What is Network Access Analyzer? - Amazon Virtual Private Cloud

What is Network Access Analyzer?

Network Access Analyzer is a feature that identifies unintended network access to your resources on AWS. You specify your network access requirements, and Network Access Analyzer identifies potential network paths that do not meet them. The analysis is based on your network configuration rather than on observed traffic, so a reported path is one that your configuration allows, whether or not any traffic has actually taken it. You can use Network Access Analyzer to:

  • Understand, verify, and improve your network security posture: Network Access Analyzer helps you to identify unintended network access relative to your security and compliance requirements, enabling you to take steps to improve your network security.

  • Demonstrate compliance: You can use Network Access Analyzer to demonstrate that your network on AWS meets certain compliance requirements.

Network Access Analyzer can help you verify the following example requirements:

  • Network segmentation: You can verify that your production environment VPCs and development environment VPCs are isolated from one another. Likewise, you can verify that a separate logical network is used for systems that process credit card information, and that it's isolated from the rest of your environment.

  • Internet accessibility: You can identify resources in your environment that can be accessed from internet gateways, and verify that they are limited to only those resources that have a legitimate need to be accessible from the internet.

  • Trusted network paths: You can verify that you have appropriate network controls such as network firewalls and NAT gateways on all network paths between your resources and internet gateways.

  • Trusted network access: You can verify that your resources have network access only from a trusted IP address range, over specific ports and protocols. You can specify your network access requirements in terms of:

    • Individual resource IDs, such as vpc-01234567

    • All resources in your account of a given type, such as AWS::EC2::InternetGateway

    • All resources with a given tag, using AWS Resource Groups

    • IP address ranges, port ranges, and traffic protocols

Network Access Analyzer concepts

Network Access Scopes

You can specify your network access requirements as Network Access Scopes, which determine the types of findings that the analysis produces. You add entries to the MatchPaths field to specify the types of network paths to identify. You add entries to the ExcludePaths field to specify the types of network paths to exclude.

  • MatchPaths: The values specified in the MatchPaths field define the types of network paths that an analysis produces. Typically, you use the MatchPaths field to specify network paths that you consider to be a violation of your security or compliance requirements. For example, if you don't want any network paths starting from VPC vpc-01234567 and ending in vpc-07654321, you can specify VPC vpc-01234567 as a source, and VPC vpc-07654321 as a destination in a MatchPaths field entry. When you analyze this Network Access Scope, you will see findings that indicate any potential network paths that start from a network interface in vpc-01234567 and end at a network interface in vpc-07654321.

  • ExcludePaths: You can specify values in the ExcludePaths field to prevent certain network paths from appearing in your findings. Typically, you use the ExcludePaths field to specify network paths that you consider to be a legitimate exception to your network security or compliance requirements. For example, if you want to identify all network interfaces that are reachable from an internet gateway except for your web servers, you can specify the MatchPaths field entry to identify the relevant paths, and then specify an ExcludePaths field entry to exclude any path with your web servers as a destination. When you analyze this Network Access Scope, you will see all network paths that originate from an internet gateway and end at a network interface, except for any paths that end at your web servers.

Findings

Findings are potential paths in your network that match any of the MatchPaths entries in your Network Access Scope, but that do not match any of the ExcludePaths entries in your Network Access Scope.
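As an added example (not part of the AWS documentation), the following Python builds a Network Access Scope in the request shape that `aws ec2 create-network-insights-access-scope --cli-input-json` accepts, covering the segmentation, internet-accessibility, trusted-path and port requirements listed earlier, and then applies the findings rule above (match any MatchPaths entry, match no ExcludePaths entry) to a handful of constructed candidate paths. The VPC, network interface, firewall and gateway identifiers are placeholders, and the local evaluator is a simplified model of the rule written for illustration; it is not the service's own path analysis, which evaluates your actual VPC configuration.

```python
"""Build a Network Access Scope request body and evaluate its MatchPaths /
ExcludePaths semantics over constructed candidate paths (added example)."""
import json

# Constructed placeholder identifiers; none refer to real AWS resources.
PROD_VPC, DEV_VPC = "vpc-01234567", "vpc-07654321"
WEB_ENIS = ["eni-0web00001", "eni-0web00002"]
IGW_TYPE = "AWS::EC2::InternetGateway"
ENI_TYPE = "AWS::EC2::NetworkInterface"
FIREWALL_TYPE = "AWS::NetworkFirewall::Firewall"


def resource_statement(resources=(), resource_types=()):
    """ResourceStatement: match by resource ID (ENI, VPC, ...) and/or by resource type."""
    stmt = {}
    if resources:
        stmt["Resources"] = list(resources)
    if resource_types:
        stmt["ResourceTypes"] = list(resource_types)
    return stmt


def path_entry(source, destination, through=(), header=None):
    """One MatchPaths / ExcludePaths entry in the CreateNetworkInsightsAccessScope shape."""
    entry = {"Source": {"ResourceStatement": source},
             "Destination": {"ResourceStatement": destination}}
    if header:  # ports / protocols the path must carry to match
        entry["Source"]["PacketHeaderStatement"] = header
    if through:  # resources the path must traverse to match
        entry["ThroughResources"] = [{"ResourceStatement": t} for t in through]
    return entry


def build_scope():
    """Scope for the page's requirements: segmentation, internet exposure, trusted paths and ports."""
    return {
        "MatchPaths": [
            # Segmentation violation: anything in the prod VPC reaching the dev VPC.
            path_entry(resource_statement([PROD_VPC]), resource_statement([DEV_VPC])),
            # Internet exposure: any internet gateway reaching any network interface.
            path_entry(resource_statement(resource_types=[IGW_TYPE]),
                       resource_statement(resource_types=[ENI_TYPE])),
        ],
        "ExcludePaths": [
            # Legitimate exception: web servers may be reached from the internet, but only on tcp/443.
            path_entry(resource_statement(resource_types=[IGW_TYPE]),
                       resource_statement(WEB_ENIS),
                       header={"Protocols": ["tcp"], "DestinationPorts": ["443"]}),
            # Trusted path: internet traffic that passes through a Network Firewall is acceptable.
            path_entry(resource_statement(resource_types=[IGW_TYPE]),
                       resource_statement(resource_types=[ENI_TYPE]),
                       through=[resource_statement(resource_types=[FIREWALL_TYPE])]),
        ],
    }


# Local model of the findings rule (simplified; a hop is {"id", "type", "vpc"}).
def _statement_matches(stmt, hop):
    """Resources match the hop's own ID or the ID of the VPC it belongs to."""
    if "Resources" in stmt and hop["id"] not in stmt["Resources"] \
            and hop.get("vpc") not in stmt["Resources"]:
        return False
    if "ResourceTypes" in stmt and hop["type"] not in stmt["ResourceTypes"]:
        return False
    return True


def _port_in(port, ranges):
    """Port ranges use the API's string form, e.g. "443" or "1024-65535"."""
    for r in ranges:
        lo, _, hi = r.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _header_matches(header, path):
    if "Protocols" in header and path["protocol"] not in header["Protocols"]:
        return False
    if "DestinationPorts" in header and not _port_in(path["dst_port"], header["DestinationPorts"]):
        return False
    return True


def entry_matches(entry, path):
    """True when source, destination, packet header and every required through-hop match."""
    if not _statement_matches(entry["Source"]["ResourceStatement"], path["source"]):
        return False
    if not _statement_matches(entry["Destination"]["ResourceStatement"], path["destination"]):
        return False
    if not _header_matches(entry["Source"].get("PacketHeaderStatement", {}), path):
        return False
    for req in entry.get("ThroughResources", []):
        if not any(_statement_matches(req["ResourceStatement"], hop) for hop in path["through"]):
            return False
    return True


def findings(scope, paths):
    """Findings = paths matching any MatchPaths entry and no ExcludePaths entry."""
    return [p for p in paths
            if any(entry_matches(m, p) for m in scope["MatchPaths"])
            and not any(entry_matches(x, p) for x in scope["ExcludePaths"])]


def sample_paths():
    """Constructed candidate paths standing in for what the analysis would enumerate."""
    igw = {"id": "igw-0abc", "type": IGW_TYPE, "vpc": PROD_VPC}
    fw = {"id": "fw-edge", "type": FIREWALL_TYPE, "vpc": PROD_VPC}
    web = {"id": WEB_ENIS[0], "type": ENI_TYPE, "vpc": PROD_VPC}
    db = {"id": "eni-0db000001", "type": ENI_TYPE, "vpc": PROD_VPC}
    dev = {"id": "eni-0dev00001", "type": ENI_TYPE, "vpc": DEV_VPC}
    return [
        {"name": "prod-to-dev", "source": db, "destination": dev, "through": [], "protocol": "tcp", "dst_port": 5432},
        {"name": "igw-to-web-443", "source": igw, "destination": web, "through": [], "protocol": "tcp", "dst_port": 443},
        {"name": "igw-to-web-22", "source": igw, "destination": web, "through": [], "protocol": "tcp", "dst_port": 22},
        {"name": "igw-to-db-via-fw", "source": igw, "destination": db, "through": [fw], "protocol": "tcp", "dst_port": 5432},
        {"name": "igw-to-db-direct", "source": igw, "destination": db, "through": [], "protocol": "tcp", "dst_port": 5432},
    ]


def finding_names(scope=None, paths=None):
    scope = build_scope() if scope is None else scope
    paths = sample_paths() if paths is None else paths
    return [p["name"] for p in findings(scope, paths)]


if __name__ == "__main__":
    print(json.dumps(build_scope(), indent=2))  # body for --cli-input-json
    print(finding_names())  # ['prod-to-dev', 'igw-to-web-22', 'igw-to-db-direct']
```

The JSON printed by build_scope() is the body to pass with --cli-input-json; after create-network-insights-access-scope, run start-network-insights-access-scope-analysis against the returned scope ID and then get-network-insights-access-scope-analysis-findings to retrieve the results. One caveat the example makes visible: an ExcludePaths entry is a carve-out, so the web-server exception is deliberately narrowed with a PacketHeaderStatement to tcp/443. Without it, the same entry would also hide the SSH exposure on those interfaces (the igw-to-web-22 path), which is exactly the kind of unintended access the scope is meant to surface.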

For details, see Working with Network Access Scopes.

Working with Network Access Analyzer

You can use any of the following interfaces to work with Network Access Analyzer:

  • AWS Management Console — A web interface for AWS services, including Network Access Analyzer.

  • AWS Command Line Interface (AWS CLI) — Provides commands for AWS services, including Network Access Analyzer. The AWS CLI is supported on Windows, macOS, and Linux. For more information, see the AWS Command Line Interface User Guide.

  • AWS CloudFormation — Enables you to create templates that describe your AWS resources. You use the templates to provision and manage AWS resources as a single unit. For more information, see the following resources: AWS::EC2::NetworkInsightsAccessScope and AWS::EC2::NetworkInsightsAccessScopeAnalysis.

  • AWS SDKs — Provide language-specific APIs and take care of many of the connection details, such as calculating signatures, handling request retries, and handling errors. For more information, see AWS SDKs.

  • Query API — Provides low-level API actions that you call using HTTPS requests. Using the Query API is the most direct way to access Network Access Analyzer. However, the Query API requires your application to take care of low-level details such as generating the hash to sign the request, and handling errors. For more information, see the Amazon EC2 API Reference.

Pricing

When you run a Network Access Analyzer analysis, you are charged based on the number of elastic network interfaces that are analyzed. For more information, see Pricing.