Aws Networking Audit
by @vahagn-madatyan
AWS VPC networking audit covering CIDR architecture, Security Group and NACL rule analysis, Transit Gateway connectivity, VPC Flow Log forensics, Route Table...
clawhub install aws-networking-auditπ About This Skill
name: aws-networking-audit description: >- AWS VPC networking audit covering CIDR architecture, Security Group and NACL rule analysis, Transit Gateway connectivity, VPC Flow Log forensics, Route Table validation, and ENI/EIP resource optimization using read-only AWS CLI commands. license: Apache-2.0 metadata: safety: read-only author: network-security-skills-suite version: "1.0.0" openclaw: '{"emoji":"βοΈ","safetyTier":"read-only","requires":{"bins":["aws"],"env":["AWS_ACCESS_KEY_ID"]},"tags":["aws","vpc","cloud"],"mcpDependencies":["aws-network-mcp"],"egressEndpoints":["*.amazonaws.com:443"]}'
AWS VPC Networking Security Audit
Cloud resource audit for AWS Virtual Private Cloud (VPC) architecture, security posture, and connectivity. This skill evaluates provider-specific AWS networking constructs β VPC design, Security Groups, NACLs, Transit Gateway topologies, VPC Flow Logs, Route Tables, and ENI placement β not generic cloud networking advice.
Scope covers VPC-layer networking: CIDR planning, subnet tier layout,
security filtering, inter-VPC connectivity, and traffic observability.
Out of scope: CloudFront distributions, WAF rules, application-layer
load balancing (ALB content routing), and DNS (Route 53) configuration.
Reference references/cli-reference.md for read-only AWS CLI commands
organized by audit step, and references/vpc-architecture.md for the
VPC packet flow model, Security Group vs NACL evaluation order, and
Transit Gateway routing architecture.
When to Use
Prerequisites
aws sts get-caller-identity succeeds)ec2:DescribeVpcs, ec2:DescribeSubnets, ec2:DescribeSecurityGroups, ec2:DescribeNetworkAcls, ec2:DescribeTransitGateways, ec2:DescribeTransitGatewayRouteTables, ec2:DescribeRouteTables, ec2:DescribeFlowLogs, ec2:DescribeNetworkInterfaces, ec2:DescribeVpcPeeringConnections, ec2:DescribeVpcEndpoints, ec2:DescribeAddresses, logs:FilterLogEvents, logs:DescribeLogGroupsProcedure
Follow these six steps sequentially. Each step builds on prior findings, moving from inventory through security analysis to optimization.
Step 1: VPC Inventory and Design Assessment
Enumerate all VPCs in the target region and assess architectural design.
aws ec2 describe-vpcs --region --output table
aws ec2 describe-subnets --filters "Name=vpc-id,Values=" --output table
For each VPC, evaluate:
enableDnsSupport and enableDnsHostnames are enabled β required for VPC endpoints and private DNS resolution.Step 2: Security Group and NACL Analysis
Audit stateful Security Group rules and stateless NACL rules for overly permissive access.
Security Group analysis:
aws ec2 describe-security-groups --filters "Name=vpc-id,Values="
For each Security Group, evaluate inbound and outbound rules:
0.0.0.0/0 (or ::/0) is a finding. Severity depends on port: SSH/RDP from 0.0.0.0/0 is Critical; HTTPS from 0.0.0.0/0 on a public ALB may be acceptable.NACL analysis:
aws ec2 describe-network-acls --filters "Name=vpc-id,Values="
NACLs are stateless β evaluate both inbound and outbound rule sets:
Step 3: Transit Gateway and Connectivity Assessment
Evaluate inter-VPC and hybrid connectivity through Transit Gateway (TGW), VPC Peering, and VPC Endpoints.
Transit Gateway:
aws ec2 describe-transit-gateways
aws ec2 describe-transit-gateway-route-tables --transit-gateway-id
aws ec2 search-transit-gateway-routes --transit-gateway-route-table-id --filters "Name=state,Values=active"
VPC Peering:
aws ec2 describe-vpc-peering-connections --filters "Name=status-code,Values=active"
AllowDnsResolutionFromRemoteVpc for cross-VPC private DNS.VPC Endpoints:
aws ec2 describe-vpc-endpoints --filters "Name=vpc-id,Values="
Step 4: VPC Flow Log Analysis
Analyze VPC Flow Logs for security events and traffic patterns.
aws ec2 describe-flow-logs --filter "Name=resource-id,Values="
Verify Flow Logs are enabled at the VPC level (not just subnet or ENI level) with REJECT and ACCEPT capture. If Flow Logs are not enabled, document as Critical and recommend enabling before further analysis.
