π Network Security Skill
π― Purpose
Enforce cloud-native network security with zero-trust architecture, based on Network Security Policy.
Key Principle: "The perimeter is dead. Long live zero-trust."
π Scope
-
βοΈ Cloud-Native Protection (AWS-native services)
-
π Zero-Trust Architecture (never trust, always verify)
-
π‘οΈ Network Segmentation (VPC isolation, security groups)
-
π VPN Requirements (secure remote access)
-
π₯ Firewall Rules (AWS WAF, security groups, NACLs)
βοΈ Security Rules
MUST Requirements
aws_vpc_architecture: network_design: multi_tier: [public_subnets, private_subnets, isolated_subnets] availability_zones: minimum_2_for_ha security_groups: default_deny_least_privilege nacls: additional_subnet_protection
zero_trust_controls: identity: iam_roles_with_mfa segmentation: micro_segmentation_per_workload encryption: tls_1_3_preferred_vpn_for_admin monitoring: cloudtrail_guardduty_flowlogs
aws_waf: managed_rules: [owasp_top_10, known_bad_inputs, ip_reputation] custom_rules: [rate_limiting, geo_blocking] logging: s3_with_90_day_retention
MUST NOT Prohibitions
prohibited:
- public_databases: rds_in_public_subnets
- unrestricted_sg: 0.0.0.0/0_for_admin_ports
- default_vpc: production_in_default_vpc
- disabled_monitoring: no_cloudtrail_or_flow_logs
π‘ Example: Three-Tier VPC
vpc_deployment: public_subnets: [alb, nat_gateway] private_subnets: [ec2_app_servers, lambda] isolated_subnets: [rds_database]
security_groups: alb_sg: inbound: [443_from_0.0.0.0/0, 80_redirect] outbound: [8080_to_app_sg] app_sg: inbound: [8080_from_alb_sg, 22_from_bastion] outbound: [5432_to_db_sg, 443_external_apis] db_sg: inbound: [5432_from_app_sg_only] outbound: deny_all
monitoring: vpc_flow_logs: enabled guardduty: active cloudwatch_alarms: configured
π Integration
Policies: Network Security, Information Security
Frameworks: ISO 27001 A.8.20-23, NIST CSF PR.AC-05, CIS Control 12
π Document Control
-
Version: 1.0 | Updated: 2026-02-10
-
License: Apache-2.0
-
Classification: