Product Security Knowledge Base

๐ŸŒ AWS Networking and Policy Baseline

Intro: In AWS, networking and identity are tightly coupled in practice. Security groups, route design, private endpoints, load balancers, and IAM all combine into the real access story.

The short baseline

  • default-deny public exposure unless a documented internet-facing use case exists;
  • prefer security groups for instance and ENI-level policy, with NACLs used deliberately at subnet boundaries rather than as a full replacement;
  • separate ingress, application, data, and shared-services tiers by subnet and route intent;
  • review egress paths, NAT dependencies, and internet-bound third-party calls explicitly;
  • use VPC endpoints or PrivateLink where they materially reduce exposure for management or data flows.

What to review first

Ingress

  • which load balancers or public IPs are internet-facing?
  • which subnets actually host public resources?
  • are admin paths separated from product traffic?

East-west movement

  • can application tiers reach data tiers only on required ports?
  • are shared services reachable from every workload by convenience rather than design?

Egress

  • which workloads can call the public internet?
  • are SaaS or third-party API dependencies constrained and observable?
  • would an SSRF or compromised workload get broad outbound freedom?
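The baseline and the three review lists above can be turned into a mechanical first pass over security-group rules. The following is an added example written for this page, not tooling from the knowledge base or from AWS. It consumes the JSON shape that `aws ec2 describe-security-groups` returns (the `SecurityGroups` list) and flags internet-reachable listeners that are not on a documented allowlist, SG-to-SG rules that open every port between tiers, and egress rules that give a workload unrestricted outbound reach. The `DOCUMENTED_PUBLIC` allowlist, the `sg-0aaa…` group ids and the rules in `SAMPLE_GROUPS` are all constructed for illustration.

```python
"""Audit security-group rules for the exposures the review checklist asks about.

Input is the "SecurityGroups" list from `aws ec2 describe-security-groups`,
so the same function can be pointed at real output; the sample below is constructed.
"""
import json
from typing import Dict, List, Set, Tuple

ANYWHERE_V4 = "0.0.0.0/0"
ANYWHERE_V6 = "::/0"

# Hypothetical allowlist of documented internet-facing listeners:
# (security group id, protocol, from_port, to_port).
DOCUMENTED_PUBLIC: Set[Tuple[str, str, int, int]] = {
    ("sg-0aaa0000000000001", "tcp", 443, 443),
}

# Constructed sample in the describe-security-groups shape (not real account data).
SAMPLE_GROUPS: List[Dict] = [
    {"GroupId": "sg-0aaa0000000000001", "GroupName": "public-alb",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,        # undocumented admin path
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}],
     "IpPermissionsEgress": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0aaa0000000000002", "GroupName": "app-tier",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [],
          "UserIdGroupPairs": [{"GroupId": "sg-0aaa0000000000001"}]}],
     "IpPermissionsEgress": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0aaa0000000000003", "GroupName": "data-tier",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [],                       # every port from app tier
          "UserIdGroupPairs": [{"GroupId": "sg-0aaa0000000000002"}]}],
     "IpPermissionsEgress": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []}]},
]


def _from_anywhere(perm: Dict) -> bool:
    """True if any IPv4 or IPv6 range in the permission is the whole internet."""
    v4 = any(r.get("CidrIp") == ANYWHERE_V4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANYWHERE_V6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def _ports(perm: Dict) -> Tuple[int, int]:
    """Normalise the port range; protocol -1 (all traffic) carries no ports."""
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))


def audit(groups: List[Dict], documented_public=DOCUMENTED_PUBLIC) -> List[Dict]:
    """Return one finding dict per rule that violates the baseline."""
    findings: List[Dict] = []
    for sg in groups:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            lo, hi = _ports(perm)
            # Ingress: internet-reachable listener that nobody documented as internet-facing.
            if _from_anywhere(perm) and (gid, proto, lo, hi) not in documented_public:
                findings.append({"group": gid, "kind": "undocumented-public-ingress",
                                 "detail": f"{proto} {lo}-{hi} from anywhere"})
            # East-west: another security group allowed on every port, not just required ones.
            if proto == "-1" and perm.get("UserIdGroupPairs"):
                srcs = ",".join(p["GroupId"] for p in perm["UserIdGroupPairs"])
                findings.append({"group": gid, "kind": "overbroad-east-west",
                                 "detail": f"all traffic from {srcs}"})
        # Egress: all traffic to anywhere is the "broad outbound freedom" the checklist asks about.
        for perm in sg.get("IpPermissionsEgress", []):
            if perm.get("IpProtocol") == "-1" and _from_anywhere(perm):
                findings.append({"group": gid, "kind": "broad-egress",
                                 "detail": "all traffic to anywhere"})
    return findings


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_GROUPS), indent=2))
```

Against real output, load the file with `json.load(...)["SecurityGroups"]` and pass that list to `audit`. Findings of kind `undocumented-public-ingress` are the cheapest to triage: either the listener is added to the allowlist with its documented use case, or the rule is removed. The default-egress rule that AWS attaches to a new security group shows up as `broad-egress`, which is intentional: an app tier that only talks to a data tier and a handful of VPC endpoints should not keep it.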

Design notes

Use security groups as the primary control for most workload traffic. Use subnet design, route tables, NACLs, and private connectivity to reinforce the architecture where the blast radius matters.