B\u00e0i vi\u1ebft n\u00e0y s\u1ebd tr\u00ecnh b\u00e0y c\u00e1ch tri\u1ec3n khai c\u00e1c l\u1edbp ph\u00e1t hi\u1ec7n v\u00e0 b\u1ea3o v\u1ec7 egress b\u1eb1ng c\u00e1c d\u1ecbch v\u1ee5 c\u1ee7a AWS, gi\u00fap gi\u1ea3m thi\u1ec3u r\u1ee7i ro th\u1ea5t tho\u00e1t d\u1eef li\u1ec7u t\u1eeb c\u1ea3 \u1ee9ng d\u1ee5ng b\u1ecb x\u00e2m nh\u1eadp v\u00e0 AI agent b\u1ecb thao t\u00fang.<\/p>\n
T\u1ed5ng quan ki\u1ebfn tr\u00fac<\/h2>\n
Ki\u1ebfn tr\u00fac d\u01b0\u1edbi \u0111\u00e2y minh h\u1ecda m\u1ed9t c\u00e1ch ti\u1ebfp c\u1eadn tri\u1ec3n khai m\u00f4 h\u00ecnh m\u1ea1ng hub-and-spoke cho m\u00f4i tr\u01b0\u1eddng AWS \u0111a t\u00e0i kho\u1ea3n. C\u00e1c workload \u1ee9ng d\u1ee5ng n\u1eb1m trong c\u00e1c spoke virtual private clouds (VPC)<\/strong>, k\u1ebft n\u1ed1i v\u1edbi m\u1ed9t AWS Transit Gateway<\/strong> \u0111\u00f3ng vai tr\u00f2 l\u00e0 trung t\u00e2m \u0111\u1ecbnh tuy\u1ebfn. Lu\u1ed3ng traffic \u0111i ra Internet \u0111\u01b0\u1ee3c \u0111\u1ecbnh tuy\u1ebfn qua AWS Network Firewall<\/strong> \u0111\u1ec3 ki\u1ec3m tra v\u00e0 l\u1ecdc tr\u01b0\u1edbc khi ra ngo\u00e0i.<\/p>\n C\u00e1c th\u00e0nh ph\u1ea7n ch\u00ednh trong ki\u1ebfn tr\u00fac n\u00e0y bao g\u1ed3m:<\/p>\n Ki\u1ebfn tr\u00fac n\u00e0y \u00e1p d\u1ee5ng cho c\u1ea3 workload truy\u1ec1n th\u1ed1ng v\u00e0 workload AI. M\u1ed9t AI agent ch\u1ea1y tr\u00ean Amazon Bedrock<\/strong> c\u0169ng ph\u1ea3i tu\u00e2n th\u1ee7 c\u00e1c ch\u00ednh s\u00e1ch l\u1ecdc DNS, danh s\u00e1ch t\u00ean mi\u1ec1n cho ph\u00e9p v\u00e0 v\u00e0nh \u0111ai d\u1eef li\u1ec7u t\u01b0\u01a1ng t\u1ef1 nh\u01b0 m\u1ed9t m\u00e1y \u1ea3o Amazon EC2<\/strong> hay container.<\/p>\n \u0110\u00e2y l\u00e0 nh\u1eefng bi\u1ec7n ph\u00e1p ch\u1eb7n \u0111\u1ee9ng h\u00e0nh vi tr\u00edch xu\u1ea5t d\u1eef li\u1ec7u tr\u01b0\u1edbc khi n\u00f3 x\u1ea3y ra, \u0111\u01b0\u1ee3c \u00e1p d\u1ee5ng cho c\u00e1c ho\u1ea1t \u0111\u1ed9ng c\u00f3 nguy c\u01a1 g\u00e2y h\u1ea1i cao.