[{"data":1,"prerenderedAt":1946},["ShallowReactive",2],{"\u002F2026\u002Faws-vpc-guvenligi-derinlemesine-rehber\u002F":3,"surround-\u002F2026\u002Faws-vpc-guvenligi-derinlemesine-rehber":1937},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":9,"date":10,"updated":10,"categories":11,"tags":13,"image":19,"draft":6,"readingTime":20,"body":25,"_type":1930,"_id":1931,"_source":1932,"_file":1933,"_stem":1934,"_extension":1935,"_original_dir":1936},"\u002F2026\u002Faws-vpc-guvenligi-derinlemesine-rehber","2026",false,"","AWS VPC Security: An In-Depth Guide to Protecting Your Virtual Network","According to the Sysdig 2024 report, companies prioritize speed over security, and 66% of the registries analyzed are public. This guide covers VPC security at every layer, from route tables to DNS Firewall.","2026-04-29T09:00:00.000Z",[12],"Cloud",[14,15,16,17,18],"AWS","VPC","Security","Networking","Cloud-Security","https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Faws-vpc-guvenligi-derinlemesine-rehber\u002F1.jpg",{"text":21,"minutes":22,"time":23,"words":24},"10 min read",9.93,595800,1986,{"type":26,"children":27,"toc":1914},"root",[28,37,52,57,88,94,106,111,133,411,416,422,435,481,494,687,692,701,707,719,746,756,766,915,924,930,942,947,964,1078,1086,1092,1104,1122,1127,1135,1141,1146,1177,1330,1336,1341,1348,1453,1472,1478,1483,1621,1627,1632,1699,1704,1710,1727,1736,1745,1754,1760,1896,1900,1908],{"type":29,"tag":30,"props":31,"children":33},"element","h2",{"id":32},"giriş",[34],{"type":35,"value":36},"text","Introduction",{"type":29,"tag":38,"props":39,"children":40},"p",{},[41,43,50],{"type":35,"value":42},"A significant share of security breaches in cloud environments stems not from servers being compromised directly, but from mistakes in network configuration. 
The Sysdig 2024 Cloud-Native Security and Usage Report shows starkly that companies trade security for speed: 66% of the registries analyzed are public, and 98% of the permissions granted are never actually used (",{"type":29,"tag":44,"props":45,"children":47},"badge",{"link":46},"https:\u002F\u002F2631050.fs1.hubspotusercontent-na1.net\u002Fhubfs\u002F2631050\u002FSysdig%202024-report-cloud-native-security-and-usage.pdf",[48],{"type":35,"value":49},"Sysdig",{"type":35,"value":51},"). This picture turns VPC security from an \"optional improvement\" into the most critical requirement for every infrastructure.",{"type":29,"tag":38,"props":53,"children":54},{},[55],{"type":35,"value":56},"An AWS VPC is a software-defined network that you create inside your account. It logically isolates your traffic from other customers and lets you define your own IP ranges. You do not manage a physical network device; everything consists of API calls and configuration parameters. 
While this structure offers broad flexibility, it also brings the risk that a single misconfiguration exposes the entire network to the outside world.",{"type":29,"tag":58,"props":59,"children":62},"alert",{"title":60,"type":61},"Key Takeaways","info",[63],{"type":29,"tag":64,"props":65,"children":66},"ul",{},[67,73,78,83],{"type":29,"tag":68,"props":69,"children":70},"li",{},[71],{"type":35,"value":72},"VPC security starts with correct route table and security group configuration; IAM policies are an inseparable part of this system.",{"type":29,"tag":68,"props":74,"children":75},{},[76],{"type":35,"value":77},"When Security Groups and NACLs are used together, defense-in-depth increases and lateral movement is blocked.",{"type":29,"tag":68,"props":79,"children":80},{},[81],{"type":35,"value":82},"VPC Endpoints and PrivateLink let sensitive data reach AWS services without going out to the internet, minimizing the risk of data exfiltration.",{"type":29,"tag":68,"props":84,"children":85},{},[86],{"type":35,"value":87},"DNS is an attack vector that is often overlooked; DNS Firewall and query logging must not be neglected here.",{"type":29,"tag":30,"props":89,"children":91},{"id":90},"vpc-nedir-ve-neden-doğrudan-bir-güvenlik-kontrolüdür",[92],{"type":35,"value":93},"What Is a VPC, and Why Is It a Security Control in Its Own Right?",{"type":29,"tag":38,"props":95,"children":96},{},[97,99,104],{"type":35,"value":98},"AWS states that a VPC is \"a logically isolated section of the network for your account\" (",{"type":29,"tag":44,"props":100,"children":102},{"link":101},"https:\u002F\u002Fdocs.aws.amazon.com\u002Fvpc\u002Flatest\u002Fuserguide\u002Fwhat-is-amazon-vpc.html",[103],{"type":35,"value":14},{"type":35,"value":105},"). This isolation is the foundation of security, but it can sometimes create a false sense of comfort. Choosing your own CIDR range and spreading subnets across zones is entirely under your control. 
In the physical world, changing a switch's VLAN configuration requires a console cable; here, a single IAM policy mistake can wipe out all isolation.",{"type":29,"tag":38,"props":107,"children":108},{},[109],{"type":35,"value":110},"This software-defined structure provides some natural immunity against classic network attacks. ARP spoofing, for example, does not work inside a VPC, because ARP tables are visible only for compatibility and actual address resolution is done by a different mechanism. But this does not mean a VPC is closed to attacks. Adding an unauthorized Internet Gateway (IGW) route to a route table can expose a private subnet to the outside in short order.",{"type":29,"tag":38,"props":112,"children":113},{},[114,116,123,125,131],{"type":35,"value":115},"In the AWS security model, the role of the VPC goes far beyond network engineering. IAM permissions such as ",{"type":29,"tag":117,"props":118,"children":120},"code",{"className":119},[],[121],{"type":35,"value":122},"ec2:CreateRoute",{"type":35,"value":124},", ",{"type":29,"tag":117,"props":126,"children":128},{"className":127},[],[129],{"type":35,"value":130},"ec2:ModifyVpcAttribute",{"type":35,"value":132}," are in effect network security controls in their own right. Without knowing who holds these permissions, you cannot truly secure your VPC. 
In short, whoever controls IAM controls the network.",{"type":29,"tag":134,"props":135,"children":139},"pre",{"className":136,"code":137,"language":138,"meta":7,"style":7},"language-mermaid shiki shiki-themes catppuccin-latte one-dark-pro","flowchart TB\n    subgraph Internet[\"🌐 Internet\"]\n        ATTACKER[\"Saldırgan\"]\n    end\n    \n    subgraph VPC[\"AWS VPC\"]\n        subgraph Public[\"Public Subnet\"]\n            WEB[\"Web Sunucusu\"]\n            IGW[\"Internet Gateway\"]\n        end\n        subgraph Private[\"Private Subnet\"]\n            DB[\"Veritabanı\"]\n            APP[\"Uygulama Sunucusu\"]\n        end\n        RT_PUB[\"Public Route Table\\n0.0.0.0\u002F0 → IGW\"]\n        RT_PRIV[\"Private Route Table\\n0.0.0.0\u002F0 → NAT\"]\n    end\n    \n    NAT[\"NAT Gateway\"]\n    \n    ATTACKER -->|\"doğrudan erişim\"| IGW\n    IGW -->|\"izin verilen\"| WEB\n    WEB -->|\"kontrollü\"| APP\n    APP -->|\"iç ağ\"| DB\n    RT_PUB -.->|\"yönlendirir\"| IGW\n    RT_PRIV -.->|\"yönlendirir\"| NAT\n    \n    style ATTACKER fill:#ff6b6b,color:#fff\n    style IGW fill:#ffd43b,color:#000\n    style DB fill:#51cf66,color:#000\n","mermaid",[140],{"type":29,"tag":117,"props":141,"children":142},{"__ignoreMap":7},[143,155,164,173,182,191,200,209,218,227,236,245,254,263,271,280,289,297,305,314,322,331,340,349,358,367,376,384,393,402],{"type":29,"tag":144,"props":145,"children":148},"span",{"class":146,"line":147},"line",1,[149],{"type":29,"tag":144,"props":150,"children":152},{"style":151},"--shiki-default:#4C4F69;--shiki-dark:#ABB2BF",[153],{"type":35,"value":154},"flowchart TB\n",{"type":29,"tag":144,"props":156,"children":158},{"class":146,"line":157},2,[159],{"type":29,"tag":144,"props":160,"children":161},{"style":151},[162],{"type":35,"value":163},"    subgraph Internet[\"🌐 
