AWS Security ChangesHomeSearch

AWS prescriptive-guidance documentation change

Service: prescriptive-guidance · 2026-07-10 · Documentation low

File: prescriptive-guidance/latest/security-reference-architecture/network.md

Summary

Added detailed information about AWS Network Firewall managed rule groups (threat defense, domain/IP filtering, threat signatures) and clarified design considerations for multiple services.

Security assessment

The changes add documentation about security features like Network Firewall's managed rule groups, which help protect against malware, bots, and known threats. While these are security-related features, there is no evidence of addressing a specific vulnerability or incident.

Diff

diff --git a/prescriptive-guidance/latest/security-reference-architecture/network.md b/prescriptive-guidance/latest/security-reference-architecture/network.md
index d70d9acc2..d2adc8bd3 100644
--- a//prescriptive-guidance/latest/security-reference-architecture/network.md
+++ b//prescriptive-guidance/latest/security-reference-architecture/network.md
@@ -11,3 +10,0 @@ Network architectureInbound (ingress) VPCOutbound (egress) VPCInspection VPCAWS
-Influence the future of the AWS Security Reference Architecture (AWS SRA) by taking a [short survey](https://amazonmr.au1.qualtrics.com/jfe/form/SV_e3XI1t37KMHU2ua).  
----  
-  
@@ -16 +13 @@ The following diagram illustrates the AWS security services that are configured
-![Security services for the Network account](/images/prescriptive-guidance/latest/security-reference-architecture/images/network-acct.png)
+![Security services for the Network account.](/images/prescriptive-guidance/latest/security-reference-architecture/images/guide-img/91d313fc-d5f1-45a8-a5a6-2f4fc7abc93a/images/ce4eaa4d-b762-46fc-b788-83c4131e6681.png)
@@ -50,0 +48,13 @@ You use a firewall on a per-Availability Zone basis in your VPC. For each Availa
+Network Firewall provides _managed rule groups_ , a collection of pre-defined, ready-to-use rules that AWS writes and maintains for you. You can select one or more of the following rule groups to use in your Network Firewall policies:
+
+  * [Active threat defense managed rule groups ](https://docs.aws.amazon.com/network-firewall/latest/developerguide/aws-managed-rule-groups-atd.html)help protect against active threats tracked by AWS threat intelligence.
+
+  * [Domain and IP managed rule groups ](https://docs.aws.amazon.com/network-firewall/latest/developerguide/aws-managed-rule-groups-domain-list.html)help protect against domains known or suspected to be associated with malware or bots.
+
+  * [Threat signature managed rule groups ](https://docs.aws.amazon.com/network-firewall/latest/developerguide/aws-managed-rule-groups-threat-signature.html)inspect for and defend against signatures that represent a variety of known threat categories.
+
+
+
+
+Each set of managed rule groups counts as a single rule group toward the maximum number of stateful rule groups per firewall policy.
+
@@ -55 +65 @@ In the AWS SRA, Network Firewall is used within the network account because the
-###### Design considerations
+**Design considerations:**
@@ -82 +92,5 @@ The Network account defines the critical network infrastructure that controls th
-###### Design consideration
+**Design consideration:**
+
+  * Network Access Analyzer is a feature of Amazon VPC, and it can be used in any AWS account that has a VPC. Network administrators can get tightly scoped, cross-account IAM roles to validate that approved network paths are enforced within each AWS account.
+
+
@@ -84 +97,0 @@ The Network account defines the critical network infrastructure that controls th
-Network Access Analyzer is a feature of Amazon VPC, and it can be used in any AWS account that has a VPC. Network administrators can get tightly scoped, cross-account IAM roles to validate that approved network paths are enforced within each AWS account.
@@ -94 +107,5 @@ AWS RAM is invoked and managed by the resource owner, in the account where the s
-###### Design consideration
+**Design consideration:**
+
+  * Although AWS RAM as a service is deployed only within the Network account in the AWS SRA, it would typically be deployed in more than one account. For example, you can centralize your data lake management to a single data lake account, and then share the AWS Lake Formation data catalog resources (databases and tables) with other accounts in your AWS organization. For more information, see the [AWS Lake Formation documentation](https://docs.aws.amazon.com/lake-formation/latest/dg/sharing-catalog-resources.html) and the AWS blog post [Securely share your data across AWS accounts using AWS Lake Formation](https://aws.amazon.com/blogs/big-data/securely-share-your-data-across-aws-accounts-using-aws-lake-formation/). Additionally, security administrators can use AWS RAM to follow best practices when they build an AWS Private Certificate Authority hierarchy. CAs can be shared with external third parties, who can issue certificates without having access to the CA hierarchy. This allows origination organizations to limit and revoke third-party access.
+
+
@@ -96 +112,0 @@ AWS RAM is invoked and managed by the resource owner, in the account where the s
-Although AWS RAM as a service is deployed only within the Network account in the AWS SRA, it would typically be deployed in more than one account. For example, you can centralize your data lake management to a single data lake account, and then share the AWS Lake Formation data catalog resources (databases and tables) with other accounts in your AWS organization. For more information, see the [AWS Lake Formation documentation](https://docs.aws.amazon.com/lake-formation/latest/dg/sharing-catalog-resources.html) and the AWS blog post [Securely share your data across AWS accounts using AWS Lake Formation](https://aws.amazon.com/blogs/big-data/securely-share-your-data-across-aws-accounts-using-aws-lake-formation/). Additionally, security administrators can use AWS RAM to follow best practices when they build an AWS Private Certificate Authority hierarchy. CAs can be shared with external third parties, who can issue certificates without having access to the CA hierarchy. This allows origination organizations to limit and revoke third-party access.
