AWS Networking Audit
v2
AWS VPC networking audit covering CIDR architecture, Security Group and NACL rule analysis, Transit Gateway connectivity, VPC Flow Log forensics, Route Table validation, and ENI/EIP resource optimization using read-only AWS CLI commands.
AWS VPC Networking Security Audit
Cloud resource audit for AWS Virtual Private Cloud (VPC) architecture, security posture, and connectivity. This skill evaluates provider-specific AWS networking constructs — VPC design, Security Groups, NACLs, Transit Gateway topologies, VPC Flow Logs, Route Tables, and ENI placement — not generic cloud networking advice.
Scope covers VPC-layer networking: CIDR planning, subnet tier layout, security filtering, inter-VPC connectivity, and traffic observability. Out of scope: CloudFront distributions, WAF rules, application-layer load balancing (ALB content routing), and DNS (Route 53) configuration. Reference references/cli-reference.md for read-only AWS CLI commands organized by audit step, and references/vpc-architecture.md for the VPC packet flow model, Security Group vs NACL evaluation order, and Transit Gateway routing architecture.
When to Use
- VPC architecture design review — validating CIDR allocation, subnet tier layout, and AZ distribution before or after deployment
- Post-migration networking audit — verifying VPC connectivity, Security Group rules, and Route Table entries after workload migration
- Security assessment — identifying overly permissive Security Group rules, default NACL exposure, and missing VPC Flow Log coverage
- Connectivity troubleshooting — diagnosing Transit Gateway route propagation failures, VPC peering asymmetric routing, or black-hole routes
- Compliance preparation — documenting VPC segmentation, Security Group justification, and Flow Log retention for auditors
- Cost optimization review — identifying unused Elastic Network Interfaces (ENIs), unattached Elastic IPs (EIPs), and cross-AZ traffic patterns
Prerequisites
- AWS CLI v2 configured with valid credentials (aws sts get-caller-identity succeeds)
- IAM permissions — minimum read-only policy covering: ec2:DescribeVpcs, ec2:DescribeSubnets, ec2:DescribeSecurityGroups, ec2:DescribeNetworkAcls, ec2:DescribeTransitGateways, ec2:DescribeTransitGatewayRouteTables, ec2:DescribeRouteTables, ec2:DescribeFlowLogs, ec2:DescribeNetworkInterfaces, ec2:DescribeVpcPeeringConnections, ec2:DescribeVpcEndpoints, ec2:DescribeAddresses, logs:FilterLogEvents, logs:DescribeLogGroups
- Target scope identified — specific VPC ID(s), AWS account, and region. Multi-account audits require cross-account IAM roles or AWS Organizations access
- VPC Flow Logs enabled — Step 4 requires active Flow Logs publishing to CloudWatch Logs or S3. If Flow Logs are not enabled, document this as a Critical finding
Procedure
Follow these six steps sequentially. Each step builds on prior findings, moving from inventory through security analysis to optimization.
Step 1: VPC Inventory and Design Assessment
Enumerate all VPCs in the target region and assess architectural design.
aws ec2 describe-vpcs --region <region> --output table
aws ec2 describe-subnets --filters "Name=vpc-id,Values=<vpc-id>" --output table
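Once the two commands above have been run with --output json, the Step 1 evaluation criteria (RFC 1918 compliance, overlapping CIDRs across VPCs, the 5-CIDR limit, AZ distribution, DNS settings, tenancy) can be applied programmatically instead of by eye. The script below is an added example and is not part of this skill; its VPC and subnet records are constructed samples shaped like describe-vpcs and describe-subnets output, and the DNS_ATTRS dict is a hypothetical stand-in for the per-VPC results of describe-vpc-attribute, which the skill's command list does not include.

```python
"""Apply the Step 1 design checks to describe-vpcs / describe-subnets JSON.

Added example; all sample data below is constructed, not real account output.
"""
import ipaddress
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample shaped like `aws ec2 describe-vpcs --output json`
VPCS = [
    {"VpcId": "vpc-aaaa1111", "InstanceTenancy": "default",
     "CidrBlockAssociationSet": [{"CidrBlock": "10.0.0.0/16"}, {"CidrBlock": "10.1.0.0/16"}]},
    {"VpcId": "vpc-bbbb2222", "InstanceTenancy": "dedicated",
     "CidrBlockAssociationSet": [{"CidrBlock": "10.1.128.0/17"}]},   # overlaps vpc-aaaa1111
    {"VpcId": "vpc-cccc3333", "InstanceTenancy": "default",
     "CidrBlockAssociationSet": [{"CidrBlock": "100.64.0.0/16"}]},   # not RFC 1918 space
]

# Constructed sample shaped like `aws ec2 describe-subnets --output json`
SUBNETS = [
    {"SubnetId": "subnet-0a", "VpcId": "vpc-aaaa1111", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-0b", "VpcId": "vpc-aaaa1111", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-1a", "VpcId": "vpc-bbbb2222", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-2a", "VpcId": "vpc-cccc3333", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-2b", "VpcId": "vpc-cccc3333", "AvailabilityZone": "us-east-1c"},
]

# Hypothetical stand-in for the results of `describe-vpc-attribute` (one call per attribute per VPC)
DNS_ATTRS = {
    "vpc-aaaa1111": {"enableDnsSupport": True, "enableDnsHostnames": True},
    "vpc-bbbb2222": {"enableDnsSupport": True, "enableDnsHostnames": False},
    "vpc-cccc3333": {"enableDnsSupport": True, "enableDnsHostnames": True},
}


def vpc_cidrs(vpc):
    """All primary and secondary CIDR blocks of a VPC as ip_network objects."""
    return [ipaddress.ip_network(a["CidrBlock"]) for a in vpc["CidrBlockAssociationSet"]]


def assess_vpcs(vpcs, subnets, dns_attrs):
    """Return a list of (severity, vpc_id, message) findings for the Step 1 criteria."""
    findings = []
    az_by_vpc = defaultdict(set)
    for s in subnets:
        az_by_vpc[s["VpcId"]].add(s["AvailabilityZone"])

    for vpc in vpcs:
        vid = vpc["VpcId"]
        cidrs = vpc_cidrs(vpc)
        for c in cidrs:
            if not any(c.subnet_of(r) for r in RFC1918):
                findings.append(("Medium", vid, f"CIDR {c} is outside RFC 1918 space"))
        if len(cidrs) > 5:
            findings.append(("High", vid, "more than 5 CIDR blocks (AWS limit)"))
        if len(az_by_vpc[vid]) < 2:
            # Single-AZ designs are a High finding per the skill
            findings.append(("High", vid, "subnets span a single Availability Zone"))
        attrs = dns_attrs.get(vid, {})
        for name in ("enableDnsSupport", "enableDnsHostnames"):
            if not attrs.get(name, False):
                findings.append(("Medium", vid, f"{name} is disabled"))
        if vpc.get("InstanceTenancy") == "dedicated":
            findings.append(("Info", vid, "dedicated tenancy: confirm it is intentional"))

    # Overlapping CIDRs across VPCs block peering between them
    for i, a in enumerate(vpcs):
        for b in vpcs[i + 1:]:
            for ca in vpc_cidrs(a):
                for cb in vpc_cidrs(b):
                    if ca.overlaps(cb):
                        findings.append(("High", a["VpcId"],
                                         f"CIDR {ca} overlaps {cb} in {b['VpcId']} (peering blocked)"))
    return findings


if __name__ == "__main__":
    for sev, vid, msg in assess_vpcs(VPCS, SUBNETS, DNS_ATTRS):
        print(f"[{sev}] {vid}: {msg}")
```

Severities mirror the skill's own ratings where it gives one (single-AZ is High); the others are working defaults for the analyst to adjust. Subnet tier classification (public/private/isolated) is deliberately left out here because it needs Route Table data, which is collected in a later step.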
For each VPC, evaluate:
- CIDR block allocation: Primary and secondary CIDR blocks. Check for RFC 1918 compliance, overlapping CIDRs across VPCs (blocks peering), and sufficient address space for growth. VPCs support up to 5 CIDR blocks.
- Subnet tier layout: Identify public subnets (Route Table routes to Internet Gateway), private subnets (Route Table routes to NAT Gateway), and isolated subnets (no internet route). Verify each tier exists and workloads are placed in the correct tier.
- Availability Zone distribution: Subnets should span at least 2 AZs for resilience. Single-AZ VPC designs are a High finding.
- DNS settings: Verify enableDnsSupport and enableDnsHostnames are enabled — required for VPC endpoints and private DNS resolution.
- Tenancy: Default vs dedicated. Dedicated tenancy has significant cost implications; verify it is intentional.
Step 2: Security Group and NACL Analysis
Audit stateful Security Group rules and stateless NACL rules for overly permissive access.
Security Group analysis:
aws ec2 describe-security-groups --filters "Name=vpc-id,Values=<vpc-id>"
For each Security Group, evaluate inbound and outbound rules:
- 0.0.0.0/0 inbound rules: Any Security Group rule permitting inbound from 0.0.0.0/0 (or ::/0) is a finding. Severity depends on port: SSH/RDP from 0.0.0.0/0 is Critical; HTTPS from 0.0.0.0/0 on a public ALB may be acceptable.
- SG-to-ENI mapping on public subnets: Cross-reference Security Groups with ENIs on public subnets. An overly permissive Security Group attached to an ENI in a public subnet with a public IP is higher risk than the same Security Group on a private subnet.
- Default Security Group: The VPC default Security Group allows all inbound from itself and all outbound. If any ENI uses the default Security Group, flag as Medium — workloads should use purpose-specific Security Groups.
- Unused Security Groups: Security Groups with no associated ENIs are cleanup candidates.
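The four Security Group checks above can be scripted over the JSON output of describe-security-groups and describe-network-interfaces. The script below is an added example and is not the skill's own code; the Security Group and ENI records are constructed samples in the shape those commands return (Association.PublicIp is present only on ENIs that hold a public IP). It flags inbound rules open to 0.0.0.0/0 or ::/0, rates SSH/RDP (or all-protocol) exposure Critical and other ports Medium for analyst review, notes how many public-IP ENIs each such group reaches, flags use of the default Security Group as Medium, and lists groups with no ENI association as cleanup candidates.

```python
"""Apply the Step 2 Security Group checks to describe-security-groups /
describe-network-interfaces JSON.

Added example; all sample data below is constructed, not real account output.
"""
# Ports whose exposure to the world the skill rates Critical; other ports get Medium
CRITICAL_PORTS = {22: "SSH", 3389: "RDP"}
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample shaped like `aws ec2 describe-security-groups --output json`
SECURITY_GROUPS = [
    {"GroupId": "sg-default01", "GroupName": "default", "VpcId": "vpc-aaaa1111",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-default01"}]}]},
    {"GroupId": "sg-bastion01", "GroupName": "bastion", "VpcId": "vpc-aaaa1111",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-web01", "GroupName": "web-alb", "VpcId": "vpc-aaaa1111",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-orphan01", "GroupName": "old-app", "VpcId": "vpc-aaaa1111",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                        "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
]

# Constructed sample shaped like `aws ec2 describe-network-interfaces --output json`
ENIS = [
    {"NetworkInterfaceId": "eni-01", "SubnetId": "subnet-public-a",
     "Groups": [{"GroupId": "sg-bastion01"}], "Association": {"PublicIp": "203.0.113.10"}},
    {"NetworkInterfaceId": "eni-02", "SubnetId": "subnet-private-a",
     "Groups": [{"GroupId": "sg-default01"}]},
    {"NetworkInterfaceId": "eni-03", "SubnetId": "subnet-public-b",
     "Groups": [{"GroupId": "sg-web01"}], "Association": {"PublicIp": "203.0.113.11"}},
]


def world_open_rules(sg):
    """Yield (from_port, to_port, protocol) for inbound rules open to 0.0.0.0/0 or ::/0."""
    for perm in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if WORLD & set(cidrs):
            # FromPort/ToPort are absent for IpProtocol "-1" (all traffic)
            yield perm.get("FromPort"), perm.get("ToPort"), perm["IpProtocol"]


def assess_security_groups(sgs, enis):
    """Return a list of (severity, group_id, message) findings for the Step 2 criteria."""
    findings = []
    enis_by_sg = {}
    for eni in enis:
        for g in eni["Groups"]:
            enis_by_sg.setdefault(g["GroupId"], []).append(eni)

    for sg in sgs:
        gid = sg["GroupId"]
        attached = enis_by_sg.get(gid, [])
        public_enis = [e for e in attached if e.get("Association", {}).get("PublicIp")]

        for lo, hi, proto in world_open_rules(sg):
            ports = range(lo, hi + 1) if lo is not None else []
            crit = [CRITICAL_PORTS[p] for p in CRITICAL_PORTS if p in ports]
            if proto == "-1" or crit:
                sev, what = "Critical", ",".join(crit) or "all traffic"
            else:
                sev, what = "Medium", f"{proto}/{lo}-{hi}"
            exposure = (f"; reachable via public IP on {len(public_enis)} ENI(s)"
                        if public_enis else "")
            findings.append((sev, gid, f"inbound {what} open to the world{exposure}"))

        if sg["GroupName"] == "default" and attached:
            findings.append(("Medium", gid, f"default Security Group in use by {len(attached)} ENI(s)"))
        if not attached:
            findings.append(("Low", gid, "no ENI associations (cleanup candidate)"))
    return findings


if __name__ == "__main__":
    for sev, gid, msg in assess_security_groups(SECURITY_GROUPS, ENIS):
        print(f"[{sev}] {gid}: {msg}")
```

The HTTPS rule on sg-web01 is reported as Medium rather than suppressed, because whether world-open 443 is acceptable depends on the group sitting on a public ALB, which the analyst confirms from the ENI mapping rather than the script. Rules referencing other Security Groups (UserIdGroupPairs) are not treated as world-open, so the default group's self-referencing all-traffic rule is flagged only through its ENI usage.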
NACL analysis:
aws ec2 describe-network-acls --filters "Name=vpc-id,Values=<vpc-id>"
NACLs are stateless — evaluate both inbound a