Internet\"]\n",{"type":29,"tag":144,"props":165,"children":167},{"class":146,"line":166},3,[168],{"type":29,"tag":144,"props":169,"children":170},{"style":151},[171],{"type":35,"value":172},"        ATTACKER[\"Saldırgan\"]\n",{"type":29,"tag":144,"props":174,"children":176},{"class":146,"line":175},4,[177],{"type":29,"tag":144,"props":178,"children":179},{"style":151},[180],{"type":35,"value":181},"    end\n",{"type":29,"tag":144,"props":183,"children":185},{"class":146,"line":184},5,[186],{"type":29,"tag":144,"props":187,"children":188},{"style":151},[189],{"type":35,"value":190},"    \n",{"type":29,"tag":144,"props":192,"children":194},{"class":146,"line":193},6,[195],{"type":29,"tag":144,"props":196,"children":197},{"style":151},[198],{"type":35,"value":199},"    subgraph VPC[\"AWS VPC\"]\n",{"type":29,"tag":144,"props":201,"children":203},{"class":146,"line":202},7,[204],{"type":29,"tag":144,"props":205,"children":206},{"style":151},[207],{"type":35,"value":208},"        subgraph Public[\"Public Subnet\"]\n",{"type":29,"tag":144,"props":210,"children":212},{"class":146,"line":211},8,[213],{"type":29,"tag":144,"props":214,"children":215},{"style":151},[216],{"type":35,"value":217},"            WEB[\"Web Sunucusu\"]\n",{"type":29,"tag":144,"props":219,"children":221},{"class":146,"line":220},9,[222],{"type":29,"tag":144,"props":223,"children":224},{"style":151},[225],{"type":35,"value":226},"            IGW[\"Internet Gateway\"]\n",{"type":29,"tag":144,"props":228,"children":230},{"class":146,"line":229},10,[231],{"type":29,"tag":144,"props":232,"children":233},{"style":151},[234],{"type":35,"value":235},"        end\n",{"type":29,"tag":144,"props":237,"children":239},{"class":146,"line":238},11,[240],{"type":29,"tag":144,"props":241,"children":242},{"style":151},[243],{"type":35,"value":244},"        subgraph Private[\"Private 
Subnet\"]\n",{"type":29,"tag":144,"props":246,"children":248},{"class":146,"line":247},12,[249],{"type":29,"tag":144,"props":250,"children":251},{"style":151},[252],{"type":35,"value":253},"            DB[\"Veritabanı\"]\n",{"type":29,"tag":144,"props":255,"children":257},{"class":146,"line":256},13,[258],{"type":29,"tag":144,"props":259,"children":260},{"style":151},[261],{"type":35,"value":262},"            APP[\"Uygulama Sunucusu\"]\n",{"type":29,"tag":144,"props":264,"children":266},{"class":146,"line":265},14,[267],{"type":29,"tag":144,"props":268,"children":269},{"style":151},[270],{"type":35,"value":235},{"type":29,"tag":144,"props":272,"children":274},{"class":146,"line":273},15,[275],{"type":29,"tag":144,"props":276,"children":277},{"style":151},[278],{"type":35,"value":279},"        RT_PUB[\"Public Route Table\\n0.0.0.0\u002F0 → IGW\"]\n",{"type":29,"tag":144,"props":281,"children":283},{"class":146,"line":282},16,[284],{"type":29,"tag":144,"props":285,"children":286},{"style":151},[287],{"type":35,"value":288},"        RT_PRIV[\"Private Route Table\\n0.0.0.0\u002F0 → NAT\"]\n",{"type":29,"tag":144,"props":290,"children":292},{"class":146,"line":291},17,[293],{"type":29,"tag":144,"props":294,"children":295},{"style":151},[296],{"type":35,"value":181},{"type":29,"tag":144,"props":298,"children":300},{"class":146,"line":299},18,[301],{"type":29,"tag":144,"props":302,"children":303},{"style":151},[304],{"type":35,"value":190},{"type":29,"tag":144,"props":306,"children":308},{"class":146,"line":307},19,[309],{"type":29,"tag":144,"props":310,"children":311},{"style":151},[312],{"type":35,"value":313},"    NAT[\"NAT 
Gateway\"]\n",{"type":29,"tag":144,"props":315,"children":317},{"class":146,"line":316},20,[318],{"type":29,"tag":144,"props":319,"children":320},{"style":151},[321],{"type":35,"value":190},{"type":29,"tag":144,"props":323,"children":325},{"class":146,"line":324},21,[326],{"type":29,"tag":144,"props":327,"children":328},{"style":151},[329],{"type":35,"value":330},"    ATTACKER -->|\"doğrudan erişim\"| IGW\n",{"type":29,"tag":144,"props":332,"children":334},{"class":146,"line":333},22,[335],{"type":29,"tag":144,"props":336,"children":337},{"style":151},[338],{"type":35,"value":339},"    IGW -->|\"izin verilen\"| WEB\n",{"type":29,"tag":144,"props":341,"children":343},{"class":146,"line":342},23,[344],{"type":29,"tag":144,"props":345,"children":346},{"style":151},[347],{"type":35,"value":348},"    WEB -->|\"kontrollü\"| APP\n",{"type":29,"tag":144,"props":350,"children":352},{"class":146,"line":351},24,[353],{"type":29,"tag":144,"props":354,"children":355},{"style":151},[356],{"type":35,"value":357},"    APP -->|\"iç ağ\"| DB\n",{"type":29,"tag":144,"props":359,"children":361},{"class":146,"line":360},25,[362],{"type":29,"tag":144,"props":363,"children":364},{"style":151},[365],{"type":35,"value":366},"    RT_PUB -.->|\"yönlendirir\"| IGW\n",{"type":29,"tag":144,"props":368,"children":370},{"class":146,"line":369},26,[371],{"type":29,"tag":144,"props":372,"children":373},{"style":151},[374],{"type":35,"value":375},"    RT_PRIV -.->|\"yönlendirir\"| NAT\n",{"type":29,"tag":144,"props":377,"children":379},{"class":146,"line":378},27,[380],{"type":29,"tag":144,"props":381,"children":382},{"style":151},[383],{"type":35,"value":190},{"type":29,"tag":144,"props":385,"children":387},{"class":146,"line":386},28,[388],{"type":29,"tag":144,"props":389,"children":390},{"style":151},[391],{"type":35,"value":392},"    style ATTACKER 
fill:#ff6b6b,color:#fff\n",{"type":29,"tag":144,"props":394,"children":396},{"class":146,"line":395},29,[397],{"type":29,"tag":144,"props":398,"children":399},{"style":151},[400],{"type":35,"value":401},"    style IGW fill:#ffd43b,color:#000\n",{"type":29,"tag":144,"props":403,"children":405},{"class":146,"line":404},30,[406],{"type":29,"tag":144,"props":407,"children":408},{"style":151},[409],{"type":35,"value":410},"    style DB fill:#51cf66,color:#000\n",{"type":29,"tag":38,"props":412,"children":413},{},[414],{"type":35,"value":415},"The diagram above shows one of the most common VPC architectures. Under normal conditions the attacker can reach only the web server in the public subnet. But when any link in the chain breaks, for example a route table rule, the resources in the private subnet can become direct targets.",{"type":29,"tag":30,"props":417,"children":419},{"id":418},"alt-ağlar-ve-rota-tabloları-publicprivate-ayrımının-ötesi",[420],{"type":35,"value":421},"Subnets and Route Tables: Beyond the \"Public\u002FPrivate\" Distinction",{"type":29,"tag":38,"props":423,"children":424},{},[425,427,433],{"type":35,"value":426},"According to Unit 42's 2025 analysis, high-severity alerts in cloud environments rose 235% in 2024, and attackers are targeting IAM tokens and storage data in particular (",{"type":29,"tag":44,"props":428,"children":430},{"link":429},"https:\u002F\u002Funit42.paloaltonetworks.com\u002F2025-cloud-security-alert-trends\u002F",[431],{"type":35,"value":432},"Unit 42",{"type":35,"value":434},"). 
Many cloud engineers think of \"private subnet\" as a setting, but in AWS there is no technical switch that makes a subnet \"public\" or \"private\".",{"type":29,"tag":436,"props":437,"children":439},"quote",{"icon":438},"ph:shield-check-duotone",[440],{"type":29,"tag":38,"props":441,"children":442},{},[443,449,451,457,459,464,466,472,474,479],{"type":29,"tag":444,"props":445,"children":446},"strong",{},[447],{"type":35,"value":448},"Citation Capsule:",{"type":35,"value":450}," On AWS, a subnet attached to a route table that has a route to an internet gateway is called a ",{"type":29,"tag":452,"props":453,"children":454},"em",{},[455],{"type":35,"value":456},"public subnet",{"type":35,"value":458},"; one that is not is called a ",{"type":29,"tag":452,"props":460,"children":461},{},[462],{"type":35,"value":463},"private subnet",{"type":35,"value":465},". A public subnet's route table contains the ",{"type":29,"tag":117,"props":467,"children":469},{"className":468},[],[470],{"type":35,"value":471},"0.0.0.0\u002F0 → IGW",{"type":35,"value":473}," route (",{"type":29,"tag":44,"props":475,"children":477},{"link":476},"https:\u002F\u002Fdocs.aws.amazon.com\u002Fvpc\u002Flatest\u002Fuserguide\u002FVPC_Internet_Gateway.html",[478],{"type":35,"value":14},{"type":35,"value":480},"). This shows that network isolation is not a setting but an active discipline of route management.",{"type":29,"tag":38,"props":482,"children":483},{},[484,486,492],{"type":35,"value":485},"The security implication is clear: even if you label your subnet \"private\", one faulty rule added to the route table breaks all isolation. 
