Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

4.3. Network Security Controls

Network controls govern which resources can communicate with each other and how — they're the internal traffic rules of your AWS environment. If edge security is airport security and compute security is building inspection, network controls are the locked doors and corridors between rooms: they ensure that even if someone gets inside the building, they can only access the rooms they're authorized to enter. Without proper network segmentation, a compromised resource in one tier can communicate freely with resources in every other tier — transforming a single-point compromise into a full-environment breach. What makes AWS network security uniquely complex? Multiple overlapping control layers (security groups, NACLs, Network Firewall, VPC endpoints) each operate at different scopes, with different rule syntaxes, and different evaluation orders.

This section covers the full spectrum of AWS network controls — from instance-level to VPC-level — plus hybrid connectivity, zero-trust network access, segmentation strategies, and access analysis.

Scenario: A compromised EC2 instance in the web tier attempts to connect directly to the RDS database. Without network segmentation, the connection succeeds. With proper tier isolation (separate subnets, restrictive security groups, NACLs), the connection is blocked.
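To make the scenario concrete, here is an added Python model (not MindMesh Academy's or AWS's own code) of the two evaluation models this section contrasts: a security group is allow-only and stateful, with any matching rule permitting, while a NACL is an ordered, stateless list where the first matching numbered rule wins and may explicitly deny. The tier CIDRs, group names and rules are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class SGRule:
    """Security-group rule: allow-only, any matching rule permits, stateful."""
    proto: str
    port: int
    source_sg: str = ""  # match by membership in a referenced SG, not by IP
    cidr: str = ""       # or match by source CIDR


@dataclass
class NaclRule:
    """NACL rule: numbered, first match wins, allow or explicit deny, stateless."""
    number: int
    action: str  # "allow" or "deny"
    proto: str   # "tcp", "udp" or "-1" for all protocols
    from_port: int
    to_port: int
    cidr: str


def sg_allows(rules, proto, port, src_sgs, src_ip):
    for r in rules:
        if r.proto != proto or r.port != port:
            continue
        if r.source_sg and r.source_sg in src_sgs:
            return True
        if r.cidr and ip_address(src_ip) in ip_network(r.cidr):
            return True
    return False  # no rule matched: implicit deny


def nacl_allows(rules, proto, port, ip):
    for r in sorted(rules, key=lambda x: x.number):
        if (r.proto in (proto, "-1") and r.from_port <= port <= r.to_port
                and ip_address(ip) in ip_network(r.cidr)):
            return r.action == "allow"  # first match decides, even if a later rule differs
    return False  # the trailing "*" rule denies everything else


# Constructed topology: web 10.0.1.0/24, app 10.0.2.0/24, db 10.0.3.0/24
DB_SG = [SGRule("tcp", 3306, source_sg="sg-app")]  # only app-tier members reach MySQL
DB_NACL = [
    NaclRule(100, "allow", "tcp", 3306, 3306, "10.0.2.0/24"),  # app subnet in
    NaclRule(110, "deny", "tcp", 3306, 3306, "10.0.1.0/24"),   # web subnet explicitly out
]


def can_reach_db(src_ip, src_sgs):
    """Inbound TCP/3306 to RDS: the subnet NACL and the DB security group must both allow."""
    return (nacl_allows(DB_NACL, "tcp", 3306, src_ip)
            and sg_allows(DB_SG, "tcp", 3306, src_sgs, src_ip))
```

The model covers only the inbound decision; because a NACL is stateless, the database subnet would also need an outbound rule for the ephemeral port range before return traffic could leave.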

Reflection Question: Why does defense-in-depth require network controls at multiple levels (security group, NACL, Network Firewall) rather than just one?

Written by Alvin Varughese, Founder, 15 professional certifications