AWS Network Threat Modeling & Mitigation Strategies

This guide explores the structured approach to developing threat models and implementing robust mitigation strategies within AWS network architectures, specifically tailored for the ANS-C01 exam.

Learning Objectives

After studying this guide, you should be able to:

• Define the steps of a comprehensive threat modeling process.
• Identify assets, threats, and vulnerabilities within a specific network architecture.
• Map appropriate AWS security services to specific threat categories.
• Architect secure patterns such as Three-Tier, Perimeter VPC, and Hub-and-Spoke.
• Implement compliance testing and ongoing monitoring to validate security controls.

Key Terms & Glossary

• Threat Modeling: A structured process to identify, quantify, and address security risks associated with a system.
• DMZ (Demilitarized Zone): Also known as an untrusted network architecture; a sub-network that exposes an organization's external-facing services to an untrusted network (usually the Internet).
• Perimeter VPC: A dedicated VPC that acts as a gatekeeper for all traffic entering or leaving an AWS environment, often hosting inspection appliances.
• Blast Radius: The potential extent of damage that can be caused by a single security incident or technical failure.
• Shared Responsibility Model: The AWS security framework where AWS manages security "of" the cloud, and the customer manages security "in" the cloud.

The "Big Idea"

Security in AWS is not a static state but a continuous lifecycle. Threat modeling is the foundation of this lifecycle; you cannot protect what you do not understand. By systematically identifying assets and potential attackers, you move from a "hope-based" security posture to a "risk-based" architecture where controls (like NACLs, Security Groups, and WAFs) are applied precisely where they are most effective.

Formula / Concept Box

Hierarchical Outline

1. The Threat Modeling Lifecycle

   • Inventory Phase: Identifying what needs protection (data, compute, IP).
   • Analysis Phase: Investigating threat actors (nation-states, hackers, insiders).
   • Prioritization: Assessing the likelihood vs. impact of each threat.

2. Standard Secure Architectures

   • Three-Tier Architecture: Separation of Web, App, and Database into distinct subnets.
   • Hub-and-Spoke: Centralized control via AWS Transit Gateway connecting multiple spoke VPCs.
   • Perimeter VPC (DMZ): Isolating public-facing resources to protect the internal network.

3. Core Mitigation Mechanisms

   • Inbound Protection: AWS WAF (Layer 7), AWS Shield (DDoS), AWS Network Firewall.
   • Inter-VPC Security: Security Groups (stateful), NACLs (stateless), VPC Endpoint Policies.
   • Data Protection: Encryption at rest (KMS) and in transit (TLS/IPsec).

4. Validation & Compliance

   • Automated Testing: Using AWS Config and Lambda for drift detection.
   • Active Testing: Penetration testing and vulnerability scanning with Amazon Inspector.

Visual Anchors

The Threat Modeling Workflow

Standard Three-Tier Segmentation

\begin{tikzpicture}[node distance=1.5cm, every node/.style={rectangle, draw, minimum width=3cm, minimum height=1cm, align=center}]

% Nodes \node (internet) [fill=gray!20] {Public Internet}; \node (igw) [below of=internet] {Internet Gateway}; \node (web) [below of=igw, fill=blue!10] {Web Tier Subnet$Public)}; \node (app) [below of=web, fill=green!10] {Application Tier Subnet$Private)}; \node (db) [below of=app, fill=red!10] {Database Tier Subnet$Private)};

% Connections \draw [->, thick] (internet) -- (igw); \draw [->, thick] (igw) -- (web); \draw [->, thick] (web) -- node[right, draw=none] {SG / NACL} (app); \draw [->, thick] (app) -- node[right, draw=none] {SG / NACL} (db);

% Legend/Annotation \node [right of=web, xshift=3cm, draw=none, text width=4cm] {\small \textbf{Inbound}: WAF/Shield}; \node [right of=db, xshift=3cm, draw=none, text width=4cm] {\small \textbf{Storage}: Encryption at Rest};

\end{tikzpicture}

Definition-Example Pairs

• Segmentation: The act of splitting a network into smaller parts to improve performance and security.
  • Example: Placing a database in a private subnet with no route to the Internet Gateway, allowing access only from the application tier.
• Mitigation Strategy: A specific action or tool used to reduce the risk associated with a threat.
  • Example: Implementing AWS Shield Advanced to mitigate the risk of a high-volume Layer 3/4 DDoS attack.
• VPC Endpoint Policy: An IAM resource policy attached to a VPC endpoint to control which principals can use the endpoint to access a service.
  • Example: Creating a policy for an S3 Gateway Endpoint that only allows access to a specific corporate bucket, preventing data exfiltration to personal accounts.

Worked Examples

Scenario: Securing a Multi-Region Web Application

Goal: Protect a web application from SQL injection and ensure cross-region traffic is encrypted.

1. Threat Model Discovery:
   • Asset: Customer Database (RDS).
   • Threat: SQL Injection via the web tier.
   • Vulnerability: Exposed public endpoints.
2. Mitigation Plan:
   • Layer 7: Deploy AWS WAF on the Application Load Balancer (ALB) with SQLi injection protection rules.
   • Layer 4: Configure Security Groups to allow only traffic from the ALB to the App instances, and only from App instances to the DB.
   • Encryption: Enable TLS 1.2 for all data in transit. Use AWS KMS to encrypt the RDS volume at rest.
3. Validation:
   • Run Amazon Inspector to check for EC2 vulnerabilities.
   • Use AWS Config to ensure no security groups allow 0.0.0.0/0 on port 3306 (MySQL).

Checkpoint Questions

1. What is the primary difference between a Security Group and a Network ACL in terms of statefulness?
2. Why should a Perimeter VPC be isolated from other VPCs in the environment?
3. Which AWS service is best suited for automating the identification of unpatched software on EC2 instances?
4. Describe the function of a "Hub" in a Hub-and-Spoke architecture.

▶Click to see answers

1. Security Groups are stateful (responses are allowed automatically); NACLs are stateless (rules must be defined for both inbound and outbound traffic).
2. To ensure all traffic is forced through a centralized point of inspection before reaching internal resources, minimizing the risk of lateral movement.
3. Amazon Inspector.
4. It acts as a central point of control, usually containing a Transit Gateway or centralized firewall, to manage traffic between spokes and external connections.

Muddy Points & Cross-Refs

• NACL vs. Security Group: Students often struggle with where to apply each. Remember: NACLs are your subnet-level "fences" (broad), while Security Groups are your instance-level "doors" (specific).
• Perimeter VPC vs. Transit Gateway: A Perimeter VPC is an architectural pattern, while Transit Gateway is a service used to implement patterns like Hub-and-Spoke. You often use them together.
• Compliance Testing: Don't confuse AWS Config (resource configuration history) with AWS CloudTrail (API call history).

Comparison Tables

Inbound vs. Outbound Traffic Controls

[!IMPORTANT] Threat models must be reviewed on a regular basis. As your network architecture or the global threat landscape evolves, your security controls must be updated to remain effective.