This is why monitoring ",{"type":29,"tag":117,"props":487,"children":489},{"className":488},[],[490],{"type":35,"value":491},"CreateRoute",{"type":35,"value":493}," calls via CloudTrail and setting up alarms on them is vitally important.",{"type":29,"tag":134,"props":495,"children":497},{"className":136,"code":496,"language":138,"meta":7,"style":7},"flowchart LR\n    subgraph VPC[\"10.100.0.0\u002F21 VPC\"]\n        subgraph AZ_A[\"AZ-a\"]\n            PUB1[\"Public Subnet 1\\n10.100.1.0\u002F24\"]\n            PRIV1[\"Private Subnet 1\\n10.100.2.0\u002F24\"]\n        end\n        subgraph AZ_B[\"AZ-b\"]\n            PUB2[\"Public Subnet 2\\n10.100.3.0\u002F24\"]\n            PRIV2[\"Private Subnet 2\\n10.100.4.0\u002F24\"]\n        end\n    end\n    \n    PUB1 --> RT_PUB[\"Public RT\\n0.0.0.0\u002F0 → IGW\"]\n    PUB2 --> RT_PUB\n    PRIV1 --> RT_PRIV_A[\"Private RT A\\n0.0.0.0\u002F0 → NAT-GW-A\"]\n    PRIV2 --> RT_PRIV_B[\"Private RT B\\n0.0.0.0\u002F0 → NAT-GW-B\"]\n    \n    RT_PUB --> IGW_GW[\"Internet Gateway\"]\n    RT_PRIV_A --> NAT_A[\"NAT Gateway A\"]\n    RT_PRIV_B --> NAT_B[\"NAT Gateway B\"]\n    \n    style IGW_GW fill:#ffd43b,color:#000\n    style NAT_A fill:#74c0fc,color:#000\n    style NAT_B fill:#74c0fc,color:#000\n",[498],{"type":29,"tag":117,"props":499,"children":500},{"__ignoreMap":7},[501,509,517,525,533,541,548,556,564,572,579,586,593,601,609,617,625,632,640,648,656,663,671,679],{"type":29,"tag":144,"props":502,"children":503},{"class":146,"line":147},[504],{"type":29,"tag":144,"props":505,"children":506},{"style":151},[507],{"type":35,"value":508},"flowchart LR\n",{"type":29,"tag":144,"props":510,"children":511},{"class":146,"line":157},[512],{"type":29,"tag":144,"props":513,"children":514},{"style":151},[515],{"type":35,"value":516},"    subgraph VPC[\"10.100.0.0\u002F21 
VPC\"]\n",{"type":29,"tag":144,"props":518,"children":519},{"class":146,"line":166},[520],{"type":29,"tag":144,"props":521,"children":522},{"style":151},[523],{"type":35,"value":524},"        subgraph AZ_A[\"AZ-a\"]\n",{"type":29,"tag":144,"props":526,"children":527},{"class":146,"line":175},[528],{"type":29,"tag":144,"props":529,"children":530},{"style":151},[531],{"type":35,"value":532},"            PUB1[\"Public Subnet 1\\n10.100.1.0\u002F24\"]\n",{"type":29,"tag":144,"props":534,"children":535},{"class":146,"line":184},[536],{"type":29,"tag":144,"props":537,"children":538},{"style":151},[539],{"type":35,"value":540},"            PRIV1[\"Private Subnet 1\\n10.100.2.0\u002F24\"]\n",{"type":29,"tag":144,"props":542,"children":543},{"class":146,"line":193},[544],{"type":29,"tag":144,"props":545,"children":546},{"style":151},[547],{"type":35,"value":235},{"type":29,"tag":144,"props":549,"children":550},{"class":146,"line":202},[551],{"type":29,"tag":144,"props":552,"children":553},{"style":151},[554],{"type":35,"value":555},"        subgraph AZ_B[\"AZ-b\"]\n",{"type":29,"tag":144,"props":557,"children":558},{"class":146,"line":211},[559],{"type":29,"tag":144,"props":560,"children":561},{"style":151},[562],{"type":35,"value":563},"            PUB2[\"Public Subnet 2\\n10.100.3.0\u002F24\"]\n",{"type":29,"tag":144,"props":565,"children":566},{"class":146,"line":220},[567],{"type":29,"tag":144,"props":568,"children":569},{"style":151},[570],{"type":35,"value":571},"            PRIV2[\"Private Subnet 
2\\n10.100.4.0\u002F24\"]\n",{"type":29,"tag":144,"props":573,"children":574},{"class":146,"line":229},[575],{"type":29,"tag":144,"props":576,"children":577},{"style":151},[578],{"type":35,"value":235},{"type":29,"tag":144,"props":580,"children":581},{"class":146,"line":238},[582],{"type":29,"tag":144,"props":583,"children":584},{"style":151},[585],{"type":35,"value":181},{"type":29,"tag":144,"props":587,"children":588},{"class":146,"line":247},[589],{"type":29,"tag":144,"props":590,"children":591},{"style":151},[592],{"type":35,"value":190},{"type":29,"tag":144,"props":594,"children":595},{"class":146,"line":256},[596],{"type":29,"tag":144,"props":597,"children":598},{"style":151},[599],{"type":35,"value":600},"    PUB1 --> RT_PUB[\"Public RT\\n0.0.0.0\u002F0 → IGW\"]\n",{"type":29,"tag":144,"props":602,"children":603},{"class":146,"line":265},[604],{"type":29,"tag":144,"props":605,"children":606},{"style":151},[607],{"type":35,"value":608},"    PUB2 --> RT_PUB\n",{"type":29,"tag":144,"props":610,"children":611},{"class":146,"line":273},[612],{"type":29,"tag":144,"props":613,"children":614},{"style":151},[615],{"type":35,"value":616},"    PRIV1 --> RT_PRIV_A[\"Private RT A\\n0.0.0.0\u002F0 → NAT-GW-A\"]\n",{"type":29,"tag":144,"props":618,"children":619},{"class":146,"line":282},[620],{"type":29,"tag":144,"props":621,"children":622},{"style":151},[623],{"type":35,"value":624},"    PRIV2 --> RT_PRIV_B[\"Private RT B\\n0.0.0.0\u002F0 → NAT-GW-B\"]\n",{"type":29,"tag":144,"props":626,"children":627},{"class":146,"line":291},[628],{"type":29,"tag":144,"props":629,"children":630},{"style":151},[631],{"type":35,"value":190},{"type":29,"tag":144,"props":633,"children":634},{"class":146,"line":299},[635],{"type":29,"tag":144,"props":636,"children":637},{"style":151},[638],{"type":35,"value":639},"    RT_PUB --> IGW_GW[\"Internet 
Gateway\"]\n",{"type":29,"tag":144,"props":641,"children":642},{"class":146,"line":307},[643],{"type":29,"tag":144,"props":644,"children":645},{"style":151},[646],{"type":35,"value":647},"    RT_PRIV_A --> NAT_A[\"NAT Gateway A\"]\n",{"type":29,"tag":144,"props":649,"children":650},{"class":146,"line":316},[651],{"type":29,"tag":144,"props":652,"children":653},{"style":151},[654],{"type":35,"value":655},"    RT_PRIV_B --> NAT_B[\"NAT Gateway B\"]\n",{"type":29,"tag":144,"props":657,"children":658},{"class":146,"line":324},[659],{"type":29,"tag":144,"props":660,"children":661},{"style":151},[662],{"type":35,"value":190},{"type":29,"tag":144,"props":664,"children":665},{"class":146,"line":333},[666],{"type":29,"tag":144,"props":667,"children":668},{"style":151},[669],{"type":35,"value":670},"    style IGW_GW fill:#ffd43b,color:#000\n",{"type":29,"tag":144,"props":672,"children":673},{"class":146,"line":342},[674],{"type":29,"tag":144,"props":675,"children":676},{"style":151},[677],{"type":35,"value":678},"    style NAT_A fill:#74c0fc,color:#000\n",{"type":29,"tag":144,"props":680,"children":681},{"class":146,"line":351},[682],{"type":29,"tag":144,"props":683,"children":684},{"style":151},[685],{"type":35,"value":686},"    style NAT_B fill:#74c0fc,color:#000\n",{"type":29,"tag":38,"props":688,"children":689},{},[690],{"type":35,"value":691},"A NAT Gateway is a security layer that lets resources in a private subnet reach the internet while accepting no inbound connections from outside. For high availability, however, a separate one must be placed in each AZ. Otherwise the failure of a single AZ can halt all of your internet egress.",{"type":29,"tag":58,"props":693,"children":695},{"title":694,"type":61},"Field Observation",[696],{"type":29,"tag":38,"props":697,"children":698},{},[699],{"type":35,"value":700},"Using a single NAT Gateway in development environments to save cost, and then leaving the same layout in production, is a common mistake. 
This creates a \"single point of failure\" and can prevent security tools that need to reach patch repositories during incident response from working.",{"type":29,"tag":30,"props":702,"children":704},{"id":703},"security-group-ve-nacl-i̇ki-katmanlı-savunma-hattı",[705],{"type":35,"value":706},"Security Groups and NACLs: A Two-Layer Line of Defense",{"type":29,"tag":38,"props":708,"children":709},{},[710,712,717],{"type":35,"value":711},"AWS recommends using security groups at the instance level together with network ACLs (NACLs) at the subnet level to increase defense in depth (",{"type":29,"tag":44,"props":713,"children":715},{"link":714},"https:\u002F\u002Fdocs.aws.amazon.com\u002Fvpc\u002Flatest\u002Fuserguide\u002Fvpc-security-best-practices.html",[716],{"type":35,"value":14},{"type":35,"value":718},"). But these two mechanisms are not alternatives to each other; they work at different layers and with different logic.",{"type":29,"tag":436,"props":720,"children":721},{"icon":438},[722],{"type":29,"tag":38,"props":723,"children":724},{},[725,729,731,737,738,744],{"type":29,"tag":444,"props":726,"children":727},{},[728],{"type":35,"value":448},{"type":35,"value":730}," Security Groups provide \"stateful\" protection at the server level, while NACLs are a \"stateless\" checkpoint at the subnet level (",{"type":29,"tag":44,"props":732,"children":734},{"link":733},"https:\u002F\u002Fdocs.aws.amazon.com\u002Fvpc\u002Flatest\u002Fuserguide\u002Fvpc-security-groups.html",[735],{"type":35,"value":736},"AWS SG",{"type":35,"value":124},{"type":29,"tag":44,"props":739,"children":741},{"link":740},"https:\u002F\u002Fdocs.aws.amazon.com\u002Fvpc\u002Flatest\u002Fuserguide\u002Fvpc-network-acls.html",[742],{"type":35,"value":743},"AWS NACL",{"type":35,"value":745},"). 
