Developing a threat model and identifying appropriate mitigation strategies for a given network architecture

Task Statement 4.1: Implement and maintain network features to meet security and compliance needs and requirements.

📘 AWS Certified Advanced Networking – Specialty


1. What is a Threat Model (in AWS Networking)?

A threat model is a structured way to:

  • Identify what can go wrong in a network architecture
  • Understand who or what can attack it
  • Find where vulnerabilities exist
  • Decide how to protect the system using AWS services

In simple terms:

A threat model is a security “blueprint” that shows risks in your AWS network and how to defend against them.


2. Why Threat Modeling is Important for the Exam

In AWS Advanced Networking, you are expected to:

  • Design secure VPC architectures
  • Protect inbound and outbound traffic
  • Secure hybrid connectivity (VPN / Direct Connect)
  • Ensure compliance and isolation between workloads
  • Choose correct AWS security services

So threat modeling helps you:

  • Think like a security architect
  • Identify attack points in a VPC design
  • Select correct AWS mitigation tools

3. Steps to Build a Threat Model (Exam-Oriented Approach)

AWS threat modeling typically follows these steps:


Step 1: Understand the Architecture

You first analyze:

  • VPC layout (public/private subnets)
  • Internet Gateway (IGW)
  • NAT Gateway
  • Route Tables
  • Security Groups & NACLs
  • Load Balancers
  • Hybrid connections (VPN / Direct Connect)
  • Inspection points (firewalls, proxies)

👉 Exam focus: Always identify data flow paths


Step 2: Identify Assets

Assets are things you must protect:

  • EC2 instances
  • Databases (RDS, Aurora)
  • Application Load Balancers
  • APIs (API Gateway)
  • Sensitive data flows (internal traffic, customer data)

👉 Anything that stores or processes data = asset


Step 3: Identify Entry Points

Entry points are where traffic enters the system:

  • Internet Gateway (public access)
  • ALB / NLB endpoints
  • API Gateway
  • VPN tunnels
  • Direct Connect links
  • VPC peering connections

👉 Exam tip: Entry points = attack surfaces


Step 4: Identify Threats

AWS networking threats commonly include:

1. Unauthorized Access

  • Open Security Groups (0.0.0.0/0)
  • Weak IAM + exposed services

2. Data Exfiltration

  • Outbound traffic to unknown destinations
  • Malware sending data through NAT Gateway

3. DDoS Attacks

  • Flooding ALB, NLB, or public IPs

4. Man-in-the-Middle (MITM)

  • Unencrypted traffic in transit
  • Weak TLS configuration

5. Lateral Movement

  • Compromised EC2 moving inside VPC
  • Over-permissive security groups

6. Misrouting / Network Leakage

  • Incorrect route tables
  • Leaking traffic between VPCs or accounts

Step 5: Analyze Trust Boundaries

A trust boundary is the point where the security level changes, so traffic crossing it should be authenticated, filtered, or inspected.

Examples:

  • Internet → VPC (untrusted → trusted)
  • Public subnet → private subnet
  • AWS account A → AWS account B
  • On-premises → AWS cloud

👉 Threats often occur at trust boundaries.


Step 6: Assign Mitigation Strategies

This is the MOST IMPORTANT exam part.

You must match threats with AWS services.


4. AWS Mitigation Strategies (Very Important for Exam)

4.1 Protecting Inbound Traffic

Threat: DDoS / Malicious traffic

Mitigations:

  • AWS Shield Standard / Advanced → DDoS protection
  • AWS WAF → filters HTTP/HTTPS requests
  • Security Groups → allow only required ports/IPs
  • Network ACLs → subnet-level filtering
  • ALB with WAF integration

4.2 Protecting Outbound Traffic

Threat: Data exfiltration / malware communication

Mitigations:

  • AWS Network Firewall → deep packet inspection, domain filtering
  • NAT Gateway logging + monitoring
  • Route all traffic through inspection VPC
  • VPC endpoints (PrivateLink) → avoid internet traffic
  • DNS Firewall (Route 53 Resolver DNS Firewall) → block malicious domains

4.3 Securing East-West Traffic (inside VPC)

Threat: Lateral movement between EC2 instances

Mitigations:

  • Security Groups (least privilege rules)
  • Micro-segmentation using multiple subnets
  • Network Firewall between subnets
  • VPC Flow Logs monitoring
  • Service-to-service authentication (TLS/mTLS)

4.4 Securing Hybrid Connectivity

Threat: VPN / Direct Connect interception or misconfiguration

Mitigations:

  • IPsec VPN encryption
  • AWS Direct Connect with MACsec (where supported)
  • Private VIF / Transit Gateway segmentation
  • Route filtering in Transit Gateway
  • BGP authentication (where applicable)

4.5 Preventing Data Leakage

Threat: Sensitive data exposed to public internet or other VPCs

Mitigations:

  • Private subnets for databases
  • VPC endpoints (S3, DynamoDB, etc.)
  • IAM + resource policies
  • S3 bucket policies with restricted access
  • Security Group restrictions (no 0.0.0.0/0 for databases)

4.6 Monitoring and Detection

Threat: Undetected attacks or misconfigurations

Mitigations:

  • VPC Flow Logs → traffic visibility
  • CloudWatch Logs + Metrics
  • AWS CloudTrail → API activity tracking
  • GuardDuty → threat detection (malicious IPs, unusual behavior)
  • AWS Config → compliance monitoring

5. Common AWS Architecture Threat Patterns (Exam Relevance)

Pattern 1: Public Subnet Misconfiguration

Problem:

  • EC2 exposed directly to internet

Fix:

  • Move EC2 to private subnet
  • Use ALB in public subnet

Pattern 2: Over-permissive Security Groups

Problem:

  • Open inbound 0.0.0.0/0 on all ports

Fix:

  • Restrict to:
    • Specific IPs
    • Specific ports
    • Application-level access only

Pattern 3: Missing Traffic Inspection

Problem:

  • Traffic flows directly between VPCs or to internet

Fix:

  • Insert:
    • AWS Network Firewall
    • Transit Gateway inspection VPC

Pattern 4: No Traffic Visibility

Problem:

  • Cannot detect attacks or abnormal traffic

Fix:

  • Enable:
    • VPC Flow Logs
    • GuardDuty
    • CloudWatch alarms
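Enabling VPC Flow Logs only helps if something reads them. As an added example that is not part of the original notes, here is the detection logic for the outbound-traffic threat in 4.2: parse default version-2 flow records, keep accepted egress from the VPC to destinations that are neither RFC 1918 nor on an allowlist, and flag source/destination pairs whose byte total crosses a threshold. The VPC CIDR, allowlist, threshold and log lines are constructed assumptions.

```python
"""Flag outbound transfers to unexpected destinations in VPC Flow Log records.
Added example, not from the original notes. Records use the default version-2 format:
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes
start end action log-status. The VPC CIDR, allowlist, threshold and log lines are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

VPC_CIDR = ip_network("10.0.0.0/16")                               # assumed VPC range
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_DESTINATIONS = [ip_network("198.51.100.0/24")]            # assumed known SaaS range
BYTES_THRESHOLD = 50_000_000                                       # per src/dst pair

FLOW_LOG_SAMPLE = """\
2 123456789012 eni-0a1b2c3d 10.0.1.25 198.51.100.10 44321 443 6 120 96000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 203.0.113.77 51000 443 6 900 52000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 203.0.113.77 51001 443 6 800 48000000 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.40 10.0.1.25 3306 55000 6 30 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 192.0.2.9 60000 4444 6 5 400 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

def in_any(addr, networks):
    return any(addr in net for net in networks)

def parse_record(line):
    """Parse one default-format record; return None for NODATA/SKIPDATA or malformed lines."""
    f = line.split()
    if len(f) != 14 or f[13] != "OK":
        return None
    return {"src": ip_address(f[3]), "dst": ip_address(f[4]), "dstport": int(f[6]),
            "bytes": int(f[9]), "action": f[12]}

def find_exfiltration_candidates(log_text):
    """Return {(src, dst): bytes} for ACCEPTed VPC-to-internet flows over the threshold."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        src, dst = rec["src"], rec["dst"]
        # Egress only: source inside the VPC, destination neither private nor allowlisted.
        if src not in VPC_CIDR or in_any(dst, RFC1918) or in_any(dst, ALLOWED_DESTINATIONS):
            continue
        totals[(str(src), str(dst))] += rec["bytes"]
    return {pair: total for pair, total in totals.items() if total >= BYTES_THRESHOLD}
```

In the sample, the two 443 flows to 203.0.113.77 add up to 100 MB and are the only pair reported; the allowlisted SaaS flow, the internal MySQL flow, the rejected attempt and the NODATA record are all ignored.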

6. How AWS Exam Questions Will Test This

You will see scenarios like:

  • “Design a secure architecture for multi-tier applications”
  • “Identify risk in this VPC design”
  • “Choose correct mitigation for data exfiltration”
  • “Secure hybrid connectivity between on-prem and AWS”
  • “Prevent lateral movement inside VPC”

👉 You must:

  1. Identify threat
  2. Identify entry point
  3. Select correct AWS service

7. Key AWS Services You MUST Remember

Network Protection

  • AWS Network Firewall
  • AWS WAF
  • AWS Shield

Monitoring

  • VPC Flow Logs
  • CloudWatch
  • CloudTrail
  • GuardDuty
  • AWS Config

Network Design Security

  • Security Groups
  • Network ACLs
  • Transit Gateway
  • VPC Peering
  • PrivateLink (VPC Endpoints)

8. Simple Exam Memory Trick

Think like this:

“Where can traffic enter → What can go wrong → How do I block or monitor it?”


9. Final Summary

A threat model in AWS networking means:

  • Mapping architecture
  • Finding entry points
  • Identifying threats (external + internal)
  • Understanding trust boundaries
  • Applying AWS security services to mitigate risks
  • Ensuring visibility, control, and compliance