
Security Relevant Topology

Open efkay88 opened this issue 4 years ago • 5 comments

Feature name Security Relevant Topology

Is your feature request related to a problem? Please describe. As part of our security assessment we perform an analysis on a design idea based on a network diagram created with visio, draw.io etc. Our experience showed that implementation in the real world deviates from the design idea and finding the gaps can be complicated. Missing those gaps can lead to wrong assumptions regarding the overall design.

Describe the feature you'd like to see implemented All components involved in any communication with:

  • Network flow direction, incl port/service information
  • Data-in-transit encryption
  • IP-Whitelisting
  • All network relevant components (LB, NATGW, APIGW, DirectConnect, VPN, Cloudfront etc. )

Describe the value this feature will add to AWS Perspective Security Teams can analyze the implementation more quickly and provide more accurate threat analysis reports.

efkay88 avatar Sep 30 '20 12:09 efkay88

Thank you, we've had some discussions about this sort of thing before and these are good ideas we can add to that.

svozza avatar Sep 30 '20 12:09 svozza

@svozza : Happy to support with more specific use cases.

efkay88 avatar Sep 30 '20 12:09 efkay88

+1 to this. Would be great to see what is allowed not just what the actual network flow is (if it is different than what was originally requested)

bwu-tang avatar Feb 26 '21 14:02 bwu-tang

+1 It would be great if each resource can show the status of compliance rules applied to them via config rules. This will help the central sec audit team to review the account compliance.

cool-raj avatar Mar 25 '21 09:03 cool-raj

+1. I'd like to also see internet facing endpoints (and possibly on what ports they are reachable, and what policy/sg allows for that)

uname223 avatar Feb 11 '22 14:02 uname223
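The items asked for in this thread (flow direction with port information, IP allow-listing, and which security group makes an endpoint internet-facing) can largely be derived from security-group ingress rules. The block below is an added Python example, not code from the issue or from the Workload Discovery project: it walks constructed data shaped like the EC2 DescribeSecurityGroups response, flattens each rule into a flow record, classifies the source as unrestricted, public allow-list, private, or another security group, and reports the internet-facing flows. All group IDs, names, CIDRs and ports are made up for illustration; in practice the `SAMPLE_GROUPS` list would be replaced by the `SecurityGroups` key of a real `describe_security_groups` call.

```python
import ipaddress

# Constructed sample shaped like the EC2 DescribeSecurityGroups response
# (IpPermissions holds ingress rules). Every ID, name, CIDR and port here is
# made up for this example and does not come from the issue or the project.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0aaa111",
        "GroupName": "web-alb",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
             "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "office"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0bbb222",
        "GroupName": "app-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0aaa111"}]},
            {"IpProtocol": "-1",  # all protocols and ports, but only from RFC1918 space
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [],
             "UserIdGroupPairs": []},
        ],
    },
]

# Address space treated as "private" for classification. RFC1918 for IPv4 and
# unique-local (fc00::/7) for IPv6; everything else with a non-zero prefix is a
# public allow-list, and a /0 is unrestricted.
PRIVATE_V4 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PRIVATE_V6 = [ipaddress.ip_network("fc00::/7")]


def source_kind(cidr: str) -> str:
    """Classify a rule's source CIDR: unrestricted, private, or public-allowlist."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "unrestricted"
    private = PRIVATE_V4 if net.version == 4 else PRIVATE_V6
    if any(net.subnet_of(p) for p in private):
        return "private"
    return "public-allowlist"


def port_label(perm: dict) -> str:
    """Render the port range of a rule; protocol -1 or a missing/-1 FromPort means all."""
    if perm["IpProtocol"] == "-1":
        return "all"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or lo == -1:  # e.g. ICMP "all types"
        return "all"
    return str(lo) if lo == hi else f"{lo}-{hi}"


def ingress_flows(groups: list) -> list:
    """Flatten security groups into one record per (destination group, protocol, ports, source)."""
    flows = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            base = {"dst": g["GroupId"], "dst_name": g["GroupName"],
                    "proto": perm["IpProtocol"], "ports": port_label(perm)}
            for r in perm.get("IpRanges", []):
                flows.append({**base, "src": r["CidrIp"], "src_kind": source_kind(r["CidrIp"])})
            for r in perm.get("Ipv6Ranges", []):
                flows.append({**base, "src": r["CidrIpv6"], "src_kind": source_kind(r["CidrIpv6"])})
            for p in perm.get("UserIdGroupPairs", []):
                # Source is another security group: reachable only from members of that group.
                flows.append({**base, "src": p["GroupId"], "src_kind": "security-group"})
    return flows


def internet_facing(groups: list) -> list:
    """Flows whose source is outside private space: the internet-facing endpoints."""
    return [f for f in ingress_flows(groups) if f["src_kind"] in ("unrestricted", "public-allowlist")]


def exposure_report(groups: list) -> list:
    """One human-readable line per internet-facing flow, naming the group that allows it."""
    return [f'{f["dst_name"]} ({f["dst"]}): {f["proto"]}/{f["ports"]} from {f["src"]} [{f["src_kind"]}]'
            for f in internet_facing(groups)]


if __name__ == "__main__":
    for line in exposure_report(SAMPLE_GROUPS):
        print(line)
```

The classification deliberately uses explicit RFC1918 and ULA ranges rather than `ipaddress`'s `is_private`, because that property also flags documentation ranges such as 203.0.113.0/24 as private, which would hide a scoped public allow-list like the "office" rule above. Note that a rule on its own only shows what is allowed, as bwu-tang points out; pairing these records with VPC Flow Logs would show which of the allowed paths are actually used.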

We've evaluated this request and added it to our backlog but it is not prioritised in the immediate roadmap for the solution.

svozza avatar Jun 30 '23 14:06 svozza