Posted On: Dec 1, 2021

Amazon VPC Network Access Analyzer is a new feature that helps you identify unintended network access to your resources on AWS. With Network Access Analyzer, you can verify that network access to and from your Virtual Private Cloud (VPC) resources meets your security and compliance guidelines, assess and improve your cloud security posture, and more easily demonstrate that your network meets certain regulatory requirements.

As part of the AWS shared responsibility model, customers often need to verify that their networks on AWS are built with appropriate controls to block unintended network access. Examples include “Databases should never be accessible from the Internet,” “Application servers can only send TCP traffic on port 443 to a trusted on-premises IP range,” and “Production VPCs should not be accessible from Development VPCs.” Network Access Analyzer lets you capture such requirements as simple, precise specifications called Network Access Scopes. Using automated reasoning, Network Access Analyzer then identifies the network paths in your AWS environment that do not meet the requirements you defined; each such path is reported as a finding, so a scope that produces no findings is evidence that the requirement holds for the configuration analyzed. You can specify the sources and destinations of a requirement in terms of IP address ranges, port ranges, traffic protocols, AWS resource IDs, AWS Resource Groups, and resource types such as Internet Gateways or NAT Gateways. This lets you govern network access across your AWS environment independently of how the network itself is configured.

To get started, visit the AWS Management Console and evaluate your network using one of the Amazon-created Network Access Scopes in Network Access Analyzer. You can also define your own Network Access Scopes and analyze your network using the AWS CLI, the AWS SDKs, or the AWS Management Console.
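The following is an added example, not code from the AWS announcement or from the service documentation: it encodes the first requirement quoted above, “Databases should never be accessible from the Internet,” as a Network Access Scope and drives the analysis with the AWS SDK for Python (boto3). The subnet IDs, ports, and the sample findings page are constructed placeholders; the boto3 method names and the MatchPaths / Source / Destination / ResourceStatement / PacketHeaderStatement request shape follow the EC2 API, while placing a resource selector and a packet-header selector together in the same Destination statement is an assumption about how the two combine.

```python
"""Added example: encode a network access requirement as a Network Access
Scope and evaluate it with boto3. Not part of the AWS announcement."""
import time
from typing import Any, Dict, Iterable, List

# Hypothetical identifiers, constructed for this example; replace with your own.
DB_SUBNET_IDS = ["subnet-0db000000000000a1", "subnet-0db000000000000b2"]
DB_PORTS = ["3306", "5432"]


def db_not_internet_reachable_scope(db_subnet_ids: Iterable[str],
                                    db_ports: Iterable[str] = DB_PORTS) -> Dict[str, Any]:
    """Scope for "databases must never be reachable from the Internet".

    Any path that matches the scope is a violation: the source is any Internet
    Gateway in the account (selected by resource type), the destination is the
    database subnets (selected by resource ID) on the database listener ports
    (selected by packet header). No ExcludePaths are given because the rule
    admits no legitimate exception.
    """
    return {
        "MatchPaths": [
            {
                "Source": {
                    "ResourceStatement": {"ResourceTypes": ["AWS::EC2::InternetGateway"]}
                },
                "Destination": {
                    "ResourceStatement": {"Resources": list(db_subnet_ids)},
                    # Assumption: resource and packet-header selectors in one
                    # statement are combined (both must match).
                    "PacketHeaderStatement": {
                        "DestinationPorts": list(db_ports),
                        "Protocols": ["tcp"],
                    },
                },
            }
        ]
    }


def summarize_findings(pages: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Flatten GetNetworkInsightsAccessScopeAnalysisFindings pages into one
    record per finding: the finding ID and the hop IDs of the path, ordered
    by SequenceNumber (source first)."""
    out: List[Dict[str, Any]] = []
    for page in pages:
        for finding in page.get("AnalysisFindings", []):
            hops = sorted(finding.get("FindingComponents", []),
                          key=lambda c: c.get("SequenceNumber", 0))
            out.append({
                "finding_id": finding.get("FindingId"),
                "path": [h.get("Component", {}).get("Id") for h in hops],
            })
    return out


def check_scope(ec2, scope: Dict[str, Any], poll_seconds: int = 10,
                timeout: int = 900) -> List[Dict[str, Any]]:
    """Create the scope, run one analysis, and return its findings.
    An empty list means the requirement holds. `ec2` is a boto3 EC2 client."""
    created = ec2.create_network_insights_access_scope(**scope)
    scope_id = created["NetworkInsightsAccessScope"]["NetworkInsightsAccessScopeId"]
    started = ec2.start_network_insights_access_scope_analysis(
        NetworkInsightsAccessScopeId=scope_id)
    analysis_id = started["NetworkInsightsAccessScopeAnalysis"][
        "NetworkInsightsAccessScopeAnalysisId"]

    # The analysis is asynchronous: poll until it succeeds, fails, or times out.
    deadline = time.time() + timeout
    while True:
        desc = ec2.describe_network_insights_access_scope_analyses(
            NetworkInsightsAccessScopeAnalysisIds=[analysis_id])
        analysis = desc["NetworkInsightsAccessScopeAnalyses"][0]
        if analysis["Status"] == "succeeded":
            break
        if analysis["Status"] == "failed":
            raise RuntimeError(f"analysis {analysis_id} failed: {analysis.get('StatusMessage')}")
        if time.time() > deadline:
            raise TimeoutError(f"analysis {analysis_id} still running after {timeout}s")
        time.sleep(poll_seconds)

    if analysis.get("FindingsFound") != "true":
        return []

    # Findings are paginated; collect every page before summarizing.
    pages, token = [], None
    while True:
        kwargs = {"NetworkInsightsAccessScopeAnalysisId": analysis_id}
        if token:
            kwargs["NextToken"] = token
        page = ec2.get_network_insights_access_scope_analysis_findings(**kwargs)
        pages.append(page)
        token = page.get("NextToken")
        if not token:
            break
    return summarize_findings(pages)


# Constructed sample page, shaped like the API response, so the summarizer can
# be exercised offline. Hops are deliberately out of order to show the sort.
SAMPLE_FINDINGS_PAGE = {
    "NetworkInsightsAccessScopeAnalysisId": "nisa-0example00000000001",
    "AnalysisStatus": "succeeded",
    "AnalysisFindings": [
        {
            "FindingId": "AnalysisFinding-1",
            "FindingComponents": [
                {"SequenceNumber": 2, "Component": {"Id": "eni-0db0000000000000a"}},
                {"SequenceNumber": 1, "Component": {"Id": "igw-0example0000000001"}},
            ],
        }
    ],
}

if __name__ == "__main__":
    import boto3  # only needed for the live run
    findings = check_scope(boto3.client("ec2"),
                           db_not_internet_reachable_scope(DB_SUBNET_IDS))
    for f in findings:
        print(f["finding_id"], " -> ".join(str(h) for h in f["path"]))
    raise SystemExit(1 if findings else 0)
```

Run as a script against real credentials, it exits non-zero whenever a path from an Internet Gateway to the database subnets exists, which makes it usable as a gate in a deployment pipeline. The same scope definition can be submitted from the CLI with `aws ec2 create-network-insights-access-scope --cli-input-json file://scope.json`, followed by `start-network-insights-access-scope-analysis` and `get-network-insights-access-scope-analysis-findings`. Note that a clean result only covers the configuration at analysis time; re-run the scope after every network change rather than treating one run as durable proof.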

Amazon VPC Network Access Analyzer is generally available in the following AWS Regions: US East (N. Virginia), US East (Ohio), US West (Northern California), US West (Oregon), Africa (Cape Town), Asia Pacific (Hong Kong), Asia Pacific (Mumbai), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Canada (Central), Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Milan), Europe (Paris), Europe (Stockholm), South America (Sao Paulo), and Middle East (Bahrain).

To learn more, visit the Amazon VPC documentation and the blog post for Network Access Analyzer. For pricing, visit the Amazon VPC Pricing page.