Curriculum Overview: AWS Network Logging & Threat Detection
Determine and configure appropriate log sources based on network design, threats, and attacks (for example, VPC Flow Logs, transit gateway flow logs, Amazon Route 53 Resolver logs)
Curriculum Overview: Network Log Sources & Configuration
This curriculum provides a structured path to mastering the determination and configuration of AWS network log sources. You will learn how to align logging strategies with network design to detect, analyze, and mitigate threats such as unauthorized access, data exfiltration, and DDoS attacks.
Prerequisites
Before starting this module, learners should possess the following foundational knowledge:
- Core AWS Networking: Deep understanding of VPCs, Subnets, Route Tables, and Security Groups.
- IP Fundamentals: Proficiency in IPv4/IPv6 addressing, CIDR notation, and the OSI model (specifically Layers 3, 4, and 7).
- IAM Authority: Ability to create and manage IAM roles and policies to allow services to write to CloudWatch and S3.
- Security Basics: Familiarity with common network attack vectors (e.g., port scanning, spoofing, man-in-the-middle).
Module Breakdown
| Module | Focus Area | Difficulty |
|---|---|---|
| 1. VPC Flow Logs Deep Dive | Configuration, syntax, and limitations of Flow Logs at VPC, Subnet, and ENI levels. | Intermediate |
| 2. Specialized Network Logs | Implementing Transit Gateway (TGW) flow logs and Route 53 Resolver query logs. | Intermediate |
| 3. Edge & Application Logging | Configuring WAF logs, CloudFront access logs, and Load Balancer (ALB/NLB) access logs. | Advanced |
| 4. Centralized Log Management | Aggregating logs into S3/CloudWatch and using Athena or Logs Insights for analysis. | Advanced |
Learning Objectives per Module
Module 1: VPC Flow Logs
- Identify the 14+ fields in a standard VPC Flow Log record (e.g., `srcaddr`, `dstaddr`, `action`).
- Configure flow logs for specific Network Interfaces (ENIs) vs. entire VPCs.
- Recognize traffic types not captured by flow logs (e.g., DHCP, Instance Metadata 169.254.169.254).
Module 2: Hybrid & Transit Networking
- Determine when to use Transit Gateway flow logs for cross-account traffic monitoring.
- Configure Route 53 Resolver query logs to detect DNS tunneling or connections to malicious domains.
Module 3: Edge Security
- Configure AWS WAF to log to Kinesis Data Firehose for real-time L7 attack analysis.
- Enable CloudFront access logs to track geographic traffic patterns and cache hits/misses.
Visual Anchors
Log Flow Architecture
Network Logging Scope
Success Metrics
Learners have mastered this curriculum when they can:
- Analyze Traffic Patterns: Successfully differentiate between `REJECT` records caused by Security Groups vs. Network ACLs in a Flow Log.
- Architecture Design: Propose a logging architecture for a multi-account environment that minimizes cost while maintaining a 5-minute RPO (Recovery Point Objective) for security forensic data.
- Threat Detection: Write an Athena query or CloudWatch Insights filter to identify the top 10 source IPs attempting to connect to prohibited ports.
- Configuration Mastery: Navigate the constraint that Flow Log configurations cannot be modified post-creation without deletion and recreation.
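As an added example that is not part of the original curriculum, the following Python parser handles the default 14-field VPC Flow Log record format from Module 1 and answers the Threat Detection metric above locally instead of in Athena: it ranks the source IPs whose connection attempts to prohibited ports were REJECTed. The log records are constructed; the addresses are RFC 5737 documentation ranges and the account ID and ENI ID are placeholders.

```python
"""Parse default-format (version 2, 14-field) VPC Flow Log records and rank REJECTed
attempts to prohibited ports per source IP. Sample records below are constructed
(RFC 5737 documentation addresses, placeholder account ID and ENI ID)."""
from collections import Counter
from typing import Iterable, Optional

# Field order of the default VPC Flow Log format (version 2).
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes", "start",
          "end", "action", "log_status")
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

def parse_record(line: str) -> Optional[dict]:
    """Split one record into a dict (numeric fields as ints). NODATA/SKIPDATA
    records carry '-' in the traffic fields and describe no flow, so return None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for name in INT_FIELDS:
        rec[name] = int(rec[name])
    return rec

def top_rejected_sources(lines: Iterable[str], prohibited_ports: set, n: int = 10):
    """Count REJECTed TCP (6) / UDP (17) flows per source IP toward a prohibited
    destination port; return the n busiest sources, most frequent first."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if (rec["action"] == "REJECT" and rec["protocol"] in (6, 17)
                and rec["dstport"] in prohibited_ports):
            counts[rec["srcaddr"]] += 1
    return counts.most_common(n)

SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b 203.0.113.12 10.0.1.20 49152 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b 203.0.113.12 10.0.1.20 49153 3389 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b 198.51.100.7 10.0.1.20 51000 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b 198.51.100.7 10.0.1.20 51001 443 6 10 5200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b 192.0.2.9 10.0.1.20 40000 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b - - - - - - - 1700000000 1700000060 - NODATA
""".splitlines()
PROHIBITED_PORTS = {22, 3389}  # SSH and RDP are not meant to be reachable from the internet here

if __name__ == "__main__":
    for ip, hits in top_rejected_sources(SAMPLE_LOG, PROHIBITED_PORTS):
        print(f"{ip:<16} {hits} rejected attempt(s)")
```

The same grouping expressed in Athena is a `GROUP BY srcaddr` with `WHERE action = 'REJECT' AND dstport IN (...)` over the flow log table, ordered by count and limited to 10.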
Real-World Application
- Incident Response: During a suspected data breach, an engineer uses VPC Flow Logs to trace the volume of data (`bytes` field) sent to an external IP address to determine the extent of exfiltration.
- Compliance (PCI-DSS/HIPAA): Providing an immutable audit trail of all network connections to sensitive data processing environments using S3 Object Lock on log buckets.
- Cost Optimization: Identifying unused NAT Gateways or inefficient cross-AZ traffic by analyzing flow logs for high-cost traffic paths.
> [!IMPORTANT]
> Always remember: VPC Flow Logs do not capture packet contents (payload). For deep packet inspection (DPI), you must implement VPC Traffic Mirroring.