This two-layer structure increases defense in depth and significantly narrows the blast radius of a potential intrusion attempt.",{"type":29,"tag":38,"props":747,"children":748},{},[749,754],{"type":29,"tag":444,"props":750,"children":751},{},[752],{"type":35,"value":753},"Security Group",{"type":35,"value":755}," operates at the server level and is stateful. The reply to a connection you allow in passes automatically. Being able to reference another Security Group ID as the source, instead of an IP, lets you write dynamic rules.",{"type":29,"tag":38,"props":757,"children":758},{},[759,764],{"type":29,"tag":444,"props":760,"children":761},{},[762],{"type":35,"value":763},"NACL",{"type":35,"value":765}," operates at the subnet level and is stateless. Even if you allow traffic in, you must separately write an outbound rule for the return traffic. Its support for \"Deny\" rules makes the NACL the only option for blocking specific IP blocks wholesale.",{"type":29,"tag":134,"props":767,"children":769},{"className":136,"code":768,"language":138,"meta":7,"style":7},"flowchart TD\n    TRAFIK[\"Gelen Paket\"] --> NACL_IN{\"NACL Inbound\\n(Subnet Seviyesi)\\nEn düşük numaralı kuraldan başlar\"}\n    NACL_IN -->|\"DENY\"| DROP1[\"❌ Paket Düşürüldü\"]\n    NACL_IN -->|\"ALLOW\"| SG{\"Security Group\\n(Instance Seviyesi)\\nTüm kurallar değerlendirilir\"}\n    SG -->|\"DENY (örtük)\"| DROP2[\"❌ Paket Düşürüldü\"]\n    SG -->|\"ALLOW\"| INSTANCE[\"✅ Instance'a Ulaştı\"]\n    \n    INSTANCE --> CEVAP[\"Dönüş Paketi\"]\n    CEVAP --> SG_OUT{\"SG Outbound Kontrolü\\n(Stateful: Otomatik İzin)\"}\n    SG_OUT --> NACL_OUT{\"NACL Outbound\\n(Stateless: Kural Gerektirir)\"}\n    NACL_OUT -->|\"DENY\"| DROP3[\"❌ Cevap Düşürüldü\"]\n    NACL_OUT -->|\"ALLOW\"| CIKIS[\"✅ Paket İletildi\"]\n    \n    style DROP1 fill:#ff6b6b,color:#fff\n    style DROP2 fill:#ff6b6b,color:#fff\n    style DROP3 fill:#ff6b6b,color:#fff\n    style INSTANCE fill:#51cf66,color:#000\n    
style CIKIS fill:#51cf66,color:#000\n",[770],{"type":29,"tag":117,"props":771,"children":772},{"__ignoreMap":7},[773,781,789,797,805,813,821,828,836,844,852,860,868,875,883,891,899,907],{"type":29,"tag":144,"props":774,"children":775},{"class":146,"line":147},[776],{"type":29,"tag":144,"props":777,"children":778},{"style":151},[779],{"type":35,"value":780},"flowchart TD\n",{"type":29,"tag":144,"props":782,"children":783},{"class":146,"line":157},[784],{"type":29,"tag":144,"props":785,"children":786},{"style":151},[787],{"type":35,"value":788},"    TRAFIK[\"Gelen Paket\"] --> NACL_IN{\"NACL Inbound\\n(Subnet Seviyesi)\\nEn düşük numaralı kuraldan başlar\"}\n",{"type":29,"tag":144,"props":790,"children":791},{"class":146,"line":166},[792],{"type":29,"tag":144,"props":793,"children":794},{"style":151},[795],{"type":35,"value":796},"    NACL_IN -->|\"DENY\"| DROP1[\"❌ Paket Düşürüldü\"]\n",{"type":29,"tag":144,"props":798,"children":799},{"class":146,"line":175},[800],{"type":29,"tag":144,"props":801,"children":802},{"style":151},[803],{"type":35,"value":804},"    NACL_IN -->|\"ALLOW\"| SG{\"Security Group\\n(Instance Seviyesi)\\nTüm kurallar değerlendirilir\"}\n",{"type":29,"tag":144,"props":806,"children":807},{"class":146,"line":184},[808],{"type":29,"tag":144,"props":809,"children":810},{"style":151},[811],{"type":35,"value":812},"    SG -->|\"DENY (örtük)\"| DROP2[\"❌ Paket Düşürüldü\"]\n",{"type":29,"tag":144,"props":814,"children":815},{"class":146,"line":193},[816],{"type":29,"tag":144,"props":817,"children":818},{"style":151},[819],{"type":35,"value":820},"    SG -->|\"ALLOW\"| INSTANCE[\"✅ Instance'a Ulaştı\"]\n",{"type":29,"tag":144,"props":822,"children":823},{"class":146,"line":202},[824],{"type":29,"tag":144,"props":825,"children":826},{"style":151},[827],{"type":35,"value":190},{"type":29,"tag":144,"props":829,"children":830},{"class":146,"line":211},[831],{"type":29,"tag":144,"props":832,"children":833},{"style":151},[834],{"type":35,"value":835},"    
INSTANCE --> CEVAP[\"Dönüş Paketi\"]\n",{"type":29,"tag":144,"props":837,"children":838},{"class":146,"line":220},[839],{"type":29,"tag":144,"props":840,"children":841},{"style":151},[842],{"type":35,"value":843},"    CEVAP --> SG_OUT{\"SG Outbound Kontrolü\\n(Stateful: Otomatik İzin)\"}\n",{"type":29,"tag":144,"props":845,"children":846},{"class":146,"line":229},[847],{"type":29,"tag":144,"props":848,"children":849},{"style":151},[850],{"type":35,"value":851},"    SG_OUT --> NACL_OUT{\"NACL Outbound\\n(Stateless: Kural Gerektirir)\"}\n",{"type":29,"tag":144,"props":853,"children":854},{"class":146,"line":238},[855],{"type":29,"tag":144,"props":856,"children":857},{"style":151},[858],{"type":35,"value":859},"    NACL_OUT -->|\"DENY\"| DROP3[\"❌ Cevap Düşürüldü\"]\n",{"type":29,"tag":144,"props":861,"children":862},{"class":146,"line":247},[863],{"type":29,"tag":144,"props":864,"children":865},{"style":151},[866],{"type":35,"value":867},"    NACL_OUT -->|\"ALLOW\"| CIKIS[\"✅ Paket İletildi\"]\n",{"type":29,"tag":144,"props":869,"children":870},{"class":146,"line":256},[871],{"type":29,"tag":144,"props":872,"children":873},{"style":151},[874],{"type":35,"value":190},{"type":29,"tag":144,"props":876,"children":877},{"class":146,"line":265},[878],{"type":29,"tag":144,"props":879,"children":880},{"style":151},[881],{"type":35,"value":882},"    style DROP1 fill:#ff6b6b,color:#fff\n",{"type":29,"tag":144,"props":884,"children":885},{"class":146,"line":273},[886],{"type":29,"tag":144,"props":887,"children":888},{"style":151},[889],{"type":35,"value":890},"    style DROP2 fill:#ff6b6b,color:#fff\n",{"type":29,"tag":144,"props":892,"children":893},{"class":146,"line":282},[894],{"type":29,"tag":144,"props":895,"children":896},{"style":151},[897],{"type":35,"value":898},"    style DROP3 
fill:#ff6b6b,color:#fff\n",{"type":29,"tag":144,"props":900,"children":901},{"class":146,"line":291},[902],{"type":29,"tag":144,"props":903,"children":904},{"style":151},[905],{"type":35,"value":906},"    style INSTANCE fill:#51cf66,color:#000\n",{"type":29,"tag":144,"props":908,"children":909},{"class":146,"line":299},[910],{"type":29,"tag":144,"props":911,"children":912},{"style":151},[913],{"type":35,"value":914},"    style CIKIS fill:#51cf66,color:#000\n",{"type":29,"tag":58,"props":916,"children":918},{"title":917,"type":61},"Unique Insight",[919],{"type":29,"tag":38,"props":920,"children":921},{},[922],{"type":35,"value":923},"In an incident response scenario, it is much harder for an attacker to change NACL rules from a server they have compromised than to change Security Group rules. The NACL sits at the subnet level and is usually subject to stricter IAM controls. That makes the NACL a more reliable lock for blocking the attacker's lateral movement.",{"type":29,"tag":30,"props":925,"children":927},{"id":926},"vpc-endpoint-ve-privatelink-trafiği-aws-i̇çinde-tutmak",[928],{"type":35,"value":929},"VPC Endpoints and PrivateLink: Keeping Traffic Inside AWS",{"type":29,"tag":38,"props":931,"children":932},{},[933,935,940],{"type":35,"value":934},"According to AWS, using VPC Endpoints (PrivateLink) lets traffic reach services over the AWS backbone without going out to the internet, which significantly reduces the attack surface compared with using a NAT Gateway (",{"type":29,"tag":44,"props":936,"children":938},{"link":937},"https:\u002F\u002Fdocs.aws.amazon.com\u002Fvpc\u002Flatest\u002Fprivatelink\u002Fwhat-is-privatelink.html",[939],{"type":35,"value":14},{"type":35,"value":941},"). 
