Chebis26/cloud-network-security-compliance

GitHub: Chebis26/cloud-network-security-compliance

一套覆盖 AWS 与 Azure 的生产级云网络安全框架,提供多层纵深防御架构设计与 PCI DSS、SOC 2 的自动化合规验证能力。

Stars: 0 | Forks: 0

# 云网络安全与合规框架 [![AWS](https://img.shields.io/badge/AWS-Network_Security-FF9900?logo=amazon-aws)](https://aws.amazon.com/) [![Azure](https://img.shields.io/badge/Azure-Network_Security-0078D4?logo=microsoft-azure)](https://azure.microsoft.com/) [![PCI](https://img.shields.io/badge/Compliance-PCI_DSS-red)](https://www.pcisecuritystandards.org/) [![SOC2](https://img.shields.io/badge/Compliance-SOC_2-blue)](https://www.aicpa.org/) 生产级云网络安全框架:包含安全架构设计、网络隔离、访问控制、微隔离,以及针对 PCI DSS 和 SOC 2 的自动化合规验证。 ## 安全框架架构 ``` NETWORK SECURITY LAYERS ┌──────────────────────────────────────────────────────────────────────┐ │ LAYER 1: PERIMETER SECURITY │ │ AWS WAF + Shield Advanced | Azure WAF (App Gateway/Front Door) │ │ • OWASP Top 10 protection • DDoS mitigation • IP reputation │ │ • Bot control • Rate limiting • Geo-blocking │ └──────────────────────────────┬───────────────────────────────────────┘ │ Filtered traffic only ┌──────────────────────────────▼───────────────────────────────────────┐ │ LAYER 2: NETWORK FIREWALL / NVA INSPECTION │ │ AWS Network Firewall | Azure Firewall Premium | Palo Alto VM-Series │ │ • Stateful L7 inspection • IDS/IPS signatures • TLS inspection │ │ • Domain allowlisting • DNS Firewall • App-ID filtering │ └──────────────────────────────┬───────────────────────────────────────┘ │ Inspected traffic ┌──────────────────────────────▼───────────────────────────────────────┐ │ LAYER 3: SUBNET-LEVEL CONTROLS │ │ AWS NACLs | Azure NSGs on subnet │ │ • Explicit deny rules • Subnet isolation • Micro-segmentation │ └──────────────────────────────┬───────────────────────────────────────┘ │ ┌──────────────────────────────▼───────────────────────────────────────┐ │ LAYER 4: INSTANCE-LEVEL CONTROLS │ │ AWS Security Groups | Azure NSGs on NIC │ │ • Allow-list only (deny implicit) • SG-to-SG references │ └──────────────────────────────┬───────────────────────────────────────┘ │ ┌──────────────────────────────▼───────────────────────────────────────┐ │ LAYER 5: DATA & IDENTITY │ │ KMS encryption | mTLS | RBAC | Zero Trust access policies │ └──────────────────────────────────────────────────────────────────────┘ ``` ## PCI DSS 网络要求映射 | PCI 要求 | 要求 | 网络控制 | 实现方式 | |---------|-------------|-----------------|----------------| | 1.2 | 限制入站/出站 | 防火墙规则 | NACLs + SGs 拒绝所有 + 显式允许 | | 1.3 | 禁止直接从互联网访问 CDE | 隔离 | CDE 位于隔离的子网中,无公共路由 | | 1.4 | 禁止未经批准的出站流量 | 出站过滤 | Network Firewall 域名允许列表 | | 2.2 | 安全配置 | IaC + Config | 强制使用 Terraform,Config 规则 | | 4.1 | 加密传输中的数据 | 全面启用 TLS | ALB 仅限 HTTPS,服务间使用 mTLS | | 6.4 | 面向互联网的应用配置 WAF | WAF | AWS WAF / Azure WAF OWASP 规则 | | 7.1 | 限制访问 | 最小权限 | 使用 SG/NSG 引用,而非 CIDR 范围 | | 10.1 | 审计追踪 | Flow logs | VPC Flow Logs → S3 → Athena | | 11.4 | IDS/IPS | 威胁检测 | Network Firewall IPS + GuardDuty | ## 分步执行 ### 第 1 部分 — 安全网络架构 #### 第 1 步:CDE 隔离 (PCI DSS 持卡人数据环境) ``` cd terraform/aws/ # 创建隔离的 CDE VPC(独立于主应用 VPC) # 无 peering,无 TGW attachment — 仅通过 PrivateLink 访问 terraform apply -target=module.cde_vpc -var="cidr=10.50.0.0/16" CDE_VPC=$(terraform output -raw cde_vpc_id) echo "CDE VPC: $CDE_VPC (isolated — no peering, no TGW)" # CDE VPC 没有 internet gateway 且没有 NAT gateway # 所有 AWS 服务访问仅通过 VPC Endpoints 进行 aws ec2 describe-internet-gateways \ --filters Name=attachment.vpc-id,Values=$CDE_VPC \ --query 'InternetGateways' --output text # 预期:(空)— 没有附加到 CDE VPC 的 IGW # 确认 CDE route tables 中没有指向 internet 的路由 aws ec2 describe-route-tables \ --filters Name=vpc-id,Values=$CDE_VPC \ --query 'RouteTables[*].Routes[*].DestinationCidrBlock' \ --output text | grep -E "0.0.0.0|::/0" \ && echo "FAIL: CDE has internet route" || echo "PASS: No internet route in CDE" ``` #### 第 2 步:强制实施网络传输加密 ``` # AWS:在 ALB 上强制使用 HTTPS(拒绝 HTTP) aws elbv2 create-listener \ --load-balancer-arn $ALB_ARN \ --protocol HTTP --port 80 \ --default-actions \ Type=redirect,\ RedirectConfig={Protocol=HTTPS,Port=443,StatusCode=HTTP_301} # 在 ALB 上强制最低 TLS 1.2 aws elbv2 modify-listener \ --listener-arn $HTTPS_LISTENER_ARN \ --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06 # 策略强制要求:仅限 TLS 1.2+,强加密套件,无 RC4/DES # AWS:通过 bucket policy 阻止未加密的 S3 上传 aws s3api put-bucket-policy \ --bucket $CDE_BUCKET \ --policy '{ "Version": "2012-10-17", "Statement": [{ "Sid": "DenyHTTP", "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": ["arn:aws:s3:::'$CDE_BUCKET'","arn:aws:s3:::'$CDE_BUCKET'/*"], "Condition": {"Bool": {"aws:SecureTransport": "false"}} }] }' # Azure:在 App Gateway 上强制使用 HTTPS az network application-gateway http-listener update \ --gateway-name appgw-enterprise \ --resource-group rg-networking \ --name listener-http \ --frontend-port 80 az network application-gateway redirect-config create \ --gateway-name appgw-enterprise \ --resource-group rg-networking \ --name redirect-http-to-https \ --type Permanent \ --include-path true \ --include-query-string true \ --target-listener listener-https echo "All HTTP traffic redirected to HTTPS. TLS 1.2+ enforced." ``` #### 第 3 步:配置 Network Firewall 出站控制 ``` # AWS Network Firewall:domain allowlist(仅允许已批准的 egress) cat > /tmp/nfw-policy.json << 'EOF' { "StatelessDefaultActions": ["aws:forward_to_sfe"], "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"], "StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER"}, "StatefulRuleGroupReferences": [ {"ResourceArn": "'$DOMAIN_ALLOWLIST_RG_ARN'", "Priority": 1}, {"ResourceArn": "'$THREAT_SIGNATURES_RG_ARN'", "Priority": 2} ] } EOF # Domain allowlist rule group aws network-firewall create-rule-group \ --rule-group-name enterprise-domain-allowlist \ --type STATEFUL \ --capacity 1000 \ --rule-group '{ "RulesSource": { "RulesSourceList": { "GeneratedRulesType": "ALLOWLIST", "TargetTypes": ["HTTP_HOST","TLS_SNI"], "Targets": [ ".amazonaws.com",".amazon.com", "github.com",".github.com", ".docker.io","registry-1.docker.io", ".microsoft.com",".azure.com", "pypi.org","*.pypi.org", ".paloaltonetworks.com",".cisco.com" ] } } }' echo "Egress filtered: only approved domains allowed through firewall" ``` ### 第 2 部分 — 合规自动化 #### 第 4 步:用于网络合规的 AWS Config 规则 ``` # 部署用于网络安全的 Config rules NETWORK_RULES=( "vpc-sg-open-only-to-authorized-ports" "restricted-ssh" "restricted-common-ports" "no-unrestricted-route-to-igw" "vpc-flow-logs-enabled" "internet-gateway-authorized-vpc-only" "ec2-instance-no-public-ip" "alb-http-drop-invalid-header-enabled" "elb-tls-https-listeners-only" "nacl-no-unrestricted-ssh-rdp" ) for RULE in "${NETWORK_RULES[@]}"; do aws configservice put-config-rule \ --config-rule "{ \"ConfigRuleName\": \"$RULE\", \"Source\": { \"Owner\": \"AWS\", \"SourceIdentifier\": \"$(echo $RULE | tr '[:lower:]' '[:upper:]' | tr '-' '_')\" } }" 2>/dev/null || echo "Rule already exists: $RULE" done # 获取合规性摘要 aws configservice get-compliance-summary-by-config-rule \ --query 'ComplianceSummary.