VPC Network Access Analyzer

VPC Network Access Analyzer

  • VPC Network Access Analyzer helps identify unintended network access to the resources on AWS.
  • Network Access Analyzer can be used to
    • Understand, verify, and improve the network security posture
      • helps identify unintended network access relative to the security and compliance requirements that enable improving network security.
    • Demonstrate compliance
      • can help demonstrate that the network on AWS meets certain compliance requirements.
  • Network Access Analyzer can help verify the following example requirements:
    • Network segmentation
      • verify that the production environment VPCs and development environment VPCs are isolated from one another or systems that process credit card information are isolated from the rest of the environment.
    • Internet accessibility
      • can help identify resources that can be accessed from internet gateways, and verify that they are limited to only those resources that have a legitimate need to be accessible from the internet.
    • Trusted network paths
      • can help verify that appropriate network controls such as network firewalls and NAT gateways are configured on all network paths between the resources and internet gateways.
    • Trusted network access
      • can help verify that the resources have network access only from a trusted IP address range, over specific ports and protocols.
      • network access requirements can be specified in terms of:
        • Individual resource IDs, such as vpc-01234567
        • All resources of a given type, such as AWS::EC2::InternetGateway
        • All resources with a given tag, using AWS Resource Groups
        • IP address ranges, port ranges, and traffic protocols

Network Access Analyzer Concepts

  • Network Access Scopes
    • Network Access Scopes specifies the network access requirements, which determine the types of findings that the analysis produces.
    • MatchPaths field help to specify the types of network paths to identify.
    • ExcludePaths field help to specify the types of network paths to exclude
  • Findings
    • Findings are potential paths in the network that match any of the MatchPaths entries in the Network Access Scope, but that do not match any of the ExcludePaths entries in the Network Access Scope.

Network Access Analyzer Works

  • Network Access Analyzer uses automated reasoning algorithms to analyze the network paths that a packet can take between resources in an AWS network.
  • performs a static analysis of a network configuration, meaning that no packets are transmitted in the network as part of this analysis.
  • produces findings for paths that match a customer-defined Network Access Scope.
  • only considers the state of the network as described in the network configuration, packet loss that’s due to transient network interruptions or service failures is not considered in this analysis.

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.

References

AWS_VPC_Network_Access_Analyzer