Networking: VPC, subnets, security groups
Networking in AWS centers on the VPC (Virtual Private Cloud) — an isolated address space within a given region. It is where EC2, RDS and other resources live. Correct segmentation and filtering rules are the first line of defense — and one of the main areas ZEUS checks for exposure.
VPC and subnets
A VPC has a CIDR range (e.g. 10.0.0.0/16) divided into subnets tied to
availability zones (AZs). The key distinction:
- Public subnet — has a route to an Internet Gateway (IGW); resources can have public IPs.
- Private subnet — no direct access from the internet; egress to the outside goes through a NAT Gateway.
# Utwórz VPC
aws ec2 create-vpc --cidr-block 10.0.0.0/16 \
--tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=vpc-zeus}]'
# Podsieć publiczna w AZ a
aws ec2 create-subnet --vpc-id vpc-xxxx \
--cidr-block 10.0.1.0/24 --availability-zone eu-central-1a
Security Groups vs NACLs
AWS has two layers of filtering:
| Trait | Security Group | Network ACL |
|---|---|---|
| Level | instance (ENI) | subnet |
| State | stateful | stateless |
| Rules | allow only | allow + deny |
| Default | all inbound blocked | all allowed |
A Security Group is stateful (return traffic is allowed automatically) and is the primary tool you use day to day.
# Reguła: zezwól na HTTPS z internetu
aws ec2 authorize-security-group-ingress \
--group-id sg-xxxx --protocol tcp --port 443 --cidr 0.0.0.0/0
# Reguła SSH ograniczona tylko do biura (NIGDY 0.0.0.0/0!)
aws ec2 authorize-security-group-ingress \
--group-id sg-xxxx --protocol tcp --port 22 --cidr 203.0.113.0/24
Tip: the most common critical finding is a security group with
0.0.0.0/0on port 22 (SSH) or 3389 (RDP). Restrict administrative access to known addresses, or use SSM Session Manager — without opening any ports at all.
VPC Endpoints — private access to AWS services
Instead of going out over the internet to reach S3 or DynamoDB, a VPC Endpoint keeps the traffic inside the AWS network. It is the equivalent of Azure's Private Link and the foundation of an architecture with no public exposure.
How ZEUS sees it
Through Boto3 and the EC2 API, ZEUS reads the topology: VPCs, subnets, route tables, Internet/NAT Gateways and all the security group and NACL rules. On that basis it flags publicly exposed resources and dangerously open management ports. This data feeds the security posture view alongside the equivalents from Azure and GCP.
In the next lesson: compute and storage — EC2, S3 and RDS.