{Compliant:CompliantResourceCount.CappedCount,NonCompliant:NonCompliantResourceCount.CappedCount}' \ --output table ``` #### 第 5 步:自动修复不合规的网络资源 ``` # scripts/network_compliance_check.py """ Automated network compliance check for PCI DSS Requirement 1. Identifies and optionally remediates security group misconfigurations. """ import boto3, json ec2 = boto3.client('ec2', region_name='us-east-1') sns = boto3.client('sns') DANGEROUS_PORTS = {22: 'SSH', 3389: 'RDP', 1521: 'Oracle', 3306: 'MySQL', 5432: 'PostgreSQL', 27017: 'MongoDB', 6379: 'Redis'} def check_security_groups(remediate: bool = False) -> list[dict]: findings = [] paginator = ec2.get_paginator('describe_security_groups') for page in paginator.paginate(): for sg in page['SecurityGroups']: for rule in sg.get('IpPermissions', []): for ip in rule.get('IpRanges', []): if ip.get('CidrIp') not in ('0.0.0.0/0',): continue from_port = rule.get('FromPort', 0) to_port = rule.get('ToPort', 65535) for port, service in DANGEROUS_PORTS.items(): if from_port <= port <= to_port: finding = { 'sg_id': sg['GroupId'], 'sg_name': sg.get('GroupName', ''), 'service': service, 'port': port, 'risk': 'CRITICAL' } findings.append(finding) print(f"[CRITICAL] {sg['GroupId']} ({sg.get('GroupName')}): " f"{service} (port {port}) open to 0.0.0.0/0") if remediate: ec2.revoke_security_group_ingress( GroupId=sg['GroupId'], IpPermissions=[{ 'IpProtocol': rule['IpProtocol'], 'FromPort': from_port, 'ToPort': to_port, 'IpRanges': [{'CidrIp': '0.0.0.0/0'}] }] ) print(f" → REMEDIATED: Revoked {service} from 0.0.0.0/0") return findings if __name__ == '__main__': import argparse parser = argparse.ArgumentParser() parser.add_argument('--remediate', action='store_true') args = parser.parse_args() findings = check_security_groups(remediate=args.remediate) print(f"\nTotal findings: {len(findings)}") with open('network_compliance_report.json', 'w') as f: json.dump(findings, f, indent=2) ``` ``` # 运行合规性检查(仅报告) python3 scripts/network_compliance_check.py # 运行并启用 auto-remediation python3 scripts/network_compliance_check.py --remediate ``` ## 安全架构原则 ``` DESIGN PRINCIPLES FOR COMPLIANCE-ALIGNED NETWORKS: 1. LEAST PRIVILEGE CONNECTIVITY → Security Groups reference other SGs, not CIDR ranges → Each subnet has its own NACL with minimal rules → No 0.0.0.0/0 inbound except on ALB SG (HTTPS only) 2. NETWORK MICRO-SEGMENTATION → Separate VPC per environment (prod/staging/dev) → Separate subnet tier per function (web/app/data) → CDE workloads in isolated VPC (PCI DSS Req 1.3) 3. ENCRYPTED IN TRANSIT EVERYWHERE → ALB: TLS 1.2+ only, strong cipher policy → Service-to-service: mTLS via Istio/App Mesh → Database: SSL/TLS connections enforced → S3: deny HTTP access via bucket policy 4. FULL AUDIT TRAIL → VPC Flow Logs: ALL traffic, 90-day retention → CloudTrail: all API calls, log validation enabled → Config: track all resource configuration changes → Network Firewall: alert logs for threat signatures 5. AUTOMATED COMPLIANCE VALIDATION → AWS Config rules evaluate continuously → Non-compliant resources trigger SNS alert → Critical violations auto-remediated within 5 minutes → Weekly compliance report to security dashboard ``` ## 许可证 MIT 许可证
标签:Streamlit, 网络安全, 网络架构, 访问控制, 逆向工具, 隐私保护