Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

4.3.5. Identifying Unnecessary Network Access

First Principle: Over time, network rules accumulate — temporary access for a migration becomes permanent, overly broad security groups are never tightened, and unused VPC peering connections remain active. Regularly identifying and removing unnecessary network access reduces your attack surface.

Network Access Analyzer:
  • Analyzes VPC configurations to identify unintended network access paths
  • Detects paths between an internet gateway and a sensitive resource
  • Shows the specific security groups, NACLs, and route tables that create the access path
  • Identifies access that violates your security intent

Amazon Inspector Network Reachability:
  • Assesses whether EC2 instances are reachable from the internet
  • Identifies open ports that are accessible from external networks
  • Combines with vulnerability findings to prioritize (reachable + vulnerable = critical)

AWS Verified Access for access auditing:
  • Logs all access decisions (allowed and denied)
  • Provides visibility into who is accessing which applications
  • Identifies unused application access that could be revoked

Continuous Access Review Process:
  1. Run Network Access Analyzer to identify unintended paths
  2. Run Inspector network reachability to find internet-exposed resources
  3. Review security group rules for overly broad permissions (0.0.0.0/0)
  4. Review VPC peering and Transit Gateway attachments for unnecessary connections
  5. Implement Config rules to detect future regressions
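
Step 3 of the review process in script form, as an added example (not code from the page or from MindMesh Academy): it walks the JSON shape that `aws ec2 describe-security-groups` returns and flags ingress rules whose source is the whole internet. The security group IDs, names and the "review"/"high" severity labels are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the shape `aws ec2 describe-security-groups` returns
# (only the fields this check reads); not data from any real account.
SAMPLE_DESCRIBE_OUTPUT = json.loads("""
{"SecurityGroups": [
 {"GroupId": "sg-0aaa", "GroupName": "dev-rds", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
    "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "temp - migration"}]}]},
 {"GroupId": "sg-0bbb", "GroupName": "web-alb", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
 {"GroupId": "sg-0ccc", "GroupName": "app", "IpPermissions": [
   {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
    "UserIdGroupPairs": [{"GroupId": "sg-0bbb"}]}]}
]}
""")

# Ports a public-facing listener is normally expected to expose to anyone.
PUBLIC_OK_PORTS = {80, 443}


def is_anywhere(cidr):
    """True for 0.0.0.0/0, ::/0 or any other zero-length prefix."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def port_range(perm):
    """(from, to) for a rule; IpProtocol -1 means every protocol and port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def find_broad_ingress(describe_output):
    """Flag ingress rules whose source is the whole internet; exactly 80 or 443
    is 'review' (may be intended on an edge group), anything else is 'high'."""
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in filter(is_anywhere, sources):
                lo, hi = port_range(perm)
                web_only = lo == hi and lo in PUBLIC_OK_PORTS
                findings.append({"group": sg["GroupId"], "name": sg["GroupName"],
                                 "source": cidr, "protocol": perm["IpProtocol"],
                                 "ports": f"{lo}-{hi}" if lo != hi else str(lo),
                                 "severity": "review" if web_only else "high"})
    return findings
```

With boto3 installed and credentials configured, the same function can be run over the result of `ec2.describe_security_groups()`, which has this shape; the "high" finding on the dev database group is the kind of leftover migration rule the scenario below describes.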

⚠️ Exam Trap: Network Access Analyzer identifies access paths (could traffic flow from A to B?). Inspector network reachability identifies internet-exposed resources. They answer different questions. Use Network Access Analyzer for "is my database accidentally reachable from the internet?" analysis.

Scenario: Network Access Analyzer reveals that a development RDS instance has an unintended network path from the internet through a misconfigured security group and a public subnet route table. The database contains test data copied from production. You remediate by fixing the security group, moving the database to an isolated subnet, and adding a Config rule to prevent recurrence.

Reflection Question: Why is periodic network access review essential even in well-managed environments, and what types of access paths accumulate over time?

Written by Alvin Varughese, Founder, 15 professional certifications