
Unit 4: Network Security, Compliance, and Governance

This study guide covers the critical aspects of securing AWS network infrastructures, maintaining compliance with global standards, and implementing robust governance through auditing and monitoring. This corresponds to Domain 4 of the AWS Certified Advanced Networking Specialty (ANS-C01) exam.

Learning Objectives

By the end of this unit, you should be able to:

  • Develop and implement threat models based on specific application architectures (monolithic vs. microservices).
  • Secure inbound and outbound traffic flows using AWS WAF, AWS Shield, and AWS Network Firewall.
  • Validate and audit security configurations using VPC Flow Logs, VPC Traffic Mirroring, and AWS CloudTrail.
  • Maintain confidentiality and integrity of data in transit: TLS and IPsec for encryption, DNSSEC for authenticated DNS answers (DNSSEC signs responses; it does not encrypt them).
  • Automate incident response using CloudWatch alarms, AWS Config rules, and AWS Lambda for remediation.

Key Terms & Glossary

  • IDS/IPS (Intrusion Detection/Prevention System): A device or software application that monitors a network for malicious activity or policy violations. AWS Network Firewall provides these capabilities.
  • WAF (Web Application Firewall): A layer 7 firewall designed to protect web applications from common exploits like SQL injection and Cross-Site Scripting (XSS).
  • NACL (Network Access Control List): A stateless optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.
  • Security Group: A stateful virtual firewall attached to an elastic network interface (EC2 instances, load balancers, RDS, Lambda in a VPC, etc.) that controls incoming and outgoing traffic. Security groups contain only allow rules; there is no way to write an explicit deny.
  • Shared Responsibility Model: A framework where AWS is responsible for the security of the cloud, and the customer is responsible for security in the cloud.

The "Big Idea"

Security in AWS is not a static configuration but a continuous lifecycle. It begins with identifying compliance requirements (e.g., PCI DSS, HIPAA), assessing the current architecture against those requirements, and implementing a multi-layered defense (Defense-in-Depth). Governance is achieved by ensuring that every network flow is logged, every change is audited, and every anomaly triggers an automated alert.

Formula / Concept Box

Concept | Application / Rule
Stateful Filtering | Security Groups: if you allow an inbound port, the return traffic is automatically allowed regardless of outbound rules.
Stateless Filtering | NACLs: return traffic must be explicitly allowed by an outbound rule, which in practice means allowing the ephemeral port range (1024-65535) in the reply direction.
Threat Modeling | Risk = Probability × Impact. Focus on entry points (IGW), lateral movement (VPC peering, Transit Gateway), and data exit (NAT Gateway).
Encryption | Use TLS for application-level data and IPsec for network-level tunnels (VPN).

Hierarchical Outline

  • I. Implementing Security & Compliance (Task 4.1)
    • Threat Modeling: Identifying vulnerabilities in monolithic vs. microservices architectures.
    • Inbound Security: Utilizing AWS WAF for Layer 7 and AWS Shield for DDoS protection.
    • Outbound Security: Implementing Network Firewall and Forward Proxies to filter egress traffic.
    • Inter-VPC and Endpoint Security: Restricting VPC endpoints with endpoint policies (e.g., a gateway endpoint limited to specific S3 buckets or DynamoDB tables) and scoping inter-VPC traffic with route tables and security group rules.
  • II. Validation & Auditing (Task 4.2)
    • Logging Services: VPC Flow Logs (connection metadata, no payload), CloudTrail (API calls), and GuardDuty (threat detection over CloudTrail, VPC Flow Logs, and DNS query logs).
    • Traffic Inspection: VPC Traffic Mirroring for deep packet inspection (DPI) by third-party appliances.
    • Centralized Management: Using AWS Firewall Manager to enforce policies across multiple accounts in an organization.
  • III. Confidentiality & Data Integrity (Task 4.3)
    • DNS Security: Enabling DNSSEC signing for Route 53 public hosted zones so resolvers can verify your zone's answers, and DNSSEC validation in Route 53 Resolver so your VPCs reject forged (poisoned) responses.
    • Traffic Management: Using Route 53 traffic policies (geolocation, latency, and failover routing) to steer users to the intended regional endpoint.
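VPC Flow Logs record connection metadata only, and the practical question is what a detection can and cannot get from that. The following is an added example written for this guide, not AWS tooling: a parser for the default flow log format (version 2, 14 space-separated fields) and a small detection that flags external sources repeatedly REJECTed on tcp/22. The account ID, ENI ID, and addresses in the sample records are constructed.

```python
"""Parse VPC Flow Log records (default format, version 2) and flag external
sources repeatedly rejected on tcp/22.  Added example for this study guide, not
AWS tooling; the records below are constructed, not captured from an account."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Field order of the default flow log format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TCP = 6


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    byte_count: int
    action: str             # ACCEPT or REJECT: the verdict of SG/NACL evaluation


def parse_flow_record(line: str) -> Optional[FlowRecord]:
    """Return a FlowRecord, or None for NODATA/SKIPDATA records, whose address
    and counter fields are '-' placeholders rather than values."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    raw = dict(zip(FIELDS, parts))
    if raw["log_status"] != "OK":
        return None
    return FlowRecord(
        interface_id=raw["interface_id"], srcaddr=raw["srcaddr"], dstaddr=raw["dstaddr"],
        srcport=int(raw["srcport"]), dstport=int(raw["dstport"]),
        protocol=int(raw["protocol"]), packets=int(raw["packets"]),
        byte_count=int(raw["bytes"]), action=raw["action"])


def is_external(addr: str) -> bool:
    """True when the address is outside the RFC 1918 ranges."""
    return not any(ip_address(addr) in net for net in PRIVATE)


def ssh_probe_sources(lines, threshold: int = 3) -> dict:
    """Count REJECTed tcp/22 attempts per external source address and return
    those at or above `threshold`.  Flow logs carry only metadata, so this is
    as far as the record can take you: no payload, no SSH banner, no username.
    Traffic Mirroring is the tool if you need those."""
    rejects = Counter()
    for line in lines:
        rec = parse_flow_record(line)
        if rec is None:
            continue
        if (rec.protocol == TCP and rec.dstport == 22 and rec.action == "REJECT"
                and is_external(rec.srcaddr)):
            rejects[rec.srcaddr] += 1
    return {src: n for src, n in rejects.items() if n >= threshold}


# Constructed sample: one external host rejected three times on tcp/22, one
# external host rejected once, one internal accepted SSH session, HTTPS
# traffic, and a NODATA record (no traffic in the aggregation window).
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 51234 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 51235 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 51236 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.4 10.0.1.25 60001 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.2.9 10.0.1.25 40022 22 6 12 2048 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.4 10.0.1.25 43210 443 6 30 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
""".splitlines()

if __name__ == "__main__":
    for src, count in ssh_probe_sources(SAMPLE_LOG).items():
        print(f"{src} rejected {count}x on tcp/22: candidate for a NACL deny or a GuardDuty finding check")
```

Two points the sample makes visible: the NODATA record must be skipped before any field is converted to an integer, and a REJECT from an RFC 1918 source (here 10.0.2.9 was ACCEPTed, but a rejected one would be excluded too) is a different investigation than an internet-facing probe, so the detection keys on the source being external. If you use a custom log format, regenerate FIELDS from that format string rather than assuming the default order.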

Visual Anchors

Traffic Security Flow

Network Layer Defense (TikZ)

\begin{tikzpicture}[node distance=1.5cm,
    every node/.style={draw, fill=blue!10, rounded corners}]
  \node (ext)  [fill=red!10]                  {External Internet};
  \node (igw)  [below of=ext]                 {Internet Gateway (IGW)};
  \node (nacl) [below of=igw, fill=orange!10] {Network ACL (Stateless)};
  \node (sg)   [below of=nacl, fill=green!10] {Security Group (Stateful)};
  \node (app)  [below of=sg]                  {Application / Data};

  \draw[<->, thick] (ext)  -- (igw);
  \draw[<->, thick] (igw)  -- (nacl);
  \draw[<->, thick] (nacl) -- (sg);
  \draw[<->, thick] (sg)   -- (app);

  \draw[dashed, red, thick]  (-2,-2.2) -- (2,-2.2) node[right] {Subnet Boundary};
  \draw[dashed, blue, thick] (-2,-3.7) -- (2,-3.7) node[right] {Instance Boundary};
\end{tikzpicture}

Definition-Example Pairs

  • Compliance Framework: A set of controls and audit criteria (e.g., SOC 2, PCI DSS) against which an environment is assessed. Example: A healthcare company builds only on HIPAA-eligible AWS services and signs a Business Associate Addendum (BAA) with AWS, then encrypts patient records at rest and in transit to meet its own share of the Shared Responsibility Model.
  • Automated Remediation: Using code to fix a security issue without waiting for a human. Example: If a security group ingress rule allows tcp/22 from 0.0.0.0/0, the AWS Config managed rule restricted-ssh marks the group noncompliant and an attached remediation action (an SSM Automation document, which can in turn invoke a Lambda function) revokes the offending rule automatically.
  • Traffic Mirroring: Copying network traffic from an ENI, encapsulated in VXLAN, to an out-of-band target (another ENI, a Network Load Balancer, or a Gateway Load Balancer endpoint) in front of a security appliance. Example: An enterprise mirrors traffic from its production web servers to a Darktrace appliance for anomaly detection without placing the appliance inline.
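The remediation in the second pair above is the kind of thing worth seeing as code, because the interesting part is deciding exactly what to revoke. The following is an added example written for this guide, not AWS-provided code: the decision is a pure function over the IpPermissions structure that describe_security_groups returns, so it can be exercised with constructed input and no credentials; the Lambda handler around it and its {"groupId": ...} event shape are assumptions, and a Config remediation (SSM Automation) or an EventBridge rule on AuthorizeSecurityGroupIngress would need a small mapping to that shape.

```python
"""Remediation for a security group that exposes SSH to the world.  Added example
for this study guide; not AWS-provided code.  The decision logic is a pure
function over the IpPermissions structure returned by describe_security_groups,
so it can be tested with constructed input and without credentials."""

SSH_PORT = 22
ANYWHERE = {"0.0.0.0/0", "::/0"}


def open_ssh_permissions(ip_permissions):
    """Return the ingress permissions that admit tcp/22 from anywhere, trimmed to
    the offending CIDRs only, in the shape revoke_security_group_ingress expects.
    A rule offends if its protocol is all (-1) or a tcp port range that
    contains 22, AND at least one of its ranges is 0.0.0.0/0 or ::/0."""
    offenders = []
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        if proto == "-1":
            covers_ssh = True                       # all protocols, all ports
        elif proto == "tcp":
            covers_ssh = perm["FromPort"] <= SSH_PORT <= perm["ToPort"]
        else:
            covers_ssh = False                      # udp/icmp cannot expose SSH
        if not covers_ssh:
            continue
        v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") in ANYWHERE]
        v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in ANYWHERE]
        if not (v4 or v6):
            continue                                # e.g. 10.0.0.0/8 only: keep
        bad = {"IpProtocol": proto}
        if proto != "-1":
            # A revoke must match the existing rule exactly, so keep its full
            # port range even when it is wider than 22-22 (the whole rule goes;
            # re-add a tighter one afterwards if the other ports were wanted).
            bad["FromPort"], bad["ToPort"] = perm["FromPort"], perm["ToPort"]
        if v4:
            bad["IpRanges"] = [{"CidrIp": c} for c in v4]
        if v6:
            bad["Ipv6Ranges"] = [{"CidrIpv6": c} for c in v6]
        offenders.append(bad)
    return offenders


def lambda_handler(event, context):
    """Entry point.  Assumes (constructed shape) an event {"groupId": "sg-..."}."""
    import boto3  # imported here so open_ssh_permissions stays testable offline
    ec2 = boto3.client("ec2")
    group_id = event["groupId"]
    group = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    offenders = open_ssh_permissions(group["IpPermissions"])
    if offenders:
        # Only the world-open ranges are revoked; other CIDRs in the same rule
        # (e.g. a corporate 10.0.0.0/8 entry) survive untouched.
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=offenders)
    return {"groupId": group_id, "revoked": offenders}


# Constructed describe_security_groups output: SSH open to the world and to the
# corporate range, HTTPS open to the world (fine), and an IPv6 rule for ports
# 0-1024 that happens to include 22.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}],
     "Ipv6Ranges": [], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
]

if __name__ == "__main__":
    import json
    print(json.dumps(open_ssh_permissions(SAMPLE_PERMISSIONS), indent=2))
```

The two details that usually bite in practice are both here: a revoke call must name the rule exactly as it exists (you cannot revoke "22" out of a 0-1024 range, only the whole range), and ::/0 is as open as 0.0.0.0/0, so an IPv4-only check leaves a hole. The function also ignores UserIdGroupPairs deliberately, since a rule that references another security group is never "anywhere".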

Worked Examples

Scenario: Securing a Perimeter VPC

Goal: Inspect all traffic entering, leaving, and moving between the VPCs of a multi-account environment at a single point.

  1. Deploy a Centralized Inspection VPC: Create a VPC dedicated to security appliances, with one subnet per Availability Zone for the Transit Gateway attachment and one per AZ for the firewall endpoints. If internet egress is also centralized, add NAT Gateways and an IGW here.
  2. Transit Gateway (TGW) Integration: Attach every spoke VPC and the inspection VPC to the TGW. Give each spoke a default route (0.0.0.0/0) to the TGW attachment.
  3. Appliance Deployment: In the inspection VPC, deploy AWS Network Firewall endpoints (one per AZ) or a Gateway Load Balancer (GWLB) with GWLB endpoints fronting third-party IDS/IPS appliances. Either way the endpoint is what the route tables point at.
  4. Routing Configuration: In the TGW route table associated with the spoke attachments, send 0.0.0.0/0 to the inspection VPC attachment. Inside the inspection VPC, the TGW-attachment subnets route to the firewall endpoint in the same AZ, and the firewall subnets route back to the TGW (or on to the NAT Gateway and IGW for internet-bound flows). Enable appliance mode on the inspection VPC's TGW attachment so both directions of a flow stay in the same AZ; without it, the return packet can reach a different appliance with no state for the connection and be dropped.
  5. Validation: Confirm with Network Firewall flow and alert logs, plus VPC Flow Logs on the spoke ENIs, that every spoke flow traverses an inspection endpoint. Asymmetric routing shows up as flows that appear in one direction only.

Checkpoint Questions

  1. What is the primary difference between a stateful and a stateless firewall in AWS?
  2. Which service would you use to perform automated vulnerability assessments on EC2 instances?
  3. How does VPC Traffic Mirroring differ from VPC Flow Logs?
  4. What is the purpose of DNSSEC in Amazon Route 53?

Muddy Points & Cross-Refs

  • NACL vs. Security Group: Many students struggle with the return traffic rules. Remember: NACLs are like a security guard checking IDs both ways, whereas Security Groups are like a hotel keycard—once you're in, the door lets you out automatically.
  • WAF vs. Network Firewall: WAF inspects HTTP(S) requests and attaches to the services that terminate them (CloudFront, Application Load Balancer, API Gateway, AppSync). Network Firewall sits in the VPC data path and filters any IP traffic at Layers 3-7 using stateless 5-tuple rules, stateful Suricata-compatible rules, and domain lists.
  • Deep Dive: For more on encryption, refer to Unit 3: Network Management and Operation (Encryption methods).
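The return-traffic rule in the Concept Box and the first muddy point above are easiest to internalize by watching both filters judge the same two packets. The following is an added example written for this guide, not AWS code: it models the documented semantics (NACL rules evaluated lowest number first with an implicit deny; security groups track connections so a reply is allowed without an outbound rule) and runs one HTTPS exchange through a wrong NACL, a corrected NACL, and a security group. The addresses and rule sets are constructed.

```python
"""Stateless (NACL) versus stateful (security group) evaluation of one TCP
exchange.  Added example written for this study guide; it models the documented
semantics and is not AWS code.  Addresses and rule sets are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str          # "in" = toward the instance, "out" = leaving it


@dataclass(frozen=True)
class NaclRule:
    number: int             # rules are evaluated lowest number first
    direction: str
    action: str             # "allow" or "deny"
    port_from: int
    port_to: int
    cidr: str


def _peer(pkt):
    """The address a rule's CIDR is matched against: the remote side of the flow."""
    return pkt.src if pkt.direction == "in" else pkt.dst


def nacl_evaluate(rules, pkt):
    """Stateless: every packet, replies included, is matched against the rules
    for its own direction.  First match wins; the implicit '*' rule denies."""
    candidates = sorted((r for r in rules if r.direction == pkt.direction),
                        key=lambda r: r.number)
    for r in candidates:
        if (ip_address(_peer(pkt)) in ip_network(r.cidr)
                and r.port_from <= pkt.dport <= r.port_to):
            return r.action
    return "deny"


@dataclass
class SecurityGroup:
    inbound: list           # (port_from, port_to, cidr); allow rules only
    outbound: list
    state: set = field(default_factory=set)   # tracked 4-tuples

    def evaluate(self, pkt):
        """Stateful: a packet that matches an allow rule records the flow, and
        any later packet of that flow, in either direction, is allowed without
        consulting the rules again."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.state or reverse in self.state:
            return "allow"
        rules = self.inbound if pkt.direction == "in" else self.outbound
        for port_from, port_to, cidr in rules:
            if (ip_address(_peer(pkt)) in ip_network(cidr)
                    and port_from <= pkt.dport <= port_to):
                self.state.add(key)
                return "allow"
        return "deny"


# Constructed exchange: an internet client opens HTTPS to a web server, and the
# server's reply goes back to the client's ephemeral source port.
REQUEST = Packet("203.0.113.9", "10.0.1.10", 51515, 443, "in")
REPLY = Packet("10.0.1.10", "203.0.113.9", 443, 51515, "out")


def run_scenarios():
    """Return the (request, reply) verdict pair under three configurations."""
    # NACL that allows 443 in both directions: the reply is addressed to an
    # ephemeral port, so the outbound rule never matches and the reply is dropped.
    nacl_443_only = [
        NaclRule(100, "in", "allow", 443, 443, "0.0.0.0/0"),
        NaclRule(100, "out", "allow", 443, 443, "0.0.0.0/0"),
    ]
    # Corrected NACL: the outbound rule covers the ephemeral range 1024-65535.
    nacl_with_ephemeral = nacl_443_only[:1] + [
        NaclRule(100, "out", "allow", 1024, 65535, "0.0.0.0/0"),
    ]
    # Security group with an inbound 443 rule and no outbound rules at all
    # (a real default group allows all outbound; emptied here to make the point).
    sg = SecurityGroup(inbound=[(443, 443, "0.0.0.0/0")], outbound=[])
    return {
        "nacl_443_only": (nacl_evaluate(nacl_443_only, REQUEST),
                          nacl_evaluate(nacl_443_only, REPLY)),
        "nacl_with_ephemeral": (nacl_evaluate(nacl_with_ephemeral, REQUEST),
                                nacl_evaluate(nacl_with_ephemeral, REPLY)),
        "security_group": (sg.evaluate(REQUEST), sg.evaluate(REPLY)),
    }


if __name__ == "__main__":
    for name, (req, rep) in run_scenarios().items():
        print(f"{name:20s} request={req:5s} reply={rep}")
```

The first scenario is the classic troubleshooting case: the instance accepts the SYN (Flow Logs show ACCEPT inbound) and the client never gets the SYN-ACK (Flow Logs show REJECT outbound on a high port). The same model also explains why a security group cannot block a reply it already admitted the request for, which is the reason NACLs, not security groups, are the place for an explicit deny of a hostile source.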

Comparison Tables

AWS Security Services Comparison

Service | OSI Layer | Primary Use Case
AWS WAF | Layer 7 (Application) | Protecting web apps from SQLi, XSS, and bots; attaches to CloudFront, ALB, API Gateway, and AppSync.
AWS Shield | Layer 3/4 (Network/Transport); Advanced adds Layer 7 via WAF | DDoS protection (Standard is free and always on; Advanced adds 24x7 response team access and cost protection).
AWS Network Firewall | Layers 3-7 | High-throughput IDS/IPS and domain filtering for entire VPCs (stateless and stateful Suricata-compatible rules).
Amazon GuardDuty | Not in the data path (analyzes logs) | Threat detection using machine learning and threat intelligence over CloudTrail, VPC Flow Logs, and DNS logs.

Monitoring vs. Logging

Feature | VPC Flow Logs | VPC Traffic Mirroring
Data Type | Metadata (IPs, ports, protocol, bytes, ACCEPT/REJECT) | Full packet content (VXLAN-encapsulated copy)
Performance Impact | None on the data path (collected outside it) | Mirrored packets consume instance bandwidth and are dropped first under congestion, so production traffic keeps priority
Primary Goal | Auditing, troubleshooting SG/NACL decisions, feeding GuardDuty | Deep packet inspection (DPI) and content-level threat detection
Storage / Destination | CloudWatch Logs, S3, or Kinesis Data Firehose | Sent to a target (ENI, Network Load Balancer, or Gateway Load Balancer endpoint)