Bunun temel nedeni, trafiğin hiçbir zaman genel internete çıkmaması ve AWS omurgasından ayrılmamasıdır.",{"type":29,"tag":38,"props":943,"children":944},{},[945],{"type":35,"value":946},"Private bir alt ağdaki sunucunun S3'e erişmesi gerektiğinde, klasik yöntem NAT Gateway üzerinden internete çıkmaktır. Bu yöntem hem ek maliyet getirir hem de trafiğinizi dış dünyaya maruz bırakır. VPC Endpoint ve PrivateLink ise bu sorunu kökten çözer.",{"type":29,"tag":38,"props":948,"children":949},{},[950,955,957,962],{"type":29,"tag":444,"props":951,"children":952},{},[953],{"type":35,"value":954},"Gateway Endpoint",{"type":35,"value":956}," (S3 ve DynamoDB): Ücretsizdir ve rota tablosuna eklenen bir kural ile çalışır. Bant genişliği sınırı yoktur.\n",{"type":29,"tag":444,"props":958,"children":959},{},[960],{"type":35,"value":961},"Interface Endpoint \u002F PrivateLink",{"type":35,"value":963},": Alt ağınızda özel bir IP'ye sahip bir ENI oluşturur. Saatlik ücretlidir ancak 150'den fazla AWS servisini destekler.",{"type":29,"tag":134,"props":965,"children":967},{"className":136,"code":966,"language":138,"meta":7,"style":7},"flowchart LR\n    subgraph VPC[\"VPC\"]\n        subgraph Private_Subnet[\"Private Subnet\"]\n            EC2[\"EC2 Instance\\n10.100.1.5\"]\n        end\n        ENI[\"Interface Endpoint ENI\\n10.100.1.10\"]\n    end\n    \n    EC2 -->|\"Eski yol ❌\"| NAT[\"NAT Gateway\"] --> Internet[\"🌐 İnternet\"] --> AWS_PUB[\"AWS Public API\"]\n    EC2 -->|\"PrivateLink ✅\"| ENI -->|\"AWS Omurgası\\n(İnternete Çıkmaz)\"| AWS_PRIV[\"AWS Servisi\\n(Secrets Manager, KMS vb.)\"]\n    \n    style Internet fill:#ff6b6b,color:#fff\n    style AWS_PRIV fill:#51cf66,color:#000\n    style ENI 
fill:#74c0fc,color:#000\n",[968],{"type":29,"tag":117,"props":969,"children":970},{"__ignoreMap":7},[971,978,986,994,1002,1009,1017,1024,1031,1039,1047,1054,1062,1070],{"type":29,"tag":144,"props":972,"children":973},{"class":146,"line":147},[974],{"type":29,"tag":144,"props":975,"children":976},{"style":151},[977],{"type":35,"value":508},{"type":29,"tag":144,"props":979,"children":980},{"class":146,"line":157},[981],{"type":29,"tag":144,"props":982,"children":983},{"style":151},[984],{"type":35,"value":985},"    subgraph VPC[\"VPC\"]\n",{"type":29,"tag":144,"props":987,"children":988},{"class":146,"line":166},[989],{"type":29,"tag":144,"props":990,"children":991},{"style":151},[992],{"type":35,"value":993},"        subgraph Private_Subnet[\"Private Subnet\"]\n",{"type":29,"tag":144,"props":995,"children":996},{"class":146,"line":175},[997],{"type":29,"tag":144,"props":998,"children":999},{"style":151},[1000],{"type":35,"value":1001},"            EC2[\"EC2 Instance\\n10.100.1.5\"]\n",{"type":29,"tag":144,"props":1003,"children":1004},{"class":146,"line":184},[1005],{"type":29,"tag":144,"props":1006,"children":1007},{"style":151},[1008],{"type":35,"value":235},{"type":29,"tag":144,"props":1010,"children":1011},{"class":146,"line":193},[1012],{"type":29,"tag":144,"props":1013,"children":1014},{"style":151},[1015],{"type":35,"value":1016},"        ENI[\"Interface Endpoint ENI\\n10.100.1.10\"]\n",{"type":29,"tag":144,"props":1018,"children":1019},{"class":146,"line":202},[1020],{"type":29,"tag":144,"props":1021,"children":1022},{"style":151},[1023],{"type":35,"value":181},{"type":29,"tag":144,"props":1025,"children":1026},{"class":146,"line":211},[1027],{"type":29,"tag":144,"props":1028,"children":1029},{"style":151},[1030],{"type":35,"value":190},{"type":29,"tag":144,"props":1032,"children":1033},{"class":146,"line":220},[1034],{"type":29,"tag":144,"props":1035,"children":1036},{"style":151},[1037],{"type":35,"value":1038},"    EC2 -->|\"Eski yol ❌\"| NAT[\"NAT 
Gateway\"] --> Internet[\"🌐 İnternet\"] --> AWS_PUB[\"AWS Public API\"]\n",{"type":29,"tag":144,"props":1040,"children":1041},{"class":146,"line":229},[1042],{"type":29,"tag":144,"props":1043,"children":1044},{"style":151},[1045],{"type":35,"value":1046},"    EC2 -->|\"PrivateLink ✅\"| ENI -->|\"AWS Omurgası\\n(İnternete Çıkmaz)\"| AWS_PRIV[\"AWS Servisi\\n(Secrets Manager, KMS vb.)\"]\n",{"type":29,"tag":144,"props":1048,"children":1049},{"class":146,"line":238},[1050],{"type":29,"tag":144,"props":1051,"children":1052},{"style":151},[1053],{"type":35,"value":190},{"type":29,"tag":144,"props":1055,"children":1056},{"class":146,"line":247},[1057],{"type":29,"tag":144,"props":1058,"children":1059},{"style":151},[1060],{"type":35,"value":1061},"    style Internet fill:#ff6b6b,color:#fff\n",{"type":29,"tag":144,"props":1063,"children":1064},{"class":146,"line":256},[1065],{"type":29,"tag":144,"props":1066,"children":1067},{"style":151},[1068],{"type":35,"value":1069},"    style AWS_PRIV fill:#51cf66,color:#000\n",{"type":29,"tag":144,"props":1071,"children":1072},{"class":146,"line":265},[1073],{"type":29,"tag":144,"props":1074,"children":1075},{"style":151},[1076],{"type":35,"value":1077},"    style ENI fill:#74c0fc,color:#000\n",{"type":29,"tag":58,"props":1079,"children":1080},{"title":917,"type":61},[1081],{"type":29,"tag":38,"props":1082,"children":1083},{},[1084],{"type":35,"value":1085},"VPC Endpoint oluşturduğunuzda varsayılan politikanın \"tam erişim\" (Full Access) verdiğini unutmayın. Bu bir güvenlik açığına dönüşebilir. 
Endpoint politikasına yalnızca kendi S3 bucket'larınıza erişim izni veren kurallar ekleyerek, veri sızdırma girişimlerini henüz başlamadan engelleyebilirsiniz.",{"type":29,"tag":30,"props":1087,"children":1089},{"id":1088},"dns-güvenliği-sessiz-tehditlerin-i̇zini-sürmek",[1090],{"type":35,"value":1091},"DNS Güvenliği: Sessiz Tehditlerin İzini Sürmek",{"type":29,"tag":38,"props":1093,"children":1094},{},[1095,1097,1102],{"type":35,"value":1096},"Bulut saldırılarında DNS, komuta kontrol (C2) iletişimi ve veri sızdırma için en sık suistimal edilen protokollerden biri olarak öne çıkıyor (",{"type":29,"tag":44,"props":1098,"children":1100},{"link":1099},"https:\u002F\u002Faws.amazon.com\u002Fblogs\u002Fsecurity\u002Fautomatically-block-suspicious-dns-activity-with-amazon-guardduty-and-route-53-resolver-dns-firewall\u002F",[1101],{"type":35,"value":14},{"type":35,"value":1103},"). VPC içindeki her sunucu, varsayılan olarak Amazon'un sağladığı DNS sunucusunu kullanır. Bu trafik genellikle denetlenmez, bu da onu saldırganlar için ideal bir keşif yolu haline getirir.",{"type":29,"tag":436,"props":1105,"children":1106},{"icon":438},[1107],{"type":29,"tag":38,"props":1108,"children":1109},{},[1110,1114,1116,1120],{"type":29,"tag":444,"props":1111,"children":1112},{},[1113],{"type":35,"value":448},{"type":35,"value":1115}," AWS Route 53 Resolver DNS Firewall, domain tabanlı filtreleme ile DNS üzerinden yapılabilecek saldırıları kontrol altına alır (",{"type":29,"tag":44,"props":1117,"children":1118},{"link":1099},[1119],{"type":35,"value":14},{"type":35,"value":1121},"). Bu sistem, yalnızca güvenilen alan adlarına sorgu yapılmasına izin vererek veri sızdırma riskini azaltır.",{"type":29,"tag":38,"props":1123,"children":1124},{},[1125],{"type":35,"value":1126},"Amazon Route 53 Resolver DNS Firewall ile hangi alan adlarına sorgu yapılabileceğini sınırlayabilirsiniz. Örneğin, yalnızca şirket içi domainlerinize ve AWS servislerine izin verip diğer her şeyi engelleyebilirsiniz. 
Bu sayede bir sunucu ele geçirilse bile, saldırganın dışarıdaki bir sunucuyla haberleşmesi veya ağ yapınızı haritalaması oldukça zorlaşır.",{"type":29,"tag":58,"props":1128,"children":1129},{"title":917,"type":61},[1130],{"type":29,"tag":38,"props":1131,"children":1132},{},[1133],{"type":35,"value":1134},"DNS Firewall kurarken yapılan en kritik hata, \"Allow\" listesini oluşturup sona \"Deny all\" kuralını eklemeyi unutmaktır. AWS konsolu varsayılan olarak listede olmayan her şeye izin verir. Bu kuralı eklemediğiniz sürece güvenlik duvarınız aslında pasif durumdadır.",{"type":29,"tag":30,"props":1136,"children":1138},{"id":1137},"vpc-i̇zleme-flow-logs-traffic-mirroring-ve-guardduty",[1139],{"type":35,"value":1140},"VPC İzleme: Flow Logs, Traffic Mirroring ve GuardDuty",{"type":29,"tag":38,"props":1142,"children":1143},{},[1144],{"type":35,"value":1145},"AWS ağında görünürlük sağlamak için VPC Flow Logs, Traffic Mirroring ve GuardDuty üçlüsü temel direkleri oluşturur. Her biri farklı bir derinlikte analiz sunar.",{"type":29,"tag":38,"props":1147,"children":1148},{},[1149,1154,1156,1161,1163,1168,1170,1175],{"type":29,"tag":444,"props":1150,"children":1151},{},[1152],{"type":35,"value":1153},"VPC Flow Logs",{"type":35,"value":1155},": Paket başlıklarını loglar. Hangi IP'nin hangi porttan veri gönderdiğini gösterir. S3 ve Athena ile analiz etmek oldukça maliyet-etkindir.\n",{"type":29,"tag":444,"props":1157,"children":1158},{},[1159],{"type":35,"value":1160},"VPC Traffic Mirroring",{"type":35,"value":1162},": Trafiğin tam kopyasını alır. 
