Chebis26/cloud-network-security-compliance
GitHub: Chebis26/cloud-network-security-compliance
一套覆盖 AWS 与 Azure 的生产级云网络安全框架,提供多层纵深防御架构设计与 PCI DSS、SOC 2 的自动化合规验证能力。
Stars: 0 | Forks: 0
# 云网络安全与合规框架
[](https://aws.amazon.com/)
[](https://azure.microsoft.com/)
[](https://www.pcisecuritystandards.org/)
[](https://www.aicpa.org/)
生产级云网络安全框架:包含安全架构设计、网络隔离、访问控制、微隔离,以及针对 PCI DSS 和 SOC 2 的自动化合规验证。
## 安全框架架构
```
NETWORK SECURITY LAYERS
┌──────────────────────────────────────────────────────────────────────┐
│ LAYER 1: PERIMETER SECURITY │
│ AWS WAF + Shield Advanced | Azure WAF (App Gateway/Front Door) │
│ • OWASP Top 10 protection • DDoS mitigation • IP reputation │
│ • Bot control • Rate limiting • Geo-blocking │
└──────────────────────────────┬───────────────────────────────────────┘
│ Filtered traffic only
┌──────────────────────────────▼───────────────────────────────────────┐
│ LAYER 2: NETWORK FIREWALL / NVA INSPECTION │
│ AWS Network Firewall | Azure Firewall Premium | Palo Alto VM-Series │
│ • Stateful L7 inspection • IDS/IPS signatures • TLS inspection │
│ • Domain allowlisting • DNS Firewall • App-ID filtering │
└──────────────────────────────┬───────────────────────────────────────┘
│ Inspected traffic
┌──────────────────────────────▼───────────────────────────────────────┐
│ LAYER 3: SUBNET-LEVEL CONTROLS │
│ AWS NACLs | Azure NSGs on subnet │
│ • Explicit deny rules • Subnet isolation • Micro-segmentation │
└──────────────────────────────┬───────────────────────────────────────┘
│
┌──────────────────────────────▼───────────────────────────────────────┐
│ LAYER 4: INSTANCE-LEVEL CONTROLS │
│ AWS Security Groups | Azure NSGs on NIC │
│ • Allow-list only (deny implicit) • SG-to-SG references │
└──────────────────────────────┬───────────────────────────────────────┘
│
┌──────────────────────────────▼───────────────────────────────────────┐
│ LAYER 5: DATA & IDENTITY │
│ KMS encryption | mTLS | RBAC | Zero Trust access policies │
└──────────────────────────────────────────────────────────────────────┘
```
## PCI DSS 网络要求映射
| PCI 要求 | 要求 | 网络控制 | 实现方式 |
|---------|-------------|-----------------|----------------|
| 1.2 | 限制入站/出站 | 防火墙规则 | NACLs + SGs 拒绝所有 + 显式允许 |
| 1.3 | 禁止直接从互联网访问 CDE | 隔离 | CDE 位于隔离的子网中,无公共路由 |
| 1.4 | 禁止未经批准的出站流量 | 出站过滤 | Network Firewall 域名允许列表 |
| 2.2 | 安全配置 | IaC + Config | 强制使用 Terraform,Config 规则 |
| 4.1 | 加密传输中的数据 | 全面启用 TLS | ALB 仅限 HTTPS,服务间使用 mTLS |
| 6.4 | 面向互联网的应用配置 WAF | WAF | AWS WAF / Azure WAF OWASP 规则 |
| 7.1 | 限制访问 | 最小权限 | 使用 SG/NSG 引用,而非 CIDR 范围 |
| 10.1 | 审计追踪 | Flow logs | VPC Flow Logs → S3 → Athena |
| 11.4 | IDS/IPS | 威胁检测 | Network Firewall IPS + GuardDuty |
## 分步执行
### 第 1 部分 — 安全网络架构
#### 第 1 步:CDE 隔离 (PCI DSS 持卡人数据环境)
```
cd terraform/aws/
# 创建隔离的 CDE VPC(独立于主应用 VPC)
# 无 peering,无 TGW attachment — 仅通过 PrivateLink 访问
terraform apply -target=module.cde_vpc -var="cidr=10.50.0.0/16"
CDE_VPC=$(terraform output -raw cde_vpc_id)
echo "CDE VPC: $CDE_VPC (isolated — no peering, no TGW)"
# CDE VPC 没有 internet gateway 且没有 NAT gateway
# 所有 AWS 服务访问仅通过 VPC Endpoints 进行
aws ec2 describe-internet-gateways \
--filters Name=attachment.vpc-id,Values=$CDE_VPC \
--query 'InternetGateways' --output text
# 预期:(空)— 没有附加到 CDE VPC 的 IGW
# 确认 CDE route tables 中没有指向 internet 的路由
aws ec2 describe-route-tables \
--filters Name=vpc-id,Values=$CDE_VPC \
--query 'RouteTables[*].Routes[*].DestinationCidrBlock' \
--output text | grep -E "0.0.0.0|::/0" \
