Domain 3 of 6 · Chapter 3 of 3

Network Security Controls

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing AWS Certified Security - Specialty premium course — no separate purchase.

Included in this chapter:

  • Stateful vs stateless: the model behind every control
  • AWS Network Firewall: when SGs and NACLs run out
  • Hybrid connectivity: VPN, Direct Connect, and MACsec
  • Zero-trust app access with AWS Verified Access
  • Segmentation: subnets, route domains, and PrivateLink
  • Proving least access: Network Access Analyzer and Inspector

Network traffic controls compared

PropertySecurity groupNetwork ACLAWS Network Firewall
Attaches toENI (instance/LB/endpoint)SubnetFirewall endpoint in firewall subnet
StateStateful (return traffic auto-allowed)Stateless (each direction needs a rule)Stateful with Suricata flow tracking
Rule typesAllow onlyAllow and deny, numbered orderAllow, deny, and alert; stateless + stateful groups
Filters onIP, port, protocolIP, port, protocolIP, port, protocol, FQDN, deep packet inspection
Ephemeral portsHandled automaticallyMust open 1024-65535 for returnTracked by the flow table
Typical usePer-resource allowlistSubnet-edge coarse deny or defense in depthCentral egress/FQDN filtering and IPS

Decision tree

Filter by domain name or inspect payload? AWS Network Firewall stateful, Suricata, FQDN + deep packet inspection Yes Need an explicit deny at the subnet edge? No Network ACL stateless, numbered, allow + deny on subnet Yes Per-resource allowlist on an instance/LB? No Security group stateful, allow only, on the ENI; reply auto-allowed Yes Security group (default) start here; stateful keeps rules simple No

Cheat sheet

  • Security groups are stateful, so the return traffic is automatic
  • Security groups have no deny rule, you block by not allowing
  • NACLs are stateless, so open the ephemeral range for return traffic
  • NACLs allow deny rules and evaluate them lowest number first
  • A custom NACL denies everything until you add rules
  • Use AWS Network Firewall for domain filtering and deep inspection
  • Network Firewall runs as endpoints in dedicated firewall subnets
  • Enable TGW appliance mode for symmetric routing to inspection
  • Site-to-Site VPN is IPsec over the internet, encrypted by default
  • Scale VPN past one tunnel with ECMP and dynamic routing
  • Direct Connect is private but not encrypted on its own
  • MACsec adds Layer 2 encryption to dedicated Direct Connect links
  • Run a VPN over a Direct Connect public VIF for end-to-end encryption
  • Public VIF reaches AWS services, private VIF reaches a VPC
  • AWS Verified Access grants app access per request with no VPN
  • Verified Access policy combines a user and a device trust provider
  • The strongest isolation is a subnet with no internet or NAT route
  • Separate Transit Gateway route tables create isolated route domains
  • PrivateLink exposes one service one-way, without peering networks
  • Network Access Analyzer proves access from configuration, not traffic
  • Inspector network reachability flags externally reachable instances
  • Route 53 DNS Firewall defaults to fail-closed and evaluates rule groups by lowest priority first
  • Network Firewall only inspects traffic inside HOME_NET, which defaults to the firewall VPC CIDR
  • Network Firewall strict rule order honours priority; action order runs pass before drop
  • Network Firewall TLS inspection needs TLS_SNI targets and can't see QUIC
  • Network Firewall logs a flow only on alert, drop, reject, or pass-with-alert
  • AWS managed threat signature rule groups give Network Firewall IPS without custom Suricata rules
  • Interface VPC endpoints need an inbound 443 rule from the client workloads
  • A VPC endpoint policy filters calls but never grants IAM permissions
  • Reference a security group as the source so rules follow auto-scaling, not IPs

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. What is AWS Network Firewall?
  2. Tunnel options for your AWS Site-to-Site VPN connection
  3. What is AWS Direct Connect?
  4. MAC Security (MACsec) in AWS Direct Connect
  5. What is AWS Verified Access?
  6. What is AWS PrivateLink?
  7. What is Network Access Analyzer?
  8. Amazon Inspector network reachability scanning