<\/p>\n AWS Network Firewall ho\u1ea1t \u0111\u1ed9ng nh\u01b0 m\u1ed9t ch\u1ed1t ch\u1eb7n trung t\u00e2m, ki\u1ec3m tra s\u00e2u c\u00e1c g\u00f3i tin t\u1eeb L\u1edbp 3 \u0111\u1ebfn L\u1edbp 7. Trong k\u1ecbch b\u1ea3n m\u1ed9t m\u00e1y ch\u1ee7 EC2 b\u1ecb x\u00e2m nh\u1eadp ho\u1eb7c m\u1ed9t AI agent b\u1ecb chi\u1ebfm quy\u1ec1n, Network Firewall s\u1ebd ch\u1eb7n k\u1ebft n\u1ed1i \u0111\u1ebfn m\u00e1y ch\u1ee7 \u0111\u1ed9c h\u1ea1i b\u00ean ngo\u00e0i v\u00ec \u0111\u1ecba ch\u1ec9 \u0111\u00f3 kh\u00f4ng n\u1eb1m trong danh s\u00e1ch t\u00ean mi\u1ec1n \u0111\u01b0\u1ee3c ph\u00ea duy\u1ec7t. C\u00e1c kh\u1ea3 n\u0103ng ch\u00ednh bao g\u1ed3m:<\/p>\n \u0110\u1ed1i v\u1edbi m\u00f4i tr\u01b0\u1eddng \u0111a t\u00e0i kho\u1ea3n, AWS Firewall Manager<\/strong> gi\u00fap tri\u1ec3n khai v\u00e0 qu\u1ea3n l\u00fd Network Firewall m\u1ed9t c\u00e1ch nh\u1ea5t qu\u00e1n. Ngo\u00e0i ra, AWS Network Firewall Proxy<\/strong> (\u0111ang trong giai \u0111o\u1ea1n preview) cung c\u1ea5p kh\u1ea3 n\u0103ng l\u1ecdc HTTP\/HTTPS chi ti\u1ebft h\u01a1n.<\/p>\n K\u1ebb t\u1ea5n c\u00f4ng c\u00f3 th\u1ec3 m\u00e3 h\u00f3a d\u1eef li\u1ec7u nh\u1ea1y c\u1ea3m v\u00e0o c\u00e1c truy v\u1ea5n DNS \u0111\u1ec3 g\u1eedi ra ngo\u00e0i, m\u1ed9t k\u1ef9 thu\u1eadt g\u1ecdi l\u00e0 DNS tunneling<\/em> (\u0111\u01b0\u1eddng h\u1ea7m DNS), v\u1ed1n c\u00f3 th\u1ec3 v\u01b0\u1ee3t qua c\u00e1c t\u01b0\u1eddng l\u1eeda th\u00f4ng th\u01b0\u1eddng. Route 53 Resolver DNS Firewall<\/strong> gi\u1ea3i quy\u1ebft l\u1ed7 h\u1ed5ng n\u00e0y b\u1eb1ng c\u00e1ch l\u1ecdc v\u00e0 ch\u1eb7n c\u00e1c truy v\u1ea5n DNS \u0111\u00e1ng ng\u1edd ngay t\u1ea1i t\u1ea7ng resolver, tr\u01b0\u1edbc khi b\u1ea5t k\u1ef3 k\u1ebft n\u1ed1i m\u1ea1ng n\u00e0o \u0111\u01b0\u1ee3c thi\u1ebft l\u1eadp. C\u00e1c t\u00ednh n\u0103ng ch\u00ednh:<\/p>\n V\u00e0nh \u0111ai d\u1eef li\u1ec7u l\u00e0 m\u1ed9t t\u1eadp h\u1ee3p c\u00e1c quy t\u1eafc ph\u00f2ng ng\u1eeba \u0111\u1ec3 \u0111\u1ea3m b\u1ea3o ch\u1ec9 nh\u1eefng danh t\u00ednh \u0111\u00e1ng tin c\u1eady m\u1edbi c\u00f3 th\u1ec3 truy c\u1eadp t\u00e0i nguy\u00ean \u0111\u00e1ng tin c\u1eady t\u1eeb c\u00e1c m\u1ea1ng d\u1ef1 ki\u1ebfn. Ngay c\u1ea3 khi k\u1ebb t\u1ea5n c\u00f4ng c\u00f3 \u0111\u01b0\u1ee3c th\u00f4ng tin \u0111\u0103ng nh\u1eadp h\u1ee3p l\u1ec7, ch\u00fang c\u0169ng kh\u00f4ng th\u1ec3 s\u1eed d\u1ee5ng API c\u1ee7a d\u1ecbch v\u1ee5 AWS \u0111\u1ec3 chuy\u1ec3n d\u1eef li\u1ec7u ra ngo\u00e0i t\u1ed5 ch\u1ee9c. C\u00e1c c\u00f4ng c\u1ee5 ch\u00ednh \u0111\u1ec3 x\u00e2y d\u1ef1ng v\u00e0nh \u0111ai d\u1eef li\u1ec7u bao g\u1ed3m:<\/p>\n C\u00e1c bi\u1ec7n ph\u00e1p n\u00e0y gi\u00fap ph\u00e1t hi\u1ec7n c\u00e1c n\u1ed7 l\u1ef1c tr\u00edch xu\u1ea5t d\u1eef li\u1ec7u sau khi ch\u00fang x\u1ea3y ra, cung c\u1ea5p th\u00f4ng tin \u0111\u1ec3 \u0111i\u1ec1u tra v\u00e0 c\u1ea3i thi\u1ec7n c\u00e1c bi\u1ec7n ph\u00e1p ph\u00f2ng ng\u1eeba.