Derinlemesine inceleme için Suricata veya Zeek gibi IDS araçlarına veri sağlar (",{"type":29,"tag":44,"props":1164,"children":1166},{"link":1165},"https:\u002F\u002Fdocs.aws.amazon.com\u002Fvpc\u002Flatest\u002Fmirroring\u002Fwhat-is-traffic-mirroring.html",[1167],{"type":35,"value":14},{"type":35,"value":1169},").\n",{"type":29,"tag":444,"props":1171,"children":1172},{},[1173],{"type":35,"value":1174},"Amazon GuardDuty",{"type":35,"value":1176},": Makine öğrenimi ile Flow Logs ve DNS loglarını analiz ederek şüpheli aktiviteleri (port tarama, kripto madenciliği vb.) tespit eder.",{"type":29,"tag":134,"props":1178,"children":1180},{"className":136,"code":1179,"language":138,"meta":7,"style":7},"flowchart TD\n    VPC_TRAFIK[\"VPC Ağ Trafiği\"] --> FLOW[\"VPC Flow Logs\\n(Paket Başlıkları)\"]\n    VPC_TRAFIK --> MIRROR[\"Traffic Mirroring\\n(Tam Paket Kopyası)\"]\n    \n    FLOW --> S3[\"S3 + Athena\\n(Ucuz, Uzun Vadeli)\"]\n    FLOW --> CW[\"CloudWatch Logs\\n(Gerçek Zamanlı Alarm)\"]\n    \n    MIRROR --> IDS[\"IDS\u002FIPS\\n(Suricata \u002F Zeek)\"]\n    \n    FLOW --> GUARDDUTY[\"Amazon GuardDuty\\n(ML + Threat Intel)\"]\n    DNS_LOGS[\"DNS Sorgu Logları\"] --> GUARDDUTY\n    CLOUDTRAIL[\"CloudTrail Logları\"] --> GUARDDUTY\n    \n    GUARDDUTY --> BULGU[\"🔴 Bulgular\\n(Port Tarama, Veri Sızdırma,\\nKripto Mining vb.)\"]\n    BULGU --> EVENTBRIDGE[\"EventBridge\"] --> SOAR[\"Otomatik Yanıt\\n(Lambda \u002F Security Hub)\"]\n    \n    style GUARDDUTY fill:#845ef7,color:#fff\n    style BULGU fill:#ff6b6b,color:#fff\n    style SOAR 
fill:#51cf66,color:#000\n",[1181],{"type":29,"tag":117,"props":1182,"children":1183},{"__ignoreMap":7},[1184,1191,1199,1207,1214,1222,1230,1237,1245,1252,1260,1268,1276,1283,1291,1299,1306,1314,1322],{"type":29,"tag":144,"props":1185,"children":1186},{"class":146,"line":147},[1187],{"type":29,"tag":144,"props":1188,"children":1189},{"style":151},[1190],{"type":35,"value":780},{"type":29,"tag":144,"props":1192,"children":1193},{"class":146,"line":157},[1194],{"type":29,"tag":144,"props":1195,"children":1196},{"style":151},[1197],{"type":35,"value":1198},"    VPC_TRAFIK[\"VPC Ağ Trafiği\"] --> FLOW[\"VPC Flow Logs\\n(Paket Başlıkları)\"]\n",{"type":29,"tag":144,"props":1200,"children":1201},{"class":146,"line":166},[1202],{"type":29,"tag":144,"props":1203,"children":1204},{"style":151},[1205],{"type":35,"value":1206},"    VPC_TRAFIK --> MIRROR[\"Traffic Mirroring\\n(Tam Paket Kopyası)\"]\n",{"type":29,"tag":144,"props":1208,"children":1209},{"class":146,"line":175},[1210],{"type":29,"tag":144,"props":1211,"children":1212},{"style":151},[1213],{"type":35,"value":190},{"type":29,"tag":144,"props":1215,"children":1216},{"class":146,"line":184},[1217],{"type":29,"tag":144,"props":1218,"children":1219},{"style":151},[1220],{"type":35,"value":1221},"    FLOW --> S3[\"S3 + Athena\\n(Ucuz, Uzun Vadeli)\"]\n",{"type":29,"tag":144,"props":1223,"children":1224},{"class":146,"line":193},[1225],{"type":29,"tag":144,"props":1226,"children":1227},{"style":151},[1228],{"type":35,"value":1229},"    FLOW --> CW[\"CloudWatch Logs\\n(Gerçek Zamanlı Alarm)\"]\n",{"type":29,"tag":144,"props":1231,"children":1232},{"class":146,"line":202},[1233],{"type":29,"tag":144,"props":1234,"children":1235},{"style":151},[1236],{"type":35,"value":190},{"type":29,"tag":144,"props":1238,"children":1239},{"class":146,"line":211},[1240],{"type":29,"tag":144,"props":1241,"children":1242},{"style":151},[1243],{"type":35,"value":1244},"    MIRROR --> IDS[\"IDS\u002FIPS\\n(Suricata \u002F 
Zeek)\"]\n",{"type":29,"tag":144,"props":1246,"children":1247},{"class":146,"line":220},[1248],{"type":29,"tag":144,"props":1249,"children":1250},{"style":151},[1251],{"type":35,"value":190},{"type":29,"tag":144,"props":1253,"children":1254},{"class":146,"line":229},[1255],{"type":29,"tag":144,"props":1256,"children":1257},{"style":151},[1258],{"type":35,"value":1259},"    FLOW --> GUARDDUTY[\"Amazon GuardDuty\\n(ML + Threat Intel)\"]\n",{"type":29,"tag":144,"props":1261,"children":1262},{"class":146,"line":238},[1263],{"type":29,"tag":144,"props":1264,"children":1265},{"style":151},[1266],{"type":35,"value":1267},"    DNS_LOGS[\"DNS Sorgu Logları\"] --> GUARDDUTY\n",{"type":29,"tag":144,"props":1269,"children":1270},{"class":146,"line":247},[1271],{"type":29,"tag":144,"props":1272,"children":1273},{"style":151},[1274],{"type":35,"value":1275},"    CLOUDTRAIL[\"CloudTrail Logları\"] --> GUARDDUTY\n",{"type":29,"tag":144,"props":1277,"children":1278},{"class":146,"line":256},[1279],{"type":29,"tag":144,"props":1280,"children":1281},{"style":151},[1282],{"type":35,"value":190},{"type":29,"tag":144,"props":1284,"children":1285},{"class":146,"line":265},[1286],{"type":29,"tag":144,"props":1287,"children":1288},{"style":151},[1289],{"type":35,"value":1290},"    GUARDDUTY --> BULGU[\"🔴 Bulgular\\n(Port Tarama, Veri Sızdırma,\\nKripto Mining vb.)\"]\n",{"type":29,"tag":144,"props":1292,"children":1293},{"class":146,"line":273},[1294],{"type":29,"tag":144,"props":1295,"children":1296},{"style":151},[1297],{"type":35,"value":1298},"    BULGU --> EVENTBRIDGE[\"EventBridge\"] --> SOAR[\"Otomatik Yanıt\\n(Lambda \u002F Security 
Hub)\"]\n",{"type":29,"tag":144,"props":1300,"children":1301},{"class":146,"line":282},[1302],{"type":29,"tag":144,"props":1303,"children":1304},{"style":151},[1305],{"type":35,"value":190},{"type":29,"tag":144,"props":1307,"children":1308},{"class":146,"line":291},[1309],{"type":29,"tag":144,"props":1310,"children":1311},{"style":151},[1312],{"type":35,"value":1313},"    style GUARDDUTY fill:#845ef7,color:#fff\n",{"type":29,"tag":144,"props":1315,"children":1316},{"class":146,"line":299},[1317],{"type":29,"tag":144,"props":1318,"children":1319},{"style":151},[1320],{"type":35,"value":1321},"    style BULGU fill:#ff6b6b,color:#fff\n",{"type":29,"tag":144,"props":1323,"children":1324},{"class":146,"line":307},[1325],{"type":29,"tag":144,"props":1326,"children":1327},{"style":151},[1328],{"type":35,"value":1329},"    style SOAR fill:#51cf66,color:#000\n",{"type":29,"tag":30,"props":1331,"children":1333},{"id":1332},"vpc-bağlantısallığı-güvenli-köprüler-kurmak",[1334],{"type":35,"value":1335},"VPC Bağlantısallığı: Güvenli Köprüler Kurmak",{"type":29,"tag":38,"props":1337,"children":1338},{},[1339],{"type":35,"value":1340},"VPC'leri birbirine veya şirket içi ağlara bağlarken güvenlik modelinize en uygun yöntemi seçmek gerekir.",{"type":29,"tag":1342,"props":1343,"children":1345},"h3",{"id":1344},"site-to-site-vpn-vs-direct-connect",[1346],{"type":35,"value":1347},"Site-to-Site VPN vs Direct Connect",{"type":29,"tag":1349,"props":1350,"children":1351},"table",{},[1352,1376],{"type":29,"tag":1353,"props":1354,"children":1355},"thead",{},[1356],{"type":29,"tag":1357,"props":1358,"children":1359},"tr",{},[1360,1366,1371],{"type":29,"tag":1361,"props":1362,"children":1363},"th",{},[1364],{"type":35,"value":1365},"Özellik",{"type":29,"tag":1361,"props":1367,"children":1368},{},[1369],{"type":35,"value":1370},"Site-to-Site VPN",{"type":29,"tag":1361,"props":1372,"children":1373},{},[1374],{"type":35,"value":1375},"Direct 
Connect",{"type":29,"tag":1377,"props":1378,"children":1379},"tbody",{},[1380,1399,1417,1435],{"type":29,"tag":1357,"props":1381,"children":1382},{},[1383,1389,1394],{"type":29,"tag":1384,"props":1385,"children":1386},"td",{},[1387],{"type":35,"value":1388},"Bağlantı Tipi",{"type":29,"tag":1384,"props":1390,"children":1391},{},[1392],{"type":35,"value":1393},"İnternet üzerinden IPSec",{"type":29,"tag":1384,"props":1395,"children":1396},{},[1397],{"type":35,"value":1398},"Fiziksel fiber hat",{"type":29,"tag":1357,"props":1400,"children":1401},{},[1402,1407,1412],{"type":29,"tag":1384,"props":1403,"children":1404},{},[1405],{"type":35,"value":1406},"Şifreleme",{"type":29,"tag":1384,"props":1408,"children":1409},{},[1410],{"type":35,"value":1411},"Evet (IPSec)",{"type":29,"tag":1384,"props":1413,"children":1414},{},[1415],{"type":35,"value":1416},"MACsec veya VPN (L3)",{"type":29,"tag":1357,"props":1418,"children":1419},{},[1420,1425,1430],{"type":29,"tag":1384,"props":1421,"children":1422},{},[1423],{"type":35,"value":1424},"Bant Genişliği",{"type":29,"tag":1384,"props":1426,"children":1427},{},[1428],{"type":35,"value":1429},"İnternet hızına bağlı",{"type":29,"tag":1384,"props":1431,"children":1432},{},[1433],{"type":35,"value":1434},"1-100 Gbps",{"type":29,"tag":1357,"props":1436,"children":1437},{},[1438,1443,1448],{"type":29,"tag":1384,"props":1439,"children":1440},{},[1441],{"type":35,"value":1442},"Kurulum",{"type":29,"tag":1384,"props":1444,"children":1445},{},[1446],{"type":35,"value":1447},"Dakikalar",{"type":29,"tag":1384,"props":1449,"children":1450},{},[1451],{"type":35,"value":1452},"Haftalar",{"type":29,"tag":436,"props":1454,"children":1455},{"icon":438},[1456],{"type":29,"tag":38,"props":1457,"children":1458},{},[1459,1463,1465,1470],{"type":29,"tag":444,"props":1460,"children":1461},{},[1462],{"type":35,"value":448},{"type":35,"value":1464}," Hibrit bulut bağlantılarında veri aktarımının şifrelenmesi en önemli önceliktir. 