&& echo "FAIL: CDE has internet route" || echo "PASS: No internet route in CDE"
```
#### 第 2 步:强制实施网络传输加密
```
# AWS:在 ALB 上强制使用 HTTPS(拒绝 HTTP)
aws elbv2 create-listener \
--load-balancer-arn $ALB_ARN \
--protocol HTTP --port 80 \
--default-actions \
Type=redirect,\
RedirectConfig={Protocol=HTTPS,Port=443,StatusCode=HTTP_301}
# 在 ALB 上强制最低 TLS 1.2
aws elbv2 modify-listener \
--listener-arn $HTTPS_LISTENER_ARN \
--ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06
# 策略强制要求:仅限 TLS 1.2+,强加密套件,无 RC4/DES
# AWS:通过 bucket policy 阻止未加密的 S3 上传
aws s3api put-bucket-policy \
--bucket $CDE_BUCKET \
--policy '{
"Version": "2012-10-17",
"Statement": [{
"Sid": "DenyHTTP",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": ["arn:aws:s3:::'$CDE_BUCKET'","arn:aws:s3:::'$CDE_BUCKET'/*"],
"Condition": {"Bool": {"aws:SecureTransport": "false"}}
}]
}'
# Azure:在 App Gateway 上强制使用 HTTPS
az network application-gateway http-listener update \
--gateway-name appgw-enterprise \
--resource-group rg-networking \
--name listener-http \
--frontend-port 80
az network application-gateway redirect-config create \
--gateway-name appgw-enterprise \
--resource-group rg-networking \
--name redirect-http-to-https \
--type Permanent \
--include-path true \
--include-query-string true \
--target-listener listener-https
echo "All HTTP traffic redirected to HTTPS. TLS 1.2+ enforced."
```
#### 第 3 步:配置 Network Firewall 出站控制
```
# AWS Network Firewall:domain allowlist(仅允许已批准的 egress)
cat > /tmp/nfw-policy.json << 'EOF'
{
"StatelessDefaultActions": ["aws:forward_to_sfe"],
"StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
"StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER"},
"StatefulRuleGroupReferences": [
{"ResourceArn": "'$DOMAIN_ALLOWLIST_RG_ARN'", "Priority": 1},
{"ResourceArn": "'$THREAT_SIGNATURES_RG_ARN'", "Priority": 2}
]
}
EOF
# Domain allowlist rule group
aws network-firewall create-rule-group \
--rule-group-name enterprise-domain-allowlist \
--type STATEFUL \
--capacity 1000 \
--rule-group '{
"RulesSource": {
"RulesSourceList": {
"GeneratedRulesType": "ALLOWLIST",
"TargetTypes": ["HTTP_HOST","TLS_SNI"],
"Targets": [
".amazonaws.com",".amazon.com",
"github.com",".github.com",
".docker.io","registry-1.docker.io",
".microsoft.com",".azure.com",
"pypi.org","*.pypi.org",
".paloaltonetworks.com",".cisco.com"
]
}
}
}'
echo "Egress filtered: only approved domains allowed through firewall"
```
### 第 2 部分 — 合规自动化
#### 第 4 步:用于网络合规的 AWS Config 规则
```
# 部署用于网络安全的 Config rules
NETWORK_RULES=(
"vpc-sg-open-only-to-authorized-ports"
"restricted-ssh"
"restricted-common-ports"
"no-unrestricted-route-to-igw"
"vpc-flow-logs-enabled"
"internet-gateway-authorized-vpc-only"
"ec2-instance-no-public-ip"
"alb-http-drop-invalid-header-enabled"
"elb-tls-https-listeners-only"
"nacl-no-unrestricted-ssh-rdp"
)
for RULE in "${NETWORK_RULES[@]}"; do
aws configservice put-config-rule \
--config-rule "{
\"ConfigRuleName\": \"$RULE\",
\"Source\": {
\"Owner\": \"AWS\",
\"SourceIdentifier\": \"$(echo $RULE | tr '[:lower:]' '[:upper:]' | tr '-' '_')\"
}
}" 2>/dev/null || echo "Rule already exists: $RULE"
done
# 获取合规性摘要
aws configservice get-compliance-summary-by-config-rule \
--query 'ComplianceSummary.{Compliant:CompliantResourceCount.CappedCount,NonCompliant:NonCompliantResourceCount.CappedCount}' \
--output table
```
#### 第 5 步:自动修复不合规的网络资源
```
# scripts/network_compliance_check.py
"""
Automated network compliance check for PCI DSS Requirement 1.
