
AWS Certified Security Specialty: Network Security Controls Cram Sheet

Design and troubleshoot network security controls


This cram sheet covers Task 3.3 of Domain 3 (Infrastructure Security): designing and troubleshooting network security controls. It summarizes the VPC security components, connectivity and troubleshooting tools, and the managed inspection and edge services (Network Firewall, WAF, Shield).

Topic Weighting

  • Domain 3: Infrastructure Security accounts for approximately 26% of the SCS-C03 exam.
  • Task 3.3 (Network Security Controls) is a core component, frequently appearing in multi-service troubleshooting scenarios involving connectivity failures and architectural design.

Key Concepts Summary

1. VPC Security Fundamentals

  • Security Groups (SG): Virtual firewall attached to an ENI (and therefore to the instance, load balancer, RDS endpoint or other resource that owns the ENI).
    • Rule Type: Allow only. Anything not explicitly allowed is denied; there are no deny rules.
    • Order: No ordering. All rules are evaluated and any matching allow rule permits the traffic.
    • State: Stateful. Return traffic for an allowed flow is permitted automatically, in either direction.
  • Network Access Control Lists (NACL): Firewall at the subnet boundary; one NACL per subnet, and it applies to every ENI in that subnet.
    • Rule Type: Allow and Deny. Rules are evaluated in ascending rule number, the first match wins, and the final "*" rule denies anything that matched nothing.
    • State: Stateless. Inbound and outbound rules must each be defined explicitly, including the ephemeral-port rule for return traffic.

2. Advanced Inspection & Edge

  • AWS Network Firewall: Managed, highly available firewall for Layer 3-7 protection. Supports stateless rules, stateful rule groups with Suricata-compatible signatures (intrusion prevention), and domain (FQDN) filtering. Deployed as firewall endpoints in their own subnets, with route tables steering traffic through them; this is the building block for centralized "chokepoint" (inspection VPC) architectures.
  • AWS WAF: Protects Layer 7 (HTTP/S) against SQLi, XSS, and bot traffic using managed and custom rule groups. Associated with CloudFront, ALB, API Gateway, or AppSync (among others); it cannot protect a bare EC2 instance or NLB.
  • AWS Shield: DDoS protection. Standard (free, always on, Layer 3/4) vs. Advanced (paid; adds Layer 7 protection via WAF, cost protection against scaling charges during an attack, and access to the Shield Response Team).

3. Connectivity & Troubleshooting

  • VPC Reachability Analyzer: Static configuration analysis tool. It sends no packets; it checks whether the configuration (SGs, NACLs, route tables, endpoints, peering/TGW attachments) allows a path between a source and a destination, and reports the first component that blocks it.
  • Network Access Analyzer: Identifies unintended network access to resources using automated reasoning over the same configuration, expressed as Network Access Scopes (e.g., "Can the Internet reach my DB subnet?"), so it answers the question across many resources rather than one source/destination pair.
  • VPC Endpoints:
    • Interface Endpoints: Powered by PrivateLink (an ENI with a private IP in your subnet). Secured with an SG on the ENI plus an endpoint policy.
    • Gateway Endpoints: For S3 and DynamoDB only. Implemented as a route table entry whose destination is the service's prefix list; no ENI, no SG, secured with an endpoint policy.

Common Pitfalls

  • Warning, the Ephemeral Port Gap: Because NACLs are stateless, the reply half of every TCP connection needs its own rule. For a server accepting connections on 80/443, that is an outbound rule to ephemeral ports (1024-65535); for an instance making outbound connections, it is an inbound rule from ephemeral ports. Forgetting it is a common cause of "connection timed out" even though port 80/443 itself is open.

  • SG vs. NACL Scope: Trying to apply an SG to a subnet or a NACL to an instance. SGs are attached to ENIs; NACLs are attached to subnets. One NACL covers every ENI in the subnet, and one ENI can carry several SGs.
  • Routing over Peering: Forgetting that VPC Peering is not transitive. If VPC A is peered with B, and B with C, A cannot reach C through B; you need a direct A-C peering or a Transit Gateway.
  • Reachability vs. Flow Logs: Using Reachability Analyzer to find "who is attacking me." Reachability Analyzer is for configuration; VPC Flow Logs record the traffic that was actually accepted or rejected.

Mnemonics / Memory Triggers

  • S-S-S: Security Groups are Stateful and Single-resource (ENI) focused.
  • N-N-N: NACLs are Not stateful, Numbered (lowest first), and subNet-scoped.
  • The "Wall" Metaphor:
    • SG: The bouncer at the door of the room (Instance).
    • NACL: The security guard at the building lobby (Subnet).
    • Network Firewall: The high-tech perimeter fence around the entire campus (VPC).

Formula / Equation Sheet

Feature | Security Group (SG) | Network ACL (NACL) | AWS Network Firewall
--- | --- | --- | ---
Level | Instance/ENI | Subnet | VPC/subnet boundary (firewall endpoint in its own subnet)
State | Stateful | Stateless | Stateless rules and stateful rule groups
Rules | Allow only | Allow and Deny | Pass, Drop, Alert (stateful rules also Reject)
Order | No order; all rules evaluated, any match allows | Numbered, lowest first; first match wins, "*" denies the rest | Stateless rules by priority; stateful rule groups by action order or strict (rule) order
Layer | 3/4 (protocol, port, CIDR or SG reference) | 3/4 (protocol, port, CIDR) | 3-7 (DPI/IPS with Suricata-compatible rules, domain filtering)

Practice Set

  1. Scenario: An EC2 instance in Subnet A cannot reach an S3 bucket via a Gateway Endpoint. The Route Table has the entry. What is the most likely blocker?
    • Answer: First confirm Subnet A is actually associated with that route table. Then check the Security Group outbound rules (HTTPS to the S3 prefix list), the subnet NACL, the endpoint policy, and the S3 Bucket Policy (for example, a condition on aws:SourceVpce).
  2. Scenario: You need to block a specific malicious IP address from hitting your entire web tier. Where is the most efficient place to do this?
    • Answer: A NACL deny rule on the web-tier subnets (NACLs support Deny, SGs do not), or a WAF IP set rule if the tier sits behind CloudFront/ALB; Network Firewall if traffic already passes through an inspection VPC.
  3. Scenario: You want to ensure no SSH (Port 22) access exists from the Internet to any resource in your VPC. Which tool validates this requirement continuously?
    • Answer: AWS Network Access Analyzer (a scope describing Internet-to-port-22 paths) or an AWS Config rule such as restricted-ssh evaluated on every SG change.
  4. Scenario: A developer claims they can't connect to a DB. You run Reachability Analyzer and it shows "Reachable." What do you check next?
    • Answer: Check the DB host's OS firewall (iptables/Windows Firewall), that the database process is listening on the expected port, and application-level authentication. Reachability Analyzer only evaluates the AWS network configuration.
  5. Scenario: Traffic is reaching your ALB but not the instances behind it. SGs are open. What VPC feature could be misconfigured?
    • Answer: The instance subnet's NACL: it needs an inbound rule for the target port from the ALB subnets and an outbound rule to ephemeral ports (1024-65535) for the responses back to the ALB. Failing health checks in the target group are the visible symptom.
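A point-in-time check for question 3, added here as an example (it is not tooling from this cram sheet or from AWS). It walks the JSON shape returned by `aws ec2 describe-security-groups` (the same shape boto3's `describe_security_groups` returns) and reports every group whose inbound rules reach port 22 from `0.0.0.0/0` or `::/0`, handling port ranges and the `-1` all-traffic form. The sample data and group IDs are constructed; no AWS call is made. For the continuous guarantee the question asks about, the same evaluation belongs in a Config rule or a Network Access Analyzer scope.

```python
"""Which security groups expose SSH (tcp/22) to the Internet? (added example)

Runs on a constructed sample in the describe-security-groups JSON shape, or on
a real export when given a file path. It makes no AWS call itself.
"""
import json
import sys
from typing import Dict, List

INTERNET = {"0.0.0.0/0", "::/0"}


def permission_covers_port(perm: dict, port: int) -> bool:
    """True if one IpPermissions entry reaches `port` over TCP, including the
    "-1" (all traffic) form, which carries no FromPort/ToPort at all."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def internet_sources(perm: dict) -> List[str]:
    """Source CIDRs of this entry that mean 'anyone'. IPv4 and IPv6 are both
    checked; UserIdGroupPairs and PrefixListIds are never the open Internet."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") in INTERNET]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in INTERNET]
    return v4 + v6


def find_internet_exposed(groups: List[dict], port: int = 22) -> Dict[str, List[str]]:
    """Map GroupId -> open-Internet source CIDRs of inbound rules that reach `port`."""
    exposed: Dict[str, List[str]] = {}
    for sg in groups:
        hits: List[str] = []
        for perm in sg.get("IpPermissions", []):      # inbound rules only
            if permission_covers_port(perm, port):
                hits.extend(internet_sources(perm))
        if hits:
            exposed[sg["GroupId"]] = sorted(set(hits))
    return exposed


# Constructed sample in the describe-security-groups shape (IDs are made up).
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0aaa", "GroupName": "bastion",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0bbb", "GroupName": "web",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
  {"GroupId": "sg-0ccc", "GroupName": "legacy-all-open",
   "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
  {"GroupId": "sg-0ddd", "GroupName": "admin-from-office",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
                      "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]}
]}
""")


if __name__ == "__main__":
    # Usage: python <this file> [describe-security-groups-export.json]
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    print(json.dumps(find_internet_exposed(data["SecurityGroups"]), indent=2))
    # Sample prints {"sg-0aaa": ["0.0.0.0/0"], "sg-0ccc": ["::/0"]}
```

Note what the sample is built to show: `sg-0ddd` opens a range that includes port 22 but only to an office CIDR, so it is not reported, while `sg-0ccc` never mentions port 22 at all and is still reported because `-1` over `::/0` reaches it. Both the IPv6 case and the all-traffic case are the ones a naive "FromPort == 22" search misses.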

Worked Examples

Troubleshooting a Broken Path

Problem: EC2 Instance (10.0.1.5) cannot connect to a public API via the Internet Gateway.


Step-by-Step Breakdown:

  1. Check SG: Outbound port 443 must be allowed to 0.0.0.0/0. The SG is stateful, so the API's reply needs no inbound rule.
  2. Check Route Table: The subnet's route table must have a 0.0.0.0/0 route pointing to an igw-xxxx (public subnet) or to a NAT Gateway that itself sits in a public subnet (private subnet).
  3. Check NACL: This is the common failure point. The outbound rule for port 443 to 0.0.0.0/0 is usually present; because NACLs are stateless, you must also have an Inbound rule for ports 1024-65535 from 0.0.0.0/0 to let the API's response back in.
  4. Check Public IP: If the route goes to an Internet Gateway, the instance must have a public or Elastic IP; a private IP alone is not routable through the IGW, which is why a private-subnet instance must use the NAT Gateway instead.
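The same four checks, as an added example written for this cram sheet (not code from the page or from an AWS tool). It models just enough of the VPC data plane to run them on a config: the allow-only, stateful security group from section 1, the numbered first-match, stateless NACL (including the ephemeral-port gap from Common Pitfalls), longest-prefix route lookup, and the public-IP requirement. The classes, function names, the API address 198.51.100.20, the IGW id and the sample rules are all constructed for the example.

```python
"""Static path check for the broken-path scenario above (added example).

Models security group, route table and NACL semantics well enough to run the
four troubleshooting steps on a constructed config. Every class, function and
sample value here is made up for the example.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Ephemeral range AWS documents for NAT gateways and load balancers; the sample
# points also cover the Linux (32768-60999) and Windows (49152-65535) defaults,
# so a NACL that allows only part of the range is still caught.
EPHEMERAL = (1024, 65535)
EPHEMERAL_SAMPLES = (1024, 32768, 49152, 60999, 65535)


@dataclass
class Rule:
    number: int            # NACL rule number (ignored for security groups)
    protocol: str          # "tcp", "udp" or "-1" for all traffic
    ports: tuple           # (from_port, to_port), inclusive
    cidr: str              # remote CIDR the rule applies to
    action: str = "allow"  # "allow" or "deny" (security groups never deny)

    def matches(self, proto: str, port: int, remote_ip: str) -> bool:
        if self.protocol not in ("-1", proto):
            return False
        if self.protocol != "-1" and not (self.ports[0] <= port <= self.ports[1]):
            return False
        return ip_address(remote_ip) in ip_network(self.cidr)


def nacl_allows(rules: List[Rule], proto: str, port: int, remote_ip: str) -> bool:
    """NACL semantics: ascending rule number, first match wins, and the
    trailing '*' rule denies anything that matched nothing."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(proto, port, remote_ip):
            return rule.action == "allow"
    return False


def sg_allows(rules: List[Rule], proto: str, port: int, remote_ip: str) -> bool:
    """Security-group semantics: any matching rule permits (allow-only, unordered).
    The SG is stateful, so only the direction that opens the flow is checked."""
    return any(rule.matches(proto, port, remote_ip) for rule in rules)


def route_target(routes: Dict[str, str], dest_ip: str) -> Optional[str]:
    """Route-table semantics: the most specific (longest) prefix wins."""
    best_net, best_target = None, None
    for cidr, target in routes.items():
        net = ip_network(cidr)
        if ip_address(dest_ip) in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


@dataclass
class InstanceConfig:
    private_ip: str
    public_ip: Optional[str]
    sg_egress: List[Rule]
    routes: Dict[str, str]      # {destination CIDR: target} of the subnet's route table
    nacl_inbound: List[Rule]
    nacl_outbound: List[Rule]


def diagnose_egress(cfg: InstanceConfig, api_ip: str, port: int = 443) -> List[str]:
    """Run the four checks of the worked example in order; an empty list means
    the configured path is clear."""
    findings = []
    if not sg_allows(cfg.sg_egress, "tcp", port, api_ip):
        findings.append(f"SG: no outbound tcp/{port} rule covering {api_ip}")
    target = route_target(cfg.routes, api_ip)
    if target is None or not target.startswith(("igw-", "nat-")):
        findings.append(f"Route table: {api_ip} resolves to {target!r}, not an igw-/nat- target")
    if not nacl_allows(cfg.nacl_outbound, "tcp", port, api_ip):
        findings.append(f"NACL outbound: tcp/{port} to {api_ip} is not allowed")
    # Stateless NACL: the API's reply comes back to an ephemeral port on the instance.
    for p in EPHEMERAL_SAMPLES:
        if not nacl_allows(cfg.nacl_inbound, "tcp", p, api_ip):
            findings.append(f"NACL inbound: reply from {api_ip} to ephemeral port {p} is blocked")
            break
    if target is not None and target.startswith("igw-") and not cfg.public_ip:
        findings.append("Public IP: route goes to an IGW but the instance has no public/Elastic IP")
    return findings


# Constructed sample: the scenario above with the usual mistake built in
# (NACL inbound allows only tcp/443, so replies to ephemeral ports are dropped).
API_IP = "198.51.100.20"  # constructed public API address (TEST-NET-2)
BROKEN = InstanceConfig(
    private_ip="10.0.1.5",
    public_ip="203.0.113.10",
    sg_egress=[Rule(0, "tcp", (443, 443), "0.0.0.0/0")],
    routes={"10.0.0.0/16": "local", "0.0.0.0/0": "igw-0123456789abcdef0"},
    nacl_inbound=[Rule(100, "tcp", (443, 443), "0.0.0.0/0")],
    nacl_outbound=[Rule(100, "tcp", (443, 443), "0.0.0.0/0")],
)


def fixed_config() -> InstanceConfig:
    """Same config plus NACL inbound rule 110 allowing replies to ephemeral ports."""
    return replace(BROKEN, nacl_inbound=BROKEN.nacl_inbound + [Rule(110, "tcp", EPHEMERAL, "0.0.0.0/0")])


if __name__ == "__main__":
    print("broken:", diagnose_egress(BROKEN, API_IP))         # one NACL inbound finding
    print("fixed: ", diagnose_egress(fixed_config(), API_IP))  # []
```

The order of the checks mirrors the steps above on purpose: a route or SG problem shows up before the NACL finding, and the public-IP check only fires when the route really does go to an IGW, since a NAT-routed private instance is correct without one. Swapping `BROKEN.public_ip` for `None` produces the step 4 finding; deleting the `0.0.0.0/0` route produces the step 2 finding.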

Fact Recall Blanks

  • The default NACL ____________ (Allows/Denies) all traffic until modified.
    • Answer: Allows. The default NACL that comes with a VPC allows all inbound and outbound traffic; a custom NACL you create denies all until you add rules.
  • Security Groups are applied at the ____________ level.
    • Answer: ENI / Instance.
  • To perform deep packet inspection (DPI) on traffic between two VPCs connected via Transit Gateway, use ____________.
    • Answer: AWS Network Firewall, deployed in an inspection VPC that the Transit Gateway route tables steer traffic through.
  • A ____________ Endpoint uses a DNS entry to route traffic to AWS services over PrivateLink.
    • Answer: Interface. With private DNS enabled, the service's public DNS name resolves to the endpoint's private IPs inside the VPC.
  • Reachability Analyzer is a ____________ (Static/Dynamic) analysis tool.
    • Answer: Static.
