AWS Network Security Controls: Curriculum Overview

Design and troubleshoot appropriate network controls to permit or prevent network traffic as required (for example, security groups, network ACLs, AWS Network Firewall)

This curriculum provides a comprehensive roadmap for mastering infrastructure protection within AWS. It focuses on the design, implementation, and troubleshooting of Security Groups, Network ACLs, and AWS Network Firewall to create a multi-layered defense-in-depth strategy.

Prerequisites

Before beginning this curriculum, students should possess the following foundational knowledge:

  • AWS Networking Fundamentals: Clear understanding of Virtual Private Clouds (VPCs), CIDR blocks, Public vs. Private Subnets, and Route Tables.
  • OSI Model: Proficiency in Layers 3 (Network), 4 (Transport), and 7 (Application) protocols (IP, TCP/UDP, HTTP/S).
  • IAM Basics: Understanding how service roles and permissions interact with network-accessible resources.
  • CLI Proficiency: Ability to use the AWS Command Line Interface to query resource configurations and describe network interfaces.

Module Breakdown

Module                            Focus Area                                                    Difficulty
1. VPC Security Architecture      Designing subnets and routing for isolation.                  Introductory
2. Security Groups (SG)           Stateful, instance-level traffic filtering.                   Intermediate
3. Network ACLs (NACL)            Stateless, subnet-level traffic filtering.                    Intermediate
4. AWS Network Firewall           Advanced inspection and centralized rule management.          Advanced
5. Troubleshooting Network Flow   Identifying and resolving connectivity and blockage issues.   Advanced

Learning Objectives per Module

Module 1: VPC Security Architecture

  • Design network segmentation strategies (North/South vs. East/West traffic).
  • Configure isolated subnets to limit the blast radius of potential security breaches.
  • Utilize VPC Endpoints to keep traffic within the AWS backbone.

Module 2: Security Groups (SG)

  • Implement stateful rules, where return traffic is automatically permitted.
  • Manage "Allow-only" rule sets and understand how all rules are evaluated simultaneously.
  • Apply security groups to Elastic Network Interfaces (ENIs) for granular compute protection.

Module 3: Network ACLs (NACL)

  • Configure stateless filtering, which requires explicit rules for both inbound and outbound traffic.
  • Manage "Allow" and "Deny" rules using numbered priority (lowest processed first).
  • Solve for ephemeral port requirements when designing return traffic paths.

Module 4: AWS Network Firewall

  • Deploy managed firewall endpoints across multiple Availability Zones.
  • Create stateful and stateless rule groups for Deep Packet Inspection (DPI).
  • Implement domain list filtering and Suricata-compatible intrusion prevention rules.

Module 5: Troubleshooting Network Flow

  • Use VPC Flow Logs to analyze accepted and rejected traffic patterns.
  • Utilize Reachability Analyzer and Network Access Analyzer to find path blockages.
  • Differentiate between a "Connection Timeout" (often SG/Routing) and "Connection Refused" (Service/OS level).

Visual Anchors

Layered Defense Flow

[Diagram not included in this extract]

Security Group vs. NACL Scopes

[Diagram not included in this extract]

Success Metrics

Learners have mastered this curriculum when they can:

  1. Construct a 3-tier architecture where the Database tier is unreachable from the internet but can communicate with the App tier via specific SGs.
  2. Remediate a 'Broken' NACL where outbound rules for ephemeral ports (1024-65535) are missing, causing return traffic to fail.
  3. Evaluate Rule Order: Correctly predict if traffic is blocked by a NACL rule 100 (Deny) even if rule 200 (Allow) permits it.
  4. Audit Connectivity: Use the IAM Access Analyzer for Network to identify unintended public access to private resources.
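Success metrics 2 and 3 both come down to how a stateless NACL evaluates its rule list. The following Python simulator is an added example, not part of this curriculum or of any AWS tooling: it evaluates rules lowest number first, stops at the first match, applies the implicit `*` deny, and checks both directions of a TCP flow so that a missing outbound ephemeral-port allow shows up as a failed reply. All rule numbers, CIDRs and ports are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NaclRule:
    number: int     # evaluated lowest first; first match wins
    protocol: str   # "tcp", "udp" or "-1" for all protocols
    port_from: int  # destination port range, ignored when protocol is "-1"
    port_to: int
    cidr: str       # source CIDR (inbound) or destination CIDR (outbound)
    action: str     # "allow" or "deny"


def evaluate(rules: list[NaclRule], protocol: str, port: int, addr: str) -> str:
    """Decide one packet. List order does not matter: AWS sorts by rule number,
    stops at the first match, and the implicit '*' rule denies everything else."""
    for rule in sorted(rules, key=lambda r: r.number):
        proto_ok = rule.protocol in ("-1", protocol)
        port_ok = rule.protocol == "-1" or rule.port_from <= port <= rule.port_to
        cidr_ok = ip_address(addr) in ip_network(rule.cidr)
        if proto_ok and port_ok and cidr_ok:
            return rule.action
    return "deny"  # implicit '*' rule


def check_flow(inbound: list[NaclRule], outbound: list[NaclRule],
               client_ip: str, client_port: int, server_port: int) -> str:
    """NACLs are stateless, so a TCP flow needs two independent decisions: the
    request inbound to the server port, and the reply outbound to the client's
    ephemeral port. A missing outbound allow is the 'broken NACL' of metric 2."""
    if evaluate(inbound, "tcp", server_port, client_ip) == "deny":
        return "blocked_inbound"
    if evaluate(outbound, "tcp", client_port, client_ip) == "deny":
        return "blocked_outbound_return"
    return "ok"


# Constructed rule sets. Inbound: rule 100 denies one range to 443 while rule 200
# allows everyone to 443; the lower number is evaluated first, so that range stays blocked.
INBOUND = [
    NaclRule(200, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    NaclRule(100, "tcp", 443, 443, "203.0.113.0/24", "deny"),
]
# Outbound without an ephemeral-port allow: replies to clients never leave the subnet.
BROKEN_OUTBOUND = [NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
FIXED_OUTBOUND = BROKEN_OUTBOUND + [NaclRule(110, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]

if __name__ == "__main__":
    print(check_flow(INBOUND, BROKEN_OUTBOUND, "198.51.100.9", 51515, 443))  # blocked_outbound_return
```

Swapping FIXED_OUTBOUND for BROKEN_OUTBOUND in the last line turns the result into "ok", while a client in 203.0.113.0/24 is reported as blocked_inbound regardless of the outbound set.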

Real-World Application

  • Compliance & Auditing: Financial institutions use NACLs to provide a "hard" deny for specific IP ranges (blacklisting) that cannot be overridden by developers managing Security Groups.
  • Enterprise Scaling: Using AWS Firewall Manager, security administrators can centrally deploy Network Firewall rules across hundreds of accounts to ensure consistent edge protection.
  • Micro-segmentation: SGs allow for "Security Group Referencing," where rules allow traffic from other SGs rather than IP ranges, enabling dynamic scaling without updating firewall rules.

Ready to study AWS Certified Security - Specialty (SCS-C03)?