<\/p>\n GuardDuty l\u00e0 l\u1edbp ph\u00e1t hi\u1ec7n quan tr\u1ecdng, li\u00ean t\u1ee5c gi\u00e1m s\u00e1t c\u00e1c h\u00e0nh vi b\u1ea5t th\u01b0\u1eddng v\u00e0 c\u00e1c m\u1eabu t\u1ea5n c\u00f4ng cho th\u1ea5y n\u1ed7 l\u1ef1c tr\u00edch xu\u1ea5t d\u1eef li\u1ec7u \u0111ang di\u1ec5n ra. C\u00e1c kh\u1ea3 n\u0103ng ph\u00e1t hi\u1ec7n t\u1eadp trung v\u00e0o egress bao g\u1ed3m:<\/p>\n IAM Access Analyzer<\/strong> gi\u00fap x\u00e1c \u0111\u1ecbnh c\u00e1c \u0111\u01b0\u1eddng d\u1eabn r\u00f2 r\u1ec9 d\u1eef li\u1ec7u ti\u1ec1m \u1ea9n b\u1eb1ng c\u00e1ch ph\u00e1t hi\u1ec7n c\u00e1c t\u00e0i nguy\u00ean c\u00f3 th\u1ec3 truy c\u1eadp t\u1eeb b\u00ean ngo\u00e0i t\u00e0i kho\u1ea3n ho\u1eb7c t\u1ed5 ch\u1ee9c AWS c\u1ee7a b\u1ea1n. N\u00f3 li\u00ean t\u1ee5c gi\u00e1m s\u00e1t c\u00e1c ch\u00ednh s\u00e1ch v\u00e0 x\u00e1c \u0111\u1ecbnh t\u00e0i nguy\u00ean n\u00e0o \u0111ang \u0111\u01b0\u1ee3c chia s\u1ebb v\u1edbi c\u00e1c th\u1ef1c th\u1ec3 b\u00ean ngo\u00e0i v\u00f9ng tin c\u1eady.<\/p>\n AWS Security Hub<\/strong> t\u1ed5ng h\u1ee3p c\u00e1c ph\u00e1t hi\u1ec7n t\u1eeb nhi\u1ec1u d\u1ecbch v\u1ee5 b\u1ea3o m\u1eadt c\u1ee7a AWS (GuardDuty, Amazon Inspector, Amazon Macie) \u0111\u1ec3 cung c\u1ea5p m\u1ed9t c\u00e1i nh\u00ecn to\u00e0n di\u1ec7n v\u1ec1 c\u00e1c r\u1ee7i ro b\u1ea3o m\u1eadt. V\u00ed d\u1ee5, Security Hub c\u00f3 th\u1ec3 x\u00e1c \u0111\u1ecbnh m\u1ed9t bucket S3 ch\u1ee9a d\u1eef li\u1ec7u nh\u1ea1y c\u1ea3m \u0111ang b\u1ecb ph\u01a1i b\u00e0y c\u00f4ng khai v\u00e0 ch\u01b0a \u0111\u01b0\u1ee3c m\u00e3 h\u00f3a, \u0111\u00e1nh d\u1ea5u \u0111\u00e2y l\u00e0 m\u1ed9t r\u1ee7i ro th\u1ea5t tho\u00e1t d\u1eef li\u1ec7u c\u1ea7n \u0111\u01b0\u1ee3c x\u1eed l\u00fd ngay l\u1eadp t\u1ee9c.