AWS ANS-C01: Network Security & Compliance Cram Sheet
Implement and maintain network features to meet security and compliance needs and requirements
AWS Certified Advanced Networking Specialty (ANS-C01)
Domain 4: Network Security, Compliance, and Governance
This cram sheet focuses on Task 4.1: Implement and maintain network features to meet security and compliance needs. It covers the architecture, tools, and configurations required to secure AWS network environments according to corporate and regulatory standards.
Topic Weighting
- Domain 4 Total: 24% of the scored content (the largest domain after Network Design at 30%).
- Task 4.1 Focus: High. Expect several questions on implementing security controls (SGs, NACLs, Network Firewall, WAF) and on maintaining compliance through automation rather than manual review.
Key Concepts Summary
1. The Perimeter VPC Pattern
For centralized security, AWS recommends a "Perimeter" or "Inspection" VPC. Transit Gateway route tables steer traffic from application VPCs into the inspection VPC, where it passes through either third-party appliances behind a Gateway Load Balancer (via GWLB endpoints) or AWS Network Firewall endpoints before being forwarded to its destination. Enable appliance mode on the inspection VPC's TGW attachment so both directions of a flow are handled in the same Availability Zone and by the same stateful appliance.
2. Security Groups (SG) vs. Network ACLs (NACL)
| Feature | Security Group (SG) | Network ACL (NACL) |
|---|---|---|
| Layer | Resource level (attached to the ENI) | Subnet level |
| State | Stateful (return traffic for an allowed flow is permitted automatically) | Stateless (each direction, including return traffic, must be allowed explicitly) |
| Rules | Allow rules only; implicit deny for anything unmatched | Allow and Deny rules; implicit deny (rule *) at the end |
| Order | All rules evaluated; any matching allow admits the packet | Evaluated from the lowest rule number upward; first match wins |
| Scope | Applies only to the resources it is attached to | Applies to every resource in the associated subnets |
3. AWS Network Firewall & Firewall Manager
- Network Firewall: managed Layer 3-7 firewall deployed as endpoints in dedicated firewall subnets. Supports stateless rule groups (5-tuple) and stateful rule groups (5-tuple, domain lists, and Suricata-compatible IPS rules), scales automatically, and logs flows and alerts to S3, CloudWatch Logs, or Kinesis Data Firehose.
- Firewall Manager: centralizes policy management across AWS Organizations (it depends on Organizations and AWS Config). Use it to push and enforce common Security Group rules, WAF web ACLs on ALBs, API Gateways, and CloudFront distributions, Shield Advanced protections, and Network Firewall or Route 53 Resolver DNS Firewall deployments across accounts, with automatic remediation of drift.
4. Inbound vs. Outbound Protection
- Inbound: AWS WAF (Layer 7), AWS Shield (DDoS), ELB + Security Groups.
- Outbound: NAT Gateway (not a security control: it keeps private instances unreachable from the internet by placing them behind its public IP, but filters nothing), AWS Network Firewall for domain-list or Suricata filtering, or a forward proxy (Squid) for URL-level filtering.
Visual Anchors
Centralized Inspection Architecture
Security Group vs NACL Scope
\begin{tikzpicture}[node distance=2cm]
  \draw[thick, blue] (0,0) rectangle (6,4) node[above left] {Subnet};
  \draw[thick, red] (1,1) rectangle (3,3) node[below] {EC2 Instance};
  \draw[thick, red] (4,1) rectangle (5.5,2.5) node[below] {Lambda (VPC ENI)};
  \draw[<->, thick] (-1,2) -- (0.5,2) node[midway, above] {NACL};
  \draw[<->, thick] (0.5,2) -- (1.5,2) node[midway, above] {SG};
  \node at (3,-1) {\textbf{NACL:} First line of defense (Subnet Boundary)};
  \node at (3,-1.5) {\textbf{SG:} Last line of defense (Resource Boundary)};
\end{tikzpicture}
Mnemonics / Memory Triggers
- "S-S": Security Groups are Stateful.
- "N-S": NACLs are Stateless (and Not friendly if you forget the return path!).
- "WAF-7": WAF works at Layer 7 (Application).
- "Shield-DDoS": Shield is for DDoS (Layer 3/4 for Standard, Layer 3-7 for Advanced).
Formula / Equation Sheet
| Concept | Rule / Constraint |
|---|---|
| NACL Rule Limit | Default 20 rules per direction (quota can be raised to 40) |
| SG Rule Limit | Default 60 inbound and 60 outbound rules per SG, and 5 SGs per ENI; both are adjustable but their product may not exceed 1,000 |
| Default NACL | Allows ALL inbound and ALL outbound |
| Custom NACL | Denies ALL inbound and outbound until rules are added |
| Standard MTU | 1500 bytes (internet gateway, Site-to-Site VPN, and inter-region paths) |
| Jumbo Frames | 9001 bytes within a VPC and over same-region VPC peering; 8500 bytes over Direct Connect virtual interfaces and Transit Gateway attachments (VPN attachments stay at 1500) |
Common Pitfalls
[!WARNING] Stateless NACL Return Traffic: forgetting to allow the ephemeral port range (1024-65535) in the outbound NACL rules when allowing inbound web or SSH traffic. The request arrives on port 22 or 443, but the reply leaves toward the client's ephemeral source port, and a stateless NACL evaluates that reply against its outbound rules on its own. This is a classic exam distractor.
- Overlapping CIDRs: VPC peering is rejected for VPCs with overlapping IP ranges, and Transit Gateway routing between them is ambiguous; the fixes are re-addressing, a NAT layer, or AWS PrivateLink for service-to-service access.
- Stateful SG Limit: SGs track connections per instance. High-concurrency applications can exhaust the connection-tracking allowance on smaller instance types, which shows up as dropped new connections rather than a rule mismatch.
- Global Accelerator vs CloudFront: use Global Accelerator for non-HTTP (TCP/UDP) performance and static anycast IPs; use CloudFront for HTTP caching and WAF integration.
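As an added example (not from the cram sheet), the following Python models the stateless-versus-stateful evaluation in the SG/NACL table and reproduces the ephemeral-port pitfall above. The rule numbers, CIDRs, and ports are constructed for the demo, and SG connection tracking is simplified to "the reply of an admitted inbound flow is allowed"; nothing here calls the AWS API.

```python
# Added example (not from the cram sheet): a small model of how a stateless
# NACL and a stateful Security Group judge the two halves of one TCP
# connection. Rule numbers, CIDRs and ports below are constructed for the demo.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

EPHEMERAL = (1024, 65535)  # client-side ports the NACL outbound rules must allow


@dataclass(frozen=True)
class Rule:
    number: int              # NACL rule number; ignored for SGs (no ordering)
    action: str              # "allow" or "deny" (SG rules are allow-only)
    proto: str               # "tcp", "udp" or "all"
    ports: Tuple[int, int]   # inclusive port range
    cidr: str                # remote CIDR the rule applies to

    def matches(self, remote_ip: str, proto: str, port: int) -> bool:
        return (self.proto in ("all", proto)
                and self.ports[0] <= port <= self.ports[1]
                and ip_address(remote_ip) in ip_network(self.cidr))


def nacl_decision(rules: List[Rule], remote_ip: str, proto: str, port: int) -> str:
    """Stateless, ordered evaluation: lowest rule number first, first match
    wins, and the implicit final rule (*) denies everything else."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(remote_ip, proto, port):
            return rule.action
    return "deny"


def sg_decision(rules: List[Rule], remote_ip: str, proto: str, port: int) -> str:
    """Unordered evaluation: every rule is checked and any allow admits the
    packet; there is no deny rule, only the implicit deny when nothing matches."""
    return "allow" if any(r.matches(remote_ip, proto, port) for r in rules) else "deny"


def evaluate_tcp_connection(nacl_inbound, nacl_outbound, sg_inbound,
                            client_ip: str, client_port: int, server_port: int) -> dict:
    """Judge the request (client -> instance:server_port) and the reply
    (instance -> client:client_port) of one connection into an instance."""
    # The request crosses the subnet boundary (NACL inbound), then the ENI (SG inbound).
    nacl_request = nacl_decision(nacl_inbound, client_ip, "tcp", server_port)
    sg_request = sg_decision(sg_inbound, client_ip, "tcp", server_port)
    # The SG tracks the admitted flow, so its reply needs no outbound rule.
    sg_reply = sg_request
    # The NACL keeps no state: the reply is an outbound packet to the client's
    # ephemeral port and must match an outbound allow rule on its own.
    nacl_reply = nacl_decision(nacl_outbound, client_ip, "tcp", client_port)
    verdicts = {"nacl_request": nacl_request, "sg_request": sg_request,
                "nacl_reply": nacl_reply, "sg_reply": sg_reply}
    verdicts["connected"] = all(v == "allow" for v in verdicts.values())
    return verdicts


ANY = "0.0.0.0/0"
# Constructed policy for an SSH subnet: a deny for one noisy host sits at a
# lower number than the allow, so it wins under first-match evaluation.
NACL_IN = [Rule(90, "deny", "tcp", (22, 22), "203.0.113.99/32"),
           Rule(100, "allow", "tcp", (22, 22), "203.0.113.0/24")]
NACL_OUT_BROKEN = [Rule(100, "allow", "tcp", (443, 443), ANY)]   # ephemeral ports forgotten
NACL_OUT_FIXED = NACL_OUT_BROKEN + [Rule(110, "allow", "tcp", EPHEMERAL, ANY)]
SG_SSH = [Rule(0, "allow", "tcp", (22, 22), "203.0.113.0/24")]


def ssh_from(client_ip: str, nacl_outbound=NACL_OUT_FIXED, client_port: int = 51000) -> dict:
    """One SSH connection from client_ip through NACL_IN / nacl_outbound and SG_SSH."""
    return evaluate_tcp_connection(NACL_IN, nacl_outbound, SG_SSH,
                                   client_ip, client_port, server_port=22)


if __name__ == "__main__":
    for label, outbound in (("broken NACL outbound", NACL_OUT_BROKEN),
                            ("fixed NACL outbound", NACL_OUT_FIXED)):
        print(label, ssh_from("203.0.113.10", outbound))
    print("host denied by rule 90", ssh_from("203.0.113.99"))
```

With the broken outbound NACL the SG admits the request and its reply, yet the connection never completes because the NACL drops the reply to port 51000; adding rule 110 for 1024-65535 fixes it. The 203.0.113.99 case shows why rule numbering matters: the deny at 90 is reached before the allow at 100, and the SG's allow cannot override it.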
Worked Examples
Scenario: Securing Outbound Traffic to a Specific Domain
Requirement: EC2 instances in a private subnet must only be allowed to access repo.example.com for updates.
- Incorrect Approach: a Security Group. SG rules accept CIDRs, prefix lists, or other SGs, never DNS names, and the repository's IP addresses can change without notice.
- Correct Approach: AWS Network Firewall (endpoints in the VPC, or a centralized inspection VPC behind Transit Gateway) with a domain-list rule group, or a forward proxy (Squid) with a URL allowlist.
- Implementation:
  - Route 0.0.0.0/0 from the private subnet route table to the Network Firewall endpoint in a dedicated firewall subnet; route the firewall subnet's 0.0.0.0/0 to the NAT gateway, and point the NAT gateway subnet's route for the private subnet CIDR back at the firewall endpoint so replies are inspected symmetrically.
  - Configure a stateful rule group of type Domain list containing repo.example.com (use .repo.example.com if subdomains must be reachable too), protocol types HTTP and HTTPS, and action Allow. In allow mode the rule group drops HTTP and HTTPS flows to every domain not on the list.
  - Set the firewall policy's stateful default action to Drop established (strict order) so the TCP handshake completes and the firewall can read the Host header or TLS SNI before deciding, while flows that never match are dropped.
  - Caveat: domain lists match only the HTTP Host header and the TLS SNI; the firewall does not decrypt TLS, so other protocols need Suricata rules or the policy default action to cover them.
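Added example, not from the cram sheet or from AWS: a Python model of the per-flow decision a domain-list rule group in Allow mode makes, using the documented entry semantics (an entry `example.com` matches only that name, `.example.com` also matches every subdomain). The domain list and flows are constructed; how a TLS ClientHello without SNI is handled is an assumption flagged in the code, and nothing here calls the AWS API.

```python
# Added example (not from the cram sheet or AWS): the per-flow verdict of a
# Network Firewall domain-list rule group in allowlist mode. Domain list and
# flows are constructed; the no-SNI handling is an assumption, see below.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    proto: str              # "http" or "tls"; a domain list inspects only these
    domain: Optional[str]   # HTTP Host header or TLS SNI, None if absent


def _normalise(name: str) -> str:
    # Case and a trailing root dot are not significant in a hostname.
    return name.strip().lower().rstrip(".")


def domain_matches(entry: str, domain: str) -> bool:
    """Documented entry semantics: 'example.com' is an exact match,
    '.example.com' covers the apex and every label-delimited subdomain."""
    entry, domain = _normalise(entry), _normalise(domain)
    if entry.startswith("."):
        base = entry[1:]
        # 'evilexample.com' must not match '.example.com': require the
        # separating dot rather than a bare suffix comparison.
        return domain == base or domain.endswith("." + base)
    return domain == entry


def allowlist_verdict(allowed: List[str], flow: Flow) -> str:
    """Allow-mode domain list: 'pass' a listed HTTP/TLS domain, 'drop' any
    other HTTP/TLS flow, and 'not_matched' for traffic the rule group does
    not classify, which the firewall policy's stateful default action then
    decides (Drop established is the usual choice with domain lists)."""
    if flow.proto not in ("http", "tls"):
        return "not_matched"
    if not flow.domain:
        # Assumption for this demo: with no Host header or SNI the list has
        # nothing to match, so the decision falls through to the policy default.
        return "not_matched"
    if any(domain_matches(entry, flow.domain) for entry in allowed):
        return "pass"
    return "drop"


REPO_ALLOWLIST = [".repo.example.com", "mirror.example.org"]  # constructed


def classify(flows: List[Flow], allowed: List[str] = REPO_ALLOWLIST) -> List[str]:
    """Verdict per flow, in order, for a batch of observed Host/SNI values."""
    return [allowlist_verdict(allowed, flow) for flow in flows]


if __name__ == "__main__":
    sample = [Flow("tls", "repo.example.com"), Flow("tls", "cdn.repo.example.com"),
              Flow("http", "MIRROR.example.org."), Flow("tls", "www.mirror.example.org"),
              Flow("tls", "evilrepo.example.com"), Flow("tls", None), Flow("dns", "x")]
    for flow, verdict in zip(sample, classify(sample)):
        print(f"{flow.proto:4} {str(flow.domain):28} -> {verdict}")
```

The two entries illustrate the choice an engineer has to make: the dotted entry lets the repo's CDN subdomains through, while the exact entry for the mirror blocks `www.mirror.example.org`. Anything that is neither HTTP nor TLS (DNS, SSH, a raw TCP port) is never judged by the domain list at all, which is why the policy default action and, if needed, Suricata rules still matter.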
Practice Set
- Which service allows you to centrally manage and deploy WAF rules across all ALBs in an AWS Organization? (Answer: AWS Firewall Manager)
- A user cannot connect to an EC2 instance via SSH. The SG allows port 22. The NACL inbound allows port 22. What is likely missing? (Answer: The NACL outbound rule for ephemeral ports)
- You need to inspect traffic between two VPCs. What is the most scalable attachment method? (Answer: Transit Gateway with an Appliance/Inspection VPC)
- What is the benefit of using an AWS Private CA for internal microservices? (Answer: Automates lifecycle of private certificates for TLS/mTLS without public trust requirements)
- Which tool helps verify if a path exists between a source and destination without sending actual packets? (Answer: VPC Reachability Analyzer)
Fact Recall Blanks
- Security Groups are ___________, meaning return traffic is automatically allowed. (Answer: Stateful)
- The ___________ is a managed service that provides L3-L7 protection for your entire VPC. (Answer: AWS Network Firewall)
- To resolve private DNS names from VPCs in other accounts, associate those VPCs with a Route 53 ___________ ___________ Zone. (Answer: Private Hosted)
- AWS ___________ ___________ provides a unified dashboard for security alerts across GuardDuty, Inspector, and Macie. (Answer: Security Hub)
- ___________ ___________ allows you to mirror VPC traffic to an ENI for deep packet inspection by IDS/IPS tools. (Answer: Traffic Mirroring)