AWS Direct Connect, seçili lokasyonlarda 10 Gbps ve 100 Gbps bağlantılar için IEEE 802.1AE MACsec şifrelemesini destekleyerek Layer 2 seviyesinde donanımsal koruma sunar (",{"type":29,"tag":44,"props":1466,"children":1468},{"link":1467},"https:\u002F\u002Faws.amazon.com\u002Fabout-aws\u002Fwhats-new\u002F2021\u002F03\u002Faws-direct-connect-announces-macsec-encryption-for-dedicated-10gbps-and-100gbps-connections-at-select-locations\u002F",[1469],{"type":35,"value":14},{"type":35,"value":1471},").",{"type":29,"tag":1342,"props":1473,"children":1475},{"id":1474},"vpc-peering-ve-transit-gateway",[1476],{"type":35,"value":1477},"VPC Peering ve Transit Gateway",{"type":29,"tag":38,"props":1479,"children":1480},{},[1481],{"type":35,"value":1482},"VPC Peering birebir bağlantılar için idealdir ancak transitive (geçişli) değildir. Transit Gateway ise merkezi bir yönetim noktası sunarak tüm VPC trafiğini tek bir hub üzerinden yönetmenize ve izlemenize olanak tanır.",{"type":29,"tag":134,"props":1484,"children":1486},{"className":136,"code":1485,"language":138,"meta":7,"style":7},"flowchart TD\n    subgraph Peering[\"VPC Peering (Non-Transitive)\"]\n        VPC_A[\"VPC-A\"] \u003C-->|\"Peering\"| VPC_B[\"VPC-B\"]\n        VPC_B \u003C-->|\"Peering\"| VPC_C[\"VPC-C\"]\n        VPC_A -.-|\"❌ Konuşamaz\"| VPC_C\n    end\n    \n    subgraph TGW[\"Transit Gateway (Transitive)\"]\n        TGW_CORE[\"Transit Gateway\\n(Merkezi Router)\"]\n        VPC_X[\"VPC-X\"] \u003C--> TGW_CORE\n        VPC_Y[\"VPC-Y\"] \u003C--> TGW_CORE\n        VPC_Z[\"VPC-Z\"] \u003C--> TGW_CORE\n        ON_PREM[\"Şirket İçi\\n(VPN\u002FDC)\"] \u003C--> TGW_CORE\n    end\n    \n    style VPC_C fill:#ff6b6b,color:#fff\n    style TGW_CORE 
fill:#845ef7,color:#fff\n",[1487],{"type":29,"tag":117,"props":1488,"children":1489},{"__ignoreMap":7},[1490,1497,1505,1513,1521,1529,1536,1543,1551,1559,1567,1575,1583,1591,1598,1605,1613],{"type":29,"tag":144,"props":1491,"children":1492},{"class":146,"line":147},[1493],{"type":29,"tag":144,"props":1494,"children":1495},{"style":151},[1496],{"type":35,"value":780},{"type":29,"tag":144,"props":1498,"children":1499},{"class":146,"line":157},[1500],{"type":29,"tag":144,"props":1501,"children":1502},{"style":151},[1503],{"type":35,"value":1504},"    subgraph Peering[\"VPC Peering (Non-Transitive)\"]\n",{"type":29,"tag":144,"props":1506,"children":1507},{"class":146,"line":166},[1508],{"type":29,"tag":144,"props":1509,"children":1510},{"style":151},[1511],{"type":35,"value":1512},"        VPC_A[\"VPC-A\"] \u003C-->|\"Peering\"| VPC_B[\"VPC-B\"]\n",{"type":29,"tag":144,"props":1514,"children":1515},{"class":146,"line":175},[1516],{"type":29,"tag":144,"props":1517,"children":1518},{"style":151},[1519],{"type":35,"value":1520},"        VPC_B \u003C-->|\"Peering\"| VPC_C[\"VPC-C\"]\n",{"type":29,"tag":144,"props":1522,"children":1523},{"class":146,"line":184},[1524],{"type":29,"tag":144,"props":1525,"children":1526},{"style":151},[1527],{"type":35,"value":1528},"        VPC_A -.-|\"❌ Konuşamaz\"| VPC_C\n",{"type":29,"tag":144,"props":1530,"children":1531},{"class":146,"line":193},[1532],{"type":29,"tag":144,"props":1533,"children":1534},{"style":151},[1535],{"type":35,"value":181},{"type":29,"tag":144,"props":1537,"children":1538},{"class":146,"line":202},[1539],{"type":29,"tag":144,"props":1540,"children":1541},{"style":151},[1542],{"type":35,"value":190},{"type":29,"tag":144,"props":1544,"children":1545},{"class":146,"line":211},[1546],{"type":29,"tag":144,"props":1547,"children":1548},{"style":151},[1549],{"type":35,"value":1550},"    subgraph TGW[\"Transit Gateway 
(Transitive)\"]\n",{"type":29,"tag":144,"props":1552,"children":1553},{"class":146,"line":220},[1554],{"type":29,"tag":144,"props":1555,"children":1556},{"style":151},[1557],{"type":35,"value":1558},"        TGW_CORE[\"Transit Gateway\\n(Merkezi Router)\"]\n",{"type":29,"tag":144,"props":1560,"children":1561},{"class":146,"line":229},[1562],{"type":29,"tag":144,"props":1563,"children":1564},{"style":151},[1565],{"type":35,"value":1566},"        VPC_X[\"VPC-X\"] \u003C--> TGW_CORE\n",{"type":29,"tag":144,"props":1568,"children":1569},{"class":146,"line":238},[1570],{"type":29,"tag":144,"props":1571,"children":1572},{"style":151},[1573],{"type":35,"value":1574},"        VPC_Y[\"VPC-Y\"] \u003C--> TGW_CORE\n",{"type":29,"tag":144,"props":1576,"children":1577},{"class":146,"line":247},[1578],{"type":29,"tag":144,"props":1579,"children":1580},{"style":151},[1581],{"type":35,"value":1582},"        VPC_Z[\"VPC-Z\"] \u003C--> TGW_CORE\n",{"type":29,"tag":144,"props":1584,"children":1585},{"class":146,"line":256},[1586],{"type":29,"tag":144,"props":1587,"children":1588},{"style":151},[1589],{"type":35,"value":1590},"        ON_PREM[\"Şirket İçi\\n(VPN\u002FDC)\"] \u003C--> TGW_CORE\n",{"type":29,"tag":144,"props":1592,"children":1593},{"class":146,"line":265},[1594],{"type":29,"tag":144,"props":1595,"children":1596},{"style":151},[1597],{"type":35,"value":181},{"type":29,"tag":144,"props":1599,"children":1600},{"class":146,"line":273},[1601],{"type":29,"tag":144,"props":1602,"children":1603},{"style":151},[1604],{"type":35,"value":190},{"type":29,"tag":144,"props":1606,"children":1607},{"class":146,"line":282},[1608],{"type":29,"tag":144,"props":1609,"children":1610},{"style":151},[1611],{"type":35,"value":1612},"    style VPC_C fill:#ff6b6b,color:#fff\n",{"type":29,"tag":144,"props":1614,"children":1615},{"class":146,"line":291},[1616],{"type":29,"tag":144,"props":1617,"children":1618},{"style":151},[1619],{"type":35,"value":1620},"    style TGW_CORE 
fill:#845ef7,color:#fff\n",{"type":29,"tag":30,"props":1622,"children":1624},{"id":1623},"sonuç",[1625],{"type":35,"value":1626},"Sonuç",{"type":29,"tag":38,"props":1628,"children":1629},{},[1630],{"type":35,"value":1631},"VPC güvenliği statik bir hedef değil, sürekli yaşayan bir süreçtir. Katmanlı bir yaklaşım, tek bir halkadaki zayıflığın tüm ağı çökertmesini engeller:",{"type":29,"tag":1633,"props":1634,"children":1635},"card-list",{},[1636],{"type":29,"tag":64,"props":1637,"children":1638},{},[1639,1649,1659,1669,1679,1689],{"type":29,"tag":68,"props":1640,"children":1641},{},[1642,1647],{"type":29,"tag":444,"props":1643,"children":1644},{},[1645],{"type":35,"value":1646},"Ağ Segmentasyonu",{"type":35,"value":1648},": Public\u002Fprivate ayrımını doğru yapın ve IAM politikalarını sıkı denetleyin.",{"type":29,"tag":68,"props":1650,"children":1651},{},[1652,1657],{"type":29,"tag":444,"props":1653,"children":1654},{},[1655],{"type":35,"value":1656},"Erişim Kontrolü",{"type":35,"value":1658},": Security Group'u birincil, NACL'i ise ikincil savunma hattı olarak kullanın.",{"type":29,"tag":68,"props":1660,"children":1661},{},[1662,1667],{"type":29,"tag":444,"props":1663,"children":1664},{},[1665],{"type":35,"value":1666},"Trafik İzolasyonu",{"type":35,"value":1668},": VPC Endpoint ile trafiği AWS omurgasında tutarak internet risklerini azaltın.",{"type":29,"tag":68,"props":1670,"children":1671},{},[1672,1677],{"type":29,"tag":444,"props":1673,"children":1674},{},[1675],{"type":35,"value":1676},"DNS Güvenliği",{"type":35,"value":1678},": DNS Firewall ile yanal hareketleri henüz keşif aşamasında sınırlayın.",{"type":29,"tag":68,"props":1680,"children":1681},{},[1682,1687],{"type":29,"tag":444,"props":1683,"children":1684},{},[1685],{"type":35,"value":1686},"Kesintisiz İzleme",{"type":35,"value":1688},": Flow Logs ve GuardDuty'yi etkinleştirerek anomali tespitini otomatize 
edin.",{"type":29,"tag":68,"props":1690,"children":1691},{},[1692,1697],{"type":29,"tag":444,"props":1693,"children":1694},{},[1695],{"type":35,"value":1696},"Varsayılanları Kullanımdan Kaldırın",{"type":35,"value":1698},": AWS'nin otomatik oluşturduğu \"default VPC\" yapısını kullanmamak veya kullanımdan kaldırmak, saldırı yüzeyini küçültmek için atılacak en basit ama etkili adımdır.",{"type":29,"tag":38,"props":1700,"children":1701},{},[1702],{"type":35,"value":1703},"Bulut ağınızı bir kale gibi değil, her katmanında farklı bir savunma stratejisi olan yaşayan bir organizma gibi kurgulamanız, modern tehditlere karşı en güçlü kalkanınız olacaktır.",{"type":29,"tag":30,"props":1705,"children":1707},{"id":1706},"sıkça-sorulan-sorular",[1708],{"type":35,"value":1709},"Sıkça Sorulan Sorular",{"type":29,"tag":1711,"props":1712,"children":1714},"folding",{"title":1713},"Public ve private subnet arasındaki tek fark rota tablosu mudur?",[1715],{"type":29,"tag":38,"props":1716,"children":1717},{},[1718,1720,1725],{"type":35,"value":1719},"Evet. AWS'de bir alt ağı public veya private yapan tek şey, bağlı olduğu rota tablosunda Internet Gateway'e (",{"type":29,"tag":117,"props":1721,"children":1723},{"className":1722},[],[1724],{"type":35,"value":471},{"type":35,"value":1726},") bir rota bulunup bulunmamasıdır. Sunucuya public IP atamak bağlantı için yeterli değildir; trafiğin yönlendirilebilmesi için IGW şarttır.",{"type":29,"tag":1711,"props":1728,"children":1730},{"title":1729},"NACL kullanmak gerçekten zorunlu mu?",[1731],{"type":29,"tag":38,"props":1732,"children":1733},{},[1734],{"type":35,"value":1735},"Teknik olarak hayır, ancak iyi bir pratik olarak evet. NACL, Security Group'un kaçırdığı veya ele geçirilmiş bir sunucudan değiştirilebilecek kurallara karşı ikinci bir kilit işlevi görür. 
