3.4.2. Network & Data Security
A misconfigured Security Group that allows 0.0.0.0/0 on port 22 has been the starting point for countless breaches — and it's one of the most common AWS misconfigurations. Without layered network defenses, your applications are one vulnerability scan away from being discovered by attackers. Think of network security like castle defenses: the moat (VPC), the walls (Network ACLs), the gates (Security Groups), the archers (WAF), and the royal guard (Shield) each provide a distinct layer of protection.
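The following Python is an added example, not code from the original page: it flags the exact misconfiguration the paragraph opens with, a Security Group rule that admits SSH from 0.0.0.0/0. It consumes the dictionary shape returned by boto3's `ec2.describe_security_groups()` so it can be pointed at a live account, but the sample response, group ids and CIDR ranges below are constructed so the script runs offline. It goes a little beyond the single case in the text by also catching protocol `-1` (all traffic) rules, which carry no port fields yet still admit SSH, TCP ranges that merely span port 22, and the IPv6 equivalent `::/0`.

```python
"""Flag Security Group rules that expose SSH (TCP/22) to the whole Internet.

Added example, not code from the original page. It consumes the dict shape
returned by boto3's ec2.describe_security_groups(); the sample response
below is constructed for offline use.
"""

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
SSH_PORT = 22


def rule_covers_port(perm: dict, port: int) -> bool:
    """True if an IpPermission entry admits TCP traffic to `port`.

    IpProtocol "-1" means all protocols and carries no FromPort/ToPort;
    TCP rules carry an inclusive [FromPort, ToPort] range.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    from_port = perm.get("FromPort")
    to_port = perm.get("ToPort")
    if from_port is None or to_port is None:
        return False
    return from_port <= port <= to_port


def rule_open_to_world(perm: dict) -> list:
    """Return the world-open CIDRs (v4 and v6) referenced by a permission."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD_CIDRS]


def find_world_open_ssh(response: dict) -> list:
    """Scan a describe_security_groups() response for SSH open to 0.0.0.0/0 or ::/0."""
    findings = []
    for sg in response.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_port(perm, SSH_PORT):
                continue
            open_cidrs = rule_open_to_world(perm)
            if open_cidrs:
                findings.append({
                    "GroupId": sg.get("GroupId"),
                    "GroupName": sg.get("GroupName"),
                    "IpProtocol": perm.get("IpProtocol"),
                    "FromPort": perm.get("FromPort"),
                    "ToPort": perm.get("ToPort"),
                    "Cidrs": open_cidrs,
                })
    return findings


# Constructed sample (ids and ranges are made up): three groups, two misconfigured.
SAMPLE_RESPONSE = {
    "SecurityGroups": [
        {
            "GroupId": "sg-0aaa11112222bbbb3",
            "GroupName": "bastion-open",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            ],
        },
        {
            "GroupId": "sg-0ccc33334444dddd5",
            "GroupName": "all-traffic",
            "IpPermissions": [
                # Protocol -1 has no port fields but still admits SSH.
                {"IpProtocol": "-1",
                 "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            ],
        },
        {
            "GroupId": "sg-0eee55556666ffff7",
            "GroupName": "bastion-restricted",
            "IpPermissions": [
                # SSH limited to a documentation range standing in for a corporate CIDR: not a finding.
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
                # HTTPS open to the world is expected for a public endpoint.
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            ],
        },
    ]
}

if __name__ == "__main__":
    # Against a real account: response = boto3.client("ec2").describe_security_groups()
    for f in find_world_open_ssh(SAMPLE_RESPONSE):
        print(f"{f['GroupId']} ({f['GroupName']}): {f['IpProtocol']} "
              f"{f['FromPort']}-{f['ToPort']} from {', '.join(f['Cidrs'])}")
```

The check reports two findings for the sample: the TCP/22 rule open to 0.0.0.0/0 and the all-traffic rule open to ::/0, while the group that restricts SSH to a single CIDR and only exposes HTTPS publicly is left alone. Run it per region on a schedule, or trigger it from a CloudTrail `AuthorizeSecurityGroupIngress` event, and the finding list becomes an alert feed for the gate layer of the castle analogy above.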
This section covers the layered approach to network security, data classification and encryption strategies, and automated detection of sensitive data. Unlike identity security (who can access), network and data security focuses on how data is protected in transit and at rest.