For active Flow Logs, query CloudWatch Logs:
aws logs filter-log-events --log-group-name --filter-pattern "REJECT"
Analyze patterns:
Step 5: Route Table Validation
Audit Route Tables for correctness, efficiency, and security.
aws ec2 describe-route-tables --filters "Name=vpc-id,Values="
For each Route Table, evaluate:
0.0.0.0/0 to a NAT Gateway for outbound internet access. Verify NAT Gateway is in a public subnet with an EIP. Multi-AZ deployments should have one NAT Gateway per AZ to avoid cross-AZ traffic and single-AZ failure.Step 6: Report and Optimization
Compile findings and identify resource optimization opportunities.
Unused resource cleanup:
aws ec2 describe-network-interfaces --filters "Name=vpc-id,Values=" "Name=status,Values=available"
aws ec2 describe-addresses --filters "Name=domain,Values=vpc"
Compile the findings report using the Report Template section.
Threshold Tables
Security Group Rule Severity
| Finding | Severity | Rationale | |---------|----------|-----------| | SG allows SSH (22) from 0.0.0.0/0 | Critical | Direct shell access from internet | | SG allows RDP (3389) from 0.0.0.0/0 | Critical | Remote desktop open to internet | | SG allows all ports from 0.0.0.0/0 | Critical | No port restriction on internet access | | ENI on public subnet using default SG | High | Default SG permits all inbound from group members | | SG with >50 inbound rules | High | Excessive complexity; likely over-permissive | | SG allows database ports from non-app subnets | High | Database access not restricted to application tier | | SG with no description on rules | Medium | Limits auditability and rule justification | | SG with 0 associated ENIs | Medium | Unused β cleanup candidate |
VPC Flow Log Reject Rate
| Reject Rate (per minute) | Severity | Action | |--------------------------|----------|--------| | >1000 external-source REJECTs | High | Active scanning or DDoS β review source IPs | | >100 internal-to-internal REJECTs | High | Misconfigured SG or NACL β investigate rules | | 10β100 external REJECTs | Medium | Background noise β monitor trend | | <10 external REJECTs | Low | Normal background scanning |
Subnet Utilization
| Available IPs (% of CIDR) | Severity | Action | |----------------------------|----------|--------| | <10% remaining | High | Subnet exhaustion risk β plan CIDR expansion | | 10β25% remaining | Medium | Monitor growth β plan expansion proactively | | >75% unused | Low | Over-provisioned β consider smaller CIDR next time |
Decision Trees
Is This Security Group Rule Overly Permissive?
Security Group rule under review
βββ Source is 0.0.0.0/0 (or ::/0)?
β βββ Yes
β β βββ Port = 22 (SSH) or 3389 (RDP)?
β β β βββ Yes β CRITICAL: Management ports open to internet
β β β β βββ Restrict to known IP ranges or use SSM/bastion
β β β βββ No
β β β βββ Port = 443 (HTTPS) on public-facing ALB/NLB?
β β β β βββ Yes β Acceptable for public services
β β β β βββ No β HIGH: Review necessity of open port
β β β βββ Port = ALL?
β β β βββ CRITICAL: All ports open to internet
β β βββ ENI attached to public subnet instance?
β β βββ Yes β Risk amplified β instance directly reachable
β β βββ No (private subnet) β Lower risk but still flag
β βββ No (specific source CIDR or SG reference)
β βββ SG self-reference?
β β βββ Acceptable for cluster communication
β βββ Cross-VPC or broad CIDR (/8, /16)?
β βββ Medium β verify least-privilege intent
Is This VPC Design Following AWS Best Practices?
VPC design under review
βββ Multiple AZs used?
β βββ No β HIGH: Single point of failure
β βββ Yes
β βββ Subnet tiers defined (public/private/isolated)?
β β βββ No β HIGH: Flat network β no segmentation
β β βββ Yes
β β βββ Public subnets have IGW route?
β β β βββ Verify only intended subnets are public
β β βββ Private subnets route to NAT GW?
β β β βββ Per-AZ NAT GW? β Best practice
β β β βββ Single NAT GW β Cost-optimized but AZ risk
β β βββ Isolated subnets have no internet route?
β β βββ Verify β should only reach VPC endpoints
β βββ VPC Flow Logs enabled?
β β βββ No β CRITICAL: No traffic visibility
β β βββ Yes β Check retention and capture scope
β βββ CIDR planning?
