Sanchit Dilip Jain/Amazon VPC Network Access Analyzer

Created Mon, 02 Jan 2023 12:00:00 +0000 Modified Fri, 06 Dec 2024 18:05:09 +0000

Amazon VPC Network Access Analyzer

Introduction

  1. What is VPC Network Access Analyzer?

    Network Access Analyzer is a feature that identifies unintended network access to your resources on AWS.

    • Understand, verify, and improve your network security posture: Network Access Analyzer helps you identify unintended network access relative to your security and compliance requirements, enabling you to improve your network security.
    • Demonstrate compliance: You can use Network Access Analyzer to demonstrate that your network on AWS meets specific compliance requirements.
    • Verify your network security posture: Network Access Analyzer lets you specify your network security requirements and identify potential network paths that do not meet your requirements.
  2. Why do you need a Network Access Analyzer?

    • Problem statement: As organizations scale, it can be challenging to accomplish security and compliance objectives.
    • Tedious and ineffective network control validation: Customers have to check and audit their network designs and configurations manually, which does not scale.
    • Network controls become obsolete quickly: Customer environments are dynamic, with evolving security mandates and network design changes, so previous manual validation efforts become obsolete.
    • Operations teams trying to keep the environment compliant end up under pressure, and application teams feel they cannot move as fast as they want to.

Demo

1. Set up Amazon VPC Network Access Analyzer and check Internet accessibility

  • Objective: In this demo, we will use Amazon VPC Network Access Analyzer to identify resources that can be accessed from internet gateways and verify that they are limited to only those with a legitimate need to be accessible from the internet.

  • Below are the steps to enable Amazon VPC Network Access Analyzer

    • Click on the search bar from the AWS Console in the top left corner. Type VPC in the services search bar. Select VPC from the list.

    • Click Network Access Analyzer on the left side of the screen, which you can find under the Network Analysis section, and then click Get started.

    • You will see the four Amazon-created Network Access Scopes.

    • To analyze all Ingress paths into your VPCs, click on the AWS-VPC-Ingress Network Access Scope ID. Click Analyze.

    • Once the analysis completes, scroll down to explore the findings. Each finding shows a network path from the internet through the internet gateway to a resource in AWS (for example, an EC2 instance). This is where you review each finding and flag or act on any path that was not intended to have internet access.

    • Select the first finding by clicking the radio button, and in the right pane, you can click on a resource to see additional information on a given resource.

  • This completes the demo, and we successfully enabled Amazon VPC Network Access Analyzer and analyzed the ingress traffic paths from the internet gateway using a default Amazon network access scope.

2. Security controls (e.g., firewall/NAT-GW) in the path

  • Objective: In this demo, we will create a custom network access scope to check if the instances in the VPCs route traffic via the Inspection VPC containing the Network Firewall.

  • Below are the steps to perform this demo

    • Click on Network Access Analyzer on the left to get back to the main page. Click Create Network Access Scope in the upper right.

    • Select the Empty Template radio button and click Next.

    • Click Add match condition.

      • Select Resource IDs under Resource selection and VPCs under Resource types for the Source. Select the Prod VPC and Dev VPC under Resource IDs as shown below.

      • Under Destination, select Resource IDs under Resource selection and Internet Gateways under Resource types. Select the Central Egress VPC IGW under Resource IDs as shown below.

    • Click Next in the lower right, and on the Review and create screen, click Create Network Access Scope in the lower right.

    • Select the Network Access Scope and click Analyze in the upper right.

    • Once complete, you can see that there are findings. Filter the results to the TCP traffic, as shown in the diagram.

      • The Prod and Dev VPCs have a route through the Network Firewall (Inspection VPC). Notice that the destination of the route is the default route, 0.0.0.0/0 ("quad zero").
      • Scroll down in the right pane to see the complete path ending at the Central Egress VPC IGW. Notice the Network Firewall in the path as shown below.

    • Now you can validate if compliance is being met. i.e., find any paths where there is no Network Firewall. We will duplicate and modify this network scope and analyze it.

    • Click on Actions in the right-hand corner and select Duplicate and modify.

    • Scroll down to Exclusion Conditions, click on Add exclusion condition and add AWS Network Firewalls in the Through section under Resource types as shown below.

    • Click on Duplicate and analyze Network Access Scope.

    • You will see no findings detected, which is as expected: every path from the Prod and Dev VPCs to the IGW traverses the Network Firewall, the exclusion condition removes those paths from the results, and nothing is left over. Any finding that did appear here would be a path to the internet that bypasses inspection.

  • This completes the demo, and we successfully created a custom network access scope to see whether the Prod and Dev VPCs route traffic to the internet via a Network Firewall. We then duplicated the network access scope and added an exclusion to find any paths that do not pass through a Network Firewall. If a route or peering change ever lets traffic bypass the firewall, re-running this scope surfaces it as a finding so you can take appropriate action.
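The two demos above are console click-throughs, but the same work is scriptable, which is what you want if the check is to run on a schedule rather than once. The following is an added example and not code from the original post: it builds the demo-2 scope definition (source VPCs to a destination IGW, optionally excluding paths that traverse a Network Firewall), runs an analysis, and triages findings the way demo 1 and demo 2 do by hand. The boto3 call and response shapes are written from my reading of the EC2 NetworkInsightsAccessScope API and should be checked against the current API reference; every VPC, IGW, instance and firewall ID or ARN is made up, and the sample findings are constructed to mimic the response format.

```python
"""Build a Network Access Analyzer scope, run it, and triage the findings.

Added example, not the blog's own code. boto3 request/response shapes are
my assumption about the EC2 NetworkInsightsAccessScope API; all IDs/ARNs
are fictitious.
"""
import time

VPC = "AWS::EC2::VPC"
IGW = "AWS::EC2::InternetGateway"
FIREWALL = "AWS::NetworkFirewall::Firewall"


def build_scope_request(source_vpc_ids, destination_igw_ids, exclude_firewall_paths=False):
    """MatchPaths/ExcludePaths for create_network_insights_access_scope (demo 2).

    The console's "Resource IDs" selection corresponds to the Resources list
    (assumption); the exclusion mirrors "Through: AWS Network Firewalls".
    """
    request = {
        "MatchPaths": [{
            "Source": {"ResourceStatement": {"Resources": list(source_vpc_ids)}},
            "Destination": {"ResourceStatement": {"Resources": list(destination_igw_ids)}},
        }],
        "ExcludePaths": [],
    }
    if exclude_firewall_paths:
        request["ExcludePaths"].append(
            {"ThroughResources": [{"ResourceStatement": {"ResourceTypes": [FIREWALL]}}]}
        )
    return request


def path_components(finding):
    """(Id, Arn) of each component on one finding's path, in hop order."""
    comps = sorted(finding.get("FindingComponents", []), key=lambda c: c.get("SequenceNumber", 0))
    return [(c["Component"]["Id"], c["Component"].get("Arn", ""))
            for c in comps if "Component" in c]


def traverses_firewall(finding):
    """True if any hop is a Network Firewall endpoint (identified by ARN service)."""
    return any(":network-firewall:" in arn for _, arn in path_components(finding))


def paths_bypassing_firewall(findings):
    """Client-side equivalent of demo 2's exclusion: the non-compliant paths."""
    return [f for f in findings if not traverses_firewall(f)]


def path_endpoints(findings):
    """Demo 1 triage: the resource each path ends at, deduplicated, for review."""
    return {path_components(f)[-1][0] for f in findings if path_components(f)}


def run_scope_analysis(ec2, scope_id, poll_seconds=10):
    """Start an analysis for an existing scope, wait for it, return all findings."""
    started = ec2.start_network_insights_access_scope_analysis(NetworkInsightsAccessScopeId=scope_id)
    analysis_id = started["NetworkInsightsAccessScopeAnalysis"]["NetworkInsightsAccessScopeAnalysisId"]
    while True:
        status = ec2.describe_network_insights_access_scope_analyses(
            NetworkInsightsAccessScopeAnalysisIds=[analysis_id]
        )["NetworkInsightsAccessScopeAnalyses"][0]["Status"]
        if status != "running":
            break
        time.sleep(poll_seconds)
    if status != "succeeded":
        raise RuntimeError(f"analysis {analysis_id} ended with status {status}")
    findings, token = [], None
    while True:  # findings are paged; follow NextToken until exhausted
        kwargs = {"NetworkInsightsAccessScopeAnalysisId": analysis_id}
        if token:
            kwargs["NextToken"] = token
        page = ec2.get_network_insights_access_scope_analysis_findings(**kwargs)
        findings.extend(page.get("AnalysisFindings", []))
        token = page.get("NextToken")
        if not token:
            return findings


# Constructed sample findings (fictitious IDs) in the shape the findings call returns.
_EC2 = "arn:aws:ec2:us-east-1:111122223333"
SAMPLE_FINDINGS = [
    {"FindingId": "f-1", "FindingComponents": [  # Prod -> firewall -> IGW: compliant
        {"SequenceNumber": 1, "Component": {"Id": "i-0prod1", "Arn": f"{_EC2}:instance/i-0prod1"}},
        {"SequenceNumber": 2, "Component": {"Id": "inspection-fw",
         "Arn": "arn:aws:network-firewall:us-east-1:111122223333:firewall/inspection-fw"}},
        {"SequenceNumber": 3, "Component": {"Id": "igw-0egress", "Arn": f"{_EC2}:internet-gateway/igw-0egress"}},
    ]},
    {"FindingId": "f-2", "FindingComponents": [  # Dev -> IGW directly: bypasses inspection
        {"SequenceNumber": 1, "Component": {"Id": "i-0dev1", "Arn": f"{_EC2}:instance/i-0dev1"}},
        {"SequenceNumber": 2, "Component": {"Id": "igw-0egress", "Arn": f"{_EC2}:internet-gateway/igw-0egress"}},
    ]},
]

if __name__ == "__main__":
    import boto3  # only needed for a live run against an account
    ec2 = boto3.client("ec2")
    req = build_scope_request(["vpc-prod", "vpc-dev"], ["igw-0egress"], exclude_firewall_paths=True)
    scope = ec2.create_network_insights_access_scope(**req)["NetworkInsightsAccessScope"]
    bypassing = run_scope_analysis(ec2, scope["NetworkInsightsAccessScopeId"])
    print(f"{len(bypassing)} path(s) reach the IGW without traversing a Network Firewall")
```

Run offline, `paths_bypassing_firewall(SAMPLE_FINDINGS)` returns only the constructed Dev finding, which is exactly the kind of path the duplicated scope in demo 2 is meant to surface. The server-side exclusion is preferable in production because it keeps the findings list short, but the client-side check is handy when you already have the findings from the unexcluded scope and want both views from one analysis.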

Summary

  • In this blog, we learned how Amazon VPC Network Access Analyzer helps you identify network configurations that can lead to unintended network access.
  • It gives you a repeatable way to verify and improve your network security posture while letting you and your organization stay agile and flexible.

Resources

  • Visit this page to find the latest documentation.