
Network Security and Compliance: Implementation and Maintenance

Implement and maintain network features to meet security and compliance needs and requirements

This guide covers the essential knowledge and skills required to implement and maintain network features that meet security and compliance requirements in an AWS environment, specifically focusing on Task 4.1 of the ANS-C01 exam.

Learning Objectives

After studying this guide, you should be able to:

  • Develop and implement threat models based on application architecture.
  • Configure and manage AWS network security services including AWS WAF, Shield, and Network Firewall.
  • Use automation to verify connectivity intent and ensure compliance (e.g., Reachability Analyzer).
  • Implement a centralized security management strategy across multiple accounts using AWS Firewall Manager and Security Hub.
  • Deploy secure, repeatable network architectures such as perimeter VPCs and three-tier designs.

Key Terms & Glossary

  • Security Group (SG): A virtual stateful firewall for EC2 instances to control incoming and outgoing traffic.
  • Network ACL (NACL): An optional, stateless layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.
  • AWS Network Firewall: A managed service that makes it easy to deploy essential network protections for all of your VPCs, supporting deep packet inspection (DPI).
  • Reachability Analyzer: A configuration analysis tool that enables you to perform connectivity testing between a source resource and a destination resource in your VPCs.
  • AWS RAM (Resource Access Manager): Allows you to share your resources across any AWS account or within your Organization, essential for multi-account Transit Gateway or VPC sharing.

The "Big Idea"

In the AWS Advanced Networking context, security is not just a perimeter concern; it is a defense-in-depth strategy. The core objective is to move from manual, reactive security configurations to automated, proactive compliance. By integrating tools like AWS Config and Firewall Manager, you transition from managing individual firewalls to managing security policies that automatically apply to all resources, ensuring the network remains compliant as it scales.

Formula / Concept Box

| Feature | Layer | Statefulness | Best For |
|---|---|---|---|
| Security Group | Layer 4 (Transport) | Stateful | Instance-level protection; allowing specific ports/IPs. |
| Network ACL | Layer 4 (Transport) | Stateless | Subnet-level protection; blocking specific IP ranges (CIDRs). |
| AWS WAF | Layer 7 (Application) | Stateful | Protecting web apps from SQL injection, XSS, and bots. |
| Network Firewall | Layer 3-7 | Stateful/Stateless | Cross-VPC inspection, URL filtering, and IPS/IDS. |

Hierarchical Outline

  • I. Threat Modeling & Mitigation
    • Threat Modeling: Identifying entry points, trust boundaries, and data flows.
    • Inbound Protection: Using AWS WAF for HTTP/S and AWS Shield for DDoS mitigation.
    • Outbound Protection: Using Network Firewall or Forward Proxies to filter egress traffic to the internet.
  • II. Infrastructure Security Implementation
    • Perimeter VPCs: Centralizing security inspection for north-south traffic.
    • Three-Tier Architecture: Isolating Web, Application, and Database layers into separate subnets with strict SG rules.
    • Inter-VPC Security: Implementing VPC Endpoint Policies and Transit Gateway security controls.
  • III. Automation & Compliance
    • Verification: Using Reachability Analyzer to prove that pathing matches security intent.
    • Consistency: Using AWS CloudFormation to ensure every environment is deployed with identical security controls.
    • Auditing: Leveraging AWS Config to detect when a Security Group is modified to allow 0.0.0.0/0 on sensitive ports.

Visual Anchors

Centralized Security Inspection Flow

[Diagram not included in the extracted text.]

Security Group (Stateful) Logic

\begin{tikzpicture}[node distance=2cm, auto]
  \draw[thick] (0,0) rectangle (4,3);
  \node at (2,2.5) {\textbf{Instance (SG)}};
  \draw[blue, thick, ->] (-2,1) -- (0,1) node[midway, above] {Inbound Allowed};
  \draw[blue, thick, dashed, <-] (-2,0.5) -- (0,0.5) node[midway, below] {Auto-allowed Outbound};
  \node[draw, fill=yellow!20] at (2,1.2) {State Table};
\end{tikzpicture}

Definition-Example Pairs

  • Stateless Filtering: A firewall that treats each packet as an isolated entity, requiring explicit rules for both request and response.
    • Example: A Network ACL rule allowing inbound traffic on port 80 requires a corresponding outbound rule for ephemeral ports (1024-65535) to allow the response.
  • Stateful Filtering: A firewall that tracks the state of connections and automatically allows return traffic for established connections.
    • Example: If a Security Group allows inbound SSH (port 22), it automatically allows the outgoing response packets without an explicit outbound rule.
  • Deep Packet Inspection (DPI): Looking at the data part of a packet to find protocol non-compliance, viruses, or spam.
    • Example: Using AWS Network Firewall to block traffic containing a specific malware signature, even if it's traveling over a permitted port.

Worked Examples

Scenario: Troubleshooting a Connectivity Failure

Problem: An application in Subnet A cannot reach a database in Subnet B. All routing in the Route Tables appears correct.

Step 1: Run Reachability Analyzer. Create a path between the source (Application ENI) and destination (Database ENI). Specify the destination port (e.g., 3306).

Step 2: Analyze Results. Reachability Analyzer reports: Status: Unreachable. It identifies that the Security Group for the Database does not have an ingress rule for the Application's IP range.

Step 3: Remediation. Update the Database Security Group to allow TCP 3306 from the specific Security Group ID of the Application instance (Security Group Referencing).
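The three steps above as an added boto3 script (example code, not from the study guide). The helpers are pure Python and run offline against a constructed analysis record; the ENI and security-group IDs are placeholders, and the response field names and the ENI_SG_RULES_MISMATCH explanation code are assumptions to check against the EC2 API reference.

```python
# Added example (not from the study guide): the guide's three steps as boto3
# calls. ENI/SG IDs are placeholders; the response shape and explanation code
# are assumptions to verify against the EC2 API reference.
import time

SAMPLE_UNREACHABLE = {  # constructed: Step 2's result, blocked by the DB SG
    "Status": "succeeded", "NetworkPathFound": False,
    "Explanations": [{"ExplanationCode": "ENI_SG_RULES_MISMATCH", "Direction": "ingress",
                      "SecurityGroup": {"Id": "sg-db-constructed"}}]}

def find_sg_block(analysis: dict):
    """Step 2: return (sg_id, direction) of the first security-group mismatch,
    or None when the path was found or failed for a different reason."""
    if analysis.get("NetworkPathFound"):
        return None
    for exp in analysis.get("Explanations", []):
        if exp.get("ExplanationCode") == "ENI_SG_RULES_MISMATCH":
            return exp["SecurityGroup"]["Id"], exp.get("Direction")
    return None

def db_ingress_from_app(app_sg_id: str, port: int = 3306) -> list:
    """Step 3: an ingress rule that references the application SG instead of
    a CIDR, so the allow list follows instances as they scale or are replaced."""
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "UserIdGroupPairs": [{"GroupId": app_sg_id}]}]

def analyze_path(ec2, src_eni: str, dst_eni: str, port: int = 3306) -> dict:
    """Step 1: create the path and run the analysis, polling until it ends."""
    path = ec2.create_network_insights_path(
        Source=src_eni, Destination=dst_eni, Protocol="tcp", DestinationPort=port)
    path_id = path["NetworkInsightsPath"]["NetworkInsightsPathId"]
    started = ec2.start_network_insights_analysis(NetworkInsightsPathId=path_id)
    analysis_id = started["NetworkInsightsAnalysis"]["NetworkInsightsAnalysisId"]
    while True:
        res = ec2.describe_network_insights_analyses(
            NetworkInsightsAnalysisIds=[analysis_id])["NetworkInsightsAnalyses"][0]
        if res["Status"] != "running":
            return res
        time.sleep(5)

if __name__ == "__main__":
    import boto3  # imported here so the pure helpers above run offline
    ec2 = boto3.client("ec2")
    result = analyze_path(ec2, "eni-APP-PLACEHOLDER", "eni-DB-PLACEHOLDER")
    blocked = find_sg_block(result)
    if blocked:
        ec2.authorize_security_group_ingress(
            GroupId=blocked[0], IpPermissions=db_ingress_from_app("sg-APP-PLACEHOLDER"))
```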

Checkpoint Questions

  1. What is the primary difference between a Security Group and a Network ACL?
  2. Which AWS service allows you to centrally manage and deploy WAF rules across all your accounts in an Organization?
  3. You need to inspect traffic between two VPCs connected via Transit Gateway. Which architectural pattern should you use?
  4. True or False: Reachability Analyzer sends actual data packets through the network to test connectivity.

Muddy Points & Cross-Refs

  • Ephemeral Ports: Often forgotten in NACL configurations. If your NACL blocks high ports (1024-65535), your instances cannot receive responses for outgoing requests. (Cross-ref: Unit 1 - VPC Fundamentals).
  • Gateway Load Balancer (GWLB) vs. Network Firewall: GWLB is for 3rd-party appliances; Network Firewall is an AWS-managed service. Choose Network Firewall for ease of use, GWLB for specific vendor features (Check Point, Palo Alto).
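To make the stateless/stateful distinction from the Definition-Example Pairs and the ephemeral-port muddy point above concrete, here is an added Python model (not from the study guide) of NACL and Security Group evaluation. The Packet, Nacl and SecurityGroup classes and the sample 203.0.113.5 to 10.0.1.10 web session are constructed for illustration and deliberately model only port matching and connection tracking.

```python
# Added example (not from the study guide): a minimal model of NACL (stateless,
# numbered rules) vs Security Group (stateful) evaluation, showing why a NACL
# needs an explicit ephemeral-port rule for reply traffic and an SG does not.
from dataclasses import dataclass, field

EPHEMERAL = (1024, 65535)  # reply-port range quoted in the guide

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

@dataclass
class Nacl:
    """Stateless: request and reply must each match an allow rule.
    Rules are (number, direction, port_lo, port_hi, action); the lowest
    matching number wins; no match falls through to the implicit deny-all."""
    rules: list

    def allows(self, pkt: Packet, direction: str) -> bool:
        for _num, d, lo, hi, action in sorted(self.rules, key=lambda r: r[0]):
            if d == direction and lo <= pkt.dport <= hi:
                return action == "allow"
        return False

@dataclass
class SecurityGroup:
    """Stateful: inbound allow rules plus a connection table; a reply to a
    tracked inbound flow is allowed without any outbound rule."""
    inbound_ports: set
    _state: set = field(default_factory=set)

    def allows(self, pkt: Packet, direction: str) -> bool:
        if direction == "inbound":
            if pkt.dport in self.inbound_ports:
                self._state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True
            return False
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self._state

def web_session(fw, client_port=50000):
    """Constructed flow: client high port -> port 80, then the reply.
    Returns (request_allowed, reply_allowed)."""
    req = Packet("203.0.113.5", "10.0.1.10", client_port, 80)
    rep = Packet("10.0.1.10", "203.0.113.5", 80, client_port)
    return fw.allows(req, "inbound"), fw.allows(rep, "outbound")
```

Run web_session against a NACL with only an inbound port 80 rule and the reply is dropped; add an outbound rule over EPHEMERAL and it passes, while SecurityGroup({80}) passes both without any outbound rule.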

Comparison Tables

Traffic Filtering Comparison

| Feature | AWS WAF | AWS Shield Advanced | AWS Network Firewall |
|---|---|---|---|
| Layer | Layer 7 (Application) | Layer 3/4 (Network/Transport) | Layer 3 through 7 |
| Target | CloudFront, ALB, AppSync | Route 53, Global Accelerator | VPC Subnets (Traffic flow) |
| Protection | SQLi, XSS, Bot Control | Volumetric DDoS, Cost Protection | IPS/IDS, URL Filtering, FQDN |
| Scale | Requests per second | Gigabits/Terabits per second | Inspects all VPC traffic |