β βββ Overlaps with peered VPCs? β Blocks connectivity
β βββ Sufficient for growth? β Plan secondary CIDRs
Report Template
AWS VPC NETWORKING AUDIT REPORT
==================================
Account: [account-id] ([account-alias])
Region: [region]
VPC: [vpc-id] ([Name tag])
CIDR Blocks: [primary] [secondary if any]
Audit Date: [timestamp]
Performed By: [operator/agent]VPC ARCHITECTURE:
Subnets: [total] (public:[n] private:[n] isolated:[n])
AZs: [list]
DNS: enableDnsSupport=[yes/no] enableDnsHostnames=[yes/no]
Tenancy: [default/dedicated]
SECURITY GROUPS:
Total: [n] | With 0.0.0.0/0 inbound: [n] | Unused (0 ENIs): [n]
Default SG in use: [yes/no β ENI count]
Rules total: [n] inbound / [n] outbound
NACLs:
Total: [n] | Using default NACL: [n subnets]
Custom NACLs: [n] | Stateless rules reviewed: [n]
CONNECTIVITY:
Transit Gateway: [tgw-id or N/A] | Attachments: [n]
VPC Peering: [n active] | Route validation: [pass/issues]
VPC Endpoints: [n] (gateway:[n] interface:[n])
FLOW LOGS:
Status: [enabled/disabled] | Capture: [ALL/ACCEPT/REJECT]
Log destination: [CloudWatch/S3] | Retention: [days]
Reject rate: [n/min avg] | Top reject sources: [list]
ROUTE TABLES:
Total: [n] | Main RT associations: [n subnets]
Black-hole routes: [n] | NAT GW routes: [n]
RESOURCE OPTIMIZATION:
Unused ENIs: [n] | Unattached EIPs: [n]
Cross-AZ traffic: [high/moderate/low]
NAT GW count: [n] across [n] AZs
FINDINGS:
1. [Severity] [Category] β [Description]
Resource: [sg-xxx / rtb-xxx / nacl-xxx]
Issue: [detail] β Recommendation: [action]
RECOMMENDATIONS: [prioritized by severity]
NEXT AUDIT: [CRITICAL findings: 30d, HIGH: 90d, clean: 180d]
Troubleshooting
VPC Flow Logs Not Enabled
If aws ec2 describe-flow-logs returns empty for the target VPC, Flow Logs
are not configured. Document as a Critical finding β no traffic visibility.
Flow Logs require an IAM role with logs:CreateLogGroup, logs:CreateLogStream,
logs:PutLogEvents permissions. Enabling Flow Logs is a non-disruptive operation.
Security Group Not Attached to Expected ENI
Use aws ec2 describe-network-interfaces --filters "Name=group-id,Values=
to find all ENIs associated with a Security Group. If the expected ENI is missing,
check whether the instance was replaced (Auto Scaling) or the SG was modified.
Transit Gateway Route Propagation Disabled
If TGW routes are missing, verify propagation is enabled on the TGW Route Table
for the relevant VPC attachment. Use aws ec2 get-transit-gateway-route-table-propagations
to check. Disabled propagation requires manual static route entries.
Black-Hole Routes in Route Tables
Routes with status "blackhole" occur when the target resource (NAT Gateway, VPC Peering Connection, TGW Attachment) is deleted but the route entry remains. Identify affected subnets and either remove the route or create a replacement target.
Cross-Account VPC Audit
For multi-account environments using AWS Organizations, use aws sts assume-role
to obtain temporary credentials for each account. Alternatively, use AWS Config
aggregator or AWS RAM (Resource Access Manager) shared resources for centralized visibility.
β‘ When to Use
βοΈ Configuration
aws sts get-caller-identity succeeds)ec2:DescribeVpcs, ec2:DescribeSubnets, ec2:DescribeSecurityGroups, ec2:DescribeNetworkAcls, ec2:DescribeTransitGateways, ec2:DescribeTransitGatewayRouteTables, ec2:DescribeRouteTables, ec2:DescribeFlowLogs, ec2:DescribeNetworkInterfaces, ec2:DescribeVpcPeeringConnections, ec2:DescribeVpcEndpoints, ec2:DescribeAddresses, logs:FilterLogEvents, logs:DescribeLogGroupsπ Tips & Best Practices
VPC Flow Logs Not Enabled
If aws ec2 describe-flow-logs returns empty for the target VPC, Flow Logs
are not configured. Document as a Critical finding β no traffic visibility.
Flow Logs require an IAM role with logs:CreateLogGroup, logs:CreateLogStream,
logs:PutLogEvents permissions. Enabling Flow Logs is a non-disruptive operation.
Security Group Not Attached to Expected ENI
Use aws ec2 describe-network-interfaces --filters "Name=group-id,Values=
to find all ENIs associated with a Security Group. If the expected ENI is missing,
check whether the instance was replaced (Auto Scaling) or the SG was modified.
Transit Gateway Route Propagation Disabled
If TGW routes are missing, verify propagation is enabled on the TGW Route Table
for the relevant VPC attachment. Use aws ec2 get-transit-gateway-route-table-propagations
to check. Disabled propagation requires manual static route entries.
Black-Hole Routes in Route Tables
Routes with status "blackhole" occur when the target resource (NAT Gateway, VPC Peering Connection, TGW Attachment) is deleted but the route entry remains. Identify affected subnets and either remove the route or create a replacement target.
Cross-Account VPC Audit
For multi-account environments using AWS Organizations, use aws sts assume-role
to obtain temporary credentials for each account. Alternatively, use AWS Config
aggregator or AWS RAM (Resource Access Manager) shared resources for centralized visibility.