<\/p>\n Doanh nghi\u1ec7p kh\u00f4ng c\u1ea7n ph\u1ea3i tri\u1ec3n khai t\u1ea5t c\u1ea3 c\u00e1c bi\u1ec7n ph\u00e1p ki\u1ec3m so\u00e1t c\u00f9ng m\u1ed9t l\u00fac. AWS \u0111\u1ec1 xu\u1ea5t m\u1ed9t c\u00e1ch ti\u1ebfp c\u1eadn theo t\u1eebng giai \u0111o\u1ea1n \u0111\u1ec3 x\u00e2y d\u1ef1ng h\u1ec7 th\u1ed1ng b\u1ea3o m\u1eadt egress m\u1ed9t c\u00e1ch t\u1eeb t\u1eeb, ph\u00f9 h\u1ee3p v\u1edbi m\u1ee9c \u0111\u1ed9 tr\u01b0\u1edfng th\u00e0nh v\u00e0 kh\u1ea3 n\u0103ng ch\u1ea5p nh\u1eadn r\u1ee7i ro c\u1ee7a t\u1ed5 ch\u1ee9c.<\/p>\n B\u1ea3o m\u1eadt egress kh\u00f4ng ph\u1ea3i l\u00e0 m\u1ed9t c\u00f4ng c\u1ee5 duy nh\u1ea5t m\u00e0 l\u00e0 m\u1ed9t chi\u1ebfn l\u01b0\u1ee3c nhi\u1ec1u l\u1edbp. B\u1eb1ng c\u00e1ch \u0111\u00e1nh gi\u00e1 hi\u1ec7n tr\u1ea1ng, x\u00e1c \u0111\u1ecbnh c\u00e1c l\u1ed7 h\u1ed5ng v\u00e0 tri\u1ec3n khai d\u1ea7n c\u00e1c bi\u1ec7n ph\u00e1p ki\u1ec3m so\u00e1t, doanh nghi\u1ec7p c\u00f3 th\u1ec3 bi\u1ebfn c\u00e1c \u0111i\u1ec3m m\u00f9 trong lu\u1ed3ng d\u1eef li\u1ec7u \u0111i ra th\u00e0nh c\u00e1c tr\u1ea1m ki\u1ec3m so\u00e1t \u0111\u01b0\u1ee3c gi\u00e1m s\u00e1t ch\u1eb7t ch\u1ebd.<\/p>","protected":false},"excerpt":{"rendered":" Trong khi c\u00e1c doanh nghi\u1ec7p t\u1eadp trung b\u1ea3o v\u1ec7 h\u1ec7 th\u1ed1ng kh\u1ecfi c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng t\u1eeb b\u00ean ngo\u00e0i, lu\u1ed3ng d\u1eef li\u1ec7u \u0111i ra (egress) th\u01b0\u1eddng b\u1ecb xem nh\u1eb9, t\u1ea1o ra m\u1ed9t \u0111i\u1ec3m m\u00f9 b\u1ea3o m\u1eadt nghi\u00eam tr\u1ecdng. Vi\u1ec7c b\u1ecf qua ki\u1ec3m so\u00e1t egress c\u00f3 th\u1ec3 d\u1eabn \u0111\u1ebfn r\u00f2 r\u1ec9 d\u1eef li\u1ec7u nh\u1ea1y c\u1ea3m, d\u00f9…<\/p>","protected":false},"author":22,"featured_media":66849,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-66851","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ctelers-blogs"],"acf":[],"yoast_head":"\n![\"S\u01a1](\"https:\/\/aws.cmctelecom.vn\/wp-content\/uploads\/2026\/06\/ffe2e35fd9.png\")
\n<\/figure>\n\n
C\u00e1c bi\u1ec7n ph\u00e1p ph\u00f2ng ng\u1eeba ch\u1ee7 \u0111\u1ed9ng (Preventive Controls)<\/h2>\n
AWS Network Firewall<\/h3>\n
\n
Route 53 Resolver DNS Firewall<\/h3>\n
\n
V\u00e0nh \u0111ai d\u1eef li\u1ec7u (Data Perimeters)<\/h3>\n
\n
C\u00e1c bi\u1ec7n ph\u00e1p ph\u00e1t hi\u1ec7n (Detective Controls)<\/h2>\n
Amazon GuardDuty<\/h3>\n
\n
IAM Access Analyzer v\u00e0 AWS Security Hub<\/h3>\n
Chi\u1ebfn l\u01b0\u1ee3c tri\u1ec3n khai b\u1ea3o m\u1eadt Egress<\/h2>\n
\n