Secure AWS Network Architectures: Security & Compliance Study Guide
Implementing an AWS network architecture to meet security and compliance requirements (for example, untrusted network, perimeter VPC, three-tier architecture)
This guide covers the implementation of robust AWS network architectures designed to meet stringent security and compliance requirements. It focuses on structural patterns like Three-Tier, Perimeter VPC, and Untrusted Networks, alongside the tools used to secure traffic flows.
Learning Objectives
- Design secure network architectures including Untrusted Networks (DMZs), Perimeter VPCs, and Three-Tier models.
- Implement security controls for inbound, outbound, and inter-VPC traffic flows.
- Develop a threat model to identify and mitigate risks within a network architecture.
- Evaluate the use of Gateway Load Balancers, AWS Network Firewall, and WAF in a security stack.
- Verify compliance through logging, monitoring, and automated auditing.
Key Terms & Glossary
- DMZ (Demilitarized Zone): A physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted network, usually the internet.
- Blast Radius: The potential extent of damage that can be caused by a single security incident; minimized through network segmentation.
- NACL (Network Access Control List): A stateless layer of security at the subnet level that acts as a firewall for controlling traffic in and out of one or more subnets.
- Security Group: A stateful virtual firewall for instances to control inbound and outbound traffic at the ENI (Elastic Network Interface) level.
- Inbound Inspection: The process of checking traffic entering the AWS environment from the internet for threats.
- Egress Filtering: Monitoring and restricting the flow of information leaving a network to unauthorized destinations.
The "Big Idea"
> [!IMPORTANT]
> The core philosophy of secure AWS networking is Defense in Depth. Rather than relying on a single firewall, security is layered across the architecture: at the edge (Shield/WAF), the VPC perimeter (Network Firewall/GWLB), the subnet (NACLs), and the individual resource (Security Groups). This ensures that if one layer is compromised, others remain to protect the data.
Formula / Concept Box
| Security Layer | Scope | Traffic State | Primary Use Case |
|---|---|---|---|
| AWS WAF | Layer 7 (HTTP/S) | Managed | Protecting web apps from common exploits (SQLi, XSS). |
| AWS Shield | Layer 3/4 | Managed | DDoS protection (Standard is free, Advanced is paid). |
| Network ACL | Subnet | Stateless | Coarse-grained IP/Port blocking; "black hole" filtering. |
| Security Group | Instance (ENI) | Stateful | Fine-grained application-level access control. |
| Network Firewall | VPC/Multi-VPC | Stateful/Stateless | Deep packet inspection (DPI) and URL filtering. |
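The "Stateful" versus "Stateless" column of the table is the distinction that most often breaks a deployment, so here is an added Python illustration (not from the guide): a security group remembers the inbound HTTPS connection it allowed and lets the reply out, while a NACL that lacks an outbound ephemeral-port rule drops that same reply. Addresses, ports and rule sets are constructed, and the matching logic is a deliberately small model of the real evaluation.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# direction is "in" (toward the instance) or "out" (leaving it)
Packet = namedtuple("Packet", "direction src dst sport dport")
# inbound rules match the packet's source address, outbound rules its destination
Rule = namedtuple("Rule", "direction cidr port_lo port_hi allow", defaults=[True])

def rule_matches(rule, p):
    peer = p.src if p.direction == "in" else p.dst
    return (rule.direction == p.direction
            and ip_address(peer) in ip_network(rule.cidr)
            and rule.port_lo <= p.dport <= rule.port_hi)

class SecurityGroup:
    """Stateful: an allowed packet creates a connection entry and the reply
    leg of that connection is permitted without consulting any rule."""
    def __init__(self, rules):
        self.rules, self.connections = list(rules), set()
    def permits(self, p):
        if (p.dst, p.src, p.dport, p.sport) in self.connections:
            return True                          # reply of a tracked flow
        if any(rule_matches(r, p) for r in self.rules if r.allow):
            self.connections.add((p.src, p.dst, p.sport, p.dport))
            return True
        return False                             # SGs have no explicit deny

class NetworkACL:
    """Stateless: every packet, replies included, is checked against the
    numbered rules in order; first match wins, otherwise the implicit deny."""
    def __init__(self, rules):
        self.rules = list(rules)                 # already in rule-number order
    def permits(self, p):
        for r in self.rules:
            if rule_matches(r, p):
                return r.allow
        return False                             # the implicit "*" deny

def web_exchange():
    """Constructed HTTPS request/reply through an SG with one inbound rule, a
    NACL with only that rule, and a NACL that also opens ephemeral ports out."""
    request = Packet("in", "203.0.113.10", "10.0.1.20", 51000, 443)
    reply = Packet("out", "10.0.1.20", "203.0.113.10", 443, 51000)
    https_in = Rule("in", "0.0.0.0/0", 443, 443)
    sg = SecurityGroup([https_in])
    nacl_broken = NetworkACL([https_in])
    nacl_fixed = NetworkACL([https_in, Rule("out", "0.0.0.0/0", 1024, 65535)])
    return tuple((f.permits(request), f.permits(reply))
                 for f in (sg, nacl_broken, nacl_fixed))
```

`web_exchange()` returns `((True, True), (True, False), (True, True))`: the security group and the corrected NACL pass both legs, the NACL without the outbound ephemeral-port rule silently drops the server's reply.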
Hierarchical Outline
- Threat Modeling & Mitigation
- Asset Identification: Servers, databases, data, and microservices.
- Risk Assessment: Identifying vulnerabilities like unpatched software or weak passwords.
- Mitigation Strategy: Applying encryption, access controls, and monitoring.
- Structural Architecture Patterns
- Untrusted Network (DMZ): A VPC hosting public resources (Web) isolated from protected internal networks.
- Three-Tier Architecture: Separation of Web (Public), Application (Private), and Database (Private) into distinct subnets.
- Perimeter VPC: A centralized VPC for inspecting all traffic entering or leaving a multi-VPC environment.
- Hub-and-Spoke: Centralizing control via AWS Transit Gateway to connect multiple VPCs.
- Traffic Flow Security
- Inbound: WAF, Shield, and Network Firewall.
- Outbound: NAT Gateways, Proxies, and Gateway Load Balancers (GWLB).
- Inter-VPC: VPC Peering, Transit Gateway, and VPC Endpoint Policies.
Visual Anchors
- Diagram: Three-Tier Architecture Flow
- Diagram: Security Group vs. NACL Logic
Definition-Example Pairs
- Perimeter VPC: A dedicated VPC that acts as a transit point for all north-south traffic to apply centralized security inspection.
- Example: A company uses a Perimeter VPC containing a fleet of Palo Alto firewalls behind a Gateway Load Balancer to inspect all traffic coming from the internet before it reaches their production VPCs.
- VPC Endpoint Policy: An IAM resource policy attached to an endpoint to control which principals can use the endpoint to access the service.
- Example: Restricting an S3 Interface Endpoint so it can only be used to access one specific S3 bucket, preventing data exfiltration to personal accounts.
- Automated Security Incident Reporting: Using AWS services to detect and alert on security events without human intervention.
- Example: Setting up a CloudWatch Alarm that triggers an SNS notification to the security team whenever VPC Flow Logs record a high volume of rejected SSH attempts.
Worked Examples
Designing an Inspection Flow with Gateway Load Balancer (GWLB)
Scenario: You need to inspect all outbound traffic from your application VPC using a third-party firewall appliance to ensure no data is being sent to malicious IPs.
- Step 1: Deploy Firewalls. Place your firewall appliances in a separate Security VPC behind a GWLB.
- Step 2: Create Endpoints. In the Application VPC, create a GWLB Endpoint (GWLBe).
- Step 3: Update Route Tables. Modify the route table of the application subnet to point all outbound traffic (0.0.0.0/0) to the GWLBe.
- Step 4: Inspection. The GWLB encapsulates the traffic (using the GENEVE protocol) and sends it to the firewall. The firewall inspects and returns it to the GWLB.
- Step 5: Delivery. The traffic is sent back to the GWLBe in the App VPC and then out to the internet via the NAT Gateway.
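The five steps above traced hop by hop, as an added Python model that is not part of the guide: each subnet route table is evaluated with AWS's longest-prefix-match rule, the GWLB endpoint hands the packet to the appliance, and only a passed packet continues to the NAT Gateway and Internet Gateway. The CIDRs, subnet names, the "blocked" destination range and the three-subnet layout are assumptions.

```python
from ipaddress import ip_address, ip_network

def next_hop(route_table, dst):
    """AWS route selection: the most specific (longest prefix) matching route wins."""
    best = None
    for cidr, target in route_table:
        net = ip_network(cidr)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

# Assumed subnet layout and CIDRs for the worked example (not from the guide):
# the application subnet, the subnet holding the GWLB endpoint, and the NAT subnet.
ROUTE_TABLES = {
    "app-subnet":   [("10.0.0.0/16", "local"), ("0.0.0.0/0", "gwlbe")],
    "gwlbe-subnet": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-gw")],
    "nat-subnet":   [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw")],
}
# Route table that evaluates the packet after each target forwards it on
NEXT_TABLE = {"gwlbe": "gwlbe-subnet", "nat-gw": "nat-subnet"}
# Constructed "malicious" destination range the firewall appliance is told to drop
BLOCKED = [ip_network("192.0.2.0/24")]

def firewall_verdict(dst):
    return "drop" if any(ip_address(dst) in net for net in BLOCKED) else "pass"

def trace(dst, start="app-subnet"):
    """Walk one outbound packet hop by hop and return the path, ending in
    'internet', 'local', 'dropped-by-firewall' or 'no-route'."""
    hops, table = [], start
    while True:
        target = next_hop(ROUTE_TABLES[table], dst)
        hops.append(f"{table}->{target}")
        if target is None:
            return hops + ["no-route"]
        if target == "local":
            return hops + ["local"]
        if target == "igw":
            return hops + ["internet"]
        if target == "gwlbe":
            # The endpoint GENEVE-encapsulates the packet to the GWLB, the
            # appliance inspects it, and only a passed packet returns to the
            # endpoint, where its subnet's route table takes over.
            verdict = firewall_verdict(dst)
            hops.append(f"geneve->firewall:{verdict}")
            if verdict == "drop":
                return hops + ["dropped-by-firewall"]
        table = NEXT_TABLE[target]
```

`trace("198.51.100.50")` walks app-subnet, firewall, NAT subnet and IGW to the internet, `trace("192.0.2.7")` stops at the appliance, and `trace("10.0.3.4")` stays local because the /16 route beats the default route. Return traffic follows the reverse route tables and is not modelled here.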
Checkpoint Questions
- What is the main difference between a Security Group and a NACL regarding how they handle return traffic?
- Why is a