Özellikle belirli IP bloklarını toptan engellemek için vazgeçilmezdir.",{"type":29,"tag":1711,"props":1737,"children":1739},{"title":1738},"VPC Endpoint maliyet tasarrufu sağlar mı?",[1740],{"type":29,"tag":38,"props":1741,"children":1742},{},[1743],{"type":35,"value":1744},"S3 ve DynamoDB için Gateway Endpoint ücretsizdir ve NAT Gateway maliyetlerini düşürür. Diğer servisler için kullanılan Interface Endpoint'ler saatlik ücretlidir, ancak güvenlik ve düşük gecikme avantajları genellikle bu maliyeti karşılar.",{"type":29,"tag":1711,"props":1746,"children":1748},{"title":1747},"Default VPC'yi neden kullanımdan kaldırmalıyım?",[1749],{"type":29,"tag":38,"props":1750,"children":1751},{},[1752],{"type":35,"value":1753},"Default VPC'ler genel erişime daha açık yapılandırılmıştır ve saldırganlar için tanıdık bir zemindir. Kendi CIDR aralıklarınızla oluşturduğunuz özel VPC'ler, saldırı yüzeyini azaltır ve daha kontrollü bir ağ yönetimi sağlar.",{"type":29,"tag":30,"props":1755,"children":1757},{"id":1756},"kaynakça",[1758],{"type":35,"value":1759},"Kaynakça",{"type":29,"tag":64,"props":1761,"children":1762},{},[1763,1775,1787,1799,1811,1823,1835,1847,1859,1871,1884],{"type":29,"tag":68,"props":1764,"children":1765},{},[1766,1768],{"type":35,"value":1767},"AWS Documentation, “What is Amazon VPC” - ",{"type":29,"tag":144,"props":1769,"children":1770},{},[1771],{"type":29,"tag":44,"props":1772,"children":1773},{"link":101},[1774],{"type":35,"value":14},{"type":29,"tag":68,"props":1776,"children":1777},{},[1778,1780],{"type":35,"value":1779},"AWS Documentation, “Internet Gateway” - ",{"type":29,"tag":144,"props":1781,"children":1782},{},[1783],{"type":29,"tag":44,"props":1784,"children":1785},{"link":476},[1786],{"type":35,"value":14},{"type":29,"tag":68,"props":1788,"children":1789},{},[1790,1792],{"type":35,"value":1791},"AWS Documentation, “Security Best Practices for Your VPC” - 
",{"type":29,"tag":144,"props":1793,"children":1794},{},[1795],{"type":29,"tag":44,"props":1796,"children":1797},{"link":714},[1798],{"type":35,"value":14},{"type":29,"tag":68,"props":1800,"children":1801},{},[1802,1804],{"type":35,"value":1803},"AWS Documentation, “Security groups” - ",{"type":29,"tag":144,"props":1805,"children":1806},{},[1807],{"type":29,"tag":44,"props":1808,"children":1809},{"link":733},[1810],{"type":35,"value":14},{"type":29,"tag":68,"props":1812,"children":1813},{},[1814,1816],{"type":35,"value":1815},"AWS Documentation, “Network ACLs” - ",{"type":29,"tag":144,"props":1817,"children":1818},{},[1819],{"type":29,"tag":44,"props":1820,"children":1821},{"link":740},[1822],{"type":35,"value":14},{"type":29,"tag":68,"props":1824,"children":1825},{},[1826,1828],{"type":35,"value":1827},"AWS Documentation, “AWS PrivateLink” - ",{"type":29,"tag":144,"props":1829,"children":1830},{},[1831],{"type":29,"tag":44,"props":1832,"children":1833},{"link":937},[1834],{"type":35,"value":14},{"type":29,"tag":68,"props":1836,"children":1837},{},[1838,1840],{"type":35,"value":1839},"AWS Documentation, “Traffic Mirroring” - ",{"type":29,"tag":144,"props":1841,"children":1842},{},[1843],{"type":29,"tag":44,"props":1844,"children":1845},{"link":1165},[1846],{"type":35,"value":14},{"type":29,"tag":68,"props":1848,"children":1849},{},[1850,1852],{"type":35,"value":1851},"AWS, “Direct Connect MACsec Announcement” - ",{"type":29,"tag":144,"props":1853,"children":1854},{},[1855],{"type":29,"tag":44,"props":1856,"children":1857},{"link":1467},[1858],{"type":35,"value":14},{"type":29,"tag":68,"props":1860,"children":1861},{},[1862,1864],{"type":35,"value":1863},"Palo Alto Networks Unit 42, “Cloud Threats on the Rise: Alert Trends” - 
",{"type":29,"tag":144,"props":1865,"children":1866},{},[1867],{"type":29,"tag":44,"props":1868,"children":1869},{"link":429},[1870],{"type":35,"value":432},{"type":29,"tag":68,"props":1872,"children":1873},{},[1874,1876],{"type":35,"value":1875},"Sysdig, “2024 Cloud-Native Security and Usage Report” - ",{"type":29,"tag":144,"props":1877,"children":1878},{},[1879],{"type":29,"tag":44,"props":1880,"children":1882},{"link":1881},"https:\u002F\u002Fwww.sysdig.com\u002F2024-cloud-native-security-and-usage-report",[1883],{"type":35,"value":49},{"type":29,"tag":68,"props":1885,"children":1886},{},[1887,1889],{"type":35,"value":1888},"AWS Security Blog, “Block suspicious DNS activity with DNS Firewall” - ",{"type":29,"tag":144,"props":1890,"children":1891},{},[1892],{"type":29,"tag":44,"props":1893,"children":1894},{"link":1099},[1895],{"type":35,"value":14},{"type":29,"tag":1897,"props":1898,"children":1899},"hr",{},[],{"type":29,"tag":38,"props":1901,"children":1902},{},[1903],{"type":29,"tag":452,"props":1904,"children":1905},{},[1906],{"type":35,"value":1907},"Bu makale, AWS VPC güvenliğini hem savunmacı hem de saldırgan perspektifinden ele alarak pratik öneriler sunmayı amaçlamıştır. 
Sorularınızı yorumlarda paylaşabilirsiniz.",{"type":29,"tag":1909,"props":1910,"children":1911},"style",{},[1912],{"type":35,"value":1913},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":7,"searchDepth":175,"depth":175,"links":1915},[1916,1917,1918,1919,1920,1921,1922,1923,1927,1928,1929],{"id":32,"depth":157,"text":36},{"id":90,"depth":157,"text":93},{"id":418,"depth":157,"text":421},{"id":703,"depth":157,"text":706},{"id":926,"depth":157,"text":929},{"id":1088,"depth":157,"text":1091},{"id":1137,"depth":157,"text":1140},{"id":1332,"depth":157,"text":1335,"children":1924},[1925,1926],{"id":1344,"depth":166,"text":1347},{"id":1474,"depth":166,"text":1477},{"id":1623,"depth":157,"text":1626},{"id":1706,"depth":157,"text":1709},{"id":1756,"depth":157,"text":1759},"markdown","content:posts:2026:aws-vpc-guvenligi-derinlemesine-rehber.md","content","posts\u002F2026\u002Faws-vpc-guvenligi-derinlemesine-rehber.md","posts\u002F2026\u002Faws-vpc-guvenligi-derinlemesine-rehber","md","\u002Fposts",[1938,1942],{"_path":1939,"title":1940,"date":1941},"\u002F2026\u002Faws-ec2-guvenlik-rehberi","AWS EC2 Güvenlik Rehberi: 2026'da Bulut 
Sunucularınızı Nasıl Korumalısınız?","2026-04-28T21:00:00.000Z",{"_path":1943,"title":1944,"date":1945},"\u002F2026\u002Faws-lambda-guvenlik-rehberi","AWS Lambda Gerçekten Güvenli mi? Sunucusuz Mimaride Sizi Bekleyen 7 Risk","2026-05-10T21:00:00.000Z",1780419439834]