VPC Network Access Analyzer

A security analysis tool that automatically analyzes network access paths across your entire VPC, detecting unintended internet exposure and excessive access permissions

Overview

VPC Network Access Analyzer is a service that comprehensively analyzes network access paths within a VPC and automatically detects access routes that violate security policies. While Reachability Analyzer verifies reachability between two specific points, Network Access Analyzer targets the entire VPC to comprehensively analyze which resources are accessible from where. You define Network Access Scopes and set detection conditions for access patterns that should not be permitted (e.g., direct internet access to databases). Findings display the specific access paths and the network components permitting them, enabling use in security audits and compliance checks.

Designing Network Access Scopes

Network Access Analyzer analysis begins with defining a Network Access Scope. Scopes consist of Match Paths and Exclude Paths, declaratively describing the access patterns you want to detect. Match conditions specify source and destination resource types, CIDR blocks, and prefix lists. For example, specifying the source as Internet Gateway and the destination as ENIs within a specific subnet detects all reachable paths from the internet to that subnet. Exclude conditions remove intentionally permitted access paths (e.g., internet access via ALB) to reduce false positives. AWS-provided preset scopes are also available, letting you immediately start detecting common patterns such as inbound access from the internet, outbound access to the internet, and inter-VPC access. Custom scopes are defined in JSON format, making them suitable for version control and code review.

Analyzing Findings and Remediation Actions

When analysis runs, access paths matching the scope are listed as Findings. Each finding displays the source resource, destination resource, and network components along the path (security groups, network ACLs, route tables, NAT Gateways, etc.) in detail. For example, a path like Internet Gateway, Route Table A, Subnet B, Security Group C, EC2 Instance D shows all hops permitting access. Remediation actions include removing security group inbound rules, adding network ACL deny rules, or removing routes from route tables. When findings are numerous, prioritize high-severity items (direct database access, exposed management ports) first. Exporting findings to CSV and incorporating them into security team review workflows is also effective. Regularly re-running analysis and monitoring for new findings prevents security degradation from configuration drift.

Leveraging for Security Audits and Compliance

Network Access Analyzer is ideal for automating periodic security audits and compliance checks. PCI DSS requires strict access restrictions to the Cardholder Data Environment (CDE), and periodically verifying access paths to CDE subnets with Network Access Analyzer demonstrates continuous compliance. For SOC 2 audits, it serves as objective evidence demonstrating the effectiveness of network segmentation. Integration with Organizations enables cross-account VPC analysis from a delegated administrator account, providing centralized assessment of network security posture across the entire multi-account environment. Since analysis can be executed via API, automating monthly security report generation and tracking month-over-month changes in findings is recommended. For cost management, charges are based on the number of ENIs processed per analysis execution, so scope down analysis targets in large VPCs. The division of responsibilities with Reachability Analyzer is clear: Reachability Analyzer for day-to-day troubleshooting, Network Access Analyzer for periodic security audits.

ShareXB!