Identifies and optionally remediates security group misconfigurations.
"""
import boto3, json
ec2 = boto3.client('ec2', region_name='us-east-1')
sns = boto3.client('sns')
DANGEROUS_PORTS = {22: 'SSH', 3389: 'RDP', 1521: 'Oracle', 3306: 'MySQL',
5432: 'PostgreSQL', 27017: 'MongoDB', 6379: 'Redis'}
def check_security_groups(remediate: bool = False) -> list[dict]:
findings = []
paginator = ec2.get_paginator('describe_security_groups')
for page in paginator.paginate():
for sg in page['SecurityGroups']:
for rule in sg.get('IpPermissions', []):
for ip in rule.get('IpRanges', []):
if ip.get('CidrIp') not in ('0.0.0.0/0',):
continue
from_port = rule.get('FromPort', 0)
to_port = rule.get('ToPort', 65535)
for port, service in DANGEROUS_PORTS.items():
if from_port <= port <= to_port:
finding = {
'sg_id': sg['GroupId'],
'sg_name': sg.get('GroupName', ''),
'service': service,
'port': port,
'risk': 'CRITICAL'
}
findings.append(finding)
print(f"[CRITICAL] {sg['GroupId']} ({sg.get('GroupName')}): "
f"{service} (port {port}) open to 0.0.0.0/0")
if remediate:
ec2.revoke_security_group_ingress(
GroupId=sg['GroupId'],
IpPermissions=[{
'IpProtocol': rule['IpProtocol'],
'FromPort': from_port,
'ToPort': to_port,
'IpRanges': [{'CidrIp': '0.0.0.0/0'}]
}]
)
print(f" → REMEDIATED: Revoked {service} from 0.0.0.0/0")
return findings
if __name__ == '__main__':
import argparse
parser = argparse.ArgumentParser()
parser.add_argument('--remediate', action='store_true')
args = parser.parse_args()
findings = check_security_groups(remediate=args.remediate)
print(f"\nTotal findings: {len(findings)}")
with open('network_compliance_report.json', 'w') as f:
json.dump(findings, f, indent=2)
```
```
# 运行合规性检查(仅报告)
python3 scripts/network_compliance_check.py
# 运行并启用 auto-remediation
python3 scripts/network_compliance_check.py --remediate
```
## 安全架构原则
```
DESIGN PRINCIPLES FOR COMPLIANCE-ALIGNED NETWORKS:
1. LEAST PRIVILEGE CONNECTIVITY
→ Security Groups reference other SGs, not CIDR ranges
→ Each subnet has its own NACL with minimal rules
→ No 0.0.0.0/0 inbound except on ALB SG (HTTPS only)
2. NETWORK MICRO-SEGMENTATION
→ Separate VPC per environment (prod/staging/dev)
→ Separate subnet tier per function (web/app/data)
→ CDE workloads in isolated VPC (PCI DSS Req 1.3)
3. ENCRYPTED IN TRANSIT EVERYWHERE
→ ALB: TLS 1.2+ only, strong cipher policy
→ Service-to-service: mTLS via Istio/App Mesh
→ Database: SSL/TLS connections enforced
→ S3: deny HTTP access via bucket policy
4. FULL AUDIT TRAIL
→ VPC Flow Logs: ALL traffic, 90-day retention
→ CloudTrail: all API calls, log validation enabled
→ Config: track all resource configuration changes
→ Network Firewall: alert logs for threat signatures
5. AUTOMATED COMPLIANCE VALIDATION
→ AWS Config rules evaluate continuously
→ Non-compliant resources trigger SNS alert
→ Critical violations auto-remediated within 5 minutes
→ Weekly compliance report to security dashboard
```
## 许可证
MIT 许可证
标签:Streamlit, 网络安全, 网络架构, 访问控制, 逆向工具, 隐私保护