Task Statement 4.2: Validate and audit security by using network monitoring and logging services.
📘AWS Certified Advanced Networking – Specialty
1. What is a Network Audit Strategy in AWS?
A network audit strategy is a structured approach to:
- Check whether network security rules are correct
- Ensure compliance with security policies
- Detect misconfigurations
- Apply consistent rules across accounts and VPCs
- Continuously monitor changes
In AWS, this is important because environments are:
- Highly distributed (many VPCs and accounts)
- Dynamically changing (auto-scaling, CI/CD deployments)
- Shared across teams
2. Key AWS Components Used in Network Auditing
2.1 Security Groups (SGs)
Security Groups act as virtual firewalls at the instance (network interface) level.
Key points for exam:
- They are stateful (return traffic for an allowed connection is automatically allowed, in both directions)
- Operate at ENI (Elastic Network Interface) level; an ENI can have several SGs attached and the union of their rules applies
- Only support allow rules (no deny rules); anything not explicitly allowed is implicitly denied
- Rules include:
- Inbound traffic rules
- Outbound traffic rules
Audit focus:
When auditing Security Groups, you check:
- Overly permissive rules (for example, 0.0.0.0/0 or ::/0 as the source, especially on SSH, RDP, or database ports)
- Unused or orphaned SGs
- Missing required ports (like application or database ports)
- Consistency across accounts
Example in AWS environment:
- EC2 instances in different VPCs must only allow port 443 from approved application subnets
- Audit ensures no instance is exposed unnecessarily
2.2 Network ACLs (NACLs)
Network ACLs operate at the subnet level.
Key points for exam:
- They are stateless (return traffic must be explicitly allowed)
- Support both:
- Allow rules
- Deny rules
- Rules are evaluated in ascending rule-number order; the first matching rule is applied and no later rule is checked (the catch-all `*` rule denies anything unmatched)
Audit focus:
When auditing NACLs:
- Ensure correct inbound and outbound rules exist
- Check for accidental open access to all ports
- Validate deny rules for unwanted traffic
- Ensure subnet-level segmentation is correct
Example in AWS environment:
- Public subnet NACL should allow HTTP/HTTPS inbound but restrict database ports
- Because NACLs are stateless, the outbound rules must also allow return traffic to the clients' ephemeral ports, otherwise the allowed inbound connections never complete
- Audit ensures no unnecessary ports are open to the internet
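To make the two NACL properties concrete (ordered first-match evaluation, and statelessness requiring a matching outbound rule for reply traffic), here is an added Python example that simulates how a NACL decides on a packet. It is not AWS code and not from the exam guide; the `Rule` shape, the sample ACLs, and the client addresses are constructed for this illustration (the CIDRs are documentation ranges).

```python
"""Simulate network ACL evaluation: rules are processed in ascending rule
number and the first match decides; the implicit '*' rule denies everything
else. NACLs are stateless, so a TCP flow needs an inbound rule for the request
AND an outbound rule for the reply (the client's ephemeral port; AWS
documentation suggests covering 1024-65535 to handle the common client stacks).

Rule and flow shapes below are this example's own (not boto3's), and the
sample ACLs are constructed.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int          # rule number; lower is evaluated first
    protocol: str        # "tcp", "udp", "icmp" or "all"
    cidr: str            # source CIDR for inbound rules, destination CIDR for outbound
    port_from: int       # ignored when protocol is "all"
    port_to: int
    action: str          # "allow" or "deny"


def evaluate(rules: list[Rule], protocol: str, addr: str, port: int) -> tuple[str, int | None]:
    """Return (action, rule_number) for a packet; ('deny', None) means the implicit '*' rule."""
    ip = ipaddress.ip_address(addr)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if ip not in ipaddress.ip_network(rule.cidr, strict=False):
            continue
        if rule.protocol != "all" and not (rule.port_from <= port <= rule.port_to):
            continue
        return rule.action, rule.number      # first match wins, stop here
    return "deny", None


def tcp_flow_allowed(inbound: list[Rule], outbound: list[Rule],
                     client_ip: str, client_port: int, server_port: int) -> dict:
    """Check both halves of a client->subnet TCP flow, since NACLs are stateless."""
    request = evaluate(inbound, "tcp", client_ip, server_port)   # client -> server:443
    reply = evaluate(outbound, "tcp", client_ip, client_port)    # server -> client:ephemeral
    return {"request": request, "reply": reply,
            "allowed": request[0] == "allow" and reply[0] == "allow"}


# Constructed public-subnet NACL: HTTPS in, reply traffic out, DB port blocked
# from everywhere before a broader allow. Order matters: rule 90 (deny 3306)
# precedes rule 110 (allow all TCP from a partner range), so the deny wins.
PUBLIC_INBOUND = [
    Rule(90, "tcp", "0.0.0.0/0", 3306, 3306, "deny"),
    Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
    Rule(110, "tcp", "203.0.113.0/24", 0, 65535, "allow"),   # partner range (TEST-NET-3)
]
PUBLIC_OUTBOUND = [
    Rule(100, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),       # replies to ephemeral ports
]
BROKEN_OUTBOUND: list[Rule] = []    # common mistake: the ephemeral-port rule was forgotten

if __name__ == "__main__":
    print(tcp_flow_allowed(PUBLIC_INBOUND, PUBLIC_OUTBOUND, "198.51.100.7", 51000, 443))
    print(tcp_flow_allowed(PUBLIC_INBOUND, BROKEN_OUTBOUND, "198.51.100.7", 51000, 443))
    print(evaluate(PUBLIC_INBOUND, "tcp", "203.0.113.9", 3306))   # partner, still denied by 90
```

The second flow check fails on the reply half even though the inbound HTTPS rule matches, which is exactly the symptom of a missing ephemeral-port egress rule. Swapping the numbers of rules 90 and 110 would let the partner range reach 3306, which is why an audit has to look at rule order and not just at the set of rules.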
2.3 AWS Firewall Manager
AWS Firewall Manager is used for centralized security policy management across multiple AWS accounts.
It works with:
- AWS WAF (Web Application Firewall)
- AWS Shield Advanced
- VPC Security Groups
- AWS Network Firewall
- Route 53 Resolver DNS Firewall
Key exam concepts:
Firewall Manager helps you:
- Define central security policies
- Apply policies across multiple accounts in AWS Organizations
- Automatically enforce compliance
- Detect non-compliant resources
Audit capabilities:
Firewall Manager is used to:
- Identify non-compliant security groups across accounts
- Ensure consistent WAF rules across applications
- Monitor AWS Network Firewall configurations
- Automatically remediate violations (if enabled)
Example in AWS environment:
- Organization has 50 AWS accounts
- Firewall Manager enforces:
- “No SG should allow SSH from 0.0.0.0/0”
- Audit shows which accounts violate this rule
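The audit checks listed in 2.1 (world-open rules, orphaned groups) and the cross-account example above ("which accounts allow SSH from 0.0.0.0/0") come down to the same logic run over each account's inventory. The following Python is an added example of that logic, not the Firewall Manager implementation or any AWS-provided script. It models only the keys used here from the shape of boto3's `describe_security_groups()` and `describe_network_interfaces()` responses (an assumption), and the two-account inventory is constructed.

```python
"""Audit security groups for world-open sensitive ports and for unused groups.

Input shape follows boto3's ec2.describe_security_groups() and
ec2.describe_network_interfaces() responses (assumption: only the keys used
here are modelled). Sample data below is constructed for the example.
"""
from __future__ import annotations

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"
# Ports that must never be reachable from the whole internet
# (assumption: adjust the list to your own baseline).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}


def _port_range(perm: dict) -> tuple[int, int]:
    """Return the (from, to) port range a permission covers."""
    if perm.get("IpProtocol") == "-1":  # "all traffic" rule has no ports in the API
        return (0, 65535)
    if perm.get("FromPort") is None:    # e.g. ICMP without port fields
        return (-1, -1)
    return (perm["FromPort"], perm["ToPort"])


def _world_open(perm: dict) -> bool:
    """True if the permission's source includes the whole internet (v4 or v6)."""
    v4 = any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def find_exposed_ports(sg: dict) -> list[tuple[int, str]]:
    """List (port, service) pairs this SG exposes to 0.0.0.0/0 or ::/0."""
    hits = set()
    for perm in sg.get("IpPermissions", []):
        if not _world_open(perm):
            continue
        lo, hi = _port_range(perm)
        for port, name in SENSITIVE_PORTS.items():
            if lo <= port <= hi:
                hits.add((port, name))
    return sorted(hits)


def find_unused_groups(groups: list[dict], enis: list[dict]) -> list[str]:
    """SG IDs not attached to any ENI (orphaned groups; the VPC default SG is skipped)."""
    attached = {g["GroupId"] for eni in enis for g in eni.get("Groups", [])}
    return sorted(sg["GroupId"] for sg in groups
                  if sg["GroupId"] not in attached and sg["GroupName"] != "default")


def audit_accounts(inventory: dict[str, dict]) -> dict[str, dict]:
    """Run the audit per account and return findings keyed by account ID."""
    report = {}
    for account, data in inventory.items():
        exposed = {sg["GroupId"]: find_exposed_ports(sg) for sg in data["SecurityGroups"]}
        report[account] = {
            "exposed": {k: v for k, v in exposed.items() if v},
            "unused": find_unused_groups(data["SecurityGroups"], data["NetworkInterfaces"]),
        }
    return report


# Constructed sample inventory for two accounts (not real resources).
SAMPLE_INVENTORY = {
    "111111111111": {
        "SecurityGroups": [
            {"GroupId": "sg-0a1", "GroupName": "web", "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
            {"GroupId": "sg-0a2", "GroupName": "bastion", "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        ],
        "NetworkInterfaces": [{"Groups": [{"GroupId": "sg-0a1"}, {"GroupId": "sg-0a2"}]}],
    },
    "222222222222": {
        "SecurityGroups": [
            {"GroupId": "sg-0b1", "GroupName": "db", "IpPermissions": [
                {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
            {"GroupId": "sg-0b2", "GroupName": "old-test", "IpPermissions": []},
        ],
        "NetworkInterfaces": [{"Groups": [{"GroupId": "sg-0b1"}]}],
    },
}

if __name__ == "__main__":
    for account, findings in audit_accounts(SAMPLE_INVENTORY).items():
        print(account, findings)
```

In a real sweep, `SAMPLE_INVENTORY` would be filled by assuming an audit role in each member account and paging through the two describe calls; the "all traffic" rule with an IPv6 source in the second account is the kind of finding that a check looking only for the literal string `0.0.0.0/0` on port 22 would miss.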
3. Multi-Account Network Audit Strategy (AWS Organizations)
In real AWS environments, companies use multiple accounts for:
- Production
- Development
- Security logging
- Shared services
3.2 Why is multi-account auditing important?
- Prevent inconsistent security rules across accounts
- Centralized governance
- Easier compliance reporting
- Reduced human error
3.2 Tools used for cross-account auditing
1. AWS Organizations
- Groups multiple AWS accounts
- Enables centralized policy control (service control policies, SCPs)
2. AWS Firewall Manager
- Enforces security policies across all accounts
3. AWS Config (important supporting service)
- Tracks configuration changes
- Records compliance history
- Must be enabled in every member account before Firewall Manager can manage it
4. CloudTrail (supporting auditing tool)
- Logs API activity across accounts
- Helps trace changes to SGs, NACLs, Firewall rules
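Tracing a security group change back to a principal means reading CloudTrail records, not the current SG state. This added Python example (not an AWS tool, and not part of the exam guide) filters a CloudTrail log file for SG-changing API calls and reports who made each call and whether it opened something to the whole internet. It assumes CloudTrail's EC2 event layout, where list fields in `requestParameters` are wrapped in `items`; the three records are constructed.

```python
"""Find who changed security group rules from CloudTrail records.

CloudTrail delivers JSON files with a top-level "Records" list; EC2 request
parameters nest list fields under "items" (assumption drawn from CloudTrail's
EC2 event format). The records below are constructed for the example.
"""
from __future__ import annotations
import json

SG_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "ModifySecurityGroupRules", "CreateSecurityGroup", "DeleteSecurityGroup",
}
WORLD = ("0.0.0.0/0", "::/0")


def _actor(record: dict) -> str:
    """Prefer the ARN (it names the role session or user); fall back gracefully."""
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def _sources(record: dict) -> list[str]:
    """Flatten the CIDRs in requestParameters.ipPermissions.items[].ipRanges.items[]."""
    perms = record.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    cidrs = []
    for perm in perms:
        cidrs += [r.get("cidrIp", "") for r in perm.get("ipRanges", {}).get("items", [])]
        cidrs += [r.get("cidrIpv6", "") for r in perm.get("ipv6Ranges", {}).get("items", [])]
    return cidrs


def sg_changes(trail_json: str) -> list[dict]:
    """Return one summary per SG-changing API call, in file order."""
    out = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventName") not in SG_CHANGE_EVENTS:
            continue
        sources = _sources(rec)
        out.append({
            "time": rec["eventTime"],
            "actor": _actor(rec),
            "event": rec["eventName"],
            "group": rec.get("requestParameters", {}).get("groupId"),
            "sources": sources,
            "world_open": any(c in WORLD for c in sources),
            "source_ip": rec.get("sourceIPAddress"),
        })
    return out


# Constructed CloudTrail file: a read-only DescribeSecurityGroups call, an
# AuthorizeSecurityGroupIngress that opens SSH to the world, and its revocation.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "DescribeSecurityGroups",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
     "sourceIPAddress": "198.51.100.20", "requestParameters": {}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/DevOps/bob"},
     "sourceIPAddress": "198.51.100.21",
     "requestParameters": {"groupId": "sg-0a2", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventName": "RevokeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
     "sourceIPAddress": "198.51.100.20",
     "requestParameters": {"groupId": "sg-0a2", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
]})

if __name__ == "__main__":
    for change in sg_changes(SAMPLE_TRAIL):
        print(change)
```

The same filter is what you would express as a CloudTrail Lake or Athena query in production; the point of the `world_open` flag is that the record of the Authorize call is the only place the exposure window (10:05 to 11:00 here) is visible once the rule has been revoked.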
3.3 Audit strategy approach
A proper network audit strategy includes:
Step 1: Define security baseline
- Standard SG rules
- Standard NACL rules
- Firewall policies
Step 2: Centralize control
- Use AWS Organizations + Firewall Manager
Step 3: Continuous monitoring
- Use AWS Config rules
- Enable CloudTrail logging
Step 4: Detect misconfigurations
- Identify:
- Open ports
- Missing deny rules
- Over-permissive access
Step 5: Enforce compliance
- Automatically correct or alert violations
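Steps 1, 3 and 4 together (define a baseline, evaluate it continuously with an AWS Config rule, flag drift) are usually implemented as a custom Config rule. The Python below is an added example of such a rule's evaluation logic, not AWS-provided code and not a Firewall Manager feature. It assumes the camelCase keys Config records for `AWS::EC2::SecurityGroup` configuration items, keys the baseline by group name, and omits the `config.put_evaluations()` boto3 call that a deployed handler must make, so that it runs offline; the invocation event is constructed.

```python
"""Baseline-drift check in the shape of an AWS Config custom Lambda rule.

Config invokes the function with event["invokingEvent"] (a JSON string holding
the configurationItem) and event["ruleParameters"] (a JSON string). The SG
configuration keys (ipPermissions, ipRanges, cidrIp) follow the camelCase form
Config records for AWS::EC2::SecurityGroup (assumption: only those keys are
modelled). A real handler must report via config.put_evaluations(); that boto3
call is left out so the example runs offline. The sample event is constructed.
"""
from __future__ import annotations
import json

# Baseline keyed by group name (assumption): the exact set of
# (protocol, from_port, to_port, cidr) rules that must exist, and nothing else.
BASELINE = {
    "web": {("tcp", 443, 443, "10.0.0.0/16")},
}


def rules_of(config: dict) -> set[tuple]:
    """Normalise a Config SG configuration into hashable (proto, from, to, cidr) tuples."""
    rules = set()
    for perm in config.get("ipPermissions", []):
        proto = perm.get("ipProtocol")
        lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)   # "-1" rules carry no ports
        for r in perm.get("ipRanges", []):
            rules.add((proto, lo, hi, r["cidrIp"]))
        for r in perm.get("ipv6Ranges", []):
            rules.add((proto, lo, hi, r["cidrIpv6"]))
    return rules


def evaluate_item(item: dict, baseline: dict) -> tuple[str, str]:
    """Return (compliance_type, annotation) for one configurationItem."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "not a security group"
    name = item["configuration"].get("groupName")
    if name not in baseline:
        return "NOT_APPLICABLE", f"no baseline defined for {name}"
    actual, expected = rules_of(item["configuration"]), baseline[name]
    extra, missing = actual - expected, expected - actual
    if not extra and not missing:
        return "COMPLIANT", "matches baseline"
    return "NON_COMPLIANT", f"extra={sorted(extra)} missing={sorted(missing)}"


def lambda_handler(event: dict, context=None) -> dict:
    """Parse the Config invocation and build the evaluation payload."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    # ruleParameters may carry the baseline as {"web": [["tcp", 443, 443, "10.0.0.0/16"]]}
    baseline = {k: {tuple(r) for r in v} for k, v in params.items()} if params else BASELINE
    compliance, note = evaluate_item(item, baseline)
    return {   # in a deployed rule: config.put_evaluations(Evaluations=[this], ResultToken=event["resultToken"])
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],   # Config limits annotations to 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


# Constructed event: the "web" group drifted (SSH from anywhere added, HTTPS rule gone).
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-0a1",
        "configurationItemCaptureTime": "2024-05-01T10:05:00.000Z",
        "configuration": {"groupName": "web", "ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]},
    }}),
    "ruleParameters": "{}",
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT))
```

Because the rule compares against an explicit baseline, it reports both the extra rule (the exposure) and the missing one (a broken application), which covers the "missing required ports" audit item as well as the over-permissive one; the Step 5 action (alert or auto-remediate) then keys off the `NON_COMPLIANT` result in Config.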
4. Key Differences (Important for Exam)
Security Groups vs NACLs
| Feature | Security Groups | Network ACLs |
|---|---|---|
| Level | Instance (ENI) | Subnet |
| Type | Stateful | Stateless |
| Rules | Allow only | Allow + Deny |
| Evaluation | All rules evaluated; any matching allow rule permits the traffic | Ascending rule number; first match wins |
| Default behavior | Deny all inbound, allow all outbound | Default NACL allows all; a custom NACL denies all until rules are added |
Firewall Manager vs Security Groups
| Feature | Firewall Manager | Security Groups |
|---|---|---|
| Scope | Multi-account | Single VPC/ENI |
| Purpose | Policy enforcement | Traffic filtering |
| Central control | Yes | No |
| Automation | Yes | Limited |
5. Exam-Focused Key Points to Remember
You must understand these clearly:
1. Security Groups
- Stateful
- No deny rules
- Instance-level filtering
- Often misconfigured with open access
2. NACLs
- Stateless
- Subnet-level filtering
- Support deny rules
- Rule order matters
3. Firewall Manager
- Centralized security policy tool
- Works across AWS Organizations
- Enforces SG, WAF, and firewall rules
- Detects and fixes non-compliance
4. Multi-account strategy
- Uses AWS Organizations
- Enforces consistency across accounts
- Uses CloudTrail + Config for auditing
6. Typical Exam Scenarios
You may be asked:
Scenario 1:
“Detect and prevent open SSH access across multiple accounts”
✔ Best answer:
- AWS Firewall Manager + Security Group policy
Scenario 2:
“Audit subnet-level traffic restrictions”
✔ Best answer:
- Network ACL analysis + AWS Config
Scenario 3:
“Centralize security rule enforcement across accounts”
✔ Best answer:
- AWS Organizations + Firewall Manager
Scenario 4:
“Track who changed security group rules”
✔ Best answer:
- AWS CloudTrail
Final Summary
A network audit strategy in AWS focuses on:
- Checking Security Groups for instance-level misconfigurations
- Validating Network ACLs for subnet-level traffic control
- Using Firewall Manager for centralized, multi-account enforcement
- Leveraging AWS Organizations for governance
- Using AWS Config and CloudTrail for continuous auditing
This combination ensures:
- Consistent security policies
- Continuous compliance monitoring
- Detection and prevention of insecure network configurations
