Network & Infrastructure
Your network is the foundation everything else sits on. We review how traffic flows, where the boundaries are, and whether the right controls are in place to prevent unauthorised access and lateral movement.
VPC Design & Security Groups
We review your VPC topology, subnet design, and security group rules across all accounts and regions. Security groups are stateful and allow-only, so exposure is the union of every rule attached to a resource, not any single rule in isolation. The assessment identifies overly permissive rules — such as 0.0.0.0/0 or ::/0 ingress on SSH, RDP, and other management ports, or rules that allow all protocols and ports from any source — flat network designs where workloads that should be isolated can communicate freely, and unused or redundant security groups that add complexity and hide intent.
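To illustrate the kind of check described above, here is an added example (not the assessor's own tooling) that flags security group ingress rules open to the whole internet on management ports. It operates on the dict shape that EC2 DescribeSecurityGroups returns, so live data from `boto3.client("ec2").describe_security_groups()["SecurityGroups"]` can be passed straight in; the list of management ports and the sample groups below are constructed for the example.

```python
"""Flag security-group ingress rules open to the world on management ports.

Added example; operates on the dict shape returned by EC2 DescribeSecurityGroups.
"""

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
# Hypothetical list of "management" ports for this check; tune per environment.
MANAGEMENT_PORTS = {22: "ssh", 3389: "rdp", 5985: "winrm-http", 5986: "winrm-https"}


def rule_covers_port(perm, port):
    """True if an IpPermission entry admits traffic to `port` (TCP or all-protocol)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                 # "-1" means every protocol and every port
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:      # not expected for tcp, but treat as unbounded
        return True
    return lo <= port <= hi


def world_open_sources(perm):
    """Return the world-open CIDRs (IPv4 and IPv6) referenced by an IpPermission entry."""
    found = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") in WORLD_CIDRS]
    found += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in WORLD_CIDRS]
    return found


def find_exposed_management_ports(security_groups):
    """Return sorted (group_id, port, service, cidr) tuples for world-open management ports."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = world_open_sources(perm)
            if not cidrs:
                continue
            for port, name in MANAGEMENT_PORTS.items():
                if rule_covers_port(perm, port):
                    for cidr in cidrs:
                        findings.append((sg["GroupId"], port, name, cidr))
    return sorted(findings)


# Constructed sample in the DescribeSecurityGroups shape (not real account data).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "bastion",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "web",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "GroupName": "legacy-all-open",
     "IpPermissions": [{"IpProtocol": "-1",
                        "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ddd", "GroupName": "ops-rdp-from-office",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                        "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for gid, port, name, cidr in find_exposed_management_ports(SAMPLE_GROUPS):
        print(f"{gid}: {name}/{port} open to {cidr}")
```

Note that the all-protocol rule on sg-0ccc is reported once per management port, which is the useful view for a finding list, while the web group's 443 rule and the office-scoped RDP rule are correctly ignored.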
Network ACLs & Traffic Flow
We assess Network ACL configuration at the subnet level as an additional layer of defence beyond security groups. Unlike security groups, NACLs are stateless and evaluate rules in ascending rule-number order, so a leading allow-all entry makes every later entry irrelevant. We identify subnets still associated with the VPC default NACL, which allows all inbound and outbound traffic, or with custom NACLs that reproduce the same allow-all pattern, and review traffic flow between public, private, and isolated subnets to ensure the network boundaries match your intended architecture.
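As an added example of the NACL check above (not the assessor's own tooling), the following code walks the dict shape returned by EC2 DescribeNetworkAcls and reports every subnet whose NACL starts its inbound evaluation with an allow-all entry, which is exactly what the VPC default NACL looks like. The ACLs and subnet ids are constructed for the example; live data comes from `boto3.client("ec2").describe_network_acls()["NetworkAcls"]`.

```python
"""Find subnets whose network ACL allows all inbound traffic (the default-NACL pattern).

Added example; operates on the dict shape returned by EC2 DescribeNetworkAcls.
"""

CATCH_ALL_RULE = 32767   # the implicit final "*" deny entry present in every NACL
WORLD_V4 = "0.0.0.0/0"


def ingress_entries(acl):
    """IPv4 ingress entries in evaluation order, excluding the implicit deny."""
    return sorted(
        (e for e in acl["Entries"]
         if not e["Egress"] and e["RuleNumber"] != CATCH_ALL_RULE and "CidrBlock" in e),
        key=lambda e: e["RuleNumber"],
    )


def allows_all_ingress(acl):
    """True if the first IPv4 ingress entry is 'allow all protocols from anywhere'.

    Rules are evaluated lowest number first, so such a leading entry admits every
    inbound IPv4 packet regardless of what follows. A NACL with no explicit
    ingress entries (only the implicit deny) blocks everything and is not flagged.
    """
    entries = ingress_entries(acl)
    if not entries:
        return False
    first = entries[0]
    return (first["RuleAction"] == "allow"
            and first["Protocol"] == "-1"
            and first["CidrBlock"] == WORLD_V4)


def subnets_with_allow_all_ingress(network_acls):
    """Map subnet id -> NACL id for every subnet behind an allow-all ingress NACL."""
    result = {}
    for acl in network_acls:
        if allows_all_ingress(acl):
            for assoc in acl.get("Associations", []):
                result[assoc["SubnetId"]] = acl["NetworkAclId"]
    return result


def _entry(rule, action, protocol, egress, cidr=WORLD_V4, ports=None):
    e = {"RuleNumber": rule, "RuleAction": action, "Protocol": protocol,
         "Egress": egress, "CidrBlock": cidr}
    if ports:
        e["PortRange"] = {"From": ports[0], "To": ports[1]}
    return e


# Constructed sample in the DescribeNetworkAcls shape (not real account data).
SAMPLE_ACLS = [
    {"NetworkAclId": "acl-0def", "IsDefault": True,
     "Entries": [_entry(100, "allow", "-1", False), _entry(100, "allow", "-1", True),
                 _entry(CATCH_ALL_RULE, "deny", "-1", False),
                 _entry(CATCH_ALL_RULE, "deny", "-1", True)],
     "Associations": [{"SubnetId": "subnet-pub1"}, {"SubnetId": "subnet-pub2"}]},
    {"NetworkAclId": "acl-0web", "IsDefault": False,
     "Entries": [_entry(100, "allow", "6", False, ports=(443, 443)),
                 _entry(110, "allow", "6", False, ports=(1024, 65535)),
                 _entry(100, "allow", "-1", True),
                 _entry(CATCH_ALL_RULE, "deny", "-1", False),
                 _entry(CATCH_ALL_RULE, "deny", "-1", True)],
     "Associations": [{"SubnetId": "subnet-priv1"}]},
    {"NetworkAclId": "acl-0iso", "IsDefault": False,
     "Entries": [_entry(CATCH_ALL_RULE, "deny", "-1", False),
                 _entry(CATCH_ALL_RULE, "deny", "-1", True)],
     "Associations": [{"SubnetId": "subnet-iso1"}]},
]

if __name__ == "__main__":
    for subnet, acl in sorted(subnets_with_allow_all_ingress(SAMPLE_ACLS).items()):
        print(f"{subnet} relies on allow-all ingress NACL {acl}")
```

The acl-0web entry shows the stateless caveat in practice: because return traffic is not tracked, the ephemeral port range 1024-65535 has to be opened explicitly for responses to reach the subnet, and that rule is a legitimate allow rather than a finding.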
Transit Gateway & VPC Peering
For multi-VPC and multi-account environments, we review Transit Gateway route tables, attachments, association and propagation settings. A single route table that every attachment is both associated with and propagates into gives any-to-any connectivity by default, so we identify where routing is too broad — allowing traffic to flow between VPCs that should be isolated — and assess whether peering connections and the VPC route tables that point at them follow the principle of least connectivity.
WAF & DDoS Protection
We assess AWS WAF web ACLs across CloudFront distributions, Application Load Balancers, and API Gateway REST API stages, including which managed and custom rule groups are attached and whether they run in count or block mode. We review AWS Shield coverage, noting that Shield Standard applies automatically while Shield Advanced is an opt-in subscription, and check whether web-facing resources have appropriate protections in place against common attacks including SQL injection, XSS, and volumetric DDoS.
PrivateLink & VPC Endpoints
We identify AWS services — S3, DynamoDB, SQS, and others — that are being accessed over the public internet where VPC Endpoints or PrivateLink are available, and check that endpoints which do exist are actually in use: a gateway endpoint only takes effect once the relevant route tables reference it. Moving to private connectivity keeps traffic on the AWS backbone and reduces exposure. Gateway endpoints for S3 and DynamoDB carry no charge and can eliminate NAT Gateway data-processing costs for that traffic; interface endpoints have their own hourly and per-GB pricing, so the cost case is made per service.
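The check above, as an added example that is not the assessor's own tooling: given the dict shape returned by EC2 DescribeVpcEndpoints and a list of VPC ids that host private workloads, report which of a baseline set of services has no available endpoint in each VPC, and separately flag gateway endpoints that exist but are attached to no route table. The region, VPC ids, baseline service list and endpoint records are constructed for the example; live data comes from `boto3.client("ec2").describe_vpc_endpoints()["VpcEndpoints"]`.

```python
"""Report missing and unrouted VPC Endpoints per VPC.

Added example; operates on the dict shape returned by EC2 DescribeVpcEndpoints.
"""

# Hypothetical baseline: services whose traffic should stay on the AWS backbone.
REQUIRED_SERVICES = ("s3", "dynamodb", "sqs", "sts", "logs")


def service_name(region, short):
    """Build the ServiceName string EC2 reports, e.g. com.amazonaws.eu-west-1.s3."""
    return f"com.amazonaws.{region}.{short}"


def missing_endpoints(vpc_endpoints, vpc_ids, region, required=REQUIRED_SERVICES):
    """Map vpc id -> sorted list of required services with no available endpoint."""
    wanted = {service_name(region, s): s for s in required}
    report = {}
    for vpc_id in vpc_ids:
        present = {ep["ServiceName"] for ep in vpc_endpoints
                   if ep["VpcId"] == vpc_id and ep["State"] == "available"}
        gaps = sorted(short for full, short in wanted.items() if full not in present)
        if gaps:
            report[vpc_id] = gaps
    return report


def unrouted_gateway_endpoints(vpc_endpoints):
    """Gateway endpoints (S3/DynamoDB) with no route table association.

    Such an endpoint is inert: traffic from the subnets still leaves via the
    NAT Gateway or internet gateway, so the endpoint's existence is misleading.
    """
    return sorted(ep["VpcEndpointId"] for ep in vpc_endpoints
                  if ep["VpcEndpointType"] == "Gateway" and not ep.get("RouteTableIds"))


def _ep(ep_id, vpc, region, short, ep_type, state="available", rtbs=()):
    return {"VpcEndpointId": ep_id, "VpcId": vpc, "ServiceName": service_name(region, short),
            "VpcEndpointType": ep_type, "State": state, "RouteTableIds": list(rtbs)}


# Constructed sample in the DescribeVpcEndpoints shape (not real account data).
REGION = "eu-west-1"
PRIVATE_VPCS = ["vpc-0a", "vpc-0b"]
SAMPLE_ENDPOINTS = [
    _ep("vpce-1", "vpc-0a", REGION, "s3", "Gateway", rtbs=["rtb-1"]),
    _ep("vpce-2", "vpc-0a", REGION, "dynamodb", "Gateway"),          # no route table
    _ep("vpce-3", "vpc-0a", REGION, "sqs", "Interface"),
    _ep("vpce-4", "vpc-0a", REGION, "sts", "Interface"),
    _ep("vpce-5", "vpc-0a", REGION, "logs", "Interface"),
    _ep("vpce-6", "vpc-0b", REGION, "s3", "Gateway", state="pending", rtbs=["rtb-2"]),
]

if __name__ == "__main__":
    for vpc, gaps in missing_endpoints(SAMPLE_ENDPOINTS, PRIVATE_VPCS, REGION).items():
        print(f"{vpc}: no endpoint for {', '.join(gaps)}")
    for ep_id in unrouted_gateway_endpoints(SAMPLE_ENDPOINTS):
        print(f"{ep_id}: gateway endpoint not referenced by any route table")
```

vpc-0a has every baseline endpoint, so it does not appear in the gap report, yet its DynamoDB gateway endpoint is unrouted and would still be a finding; vpc-0b's only endpoint is still pending, so it counts as missing.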