer to the user guide segment within the CloudTrail documentation.

How Can I Optimize My CloudTrail Setup for Cost Efficiency?

One way to optimize your CloudTrail setup for cost efficiency is to configure data events carefully. The first copy of management events in each region is delivered free of charge, but data events (object-level S3 operations, Lambda invocations, and similar) are billed per event and can be very high volume, so enable them only for the resources that genuinely need them, using event selectors. Log file validation is an integrity control, not a cost control: it does not filter what is delivered and has no effect on charges.

CloudTrail Insights, which analyzes management events to flag unusual API call volumes and error rates, is a separately billed feature rather than a saving on CloudTrail itself. Its value is earlier detection of abnormal activity, which can limit the cost of a security incident, so weigh its price against that benefit rather than counting it as a cost optimization.

For management events, keep multi-region logging on: it is cheap, and an unlogged region is a blind spot, as discussed above. Cost scoping belongs with data events, which you can limit to specific buckets, functions, or tables using advanced event selectors rather than logging every object operation in the account.

By implementing these cost optimization strategies, you can effectively manage your CloudTrail expenses while still maintaining a high level of security and compliance in your AWS environment.

How Does CloudTrail Help with Security and Compliance?

CloudTrail helps with security and compliance by providing a detailed history of API calls made within an AWS account. This audit trail can be used to track changes, investigate security incidents, and ensure compliance with regulations and internal policies. By monitoring and logging all API activity, CloudTrail helps organizations identify unauthorized access, detect unusual behavior, and maintain a secure environment.

Additionally, CloudTrail logs can be integrated with other security tools and services to enhance threat detection and incident response capabilities. Overall, CloudTrail plays a crucial role in enhancing the security posture of AWS environments and facilitating compliance with industry standards.

Are Your Business's AWS CloudTrail Logs Secure and Compliant?

As a licensed CPA firm specializing in information security auditing and consulting, KirkpatrickPrice can help your business verify its cloud configurations, including CloudTrail configurations, through the following services: 

  • AWS Security Scanner: an automated cloud security tool that performs over 50 checks on your AWS environment, including controls related to AWS CloudTrail security.
  • Cloud security assessments: expert assessments to verify your cloud environment is configured securely. 
  • Cloud security audits: Comprehensive cloud audits that test your AWS, GCP, or Azure environment against a framework based on the Center for Internet Security (CIS) benchmarks. 

Contact a cloud security specialist to learn more about how KirkpatrickPrice can help your business to enhance and verify the security, privacy, and compliance of its cloud infrastructure.

Information security in the cloud depends on properly managing secrets, including AWS access keys. Authorized users and code must authenticate to use cloud resources. Authentication relies on secrets, and a secret that is copied widely, above all by embedding it in application code, stops being secret.

Embedding AWS access keys in code seems an efficient solution when, for example, your code needs to interact with the S3 API to store data in a bucket. However, it exposes the keys to anyone who sees the code.

AWS keys are often exposed in this way when code is pushed to version control services like GitHub; keys committed to public repositories are routinely harvested by automated scanners. However, publicly exposed code isn't the only risk with embedded access keys. Anyone inside the company with access to the code can view credentials they may not be authorized to use, undermining authentication and access control strategies.

Like giving out copies of your house key or leaving a spare under the mat, using AWS access keys in your code might seem handy, but it’s risky. If your code gets shared online, it’s like telling everyone where that spare key is. And even at work, not everyone should have a key to every door.

Below, we explore secure alternatives to embedding AWS access keys and other secrets in code.

What is an AWS Access Key?

Access keys are AWS's long-term credential for programmatic access. An AWS access key consists of an access key ID (which begins with AKIA) and a secret access key; together they sign requests to AWS APIs, allowing code to interact with AWS services through the AWS CLI and SDKs.

AWS access keys are associated with users in the AWS Identity and Access Management (IAM) platform. Because they are the programmatic equivalent of a username and password, they should be protected with the same diligence. Just as you wouldn’t embed your password in code, you should not embed your access key. 
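Because the two parts have a fixed shape, embedded keys are easy to catch before they leave a developer's machine. Below is an added example of the check a pre-commit hook would run; it is not code from the original article or from AWS. The sample source is constructed, and the key ID and secret in it are the placeholder values used throughout AWS documentation, not live credentials.

```python
"""Find AWS access keys embedded in source text, as a pre-commit check would.

Added example, not code from the original article or from AWS. The sample
file is constructed; the key ID and secret in it are the placeholder
values used throughout AWS documentation, not live credentials.
"""
import re

# Access key IDs are 20 characters: AKIA (long-term IAM user key) or ASIA
# (temporary STS key) followed by 16 upper-case alphanumerics.
KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 characters from the base64 alphabet. A 40-char
# git SHA-1 matches this too, so a candidate is only reported when it sits
# within a few lines of a key ID or on a line that mentions "secret".
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
PROXIMITY_LINES = 3

SAMPLE_SOURCE = '''import boto3
# credentials pasted straight into the code: this is what we are hunting
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
s3 = boto3.client("s3", aws_access_key_id=ACCESS_KEY,
                  aws_secret_access_key=SECRET_KEY)

# a 40-character git commit id: same shape as a secret, but far from any key id
LAST_BUILD = "3b18e512dba79e4c8300dd08aeb37f8e728b8dad"
'''


def find_embedded_keys(text):
    """Return (line_number, kind, value) for each credential-looking token."""
    lines = text.splitlines()
    findings = []
    key_lines = set()
    for lineno, line in enumerate(lines, 1):
        for m in KEY_ID_RE.finditer(line):
            findings.append((lineno, "access_key_id", m.group(0)))
            key_lines.add(lineno)
    for lineno, line in enumerate(lines, 1):
        near_key = any(abs(lineno - k) <= PROXIMITY_LINES for k in key_lines)
        if not (near_key or "secret" in line.lower()):
            continue
        for m in SECRET_RE.finditer(line):
            findings.append((lineno, "secret_access_key", m.group(0)))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, kind, value in find_embedded_keys(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}: {value[:4]}... ")
```

Wire this into a pre-commit hook (or a CI job that fails the build) and treat any hit as a leaked credential: rotate it, even if the commit never reached a remote, because the secret is already in the local history. The proximity rule is what keeps the secret pattern useful; a bare 40-character base64 match on its own fires on every git SHA and most signatures.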

How to Manage AWS Access Keys Securely

We’ll look at two ways to manage AWS access keys securely. The first is to avoid using them altogether, instead using temporary security credentials associated with AWS roles. The second takes advantage of AWS features to use access keys without exposing them needlessly.

Before discussing secure key management, a word of warning about the root user's access key: the AWS account root user has unrestricted access to every resource in the account, and its permissions cannot be limited by IAM policies. With the root user's key, a bad actor can shut down servers, delete data, create and destroy users, or call any other AWS API.

For this reason, you should not create access keys for the root user, and you should delete any root access keys already in use. In fact, it is good practice to avoid using the root account at all unless it's strictly necessary, as we discussed in 10 Top Tips For Better AWS Security Today.

IAM Roles vs. IAM Users

An IAM role is an AWS identity with a set of permissions for making requests to AWS resources, but, unlike an IAM user, a role is not associated with an individual and has no long-term credentials of its own. Users, applications, and AWS services can "assume" a role, which gives them temporary credentials carrying the role's permissions. Essentially, roles let AWS customers delegate permissions to other entities.

Roles have a couple of major advantages. First, a role can be attached to compute resources such as EC2 instances (through an instance profile), Lambda functions, and ECS tasks. The instance can then request resources in line with the role's permissions, and the SDK obtains and refreshes the credentials automatically, so there is no IAM user access key to embed in the code.

Second, roles produce temporary credentials. An IAM user's access key remains valid until it is deactivated or deleted, whereas a role's temporary credentials expire automatically after a configurable period (from 15 minutes up to 12 hours per session, depending on the role's settings), so a leaked set is useful to an attacker only briefly.

Secure Use of AWS Access Keys

In some cases, you may prefer to use an IAM user’s access key instead of an AWS role, but you should not embed credentials in the code. Instead, you can safely store the access key in a location your code can read.

One option is to supply the key through environment variables. AWS SDKs and the CLI automatically read AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (and AWS_SESSION_TOKEN for temporary credentials) from the process environment, so the code itself contains no credentials. Several Amazon services, such as ECS, can pull secrets from AWS Secrets Manager and inject them into the environment variables of containers and other resources at launch.

Another option is the shared AWS credentials file, ~/.aws/credentials on Linux and macOS (%USERPROFILE%\.aws\credentials on Windows). It is an INI-style text file holding one or more named profiles, each with an access key ID and secret. AWS SDKs and the AWS CLI look for this file and use the keys in it when making requests. Keep it readable only by its owner, and never commit it to a repository.

These methods—roles, environment variables, and credential files—are appropriate for different scenarios, but the critical point is this: embedding the AWS access key into your code is a bad idea.

How to Rotate AWS Access Keys

Rotation replaces an old key with a new key and retires the old key. AWS access keys are long-lasting credentials: if one is exposed, it can be used until the key is deactivated or deleted. Regular rotation limits how long a leaked key, including one you don't yet know has leaked, remains useful to a bad actor.

IAM allows a user to have two access keys at once precisely so that rotation can happen without interrupting software's access to resources. The preferred approach is to create a second key, update the software to use it, and then make the old key inactive.

Once you are satisfied that all software is using the new key, delete the original. Access key rotation can be carried out in the IAM console, the AWS CLI, or the AWS API, and IAM's credential report lists the age and last-used date of every key, so you can confirm nothing still depends on the old one before deleting it.
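The sequence above, as an added example written against the boto3 IAM client's method names (this is not code from the original article or from AWS). In production you would pass boto3.client("iam"); the FakeIam class here is a stand-in with the same method signatures so the order of operations, and the rollback when the new key never shows up in use, can be exercised offline. deploy_new_key and verify_new_key are hypothetical callbacks standing for whatever pushes credentials to your workloads and confirms they picked them up.

```python
"""Rotate an IAM user's access key in the safe order against any object
that exposes the boto3 IAM client methods used here.

Added example, not code from the original article or from AWS. In
production pass boto3.client("iam"); FakeIam below is a stand-in so the
sequence can be exercised offline. deploy_new_key and verify_new_key are
hypothetical callbacks: the first pushes the new key to wherever your
workloads read credentials, the second confirms they have picked it up.
"""

MAX_KEYS_PER_USER = 2  # IAM allows at most two access keys per user


def rotate_access_key(iam, user_name, deploy_new_key, verify_new_key):
    """Create, deploy, deactivate old, verify, delete old. Returns the new key ID."""
    current = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    if len(current) >= MAX_KEYS_PER_USER:
        raise RuntimeError(f"{user_name} already has {len(current)} keys; "
                           "remove an unused one before rotating")
    old_ids = [k["AccessKeyId"] for k in current]

    new = iam.create_access_key(UserName=user_name)["AccessKey"]
    deploy_new_key(new["AccessKeyId"], new["SecretAccessKey"])

    # Deactivate rather than delete first: an inactive key can be switched
    # back on if something still depends on it; a deleted one cannot.
    for key_id in old_ids:
        iam.update_access_key(UserName=user_name, AccessKeyId=key_id, Status="Inactive")

    if not verify_new_key(new["AccessKeyId"]):
        for key_id in old_ids:
            iam.update_access_key(UserName=user_name, AccessKeyId=key_id, Status="Active")
        iam.delete_access_key(UserName=user_name, AccessKeyId=new["AccessKeyId"])
        raise RuntimeError("workloads are not using the new key; rolled back")

    for key_id in old_ids:
        iam.delete_access_key(UserName=user_name, AccessKeyId=key_id)
    return new["AccessKeyId"]


class FakeIam:
    """Offline stand-in that accepts the same calls as boto3's IAM client."""

    def __init__(self, existing_key_ids):
        self.keys = {k: "Active" for k in existing_key_ids}
        self._count = 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": s}
                                      for k, s in self.keys.items()]}

    def create_access_key(self, UserName):
        self._count += 1
        key_id = f"AKIANEW{self._count:013d}"          # 20 chars like a real ID
        self.keys[key_id] = "Active"
        return {"AccessKey": {"AccessKeyId": key_id, "Status": "Active",
                              "SecretAccessKey": "constructed-secret-not-real"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]


def demo():
    """Happy path, then a rollback when the new key never shows up in use."""
    iam = FakeIam(["AKIAOLDKEY0000000001"])
    deployed = []
    new_id = rotate_access_key(iam, "deploy-bot",
                               lambda key_id, secret: deployed.append(key_id),
                               lambda key_id: key_id in deployed)

    iam2 = FakeIam(["AKIAOLDKEY0000000001"])
    try:
        rotate_access_key(iam2, "deploy-bot", lambda k, s: None, lambda k: False)
        rolled_back = False
    except RuntimeError:
        rolled_back = True
    return new_id, dict(iam.keys), rolled_back, dict(iam2.keys)


if __name__ == "__main__":
    print(demo())
```

In a real run, verify_new_key would check that the old key's last-used timestamp (from IAM's credential report or get_access_key_last_used) has stopped advancing and that the new one's has started, and you would leave the old key inactive for a grace period before the final delete rather than doing it in the same call.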

Mitigating Risk When AWS Access Keys are Exposed

While AWS users can prevent the exposure of AWS keys, what should they do if a key is exposed? First, make the key inactive (or delete it). Doing so will also stop any legitimate use, which could disrupt services, so for a key used by mission-critical software you may need to rotate to a new key first; but do not let that delay stretch out, because every minute the key stays active is a minute an attacker can use it.

The exposed key may already have been used, so you must also examine every resource the key grants access to. Depending on the user's permissions, the key may have allowed a bad actor to exfiltrate sensitive data, deploy malicious software, or create additional credentials that outlive the key you just disabled.

Finally, use AWS CloudTrail (searching Event history or the trail's log files for the exposed access key ID) and S3 server access logs to establish whether the key was used, from where, and what it touched, then take action to mitigate the resulting risks and close the gap that exposed it.
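The investigation step, as an added example (not code from the original article or from AWS): given the exposed key ID and the IP addresses it is supposed to be used from, summarise from CloudTrail records when the key was first and last seen, where the calls came from, what was attempted from unfamiliar addresses, what was denied, and which objects were read. The records are constructed; the key IDs are AWS documentation placeholders and the IP addresses are fictitious. Note that the GetObject call only appears because the constructed trail logs S3 data events; a management-events-only trail would show ListBuckets but not the object read.

```python
"""Reconstruct what an exposed access key did from CloudTrail records.

Added example, not code from the original article or from AWS. The
records are constructed; the key IDs are AWS documentation placeholders
and the IP addresses are fictitious. The GetObject record only exists
because the constructed trail logs S3 data events.
"""
from collections import Counter

EXPOSED_KEY = "AKIAIOSFODNN7EXAMPLE"
OTHER_KEY = "AKIAI44QH8DHBEXAMPLE"
KNOWN_CI_IPS = {"10.0.1.25"}  # where deploy-bot is supposed to run from


def _rec(time, source, name, ip, key, **extra):
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "sourceIPAddress": ip, "awsRegion": "us-east-1",
           "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                            "accessKeyId": key}}
    rec.update(extra)
    return rec


SAMPLE_RECORDS = [
    _rec("2024-05-01T09:58:02Z", "sts.amazonaws.com", "GetCallerIdentity", "203.0.113.9", EXPOSED_KEY),
    _rec("2024-05-01T09:58:30Z", "s3.amazonaws.com", "ListBuckets", "203.0.113.9", EXPOSED_KEY),
    _rec("2024-05-01T09:59:12Z", "s3.amazonaws.com", "GetObject", "203.0.113.9", EXPOSED_KEY,
         requestParameters={"bucketName": "customer-exports", "key": "2024/q1.csv"}),
    _rec("2024-05-01T10:00:45Z", "iam.amazonaws.com", "CreateUser", "203.0.113.9", EXPOSED_KEY,
         errorCode="AccessDenied"),
    _rec("2024-05-01T10:01:00Z", "s3.amazonaws.com", "PutObject", "10.0.1.25", EXPOSED_KEY,
         requestParameters={"bucketName": "build-artifacts", "key": "app.zip"}),
    _rec("2024-05-01T10:03:00Z", "ec2.amazonaws.com", "DescribeInstances", "10.0.1.25", OTHER_KEY),
]


def summarise_key_usage(records, key_id, known_ips):
    """Timeline and scope of use of key_id; None if the key never appears."""
    used = sorted((r for r in records
                   if r.get("userIdentity", {}).get("accessKeyId") == key_id),
                  key=lambda r: r["eventTime"])
    if not used:
        return None
    foreign = [r for r in used if r["sourceIPAddress"] not in known_ips]
    return {
        "first_seen": used[0]["eventTime"],
        "last_seen": used[-1]["eventTime"],
        "source_ips": Counter(r["sourceIPAddress"] for r in used),
        "events_from_unknown_ips": Counter(r["eventName"] for r in foreign),
        # Denied calls show what was attempted that the key could not do.
        "denied_from_unknown_ips": sum(1 for r in foreign if r.get("errorCode") == "AccessDenied"),
        # Successful reads of data: what must be treated as disclosed.
        "objects_read_from_unknown_ips": sorted(
            f'{r["requestParameters"]["bucketName"]}/{r["requestParameters"]["key"]}'
            for r in foreign if r["eventName"] == "GetObject" and "errorCode" not in r),
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(summarise_key_usage(SAMPLE_RECORDS, EXPOSED_KEY, KNOWN_CI_IPS))
```

On the sample, the summary shows the classic shape of a harvested key: GetCallerIdentity to learn what the key is, ListBuckets to enumerate, a data read, then a denied attempt at persistence (CreateUser). The objects_read list is the input to your disclosure assessment, and the denied calls tell you what the attacker would have done with broader permissions.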

Securely Storing other Secrets with AWS Secrets Manager

You may need to securely manage other secrets in addition to AWS access keys, including SSH keys, database credentials, and third-party API keys. AWS Secrets Manager provides a solution for storing, rotating, managing, and retrieving a wide variety of secrets. 

For example, to give an application access to a database, you would store database credentials encrypted in AWS Secrets Manager. The application can query Secrets Manager, which will decrypt and return the database credentials over an encrypted connection. Access to data stored in AWS Secrets Manager is controlled by IAM permissions policies for users, groups, and roles, providing fine-grained access control. 

Partner with an Expert to Strengthen Your Cloud Security

To learn more about AWS cloud security, visit KirkpatrickPrice’s AWS Security Services to find a wealth of cloud security and AWS audit educational content.

If you would like to discuss AWS audits with an experienced auditor, contact KirkpatrickPrice today.

Information security regulations and standards often require businesses to perform regular maintenance tasks to ensure compliance. For example, PCI DSS Requirement 6 says merchants must deploy critical patches within a month of release. Failure to complete these tasks on time risks non-compliance. 

Unfortunately, many security-related tasks are disruptive—updating a server operating system can take the server offline. Therefore, businesses prefer to carry out patching and other potentially disruptive activities during scheduled maintenance windows. These typically occur during low traffic periods or when redundant infrastructure is available.

AWS Systems Manager Maintenance Windows is a cloud service capability that helps businesses manage and automate maintenance windows. In this article, we'll explore what AWS Systems Manager Maintenance Windows is and how you can use it to automate compliance tasks.

What is AWS Systems Manager Maintenance Windows?

AWS Systems Manager Maintenance Windows is a capability of AWS Systems Manager, a cloud service that allows IT administrators to automate repetitive operations and management tasks.  We discussed Systems Manager in-depth in How to Get Started Using AWS Systems Manager, so in this article, we’ll focus exclusively on its Maintenance Windows capability. 

The Maintenance Windows capability schedules actions to be carried out at a specified time on a subset of your AWS resources. Targets are most often EC2 instances and other managed nodes, but through Automation, Lambda, and Step Functions tasks it can act on other services such as S3 and Amazon DynamoDB, and on anything that can be selected with AWS Resource Groups and Tag Editor.

Each maintenance window consists of:

  • A schedule that determines when to carry out tasks.
  • A maximum duration to limit the length of each maintenance window. 
  • Registered targets:  the cloud resources that actions will impact. 
  • Registered tasks: the actions the system will take within the scheduled period.

What Actions Does Maintenance Windows Support?

Maintenance Windows supports various task types that are part of other Systems Manager capabilities. These include:

  • Run Command for executing configuration commands and tasks on managed instances, including EC2 nodes and on-premises servers and VMs.
  • Workflows from AWS Systems Manager’s Automation capability. 
  • Serverless AWS Lambda functions.
  • AWS Step Function tasks. 

Together, these task types can schedule and automate a wide range of compliance activities, including application updating, OS patching, executing shell scripts, launching serverless functions that carry out further compliance tasks, altering node configurations, and much more. 

Setting Up an AWS Maintenance Window

Maintenance Windows is a powerful automation tool with many options. We can't cover all of its features here, but to give you an idea of what's involved, let's walk through a simple maintenance window setup that updates the SSM Agent installed on an EC2 instance.

Assuming you have already configured Systems Manager to work with your EC2 instance, as described in the Systems Manager documentation, the setup process is as follows:

  1. Navigate to AWS Systems Manager and select Maintenance Windows from the sidebar menu.
  2. Click "Create maintenance window." Provide a name and set up a schedule. Maintenance Windows provides a graphical schedule builder, but you can also enter a rate expression, such as rate(7 days), or a cron expression, such as cron(0 2 ? * SUN *) for 02:00 every Sunday, and choose the time zone the schedule runs in.
  3. Once the maintenance window is scheduled, select it from the list. You’ll be presented with a tabbed interface where you can register tasks and designate targets. 
  4. On the Tasks tab, select Register tasks and choose Register Run Command task from the dropdown menu. 
  5. Select AWS-UpdateSSMAgent from the Command Document section and choose your instance in the Targets section. 
  6. Click Register Run Command at the bottom of the page.

As you can see, setting up scheduled automations to take care of repetitive compliance tasks is straightforward. We've only scratched the surface of what you can do with Maintenance Windows, so be sure to check out the AWS Systems Manager User Guide for more information.

State Manager vs. Maintenance Windows

AWS Systems Manager also has a capability called State Manager. There is some cross-over in the functionality of State Manager and Maintenance Windows. Both can be used to automate some tasks. However, State Manager may be a better choice for compliance tasks where the goal is to maintain managed node configurations in a consistent state and for compliance reporting. Before choosing a compliance automation service, read Choosing between State Manager and Maintenance Windows. 

Learn About AWS Compliance with KirkpatrickPrice

To learn more about AWS compliance, visit our cloud security and compliance resources, which provide expert guidance for cloud audits, regulatory compliance, and information security, or connect with an expert today.

Everyday system management tasks, including OS and software patching, script execution, and service maintenance windows, are time-consuming and get in the way of efficient business operations. Failure to complete them can also lead to non-compliance with information security regulations and standards.

AWS Systems Manager is a cloud service that allows businesses to automate many everyday system management tasks. Automating these tasks is a great way to ensure your organization remains secure and compliant without consuming extra staff time.

Using AWS Systems Manager, businesses can:

  • Automate time-consuming compliance activities.
  • Improve control over and visibility of IT assets.
  • Reduce the cost of compliance.
  • Ensure that compliance tasks are completed on schedule.
  • Run tasks automatically in response to Amazon EventBridge (formerly CloudWatch Events) events and other triggers.

AWS Systems Manager can automate tasks on EC2, AWS's native cloud server hosting platform, as well as on servers hosted on other cloud platforms and in on-premises data centers, saving your organization time and helping you achieve your compliance goals. Let's discuss what AWS Systems Manager is, how it can help your organization, and how you can start using it today.

What Is the AWS Systems Manager?

AWS Systems Manager provides capabilities that can be configured to carry out actions on remote servers. Capabilities are divided into several categories, including:

  • Application management
  • Change management
  • Node management
  • Operations management

Each of these categories contains several capabilities. To focus on just one category, node management capabilities include Compliance, which scans nodes for configurations that drift from policy; Patch Manager, which automates security patching and updating; and Run Command, which lets users execute scripts and commands on managed nodes without logging in to them.

How Does AWS Systems Manager Work?

AWS Systems Manager is primarily an agent-based service. It depends on a software agent, the AWS Systems Manager Agent (SSM Agent), which runs on managed nodes, including EC2 instances, edge and IoT devices, and on-premises physical servers and virtual machines.

The user configures AWS Systems Manager capabilities via the web console, the AWS CLI, or the API. The service then communicates with the SSM Agent installed on each node, which carries out the intended action, whether that is applying OS patches, verifying configurations, or any other capability.

Once an action has been performed, AWS Systems Manager can send operations data to other AWS services for logging, monitoring, and alerting, including CloudWatch, S3, EventBridge, and CloudTrail.

As you can see, AWS Systems Manager can be a valuable compliance tool, allowing AWS users to schedule, automate, and enforce essential compliance tasks that might otherwise be missed. It gives businesses confidence that compliance actions are carried out in line with security and compliance policies, as well as helping them to identify potential compliance gaps and challenges.

Setting Up AWS Systems Manager for Your Cloud Environment

The set-up process for AWS Systems Manager differs depending on the capabilities you would like to use and the resources you would like to manage.  However, let’s take a high-level look at setting up AWS Systems Manager for EC2 instances.

  1. Create IAM users and groups for use with Systems Manager. Users and groups with the AmazonSSMFullAccess managed policy have complete access to Systems Manager capabilities, which is more than most operators need, so scope users, groups, and roles to the specific capabilities your organization uses. We strongly advise against using the AWS root user or members of an administrators group for routine Systems Manager work.
  2. Create an IAM instance profile to permit AWS Systems Manager to perform actions on your EC2 instances. 
  3. Attach the IAM instance profile to the EC2 instances you would like to manage.
  4. Verify that SSM Agent is installed on your EC2 instances. Many AWS-provided AMIs, including Amazon Linux, Ubuntu Server, and Windows Server images, ship with SSM Agent preinstalled; for other instances and for on-premises servers you may have to install it manually.
  5. Create a VPC endpoint for AWS Systems Manager to use. This is an essential security step, as we explain in Using VPC Endpoints to Access Systems Manager. 

Be Sure Your AWS Environment is Secure

Automation is a great tool for increasing efficiency in your organization, but it is also wise to check these automation configurations regularly to ensure they are working as you intended. Let KirkpatrickPrice run a free scan of your AWS environment today so you can be sure it is secure and effective.

You can learn more about configuring and using AWS Systems Manager and SSM Agent from Amazon's AWS Systems Manager documentation. For more information about using Systems Manager and other AWS services to improve your company's security and compliance, visit our comprehensive cloud security resources.

AWS Network Firewall is a flexible managed firewall and intrusion detection service. It allows AWS users to control network access to resources within an AWS Virtual Private Cloud (VPC). We explored AWS Network Firewall and how it complements other AWS firewalls in What is AWS Network Firewall? In this article, we’ll dig a little deeper and show you how to deploy an AWS Network Firewall instance within a VPC hosted on your AWS cloud environment. 

At a high level, the process for deploying AWS Network Firewall involves the following four steps:

  1. Create rule groups containing your network filtering rules.
  2. Create a firewall policy that includes your rule groups.
  3. Create a firewall that uses your firewall policy. 
  4. Configure VPC route tables so the firewall endpoint can process traffic as it moves between an internet gateway and subnets within your VPC. 

The details of Step 4 differ depending on how your VPC is configured, so we’ll focus on the first three steps here. 

AWS Network Firewall is a highly configurable service, and secure configuration depends on factors unique to your environment, including how your VPC, subnets, and gateways are configured. This article should not be taken as a guide to setting up a secure firewall for your AWS infrastructure. 

AWS Network Firewall Prerequisites

To follow the steps outlined here, you will need an AWS VPC with the following characteristics:

  • At least two subnets, one of which will be used only for the AWS Network Firewall. 
  • An Internet Gateway with routing configured to send incoming traffic to the other subnet, which should be configured to send outgoing traffic through the gateway. 

The firewall subnet must have at least one available IP address. Amazon calls this configuration a simple single zone architecture with an internet gateway.

Configure Firewall Security Rules 

Protecting Your AWS Cloud Infrastructure with AWS Network Firewall

The first step is to create rule groups to contain your traffic filtering rules. For example, you might want to block incoming SSH traffic to your subnet. To do so, you would create a rule telling the firewall to drop TCP connections to port 22.

  1. Open the AWS VPC console and select Network Firewall Rule Groups from the Network Firewall section of the sidebar menu. 
  2. Click the Create Network Firewall rule group button and give the group a name. 
  3. In the Capacity field, enter the maximum capacity the group may use. For stateful groups this is roughly one unit per rule; for stateless groups each rule costs the product of the number of values it lists for each match setting. If you're experimenting, 10 should be sufficient, but be aware that you cannot change this number later, so size production groups with room to grow.
  4. Choose whether to create a stateless or stateful rule group. 
  5. Scroll down to the Add Rule section and enter the new rule’s protocol, name, and source and destination IP and port. 
  6. Choose whether packets matching the rule are dropped or passed. 
  7. Click the Add Rule button. 
  8. Add additional rules as required, and then click Create Stateful/Stateless Rule Group at the bottom of the page. 

Learn more about how to create security rules from Amazon’s documentation. 
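What the console steps above produce, and how the firewall then decides, as an added example (not code from the original article or from AWS). The rule group is written in the shape the Network Firewall API (CreateRuleGroup) takes for a stateless group: drop inbound SSH to the protected subnet, pass inbound HTTPS, and leave everything else to the policy's stateless default action. The local matcher only reproduces the documented ordering (rules in priority order, first match decides) so the behaviour can be checked against constructed packets; the capacity estimate implements the product rule from the capacity field above. The subnet, addresses and default action are assumptions, not values from the article.

```python
"""Evaluate packets against a stateless Network Firewall rule group, and
estimate the capacity it needs.

Added example, not code from the original article or from AWS. The rule
group is in the shape the Network Firewall API (CreateRuleGroup) takes;
the packets are constructed; the subnet and default action are assumed.
The firewall endpoint does the real evaluation; this matcher reproduces
only the documented ordering: rules by priority, first match decides,
otherwise the policy's stateless default action applies.
"""
import ipaddress

PROTECTED_SUBNET = "10.0.1.0/24"   # assumed protected subnet

# Drop inbound SSH to the protected subnet, pass inbound HTTPS, and hand
# everything else to the stateful engine (the policy default below).
RULE_GROUP = {
    "RulesSource": {
        "StatelessRulesAndCustomActions": {
            "StatelessRules": [
                {"Priority": 1, "RuleDefinition": {
                    "Actions": ["aws:drop"],
                    "MatchAttributes": {
                        "Protocols": [6],                      # TCP
                        "Sources": [{"AddressDefinition": "0.0.0.0/0"}],
                        "Destinations": [{"AddressDefinition": PROTECTED_SUBNET}],
                        "DestinationPorts": [{"FromPort": 22, "ToPort": 22}]}}},
                {"Priority": 2, "RuleDefinition": {
                    "Actions": ["aws:pass"],
                    "MatchAttributes": {
                        "Protocols": [6],
                        "Sources": [{"AddressDefinition": "0.0.0.0/0"}],
                        "Destinations": [{"AddressDefinition": PROTECTED_SUBNET}],
                        "DestinationPorts": [{"FromPort": 443, "ToPort": 443}]}}},
            ]
        }
    }
}

# Stateless default action from the firewall policy (assumed here).
POLICY_STATELESS_DEFAULT = "aws:forward_to_sfe"

MATCH_SETTINGS = ("Sources", "Destinations", "SourcePorts", "DestinationPorts", "Protocols")


def rule_capacity(rule):
    """Product of the number of values per match setting; absent settings count 1."""
    attrs = rule["RuleDefinition"]["MatchAttributes"]
    cap = 1
    for setting in MATCH_SETTINGS:
        cap *= max(1, len(attrs.get(setting, [])))
    return cap


def group_capacity(group):
    rules = group["RulesSource"]["StatelessRulesAndCustomActions"]["StatelessRules"]
    return sum(rule_capacity(r) for r in rules)


def _in_any_cidr(ip, entries):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e["AddressDefinition"]) for e in entries)


def _in_any_range(port, entries):
    return any(e["FromPort"] <= port <= e["ToPort"] for e in entries)


def _matches(attrs, pkt):
    checks = [
        ("Protocols", lambda v: pkt["proto"] in v),
        ("Sources", lambda v: _in_any_cidr(pkt["src"], v)),
        ("Destinations", lambda v: _in_any_cidr(pkt["dst"], v)),
        ("SourcePorts", lambda v: _in_any_range(pkt["sport"], v)),
        ("DestinationPorts", lambda v: _in_any_range(pkt["dport"], v)),
    ]
    # A setting that is absent from the rule matches anything.
    return all(test(attrs[name]) for name, test in checks if name in attrs)


def evaluate(group, pkt, default_action=POLICY_STATELESS_DEFAULT):
    """Action for one packet: first matching rule by priority, else the default."""
    rules = group["RulesSource"]["StatelessRulesAndCustomActions"]["StatelessRules"]
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        if _matches(rule["RuleDefinition"]["MatchAttributes"], pkt):
            return rule["RuleDefinition"]["Actions"][0]
    return default_action


# Constructed packets: src, dst, IP protocol number, ports.
SAMPLE_PACKETS = {
    "ssh_in":    {"src": "198.51.100.7", "dst": "10.0.1.10", "proto": 6,  "sport": 50123, "dport": 22},
    "https_in":  {"src": "198.51.100.7", "dst": "10.0.1.10", "proto": 6,  "sport": 50124, "dport": 443},
    "dns_in":    {"src": "198.51.100.7", "dst": "10.0.1.10", "proto": 17, "sport": 50125, "dport": 53},
    "ssh_reply": {"src": "10.0.1.10", "dst": "198.51.100.7", "proto": 6,  "sport": 22, "dport": 50123},
}


if __name__ == "__main__":
    print("capacity needed:", group_capacity(RULE_GROUP))
    for name, pkt in SAMPLE_PACKETS.items():
        print(f"{name:10} -> {evaluate(RULE_GROUP, pkt)}")
```

The ssh_reply packet is the instructive one: a stateless rule sees each packet on its own, so a reply from port 22 matches neither rule and falls through to the default. That is why "block SSH" is normally written as a stateful 5-tuple rule (the kind the console steps above create when you choose a stateful group), which tracks the connection rather than the packet. The capacity figure, 2 here, is what you would enter in the Capacity field, plus headroom, since it cannot be raised later.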

Create a Firewall Policy

Now that you have created a rule, you can add it to a Firewall Policy. 

  1. Select Firewall Policies from the Network Firewall section of the VPC console. 
  2. Click the Create firewall policy button. 
  3. Enter a name and optional description before clicking Next. 
  4. Scroll down to the Stateless rule group or Stateful rule group forms. 
  5. Click the Add Rules Groups button, then Add my own stateful/stateless rule groups. 
  6. Choose the rule group you created in the previous step. 
  7. Click through the subsequent dialogs and then click Create firewall policy on the Review and create page. 

Learn more about firewall policies from Firewall policies in AWS Network Firewall.

Deploy AWS Firewall on Your Virtual Private Cloud

The next step is to create a firewall that uses the firewall policy created in the previous step. Once the firewall is configured, it will be deployed into the firewall subnet of the VPC. 

  1. Select Firewalls from the Network Firewall section of the VPC console. 
  2. Click the Create Firewall button. 
  3. Give the firewall a name and choose your VPC from the drop-down menu. 
  4. Select the availability zone that contains your firewall subnet and then the subnet itself. 
  5. In the Associated firewall policy section, choose Associate an existing firewall policy and then choose the policy created in the previous section from the dropdown. 
  6. At the bottom of the page, click Create Firewall. 

AWS will now deploy your firewall into the chosen subnet. However, the firewall does not automatically begin filtering traffic. To use it, you must update the VPC's route tables so that incoming and outgoing traffic is sent through the firewall's endpoints; until you do, traffic continues to bypass the firewall entirely. The specifics depend on how your VPC and subnets are configured, but you can learn more about VPC routing tables in Managing route tables for your VPC.

Cloud Security and Compliance with KirkpatrickPrice

KirkpatrickPrice can help your business to secure its cloud infrastructure. Our cloud security audits and remote cloud security configuration assessments ensure your AWS infrastructure is configured for optimal security and compliance. To learn more, contact a cloud security and compliance specialist or visit our cloud security resources.