
Evaluating Network Security With Amazon VPC Network Access Analyzer

Description

Amazon VPC Network Access Analyzer is a security analysis service that helps you improve the security and compliance of your AWS resources. This service analyzes all network traffic within your VPCs to provide you with visibility into traffic flows and detect unintended access. It can also help you identify overly permissive security group rules and network access control lists (ACLs).

In this lab, you will enable Network Access Analyzer and create a scope to analyze network traffic in a VPC.

Learning objectives

Upon completion of this beginner-level lab, you will be able to:

  • Analyze a Network Access Analyzer finding
  • Create a Network Access Analyzer scope

Logging In to the Amazon Web Services Console

This lab experience involves Amazon Web Services (AWS), and you will use the AWS Management Console to complete the instructions in the following lab steps.

The AWS Management Console is a web control panel for managing all your AWS resources, from EC2 instances to SNS topics. The console enables cloud management for all aspects of the AWS account, including managing security credentials and even setting up new IAM Users.

Introduction

Developers can begin working with Network Access Analyzer using the AWS Management Console, AWS CLI, or AWS SDKs. When you access the Network Access Analyzer service for the first time, AWS creates four default scopes on your behalf. These default scopes can be used to analyze all traffic in your VPCs and subnets.

You can also create network access scopes to analyze specific traffic patterns. For example, you can create a scope to analyze traffic to a specific EC2 instance or subnet. You can also create a scope to analyze traffic from a specific source, such as a security group or IP address.

In this lab step, you will explore a default Network Access Analyzer scope and finding.

Instructions

  1. In the AWS Management Console, in the search bar at the top, enter network manager, and under Features, click the Network Manager result:

  1. In the left navigation pane, click Network Access Analyzer below Security and governance:

  1. Click Get started:


AWS has created the following default scopes for you:

  • AWS-IGW-Egress: Identify egress paths from all Network Interfaces to Internet Gateways.
  • All-IGW-Ingress: Identify ingress paths from Internet Gateways to all Network Interfaces.
  • AWS-VPC-Ingress: Identify ingress paths into your VPCs from Internet Gateways, Peering Connections, VPC Service Endpoints, VPN and Transit Gateways.
  • AWS-VPC-Egress: Identify egress paths to Internet Gateways, Peering Connections, VPC Endpoints, VPN, and Transit Gateways from all of your VPCs.

These default scopes created for you do not rely on any preconfigured resources. The AmazonVPCNetworkAccessAnalyzerFullAccessPolicy IAM managed policy grants the necessary permissions to create and analyze these scopes.

  1. Select the All-IGW-Ingress scope, then click Analyze:

  1. While you wait for the analysis to complete, click the arrow icon to expand the Network Access Scope definition:


{
  "NetworkInsightsAccessScopeId": "nis-0ca0d5341e6e92e8f",
  "MatchPaths": [
    {
      "Source": {
        "ResourceStatement": {
          "ResourceTypes": [
            "AWS::EC2::InternetGateway",
            "AWS::EC2::VPCPeeringConnection",
            "AWS::EC2::VPCEndpointService",
            "AWS::EC2::TransitGatewayAttachment",
            "AWS::EC2::VPNGateway"
          ]
        }
      },
      "Destination": {
        "ResourceStatement": {
          "ResourceTypes": [
            "AWS::EC2::NetworkInterface"
          ]
        }
      }
    }
  ]
}

The scope definition is a JSON object that specifies the source and destination of the traffic to analyze. In this case, the source is an internet gateway, and the destination is a network interface. Findings that match this scope definition will be displayed in the Findings tab.

  1. The following analysis status will appear when the analysis is complete:

  1. In the Findings table, select the lab-igw to lab-bastion-instance finding:

The traffic flow diagram will appear below the table:

The source of the traffic is the lab-igw internet gateway, and the destination is the elastic network interface associated with the lab-bastion-instance EC2 instance. Rule 100 of the access control list allows all inbound traffic. The SSH traffic is allowed by the inbound lab-bastion-instance security group rule on port 22.

The End section of the diagram also provides details on which VPC the traffic is flowing through and the destination subnet.

Creating a Network Access Analyzer Scope

Introduction

In this lab step, you will create a network access scope and analyze traffic to the lab-db-instance EC2 instance.

Instructions

  1. Click the Network Access Scopes breadcrumb link to return to the scopes page:

  1. Click Create Network Access Scope:

  1. In the Select Network Access Scope template step, select Empty template, then click Next:

  1. In the Define Network Access Scope step, enter db-instance-ingress for the Name:


Network access scopes can include a match condition and an exclude condition.

A match condition specifies the network access patterns that do not meet your requirements. If a finding matches a match condition, it will be reported in the analysis.

An exclude condition specifies the traffic that you want to exclude from the analysis. Exclude conditions can be used to define network access that you consider as trusted. If a finding matches an excluded condition, it will not be reported in the analysis.

Up next, you will create a match condition to analyze all traffic to the lab-db-instance EC2 instance.

  1. Click Add match condition below Match conditions:

A Match findings condition will be added to the scope.

  1. Configure the following match condition:
    • Source: You will not configure a source. This scope will analyze all traffic and sources that can access the lab-db-instance EC2 instance.
    • Destination:
      • Expand the Resources section.
      • Resource selection: Select Resource IDs from the drop-down menu
      • Resource types: Select EC2 Instances from the drop-down menu
      • Resource IDs: Select the lab-db-instance EC2 instance from the drop-down menu

This network access scope will capture any network traffic that is allowed to access the lab-db-instance EC2 instance. In this example, you want to ensure that the only SSH access allowed to the lab-db-instance EC2 instance is from the bastion-security-group.

  1. Click Next.
  2. Click Create Network Access Scope:


You will be redirected to the Network Access Scopes page.

  1. Select the db-instance-ingress scope, then click Analyze:

In this lab step, you created a network access scope and analyzed the traffic to the lab-db-instance EC2 instance.
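The scope definition shown earlier for the default scope, and the db-instance-ingress scope you just built in the wizard, are both instances of the same MatchPaths/ExcludePaths structure. The following script is an added example, not part of the lab or of AWS's own code: it writes the db-instance-ingress scope as that structure, adds the exclude condition the lab's intent calls for (SSH from the bastion security group treated as trusted), and applies the rule "a finding matches a match condition and no exclude condition" to a few constructed candidate paths. The resource IDs, the DEFAULT_SG_ID name, and the exact statement shape (Resources, PacketHeaderStatement, DestinationPorts) are assumptions; submit_scope shows the boto3 call as I understand its arguments and is not executed here.

```python
"""Added example (not part of the lab): express the db-instance-ingress scope as
the MatchPaths/ExcludePaths structure Network Access Analyzer accepts, and apply
the match-and-not-excluded rule to a set of constructed candidate paths.
Resource IDs are placeholders; the lab names the resources but not their IDs."""
import uuid

DB_INSTANCE_ID = "i-0db0000000000db00"      # lab-db-instance (placeholder ID)
BASTION_SG_ID = "sg-0bastion00000000"       # bastion-security-group (placeholder ID)
DEFAULT_SG_ID = "sg-0default0000000000"     # default-security-group (placeholder ID)


def build_db_ingress_scope(db_instance_id, bastion_sg_id):
    """Match: any source reaching the DB instance (no Source statement, as in the wizard).
    Exclude: SSH from the bastion security group, the access the lab treats as trusted.
    Statement shapes follow the EC2 AccessScopePathRequest as I understand it (assumption)."""
    match_paths = [{
        "Destination": {
            "ResourceStatement": {"Resources": [db_instance_id]},
        },
    }]
    exclude_paths = [{
        "Source": {
            "ResourceStatement": {"Resources": [bastion_sg_id]},
        },
        "Destination": {
            "ResourceStatement": {"Resources": [db_instance_id]},
            "PacketHeaderStatement": {"Protocols": ["tcp"], "DestinationPorts": ["22"]},
        },
    }]
    return {"MatchPaths": match_paths, "ExcludePaths": exclude_paths}


def _statement_matches(statement, endpoint, path):
    """One side (Source or Destination) of a path statement against one candidate path.
    A missing statement constrains nothing."""
    if statement is None:
        return True
    rs = statement.get("ResourceStatement", {})
    if rs.get("Resources") and endpoint["id"] not in rs["Resources"]:
        return False
    if rs.get("ResourceTypes") and endpoint["type"] not in rs["ResourceTypes"]:
        return False
    ph = statement.get("PacketHeaderStatement", {})
    if ph.get("Protocols") and path["protocol"] not in ph["Protocols"]:
        return False
    if ph.get("DestinationPorts") and str(path["port"]) not in ph["DestinationPorts"]:
        return False
    return True


def _path_matches(path_statement, path):
    return (_statement_matches(path_statement.get("Source"), path["source"], path)
            and _statement_matches(path_statement.get("Destination"), path["destination"], path))


def findings_for(scope, candidate_paths):
    """Findings are the candidate paths that match at least one MatchPaths entry
    and none of the ExcludePaths entries (the rule the lab states for findings)."""
    return [p for p in candidate_paths
            if any(_path_matches(m, p) for m in scope["MatchPaths"])
            and not any(_path_matches(e, p) for e in scope.get("ExcludePaths", []))]


def submit_scope(ec2_client, scope):
    """Create the scope for real with a boto3 EC2 client (not run here; needs credentials).
    Assumes boto3's create_network_insights_access_scope keyword arguments."""
    return ec2_client.create_network_insights_access_scope(
        MatchPaths=scope["MatchPaths"],
        ExcludePaths=scope["ExcludePaths"],
        ClientToken=str(uuid.uuid4()),
    )


def _path(name, src_id, src_type, dst_id, dst_type, protocol, port):
    return {"name": name, "source": {"id": src_id, "type": src_type},
            "destination": {"id": dst_id, "type": dst_type}, "protocol": protocol, "port": port}


# Constructed candidate paths standing in for what the analysis would enumerate.
CANDIDATE_PATHS = [
    _path("bastion ssh", BASTION_SG_ID, "AWS::EC2::SecurityGroup",
          DB_INSTANCE_ID, "AWS::EC2::Instance", "tcp", 22),
    _path("default-instance ssh", DEFAULT_SG_ID, "AWS::EC2::SecurityGroup",
          DB_INSTANCE_ID, "AWS::EC2::Instance", "tcp", 22),
    _path("bastion mysql", BASTION_SG_ID, "AWS::EC2::SecurityGroup",
          DB_INSTANCE_ID, "AWS::EC2::Instance", "tcp", 3306),
    _path("bastion to other host", BASTION_SG_ID, "AWS::EC2::SecurityGroup",
          "i-0other000000000000", "AWS::EC2::Instance", "tcp", 22),
]

if __name__ == "__main__":
    scope = build_db_ingress_scope(DB_INSTANCE_ID, BASTION_SG_ID)
    for finding in findings_for(scope, CANDIDATE_PATHS):
        print("finding:", finding["name"])
```

Run stand-alone, the script reports two findings: SSH from the default security group (the unintended access the next lab step addresses) and a non-SSH path from the bastion, which the exclude condition deliberately does not cover because it is scoped to port 22. The bastion's SSH path is excluded, and a path to a different instance never matches at all.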

Addressing Network Access Analyzer Findings

Introduction

Network access findings are generated by analyzing network traffic in a scope. A finding is a potential path in your network that matches any of the match conditions and does not match any of the exclude conditions defined in the scope. Findings are presented in the Network Access Analyzer console and can be exported for further analysis.

In this lab step, you will review a finding generated by your custom network access scope and address the unintended access to the lab-db-instance EC2 instance.

Instructions

  1. In the Findings table below, select the finding with the lab-default-instance EC2 instance in the Start column:

The diagram above presents the following details:

  • Start: The finding begins with the ENI that initiated the network traffic. In this case, the ENI is associated with the lab-default-instance EC2 instance.
  • End: The ENI of the EC2 instance that received the network traffic
  • The outbound network traffic is allowed by the default-security-group security group and is destined for the lab-db-instance EC2 instance.
  • The db-security-group allows inbound SSH traffic on port 22 from the 0.0.0.0/0 CIDR block to the lab-db-instance EC2 instance. This public internet access is unintended and should be addressed:

  1. Click the db-security-group ID to expand the access details:

You will notice the db-security-group is allowing SSH traffic from the 0.0.0.0/0 CIDR block.

To remove this unintended access, you will update the db-security-group security group rule to only allow SSH traffic from the bastion-security-group.

  1. To update the security group rule, click the security group ID below Resource ID:

  1. Click Edit inbound rules:

  1. Click Delete next to the only inbound rule defined:

  1. Click Add rule:

  1. Configure the following rule:
    • Type: Select SSH from the drop-down menu
    • Source:
      • Select Custom from the drop-down menu
      • Select the bastion-security-group from the drop-down menu

  1. Click Save rules:

  1. Return to the Network Access Analyzer tab, then click Analyze to re-run the db-instance-ingress analysis:

After the analysis completes, you will notice the Findings table now displays a single finding. This finding indicates that the lab-bastion-instance is the only EC2 instance that has access to the lab-db-instance EC2 instance:

The inbound rule you added to the db-security-group allows SSH traffic from the lab-bastion-instance to the lab-db-instance.
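The console steps above revoke one rule and add another by hand. As an added example (not the lab's or AWS's own code), the script below performs the same check and fix over a security group in the shape EC2 DescribeSecurityGroups returns: it lists which sources can reach SSH, flags rules open to 0.0.0.0/0 or ::/0 (including "all traffic" rules, which carry no port range), and builds the replacement rule that references the bastion security group instead of a CIDR. The group IDs and the sample group are constructed; remediate shows the boto3 calls as I understand their arguments and is not executed here.

```python
"""Added example (not part of the lab): audit a security group's inbound rules,
in the shape EC2 DescribeSecurityGroups returns, for SSH reachable from anywhere,
and build the replacement rule that allows SSH only from the bastion security
group. Group IDs are placeholders; the sample group is constructed."""

ANYWHERE = {"0.0.0.0/0", "::/0"}
SSH_PORT = 22
BASTION_SG_ID = "sg-0bastion00000000"   # bastion-security-group (placeholder ID)

# Constructed sample: db-security-group as the lab finds it (SSH open to the world).
DB_SECURITY_GROUP = {
    "GroupId": "sg-0db000000000000000",
    "GroupName": "db-security-group",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}


def _covers_port(perm, port):
    """True when a permission's protocol and port range include TCP `port`.
    IpProtocol "-1" is "all traffic" and carries no port range."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def ssh_sources(group):
    """Every source (CIDR or security group ID) the group's inbound rules allow to reach SSH."""
    sources = set()
    for perm in group["IpPermissions"]:
        if _covers_port(perm, SSH_PORT):
            sources |= {r["CidrIp"] for r in perm.get("IpRanges", [])}
            sources |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
            sources |= {p["GroupId"] for p in perm.get("UserIdGroupPairs", [])}
    return sources


def world_open_ssh_rules(group):
    """The inbound permissions that expose SSH to 0.0.0.0/0 or ::/0; these are what to revoke."""
    hits = []
    for perm in group["IpPermissions"]:
        if not _covers_port(perm, SSH_PORT):
            continue
        cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
        cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
        if cidrs & ANYWHERE:
            hits.append(perm)
    return hits


def ssh_from_group_only(source_sg_id):
    """The replacement permission: SSH referenced by security group, not by CIDR."""
    return {"IpProtocol": "tcp", "FromPort": SSH_PORT, "ToPort": SSH_PORT,
            "UserIdGroupPairs": [{"GroupId": source_sg_id}]}


def apply_fix(group, source_sg_id):
    """Pure version of the console steps: drop the world-open SSH rules, add the group-scoped one."""
    bad = world_open_ssh_rules(group)
    kept = [p for p in group["IpPermissions"] if p not in bad]
    return {**group, "IpPermissions": kept + [ssh_from_group_only(source_sg_id)]}


def remediate(ec2_client, group, source_sg_id):
    """Same fix against AWS with a boto3 EC2 client (not run here; needs credentials).
    Assumes boto3's revoke_security_group_ingress / authorize_security_group_ingress arguments."""
    bad = world_open_ssh_rules(group)
    if bad:
        ec2_client.revoke_security_group_ingress(GroupId=group["GroupId"], IpPermissions=bad)
    ec2_client.authorize_security_group_ingress(
        GroupId=group["GroupId"], IpPermissions=[ssh_from_group_only(source_sg_id)])
    return len(bad)


if __name__ == "__main__":
    print("before:", ssh_sources(DB_SECURITY_GROUP))
    print("after: ", ssh_sources(apply_fix(DB_SECURITY_GROUP, BASTION_SG_ID)))
```

Before the fix the only SSH source is 0.0.0.0/0; after it the only source is the bastion security group ID, which is exactly the single finding the re-run analysis shows. Referencing a security group rather than the bastion's IP means the rule keeps working if the bastion instance is replaced and its address changes.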

Summary

In this lab step, you reviewed your network access finding and addressed the SSH access issue by updating the db-security-group security group rule.

By completing this lab, you've completed the following tasks:

  • Created a Network Access Analyzer scope
  • Evaluated a Network Access Analyzer finding
  • Updated a security group rule to restrict SSH access to the lab-db-instance EC2 instance
