This section addresses the following exam objectives:
Domain 3: Infrastructure Security
Task Statement 3.2: Design and implement network security controls
Network security in AWS is built on isolation, explicit allowlisting, and minimal exposure. The objective is to permit only the traffic that is required, block everything else, and enforce controls as close to the workload as possible. AWS provides multiple layers of protection, including instance-level controls, subnet boundaries, centralized inspection, and private connectivity options.
For the exam, always map the requirement to the least-privilege control at the correct layer—for example, using security groups for per-workload access, NACLs for coarse subnet blocking, or centralized firewalls for deep inspection and egress control.
Understanding where each control operates—and what it can and cannot do—is critical.
Security groups are stateful, instance- or ENI-level allowlists. They permit only explicitly allowed traffic and automatically allow return traffic, making them ideal for tight, workload-specific rules.
Network ACLs (NACLs) are stateless controls at the subnet boundary. They support explicit allow and deny rules, with ordered evaluation. NACLs are best suited for coarse-grained subnet protections and rapid blocking across a tier.
AWS Network Firewall provides centralized, stateful and stateless inspection at the VPC edge. It supports domain filtering, URL rules, and Suricata-based IDS/IPS for east-west and egress traffic.
Route tables determine the next hop for traffic. If there is no route, traffic cannot flow—making routing a powerful segmentation control.
VPC endpoints (Gateway and Interface) enable private access to AWS services without traversing the public internet.
Exam Tip:
Security groups are your closest, stateful allowlists. NACLs add subnet-level deny capability. Network Firewall enables deep inspection and centralized policy enforcement.
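The stateful-versus-stateless distinction above is the one most often tested, so here is a small simulator (added here, not code from the original text or from AWS) that evaluates a constructed HTTPS flow against a security group and a NACL. Rule formats, the `Packet` tuple and the `simulate` helper are assumptions of this example; it shows why a NACL needs an explicit outbound rule for the ephemeral port range while a security group does not.

```python
# Added example, not from the original page: a toy simulator contrasting
# stateful security-group evaluation with stateless, ordered NACL evaluation.
import ipaddress
from collections import namedtuple
Packet = namedtuple("Packet", "src dst sport dport")

def _match(cidr, addr, lo, hi, port):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr) and lo <= port <= hi

class SecurityGroup:
    """Stateful allowlist: a packet matching any ingress rule is admitted, and the
    reverse direction of that flow is admitted automatically (no egress rule needed)."""
    def __init__(self, ingress):
        self.ingress = ingress      # (cidr, port_from, port_to); security groups have no deny
        self.flows = set()          # connection tracking table
    def inbound(self, p):
        if any(_match(c, p.src, lo, hi, p.dport) for c, lo, hi in self.ingress):
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return True
        return False
    def outbound_reply(self, p):
        return (p.dst, p.dport, p.src, p.sport) in self.flows

class NetworkACL:
    """Stateless: each direction is evaluated on its own, the lowest-numbered matching
    rule wins, and the implicit final rule (*) denies whatever nothing else matched."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound   # (number, action, cidr, lo, hi)
    @staticmethod
    def _evaluate(rules, addr, port):
        for _, action, cidr, lo, hi in sorted(rules, key=lambda r: r[0]):
            if _match(cidr, addr, lo, hi, port):
                return action == "allow"
        return False
    def check_in(self, p):
        return self._evaluate(self.inbound, p.src, p.dport)
    def check_out(self, p):
        return self._evaluate(self.outbound, p.dst, p.dport)

def simulate(nacl_inbound, nacl_outbound):
    """Constructed flow: a client in 10.0.1.0/24 opens HTTPS to an app host in 10.0.2.0/24."""
    sg = SecurityGroup(ingress=[("10.0.1.0/24", 443, 443)])
    nacl = NetworkACL(nacl_inbound, nacl_outbound)
    request = Packet("10.0.1.25", "10.0.2.10", 50123, 443)
    reply = Packet("10.0.2.10", "10.0.1.25", 443, 50123)   # answer goes back to the ephemeral port
    result = {"sg_request": sg.inbound(request)}           # runs first so the flow is tracked
    result.update(sg_reply=sg.outbound_reply(reply), nacl_request=nacl.check_in(request),
                  nacl_reply=nacl.check_out(reply))
    return result
```

With only an outbound NACL rule for port 443, the request passes both controls but the reply is dropped by the NACL; adding an outbound allow for 1024-65535 fixes it, and a lower-numbered deny always wins over a later allow.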
Choose connectivity patterns based on scale, isolation, and visibility.
AWS Transit Gateway provides scalable, hub-and-spoke routing between many VPCs and on-premises networks, with separate route tables to enforce segmentation.
VPC peering offers simple, point-to-point connectivity but does not support transitive routing, making it unsuitable at large scale.
AWS PrivateLink (Interface Endpoints) allows private, service-specific access without exposing either side's route tables, which makes it ideal for SaaS and shared services.
Gateway Endpoints provide private access to Amazon S3 and DynamoDB via route table entries and endpoint policies.
Exam Tip:
Large, segmented environments point to Transit Gateway. Private access to a service without routing exposure points to PrivateLink.
Select telemetry based on what you need to observe.
VPC Flow Logs show L3/L4 accept or reject decisions per ENI and are the primary source for allow/deny evidence.
Traffic Mirroring captures packet data for deep inspection with partner IDS tools.
Load balancer access logs provide Layer 7 request visibility.
AWS CloudTrail records API calls affecting network configuration.
Route 53 Resolver DNS logs reveal DNS queries and potential command-and-control or exfiltration patterns.
Exam Tip:
If the question asks why traffic was allowed or denied, start with VPC Flow Logs. If it asks what’s inside the packet, use Traffic Mirroring.
Hybrid designs must address encryption, redundancy, and latency.
Site-to-Site VPN provides encrypted IPsec tunnels over the internet with built-in redundancy.
Direct Connect offers predictable performance over private circuits but does not encrypt by default.
VPN over Direct Connect adds encryption on private links.
MACsec provides Layer-2 encryption on supported Direct Connect links with minimal overhead.
Exam Tip:
High availability typically means Direct Connect with VPN as backup. Mandatory encryption on Direct Connect points to MACsec or VPN over DX.
Segmentation limits blast radius and enforces trust boundaries.
Public subnets host only internet-facing components such as ALBs or NAT gateways.
Private subnets contain application and database tiers with no IGW routes.
Highly sensitive workloads are isolated in separate VPCs with dedicated routing and firewall inspection.
Service access uses VPC endpoints instead of public paths.
Egress traffic is centralized through inspection VPCs with Network Firewall and DNS controls.
Exam Tip:
“Keep traffic off the public internet” translates to VPC endpoints, private routing, and no IGW or NAT paths.
Apply controls at multiple layers:
At the workload level, use tight security group rules per tier.
At the subnet level, apply NACL denies for known bad ports or sources.
At the VPC edge, use Network Firewall for centralized inspection and egress filtering.
At the routing layer, separate route tables per tier or environment.
At the name-resolution layer, enforce DNS policies to block malicious domains.
Exam Tip:
Need to block traffic quickly across a subnet? Use a NACL deny. Need granular, per-app control? Use security groups.
Design private paths end-to-end.
Use Gateway Endpoints for S3 and DynamoDB.
Use Interface Endpoints (PrivateLink) for other AWS services and SaaS providers.
Route inter-VPC traffic through Transit Gateway without IGW routes.
Place serverless workloads in VPCs with endpoints for outbound AWS API access.
Either strictly control outbound traffic through an inspection VPC or disallow internet access entirely.
Exam Tip:
“Access S3 privately without NAT” clearly indicates an S3 Gateway Endpoint with restrictive bucket policies.
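Because "no route means no path" is the segmentation control behind the private-subnet and private-path guidance above, the following added example (not from the original text or AWS) performs longest-prefix-match lookups over route tables laid out like DescribeRouteTables output and reports which tables still carry a default route to an IGW or NAT gateway. All resource ids and the `ROUTE_TABLES` sample are constructed placeholders, and prefix-list routes are deliberately left unresolved.

```python
# Added example, not from the original page: longest-prefix-match lookups over route
# tables in the shape of DescribeRouteTables output, to prove which subnets have an
# internet path. All ids below are constructed placeholders.
import ipaddress

ROUTE_TABLES = {
    "rtb-public": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"},
    ],
    "rtb-private-app": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "10.0.0.0/8", "TransitGatewayId": "tgw-0def"},  # other VPCs, on-prem
        {"DestinationPrefixListId": "pl-s3", "GatewayId": "vpce-0s3"},          # S3 gateway endpoint
    ],
    "rtb-private-nat": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0ghi"},
    ],
}

TARGET_KEYS = ("GatewayId", "NatGatewayId", "TransitGatewayId",
               "VpcPeeringConnectionId", "NetworkInterfaceId")

def target_of(route):
    return next((route[k] for k in TARGET_KEYS if k in route), None)

def next_hop(table, dst):
    """Most specific matching route wins; no match at all means no path."""
    addr, best = ipaddress.ip_address(dst), None
    for route in table:
        if "DestinationCidrBlock" not in route:
            continue   # prefix-list routes need the list's CIDRs to be resolved; skipped here
        net = ipaddress.ip_network(route["DestinationCidrBlock"])
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target_of(route))
    return best[1] if best else None

def internet_paths(tables, probe="203.0.113.10"):
    """For each route table, the IGW or NAT gateway its default route leads to, or None.
    A subnet with such a hop is not 'off the public internet' regardless of its SGs."""
    result = {}
    for name, table in tables.items():
        hop = next_hop(table, probe)   # TEST-NET-3 address stands in for any internet host
        result[name] = hop if hop and hop.split("-")[0] in ("igw", "nat") else None
    return result
```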
Choose visibility based on risk:
DDoS and L7 anomalies → load balancer logs and metrics.
East-west movement → VPC Flow Logs and Network Firewall alerts.
Data exfiltration → DNS logs and firewall egress rules.
Configuration drift → CloudTrail and AWS Config.
Packet-level forensics → Traffic Mirroring.
Exam Tip:
To prove whether traffic was allowed or denied, VPC Flow Logs are authoritative.
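Since VPC Flow Logs are the authoritative allow/deny evidence in both the telemetry list and the visibility list above, this added example (not code from the original text or AWS) parses default-format version 2 records, counts decisions per ENI, lists rejected sources for a port, and separates east-west flows from external ones. The `SAMPLE_LOG` lines, account id and ENI ids are constructed.

```python
# Added example, not from the original page: parse VPC Flow Logs in the default
# (version 2) record format and answer "was this flow accepted or rejected, on which ENI?"
import ipaddress
from collections import Counter, defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records: account and ENI ids are placeholders, not real resources.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.2.10 50123 443 6 12 3480 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.10 10.0.1.25 443 50123 6 10 9020 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.2.10 41022 22 6 1 60 1700000001 1700000061 REJECT OK
2 123456789012 eni-0f9e8d7c 10.0.3.5 10.0.2.10 39911 3306 6 1 60 1700000002 1700000062 REJECT OK
2 123456789012 eni-0f9e8d7c - - - - - - - 1700000003 1700000063 - NODATA
"""

def parse_flow_logs(text):
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                       # malformed line: skip rather than crash the pipeline
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":      # NODATA / SKIPDATA records carry no decision
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def decisions_by_eni(records):
    """ACCEPT/REJECT counts per interface: the evidence for 'why was it blocked?'"""
    counts = defaultdict(Counter)
    for rec in records:
        counts[rec["interface_id"]][rec["action"]] += 1
    return {eni: dict(c) for eni, c in counts.items()}

def rejected_sources(records, dstport):
    """Sources whose flows to a destination port were rejected by an SG or NACL."""
    return sorted({r["srcaddr"] for r in records
                   if r["action"] == "REJECT" and r["dstport"] == dstport})

def east_west(records, vpc_cidrs):
    """Flows with both ends inside the VPC ranges (lateral-movement candidates)."""
    nets = [ipaddress.ip_network(c) for c in vpc_cidrs]
    def inside(addr):
        return any(ipaddress.ip_address(addr) in n for n in nets)
    return [r for r in records if inside(r["srcaddr"]) and inside(r["dstaddr"])]
```

A REJECT record proves the packet was dropped at that ENI by a security group or NACL, but not which of the two; correlate it with the rule sets attached to the interface and subnet.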
Design for failure and defense in depth.
Use multiple VPN tunnels across AZs.
Deploy multiple Direct Connect links with LAGs and geographic diversity.
Segment environments using Transit Gateway route tables.
Rotate IPsec keys and manage MACsec keys securely.
Exam Tip:
“Five-nines” connectivity usually implies dual Direct Connect plus VPN failover.
Continuously reduce exposure.
Eliminate overly permissive security group rules.
Use NACLs to block known bad ports globally.
Restrict VPC endpoint access with endpoint policies.
Detect drift using AWS Config and Security Hub.
Automate remediation with EventBridge and Lambda.
Exam Tip:
“Identify and remove unnecessary access” often maps directly to AWS Config managed rules with auto-remediation.
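To make "eliminate overly permissive security group rules" and "Config managed rules with auto-remediation" concrete, this added example (not code from the original text or AWS) evaluates security groups laid out like DescribeSecurityGroups output, returns a per-resource COMPLIANT/NON_COMPLIANT verdict, and builds the list of permissions an automated revoke step would receive. The `SAMPLE_GROUPS` data, group ids and the approved public-port list are constructed assumptions.

```python
# Added example, not from the original page: evaluate security groups the way a custom
# AWS Config rule would, over data shaped like EC2 DescribeSecurityGroups output.
import json

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

# Constructed sample (fake group ids) in the DescribeSecurityGroups structure.
SAMPLE_GROUPS = json.loads("""[
 {"GroupId": "sg-0aaa111", "GroupName": "web-alb", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
 {"GroupId": "sg-0bbb222", "GroupName": "app-tier", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [],
    "UserIdGroupPairs": [{"GroupId": "sg-0aaa111"}]},
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
 {"GroupId": "sg-0ccc333", "GroupName": "legacy", "IpPermissions": [
   {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
]""")

def open_to_world(perm):
    return (any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
            or any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", [])))

def findings(group, public_ports=(80, 443)):
    """Ingress permissions reachable from anywhere on something other than the
    approved public ports. Rules that reference another security group are fine."""
    bad = []
    for perm in group.get("IpPermissions", []):
        if not open_to_world(perm):
            continue
        if perm["IpProtocol"] == "-1":
            bad.append("all traffic from anywhere")
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if (perm["IpProtocol"] not in ("tcp", "udp")
                or any(p not in public_ports for p in range(lo, hi + 1))):
            bad.append(f"{perm['IpProtocol']} {lo}-{hi} from anywhere")
    return bad

def evaluate(groups):
    """Per-resource verdict in the form a custom AWS Config rule reports."""
    return {g["GroupId"]: "NON_COMPLIANT" if findings(g) else "COMPLIANT" for g in groups}

def remediation_plan(groups):
    """(GroupId, offending IpPermissions entry) pairs: the input an automated
    revoke-ingress step needs, so only the bad rule is removed, not the whole group."""
    return [(g["GroupId"], perm) for g in groups
            for perm in g.get("IpPermissions", []) if findings({"IpPermissions": [perm]})]
```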
Scale security with governance.
Use AWS Firewall Manager to centrally enforce security group baselines, Network Firewall policies, and WAF rules.
Manage network constructs with infrastructure as code.
Separate environments into accounts and OUs with SCPs that restrict public exposure.
Monitor changes with CloudTrail and Config, alerting SecOps automatically.
Exam Tip:
For multi-account enforcement of network policies, choose AWS Firewall Manager.
Scenario: A regulated workload must access S3 and a SaaS API without using the public internet, with full egress inspection.
A compliant design removes the IGW, uses an S3 Gateway Endpoint with restrictive policies, accesses the SaaS via PrivateLink, routes any remaining outbound traffic through an inspection VPC with Network Firewall, and enables Flow Logs, firewall alerts, and DNS logs.
Exam Tip:
“Keep traffic off the public internet” points to endpoints, PrivateLink, and Transit Gateway—not NAT to an IGW.
Security groups are stateful, per-workload allowlists; NACLs provide subnet-level denies.
Network Firewall centralizes east-west and egress inspection.
Transit Gateway enables scalable, segmented routing.
PrivateLink and Gateway Endpoints keep service access private.
Flow Logs prove allow/deny decisions; Traffic Mirroring enables deep inspection.
Hybrid HA designs combine Direct Connect, VPN, and optional MACsec.
Least-privilege routing is enforced with route tables and TGW attachments.
Use Firewall Manager and Config for continuous governance and remediation.
Designing network security on AWS is about layered enforcement: tight workload allowlists, subnet-level controls, centralized inspection, and private connectivity that avoids unnecessary internet exposure. For the exam, read each scenario carefully and select the control that enforces the requirement at the right layer with minimal exposure.
By combining segmentation, private endpoints, Transit Gateway routing, and centralized governance, you can build resilient, compliant network defenses that scale across AWS environments.