INF-02: Network Security
Objective
Protect network perimeter and internal network traffic.
Description
Network boundaries are protected with firewalls and network segmentation. Remote access requires VPN or zero-trust architecture. Network traffic is monitored.
Implementation Details
Cloud Firewalls: AWS Security Groups and NACLs protect resources; AWS Network Firewall provides advanced threat protection.
Zero Trust: Applications sit behind an AWS Application Load Balancer with WAF. There is no direct internet access to application servers.
Remote Access: No VPN; all remote access is via SSO to cloud applications. Engineers access the AWS Console via SSO only.
Traffic Monitoring: VPC Flow Logs are enabled, and AWS GuardDuty provides threat detection. Unusual traffic patterns trigger alerts.
Examples
- All application servers in private subnets with no public IP addresses
- AWS WAF protects APIs from common attacks (SQL injection, XSS)
- VPC Flow Logs sent to CloudWatch, analyzed for anomalies
- GuardDuty alerts on suspicious network activity (port scanning, crypto mining)
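Flow-log anomaly analysis of the kind the examples above describe, as an added illustration rather than the organisation's own tooling: it parses default-format VPC Flow Log records (version 2 field order) from a constructed sample and flags sources that reach many distinct destination ports with mostly rejected flows, the port-scan pattern GuardDuty also alerts on. The thresholds, account id, interface id and addresses are assumptions.

```python
"""Flag port-scan-like behaviour in VPC Flow Log records (added example)."""
from collections import defaultdict

# Default VPC Flow Log (version 2) field order, space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample: 10.0.1.5 probes several ports on 10.0.2.10 and is mostly rejected;
# 10.0.1.8 talks normally to the web tier on 443; the last record carries no data.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.10 40001 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.10 40002 23 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.10 40003 80 6 1 60 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.10 40004 443 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.10 40005 3306 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.8 10.0.2.10 51000 443 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.8 10.0.2.10 51001 443 6 18 3500 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse_flow_log(text):
    """Yield one dict per well-formed record; skip NODATA/SKIPDATA and malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":  # no port/address fields to analyse
            continue
        yield rec

def find_port_scanners(records, min_ports=5, min_reject_ratio=0.6):
    """Return {srcaddr: sorted distinct dst ports} for sources that touched at least
    min_ports distinct destination ports with a high share of REJECTed flows."""
    ports = defaultdict(set)
    rejects = defaultdict(int)
    flows = defaultdict(int)
    for rec in records:
        src = rec["srcaddr"]
        ports[src].add(int(rec["dstport"]))
        flows[src] += 1
        if rec["action"] == "REJECT":
            rejects[src] += 1
    return {src: sorted(p) for src, p in ports.items()
            if len(p) >= min_ports and rejects[src] / flows[src] >= min_reject_ratio}

if __name__ == "__main__":
    for src, dst_ports in find_port_scanners(parse_flow_log(SAMPLE_LOG)).items():
        print(f"possible port scan from {src}: {dst_ports}")
```

In practice the same logic runs over records pulled from the CloudWatch log group the flow logs are delivered to, with thresholds tuned to the VPC's normal traffic.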
Audit Evidence
- Network diagram showing segmentation
- VPC Flow Logs configuration
- AWS GuardDuty findings report
- WAF rules and blocked request metrics
Framework Mapping
SOC 2
- CC6.6 ^[Firewalls and network segmentation restrict access to protected information assets]
- CC6.7 ^[Network controls restrict transmission, movement, and removal of information]
GDPR
- Article 32 ^[Network security controls (firewalls, segmentation, monitoring) ensure security appropriate to risk]