AWS Network Security Validation and Auditing Study Guide
Validate and audit security by using network monitoring and logging services
This guide covers the critical aspects of Domain 4.2 of the AWS Certified Advanced Networking - Specialty (ANS-C01) exam. It focuses on using native AWS monitoring and logging services to maintain a secure and compliant network posture.
Learning Objectives
By the end of this study guide, you should be able to:
- Identify and configure appropriate AWS network monitoring and logging services (CloudWatch, CloudTrail, VPC Flow Logs).
- Implement log delivery solutions using Amazon Kinesis and S3.
- Design a network audit strategy across single and multi-account environments.
- Execute deep packet analysis using VPC Traffic Mirroring.
- Configure automated alerting mechanisms using CloudWatch Alarms to respond to security anomalies.
Key Terms & Glossary
- VPC Flow Logs: A feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC.
- AWS CloudTrail: A service that enables governance, compliance, operational auditing, and risk auditing of your AWS account by logging API actions.
- VPC Traffic Mirroring: A feature that allows you to copy network traffic from an elastic network interface (ENI) of Amazon EC2 instances and send it to out-of-band security and monitoring appliances.
- CloudWatch Insights: A powerful, interactive log analytics service used to search and analyze log data in CloudWatch Logs.
- AWS Config: A service that provides a detailed inventory of your AWS resources and tracks changes to these resources over time for compliance auditing.
The "Big Idea"
In the AWS shared responsibility model, visibility is the foundation of security. You cannot protect what you cannot see. Auditing and validation are not one-time events but continuous processes. By integrating logging (recording what happened), monitoring (watching what is happening), and auditing (verifying against a standard), you create a "closed-loop" security environment where anomalies are detected and remediated automatically.
Formula / Concept Box
| Concept | Key Logic / Formula | Use Case |
|---|---|---|
| VPC Flow Log Action | ACCEPT vs REJECT | Identify if traffic is blocked by NACLs or Security Groups. |
| CloudWatch Alarm | Metric + Threshold + Period | Trigger an SNS notification or Lambda when traffic spikes. |
| Traffic Mirroring Filter | Rule + Action + Direction | Selectively capture only port 80/443 traffic for an IDS. |
| Athena Query (Flow Logs) | SELECT * FROM flow_logs WHERE action='REJECT' | Audit failed connection attempts at scale. |
Hierarchical Outline
- I. Traffic Capture Mechanisms
- VPC Flow Logs: Captures metadata (Source/Dest IP, Port, Protocol, Bytes, Action).
- VPC Traffic Mirroring: Captures full L2-L7 payloads for deep packet inspection (DPI).
- II. Activity & Configuration Auditing
- AWS CloudTrail: Records "Who, What, Where, When" of API calls (e.g., ModifySecurityGroupRules).
- AWS Config: Records configuration snapshots; evaluates them against "Config Rules" for compliance.
- III. Log Management and Analysis
- Storage: S3 (Long-term/cheap) vs. CloudWatch Logs (Short-term/interactive).
- Delivery: Kinesis Data Firehose for real-time streaming to third-party tools (Splunk, Datadog).
- Analysis: Amazon Athena for SQL queries on S3 logs; CloudWatch Logs Insights for rapid filtering.
- IV. Alerting and Remediation
- CloudWatch Alarms: Static thresholds or anomaly detection.
- EventBridge: Triggering automated responses (e.g., isolating an EC2 instance) based on logs.
Visual Anchors
Network Logging Pipeline
VPC Traffic Mirroring Architecture
```latex
\begin{tikzpicture}[node distance=2cm, every node/.style={draw, thick, rectangle, rounded corners, inner sep=5pt}]
  \node (Source) [fill=blue!10] {Source ENI (EC2)};
  \node (Filter) [right=of Source, fill=green!10] {Mirror Filter};
  \node (Target) [right=of Filter, fill=red!10] {Target (NLB/ENI)};
  \node (IDS) [below=of Target] {Security Appliance (IDS/IPS)};
  \draw [->, thick] (Source) -- node[above, draw=none] {Production Traffic} ++(3,0);
  \draw [->, dashed, red, thick] (Source) -- (Filter);
  \draw [->, dashed, red, thick] (Filter) -- node[above, draw=none] {VXLAN Encapsulated} (Target);
  \draw [->, thick] (Target) -- (IDS);
  \node [draw=none, below=of Filter] {\small \textit{Matches Rules (Port/Protocol)}};
\end{tikzpicture}
```
Definition-Example Pairs
- Log Correlation: The process of linking data from different sources to identify a single security event.
- Example: Matching a REJECT entry in VPC Flow Logs with a CreateSecurityGroup event in CloudTrail to see who misconfigured a firewall.
- Deep Packet Inspection (DPI): Examining the data part of a packet as it passes an inspection point.
- Example: Using VPC Traffic Mirroring to send packets to a Suricata appliance to detect SQL injection attempts that Flow Logs would miss.
- Continuous Compliance: Automatically auditing configurations against a baseline continuously.
- Example: Using AWS Config to automatically alert if any Security Group is modified to allow 0.0.0.0/0 on port 22.
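The evaluation logic behind that Continuous Compliance example, written out as an added illustration (this is not AWS's managed rule and not code from the original guide). It assumes the security group is described in the shape boto3's `describe_security_groups` returns (`IpPermissions`, `IpProtocol`, `FromPort`, `ToPort`, `IpRanges`, `Ipv6Ranges`); the sample groups are constructed. It goes slightly beyond the one-line example by also catching the cases an exact `22/0.0.0.0/0` string match would miss: a port range that contains 22, an "all traffic" (`-1`) rule, and the IPv6 equivalent `::/0`.

```python
"""Added example: custom AWS Config-style evaluator for 'SSH open to the world'.
Not AWS's managed rule; sample data is constructed in the boto3 describe_security_groups shape."""
import ipaddress

SSH_PORT = 22

# Constructed sample security groups (assumption: same field names a Config custom
# rule would read from the configuration item it is handed).
SAMPLE_GROUPS = {
    "sg-open-ssh": {"GroupId": "sg-open-ssh", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    "sg-office-ssh": {"GroupId": "sg-office-ssh", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    "sg-all-traffic-v6": {"GroupId": "sg-all-traffic-v6", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    "sg-ftp-range": {"GroupId": "sg-ftp-range", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    "sg-udp-22": {"GroupId": "sg-udp-22", "IpPermissions": [
        {"IpProtocol": "udp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
}


def _covers_tcp_port(perm, port):
    """True if this permission entry admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):          # UDP/ICMP rules do not expose SSH
        return False
    lo = perm.get("FromPort", 0)
    hi = perm.get("ToPort", 65535)
    return lo <= port <= hi


def _open_to_world(perm):
    """True if any source CIDR is the whole IPv4 or IPv6 address space (prefix length 0)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def find_open_ssh_rules(security_group):
    """Return the offending inbound permission entries (empty list means compliant)."""
    return [p for p in security_group.get("IpPermissions", [])
            if _covers_tcp_port(p, SSH_PORT) and _open_to_world(p)]


def evaluate_compliance(security_group):
    """Verdict in the ComplianceType/Annotation shape a Config rule reports."""
    bad = find_open_ssh_rules(security_group)
    if not bad:
        return {"ComplianceType": "COMPLIANT",
                "Annotation": "No inbound rule exposes TCP/22 to 0.0.0.0/0 or ::/0"}
    detail = "; ".join(f"{p['IpProtocol']} {p.get('FromPort', 'any')}-{p.get('ToPort', 'any')}" for p in bad)
    return {"ComplianceType": "NON_COMPLIANT",
            "Annotation": f"Inbound SSH open to the world: {detail}"}


if __name__ == "__main__":
    for gid, sg in SAMPLE_GROUPS.items():
        print(gid, evaluate_compliance(sg))
```

In a real deployment this function would sit inside the Lambda a custom Config rule invokes, with the verdict passed to `put_evaluations`; the checks above are the part worth getting right, since an exact-match rule that only looks for `22` and `0.0.0.0/0` passes all three of the variant groups.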
Worked Examples
Scenario: Troubleshooting a Connectivity Issue
Problem: A web server in a private subnet cannot reach a database, despite security groups appearing correct.
- Enable VPC Flow Logs: Enable logs for the specific ENI and send them to CloudWatch Logs.
- Filter Logs: Use CloudWatch Logs Insights to run the following query:

```sql
filter srcAddr = "10.0.1.5" and dstAddr = "10.0.2.10" | stats count(*) by action
```

- Analyze: The result shows REJECT. This confirms the traffic is being blocked by a security policy.
- Audit NACLs: Since Security Groups are stateful and the outbound rule is allowed, check the Network ACL (NACL) for an explicit inbound/outbound deny rule.
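The worked example above and the Log Correlation pair earlier in the guide both come down to the same two operations: group flow-log records by action for a source/destination pair, then line the REJECTs up against CloudTrail events that changed a security group or NACL shortly before. The following added example (not code from the original guide or from AWS) does both offline. It parses records in the default VPC Flow Log format, reproduces the `stats count(*) by action` query in plain Python, and reports which rule-changing API calls (and which IAM principal) preceded each REJECT within a time window. The flow-log lines and CloudTrail events are constructed; the set of "rule-changing" event names is an assumption chosen for the illustration.

```python
"""Added example: parse VPC Flow Log records, count by action for a src/dst pair,
and correlate REJECTs with preceding CloudTrail rule-change events. All sample data is constructed."""
from collections import Counter
from datetime import datetime, timezone

# Field order of the default (version 2) VPC Flow Log record format.
FLOW_FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
               "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed records: web server 10.0.1.5 trying to reach MySQL (3306) on 10.0.2.10.
# The last line is a NODATA record, which carries '-' in most fields.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.5 10.0.2.10 49152 3306 6 10 840 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.5 10.0.2.10 49153 3306 6 10 840 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.5 10.0.2.11 49154 3306 6 20 1680 1699990000 1699990060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA
"""

# Constructed CloudTrail events, trimmed to the fields the correlation needs.
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2023-11-14T10:00:00Z", "eventName": "CreateSecurityGroup",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
    {"eventTime": "2023-11-14T22:05:00Z", "eventName": "RevokeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2023-11-14T22:10:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/carol"}},
]

# Assumption: API calls that change SG/NACL rules and can therefore cause new REJECTs.
RULE_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "CreateNetworkAclEntry", "ReplaceNetworkAclEntry",
}


def parse_flow_log(text):
    """Turn raw lines into dicts; numeric fields become ints, '-' placeholders stay strings."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FLOW_FIELDS):
            continue  # skip truncated lines or custom-format records
        rec = dict(zip(FLOW_FIELDS, parts))
        for f in INT_FIELDS:
            if rec[f] != "-":
                rec[f] = int(rec[f])
        records.append(rec)
    return records


def count_by_action(records, srcaddr, dstaddr):
    """Plain-Python equivalent of: filter srcAddr = X and dstAddr = Y | stats count(*) by action"""
    return Counter(r["action"] for r in records
                   if r["log_status"] == "OK" and r["srcaddr"] == srcaddr and r["dstaddr"] == dstaddr)


def _epoch(cloudtrail_time):
    """CloudTrail eventTime (ISO 8601, UTC) -> Unix seconds, the unit flow logs use for start/end."""
    return int(datetime.strptime(cloudtrail_time, "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())


def correlate_rejects(records, events, window_s=3600):
    """For each REJECT, list rule-changing API calls made within window_s before the flow started."""
    changes = [(_epoch(e["eventTime"]), e) for e in events if e["eventName"] in RULE_CHANGE_EVENTS]
    matches = []
    for r in records:
        if r["action"] != "REJECT":
            continue
        for t, e in changes:
            if r["start"] - window_s <= t <= r["start"]:
                matches.append({"src": r["srcaddr"], "dst": r["dstaddr"], "dstport": r["dstport"],
                                "event": e["eventName"], "actor": e["userIdentity"]["arn"]})
    return matches


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print(count_by_action(recs, "10.0.1.5", "10.0.2.10"))
    for m in correlate_rejects(recs, SAMPLE_CLOUDTRAIL):
        print(m)
```

With the constructed data, the count for 10.0.1.5 to 10.0.2.10 is two REJECTs and the correlation points both of them at alice's `RevokeSecurityGroupIngress` eight minutes earlier; bob's `CreateSecurityGroup` falls outside the one-hour window and carol's `DescribeInstances` is read-only, so neither is reported. At scale the same grouping runs as the Logs Insights query shown above (or the Athena query from the concept box), with the CloudTrail join done in Athena against the trail's S3 bucket.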
Checkpoint Questions
- Which service should you use if you need to capture the full payload of a network packet for forensic analysis?
- What is the primary difference between a Security Group and an AWS Config Rule in terms of auditing?
- You need to store network logs for 7 years for regulatory compliance. Which storage destination is most cost-effective?
- How can you automate the process of alerting an admin when a specific API call (e.g., DeleteVpc) is made?
Answers
- VPC Traffic Mirroring.
- A Security Group is a functional firewall (enforcement), while an AWS Config Rule is an auditing tool (verification of compliance).
- Amazon S3 (specifically S3 Glacier Deep Archive for long-term retention).
- Create a CloudTrail Trail, send it to CloudWatch Logs, and create a Metric Filter + Alarm on that specific API operation.
Muddy Points & Cross-Refs
- VPC Flow Logs vs. Traffic Mirroring: Students often confuse these. Remember: Flow Logs = Metadata (Who/Where/How much). Traffic Mirroring = The actual data (The content of the conversation).
- CloudTrail vs. AWS Config: CloudTrail is a log of actions (API calls). AWS Config is a log of state (the resulting configuration).
- Cross-Ref: For more on how to secure these flows, see Domain 4.1: Implement and maintain network features to meet security and compliance needs.
Comparison Tables
| Feature | VPC Flow Logs | VPC Traffic Mirroring | CloudTrail |
|---|---|---|---|
| Layer | L3/L4 (IP/Port) | L2-L7 (Full Packet) | Management Plane (API) |
| Overhead | Minimal / No impact | Potential impact on throughput | None |
| Storage | S3 / CloudWatch | N/A (Sent to Target) | S3 / CloudWatch |
| Use Case | Connectivity Troubleshooting | Intrusion Detection (IDS) | Audit User Activity |
| Encapsulation | None | VXLAN (Port 4789) | JSON Logs |