@@ -106 +122,5 @@ In the AWS SRA, Verified Access is hosted within the Network account. The centra
-###### Design consideration
+**Design consideration:**
+
+  * You can group endpoints for applications that have similar security requirements to simplify policy administration, and then share the group with application accounts. All applications in the group share the group policy. If an application in the group requires a specific policy because of an edge case, you can apply application-level policy for that application.
+
+
@@ -108 +127,0 @@ In the AWS SRA, Verified Access is hosted within the Network account. The centra
-You can group endpoints for applications that have similar security requirements to simplify policy administration, and then share the group with application accounts. All applications in the group share the group policy. If an application in the group requires a specific policy because of an edge case, you can apply application-level policy for that application.
@@ -114 +133 @@ You can group endpoints for applications that have similar security requirements
-VPC Lattice integrates with AWS RAM to enable sharing of services and service networks. AWS SRA depicts a distributed architecture where developers or service owners create VPC Lattice services in their Application account. Service owners define the listeners, routing rules, and target groups along with auth policies. They then share the services with other accounts, and associate the services with VPC Lattice service networks. These networks are created by network administrators in the Network account and shared with the Application account. Network administrators configure service network-level auth policies and monitoring. Administrators associate VPCs and VPC Lattice services with one or more service networks. For a detailed walkthrough of this distributed architecture, see the AWS blog post [Build secure multi-account multi-VPC connectivity for your applications with Amazon VPC Lattice](https://aws.amazon.com/blogs/networking-and-content-delivery/build-secure-multi-account-multi-vpc-connectivity-for-your-applications-with-amazon-vpc-lattice/)
+VPC Lattice integrates with AWS RAM to enable sharing of services and service networks. AWS SRA depicts a distributed architecture where developers or service owners create VPC Lattice services in their Application account. Service owners define the listeners, routing rules, and target groups along with auth policies. They then share the services with other accounts, and associate the services with VPC Lattice service networks. These networks are created by network administrators in the Network account and shared with the Application account. Network administrators configure service network-level auth policies and monitoring. Administrators associate VPCs and VPC Lattice services with one or more service networks. For a detailed walkthrough of this distributed architecture, see the AWS blog post [Build secure multi-account multi-VPC connectivity for your applications with Amazon VPC Lattice](https://aws.amazon.com/blogs/networking-and-content-delivery/build-secure-multi-account-multi-vpc-connectivity-for-your-applications-with-amazon-vpc-lattice/). 
@@ -116 +135 @@ VPC Lattice integrates with AWS RAM to enable sharing of services and service ne
-###### Design considerations
+**Design considerations:**
@@ -120 +139 @@ VPC Lattice integrates with AWS RAM to enable sharing of services and service ne
-  * A client can send requests to services that are associated with a service network only if the client is in a VPC that's associated with the same service network. Client traffic that traverses a VPC peering connection or a transit gateway is denied.
+  * All clients and services in VPCs associated with the service network can communicate with other services within the same service network. Traffic that traverses VPC peering or AWS Transit Gateway can also access resources and services over a VPC endpoint.
@@ -141 +160 @@ The CloudFront security dashboard provides AWS WAF visibility and controls direc
-###### Design considerations
+**Design considerations:**
@@ -162 +181 @@ You can send full AWS WAF logs to an S3 bucket in the Log Archive account by con
-###### Design considerations
+**Design considerations:**
@@ -177 +196 @@ You can use the [Shield Advanced automatic application layer DDoS mitigation fea
-###### Design considerations
+**Design considerations:**
@@ -194 +213,5 @@ ACM is used in the Network account to generate a public TLS certificate, which,
-###### Design consideration
+**Design consideration:**
+
+  * For externally facing certificates, ACM must reside in the same account as the resources for which it provisions certificates. Certificates cannot be shared across accounts.
+
+
@@ -196 +218,0 @@ ACM is used in the Network account to generate a public TLS certificate, which,
-For externally facing certificates, ACM must reside in the same account as the resources for which it provisions certificates. Certificates cannot be shared across accounts.
@@ -210 +232 @@ Route 53 resolvers are created by default as part of every VPC. In the AWS SRA,
-###### Design consideration
+**Design consideration:**
@@ -212 +234 @@ Route 53 resolvers are created by default as part of every VPC. In the AWS SRA,
-DNS Firewall and AWS Network Firewall both offer domain name filtering, but for different types of traffic. You can use DNS Firewall and Network Firewall together to configure domain-based filtering for application-layer traffic over two different network paths:
+  * DNS Firewall and AWS Network Firewall both offer domain name filtering, but for different types of traffic. You can use DNS Firewall and Network Firewall together to configure domain-based filtering for application-layer traffic over two different network paths: