AWS Certified Security: Designing Network Segmentation & Traffic Protection
Design network segmentation based on security requirements (for example, north/south and east/west traffic protections, isolated subnets)
This curriculum overview covers the design and implementation of secure network architectures within AWS. It focuses on the critical distinction between North/South and East/West traffic and the implementation of isolated subnets to minimize the blast radius of potential security incidents.
## Prerequisites
Before starting this module, students should possess a foundational understanding of the following:
- Networking Fundamentals: Understanding of the OSI model, TCP/IP, CIDR notation (e.g., /24, /16), and DNS.
- AWS VPC Basics: Familiarity with Virtual Private Clouds (VPC), Subnets (Public vs. Private), Route Tables, and Internet Gateways (IGW).
- Security Primitives: Basic knowledge of stateless vs. stateful filtering and the concept of the Principle of Least Privilege.
- Cloud Governance: General awareness of AWS Accounts and Organizations.
## Module Breakdown
| Module | Focus Area | Difficulty |
|---|---|---|
| 1. VPC Security Fundamentals | Security Groups (SG) vs. Network ACLs (NACL) | Beginner |
| 2. North-South Protection | Perimeter defense, IGWs, NAT Gateways, and WAF | Intermediate |
| 3. East-West Protection | Lateral movement prevention and Microsegmentation | Advanced |
| 4. Private Connectivity | VPC Endpoints, PrivateLink, and Isolated Subnets | Intermediate |
| 5. Auditing & Analysis | Network Access Analyzer and VPC Flow Logs | Intermediate |
## Learning Objectives per Module
Module 1: VPC Security Fundamentals
- Differentiate between stateful Security Groups (applied at the instance/ENI level, allow rules only, return traffic permitted automatically) and stateless Network ACLs (applied at the subnet level, allow and deny rules, each direction evaluated on its own).
- Apply NACL rule ordering (rules are evaluated in ascending rule-number order, the first match wins, and unmatched traffic hits the implicit deny) to permit or deny specific IP ranges.
Module 2: North/South Traffic Protections
- Design secure ingress/egress patterns to manage traffic entering and leaving the VPC (North/South).
- Implement NAT Gateways so that instances in private subnets can initiate outbound connections to the internet while remaining unreachable from it (no inbound connections can be initiated through a NAT Gateway).
Module 3: East/West Traffic Protections
- Construct a Zero-Trust architecture that assumes no implicit trust between internal workloads (East/West).
- Configure Security Group referencing (rules whose source is another Security Group's ID rather than an IP range) so that access follows instances as they scale in and out, without widening any allowed CIDR.
Module 4: Isolated Subnets & Private Connectivity
- Design isolated subnets that have no route to an Internet Gateway or NAT Gateway.
- Configure Gateway endpoints (for S3 and DynamoDB) and Interface endpoints (PrivateLink, for most other services) so that calls to AWS services stay on the AWS network and need no route to an Internet Gateway or NAT Gateway.
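The objectives of Modules 2, 3 and 4 describe one architecture: an internet-facing tier behind an IGW, a private tier that egresses through a NAT Gateway, an isolated tier with no default route at all, Security Groups that reference each other by ID, and a Gateway endpoint so the isolated tier can still reach S3. The following is an added worked example, not part of the original curriculum and not AWS-provided code: it builds that design as a CloudFormation template from Python and runs two offline checks over the template (which subnets have an internet path, and what the database group's ingress sources are). The CIDRs, ports and logical resource names (Vpc, AppSubnet, DbSecurityGroup and so on) are assumptions.

```python
"""Three-tier VPC as a CloudFormation template built in Python, with two
offline checks of the segmentation it encodes.

Added example, not AWS code and not from the original curriculum. The CIDRs,
ports and logical names (Vpc, AppSubnet, DbSecurityGroup, ...) are assumptions.
"""
import json


def ref(name):
    return {"Ref": name}

def subnet(cidr):
    return {"Type": "AWS::EC2::Subnet",
            "Properties": {"VpcId": ref("Vpc"), "CidrBlock": cidr, "MapPublicIpOnLaunch": False}}

def route_table():
    return {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": ref("Vpc")}}

def default_route(table, **target):          # target: GatewayId=... or NatGatewayId=...
    return {"Type": "AWS::EC2::Route",
            "Properties": {"RouteTableId": ref(table), "DestinationCidrBlock": "0.0.0.0/0", **target}}

def associate(subnet_name, table):
    return {"Type": "AWS::EC2::SubnetRouteTableAssociation",
            "Properties": {"SubnetId": ref(subnet_name), "RouteTableId": ref(table)}}

def tcp(port, **source):                     # source: CidrIp=... or SourceSecurityGroupId=...
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, **source}

def security_group(desc, ingress, egress=None):
    props = {"GroupDescription": desc, "VpcId": ref("Vpc"), "SecurityGroupIngress": ingress}
    if egress is not None:
        props["SecurityGroupEgress"] = egress
    return {"Type": "AWS::EC2::SecurityGroup", "Properties": props}


def three_tier_template():
    resources = {
        "Vpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
        "Igw": {"Type": "AWS::EC2::InternetGateway", "Properties": {}},
        "IgwAttachment": {"Type": "AWS::EC2::VPCGatewayAttachment",
                          "Properties": {"VpcId": ref("Vpc"), "InternetGatewayId": ref("Igw")}},
        "PublicSubnet": subnet("10.0.0.0/24"),   # north/south edge: default route to the IGW
        "AppSubnet": subnet("10.0.1.0/24"),      # private: outbound only, via the NAT Gateway
        "DbSubnet": subnet("10.0.2.0/24"),       # isolated: no default route at all
        "NatEip": {"Type": "AWS::EC2::EIP", "Properties": {"Domain": "vpc"}},
        "NatGateway": {"Type": "AWS::EC2::NatGateway",
                       "Properties": {"SubnetId": ref("PublicSubnet"),
                                      "AllocationId": {"Fn::GetAtt": ["NatEip", "AllocationId"]}}},
        "PublicRouteTable": route_table(),
        "AppRouteTable": route_table(),
        "DbRouteTable": route_table(),
        "PublicDefaultRoute": default_route("PublicRouteTable", GatewayId=ref("Igw")),
        "AppDefaultRoute": default_route("AppRouteTable", NatGatewayId=ref("NatGateway")),
        "PublicAssoc": associate("PublicSubnet", "PublicRouteTable"),
        "AppAssoc": associate("AppSubnet", "AppRouteTable"),
        "DbAssoc": associate("DbSubnet", "DbRouteTable"),
        # Gateway endpoint: S3 stays reachable from the isolated subnet through a prefix-list route.
        "S3Endpoint": {"Type": "AWS::EC2::VPCEndpoint",
                       "Properties": {"VpcId": ref("Vpc"), "VpcEndpointType": "Gateway",
                                      "ServiceName": {"Fn::Sub": "com.amazonaws.${AWS::Region}.s3"},
                                      "RouteTableIds": [ref("DbRouteTable"), ref("AppRouteTable")]}},
        "WebSecurityGroup": security_group("web tier", [tcp(443, CidrIp="0.0.0.0/0")]),
        # SG referencing: the source is a group ID, so newly launched members inherit access.
        "AppSecurityGroup": security_group("app tier", [tcp(8080, SourceSecurityGroupId=ref("WebSecurityGroup"))]),
        "DbSecurityGroup": security_group("db tier", [tcp(5432, SourceSecurityGroupId=ref("AppSecurityGroup"))]),
        # Quarantine group: no ingress, and a loopback-only egress entry so CloudFormation does not
        # add the default allow-all egress rule it creates when SecurityGroupEgress is omitted.
        "QuarantineSecurityGroup": security_group("quarantine", [],
                                                  egress=[{"IpProtocol": "-1", "CidrIp": "127.0.0.1/32"}]),
    }
    return {"AWSTemplateFormatVersion": "2010-09-09", "Resources": resources}


def internet_exposed_subnets(template):
    """Subnets whose route table carries a 0.0.0.0/0 route to an IGW or NAT Gateway.
    Assumes every subnet is explicitly associated; an unassociated subnet would fall
    back to the VPC main route table, which this check does not model."""
    res = template["Resources"]
    exposed_tables = {r["Properties"]["RouteTableId"]["Ref"] for r in res.values()
                      if r["Type"] == "AWS::EC2::Route"
                      and r["Properties"].get("DestinationCidrBlock") == "0.0.0.0/0"
                      and ("GatewayId" in r["Properties"] or "NatGatewayId" in r["Properties"])}
    return sorted(r["Properties"]["SubnetId"]["Ref"] for r in res.values()
                  if r["Type"] == "AWS::EC2::SubnetRouteTableAssociation"
                  and r["Properties"]["RouteTableId"]["Ref"] in exposed_tables)

def ingress_sources(template, group):
    """(from_port, to_port, source) per ingress rule; source is a group name or a CIDR."""
    rules = template["Resources"][group]["Properties"]["SecurityGroupIngress"]
    return [(r["FromPort"], r["ToPort"], r.get("SourceSecurityGroupId", {}).get("Ref", r.get("CidrIp")))
            for r in rules]


if __name__ == "__main__":
    t = three_tier_template()
    print(json.dumps(t, indent=2))
    print("internet-exposed subnets:", internet_exposed_subnets(t))   # DbSubnet must not appear
    print("db ingress:", ingress_sources(t, "DbSecurityGroup"))
```

The two check functions are the template-level equivalent of what Module 5 does against a live account: a subnet should appear in `internet_exposed_subnets` only if the design intends it to, and the database group's only ingress source should be the app tier's group, never a CIDR.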
## Success Metrics
To demonstrate mastery of network segmentation, the learner must be able to:
- Architecture Validation: Design a three-tier architecture where the Database tier has no route to the internet (neither an Internet Gateway nor a NAT Gateway route) and accepts connections only from the App tier's Security Group on the database port.
- Configuration Accuracy: Explain why a stateless NACL needs explicit rules for return traffic on ephemeral ports (1024-65535) in the opposite direction, whereas a stateful Security Group allows the return leg of a tracked connection without any rule for it.
- Audit Proficiency: Use Network Access Analyzer to identify paths to the internet that violate organizational policy.
- Incident Containment: Demonstrate how to use a "Quarantine Security Group" (no inbound rules and no outbound rules, the default allow-all egress rule included) to isolate a compromised instance. Because Security Group rules are additive, the quarantine group must replace the instance's existing groups rather than be attached alongside them.
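The Module 1 objectives and the Configuration Accuracy metric above turn on the same point, so one added worked example serves both (it is not part of the original curriculum and not AWS code): a Python model of both filters evaluated offline, with NACL rules as numbered, first-match, stateless entries and a Security Group as an allow-list with connection tracking. It traces an HTTPS request and its reply through a NACL that forgot the ephemeral-port rule, then through a corrected one, and uses a blocklisted range to show rule ordering. The addresses, ports and rule numbers are constructed.

```python
"""Stateless NACL vs stateful Security Group, modelled offline.

Added example, not AWS code: a client at 203.0.113.10 opens an HTTPS
connection to an instance at 10.0.1.20. The request and its reply are
traced through a NACL (numbered rules, first match wins, implicit deny,
no memory of flows) and through a Security Group (allow rules only, with
connection tracking so the reply leg needs no rule of its own).
"""
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)   # return-traffic port range AWS documents for NACLs


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class NaclRule:
    number: int       # rules are evaluated in ascending number order
    action: str       # "allow" or "deny"
    cidr: str         # source CIDR for inbound rules, destination CIDR for outbound
    ports: tuple      # inclusive (low, high) destination port range
    proto: str = "tcp"


def nacl_evaluate(rules, packet, direction):
    """Stateless: each packet is judged on its own, in either direction."""
    remote = packet.src if direction == "inbound" else packet.dst
    addr = ipaddress.ip_address(remote)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.proto not in (packet.proto, "-1"):
            continue
        if addr not in ipaddress.ip_network(rule.cidr):
            continue
        if not rule.ports[0] <= packet.dport <= rule.ports[1]:
            continue
        return rule.action == "allow"   # first match wins
    return False                        # the trailing '*' rule denies everything else


class SecurityGroup:
    """Stateful: inbound allow rules plus a table of tracked connections."""

    def __init__(self, inbound):
        self.inbound = inbound      # (cidr, low_port, high_port) allow entries
        self.tracked = set()        # (remote_ip, local_port, remote_port)

    def evaluate_inbound(self, packet, sport):
        addr = ipaddress.ip_address(packet.src)
        for cidr, low, high in self.inbound:
            if addr in ipaddress.ip_network(cidr) and low <= packet.dport <= high:
                self.tracked.add((packet.src, packet.dport, sport))
                return True
        return False

    def evaluate_outbound_reply(self, packet, sport):
        # No outbound rule is consulted: the reply is allowed iff its flow is tracked.
        return (packet.dst, sport, packet.dport) in self.tracked


def trace_https(nacl_in, nacl_out, sg):
    client, server, client_port = "203.0.113.10", "10.0.1.20", 51034
    request = Packet(src=client, dst=server, dport=443)
    reply = Packet(src=server, dst=client, dport=client_port)
    return {
        "nacl_request": nacl_evaluate(nacl_in, request, "inbound"),
        "nacl_reply": nacl_evaluate(nacl_out, reply, "outbound"),
        "sg_request": sg.evaluate_inbound(request, sport=client_port),
        "sg_reply": sg.evaluate_outbound_reply(reply, sport=443),
    }


NACL_IN = [NaclRule(90, "deny", "198.51.100.0/24", (0, 65535)),  # lower number: wins over rule 100
           NaclRule(100, "allow", "0.0.0.0/0", (443, 443))]
BROKEN_OUT = [NaclRule(100, "allow", "0.0.0.0/0", (443, 443))]   # forgets the return ports
FIXED_OUT = BROKEN_OUT + [NaclRule(110, "allow", "0.0.0.0/0", EPHEMERAL)]


def broken():
    return trace_https(NACL_IN, BROKEN_OUT, SecurityGroup([("0.0.0.0/0", 443, 443)]))

def fixed():
    return trace_https(NACL_IN, FIXED_OUT, SecurityGroup([("0.0.0.0/0", 443, 443)]))

def blocklisted_client_is_allowed():
    return nacl_evaluate(NACL_IN, Packet("198.51.100.7", "10.0.1.20", 443), "inbound")


if __name__ == "__main__":
    print("missing ephemeral rule:", broken())
    print("with ephemeral rule:  ", fixed())
```

In `broken()` the request passes both filters but the NACL drops the reply, because the outbound side has no rule covering the client's ephemeral port; the Security Group passes the same reply with no outbound rule at all because the flow is tracked. `fixed()` differs only by the rule-110 ephemeral entry.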
## Real-World Application
In a production environment, network segmentation is the primary defense against Lateral Movement. If an attacker compromises a web server (North/South entry), robust East/West protections (Microsegmentation) ensure they cannot reach sensitive database or payment processing tiers.
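What the Module 5 flow-log analysis looks like for exactly this scenario, as an added example (not part of the original curriculum and not AWS tooling): parse default-format VPC Flow Log records, classify each as north/south or east/west by whether both endpoints sit inside the VPC CIDR, and flag east/west flows the tier design does not permit. A REJECT from the web tier to the database tier means the segmentation held, but the attempt itself is the lateral-movement signal. The VPC layout (10.0.0.0/16 with web, app and db /24s), the allowed-flow list and every log record below are constructed.

```python
"""VPC Flow Log triage: split records into north/south vs east/west and flag
lateral-movement indicators against the intended tier design.

Added example, not AWS tooling. The VPC layout (10.0.0.0/16 with web, app and
db /24s), the allowed-flow list and the log records below are all constructed.
"""
import ipaddress

VPC = ipaddress.ip_network("10.0.0.0/16")
TIERS = {"web": ipaddress.ip_network("10.0.0.0/24"),
         "app": ipaddress.ip_network("10.0.1.0/24"),
         "db": ipaddress.ip_network("10.0.2.0/24")}
# The only east/west flows the design permits: (source tier, destination tier, destination port).
ALLOWED_EAST_WEST = {("web", "app", 8080), ("app", "db", 5432)}

# Default flow log format, version 2 (space-separated, in this field order).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed records: one request leg each, plus one reply leg to show it is skipped.
SAMPLE = [
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.0.0.15 51034 443 6 12 3400 1700000000 1700000060 ACCEPT OK",  # internet -> web
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.0.15 203.0.113.10 443 51034 6 10 8800 1700000000 1700000060 ACCEPT OK",  # reply leg
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.0.15 10.0.1.20 40210 8080 6 8 1200 1700000000 1700000060 ACCEPT OK",     # web -> app (allowed)
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.0.15 10.0.2.30 40444 5432 6 1 60 1700000001 1700000061 REJECT OK",       # web -> db (blocked)
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.0.15 10.0.2.30 40445 22 6 1 60 1700000002 1700000062 REJECT OK",         # web -> db ssh (blocked)
    "2 123456789012 eni-0b2c3d4e5f6a7b8c9 10.0.1.20 10.0.2.30 38800 5432 6 20 9000 1700000000 1700000060 ACCEPT OK",    # app -> db (allowed)
    "2 123456789012 eni-0c3d4e5f6a7b8c9d0 10.0.2.30 198.51.100.5 44100 443 6 5 900 1700000000 1700000060 ACCEPT OK",    # db -> internet: must not happen from an isolated tier
]


def parse(line):
    rec = dict(zip(FIELDS, line.split()))
    for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[key] = int(rec[key])
    return rec

def tier_of(addr):
    ip = ipaddress.ip_address(addr)
    for name, net in TIERS.items():
        if ip in net:
            return name
    return "vpc-other" if ip in VPC else "external"

def direction(rec):
    inside = [ipaddress.ip_address(rec[k]) in VPC for k in ("srcaddr", "dstaddr")]
    return "east/west" if all(inside) else "north/south"

def is_reply(rec):
    # Each direction of a connection is logged separately; the reply leg carries
    # the well-known service port as its source. Only request legs are assessed.
    return rec["srcport"] < 1024 <= rec["dstport"]


def findings(lines):
    out = []
    for rec in map(parse, lines):
        if is_reply(rec):
            continue
        src, dst = tier_of(rec["srcaddr"]), tier_of(rec["dstaddr"])
        item = {"src": rec["srcaddr"], "dst": rec["dstaddr"], "dstport": rec["dstport"], "action": rec["action"]}
        if direction(rec) == "east/west":
            if (src, dst, rec["dstport"]) not in ALLOWED_EAST_WEST:
                # A REJECT means the segmentation held; the attempt itself is the signal.
                item["kind"] = "lateral_movement_attempt" if rec["action"] == "REJECT" else "unexpected_east_west_accept"
                out.append(item)
        elif "db" in (src, dst):
            # The db tier is meant to be isolated: any internet-facing flow is a policy violation.
            item["kind"] = "isolated_tier_internet_path"
            out.append(item)
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE):
        print(f)
```

Against the sample, the two web-to-db REJECTs surface as lateral-movement attempts and the db-to-internet record surfaces as an isolation violation; the permitted web-to-app and app-to-db flows and the inbound HTTPS from the internet produce nothing, which is the expected baseline for this design.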
Comparison: Traffic Patterns
| Feature | North/South Traffic | East/West Traffic |
|---|---|---|
| Direction | Between the VPC and the Internet or on-premises networks | Between workloads inside the VPC, or across peered or Transit Gateway-connected VPCs |
| Primary Control | Internet Gateways, NAT Gateways, WAF | Security Groups, NACLs, route tables on VPC Peering and Transit Gateway attachments |
| Security Goal | Perimeter Defense | Lateral Movement Prevention |
| Example | User accessing a website via HTTPS | Web server querying a database |
> [!IMPORTANT]
> Zero Trust Principle: never trust, always verify. Even inside a "private" subnet, every request between two workloads should be permitted only by an explicit Security Group rule (Security Groups authorize by network identity; they do not authenticate the caller) and, wherever possible, mutually authenticated with mTLS.