This chapter covers VPC Network Access Analyzer, a powerful AWS tool for verifying that your VPC network configurations comply with your intended security and access policies. For the SAA-C03 exam, understanding this service is critical because it directly tests your ability to audit and validate network security in a VPC — a core skill for the Secure Architectures domain. Approximately 5-10% of exam questions touch on VPC security analysis tools, including Network Access Analyzer, so mastering this topic can significantly boost your score. We will dive deep into how it works, how to configure it, and the exact exam traps you must avoid.
Imagine you are a building safety inspector for a large office complex. The complex has hundreds of rooms, each with doors that can be locked or unlocked, and windows that can be open or closed. Your job is to ensure that no door that should be locked is left unlocked, and no window that should be closed is left open, especially those that could allow unauthorized entry. You have a master blueprint of the intended security policy: which doors should be locked, which windows should be secure. Instead of manually checking every door and window, you use an automated scanning tool that compares the actual state of each door and window (from a central monitoring system) against the intended security policy. The tool generates a report listing every discrepancy: doors that are unlocked but should be locked, windows that are open but should be closed. It also identifies paths that an intruder could take from an external door to a sensitive area, like the server room. This is exactly what VPC Network Access Analyzer does: it compares the actual network configuration of your VPC (security groups, network ACLs, route tables, etc.) against your intended network access policies (defined as a 'network access scope') and reports findings where the actual configuration allows unintended access. It also shows the specific network paths that lead to unintended access, helping you visualize and remediate security risks.
What is VPC Network Access Analyzer?
VPC Network Access Analyzer is a feature of Amazon VPC that helps you identify unintended network access to your resources. It allows you to specify your intended network access policies — called 'network access scopes' — and then analyzes the actual VPC configurations (security groups, network ACLs, route tables, gateways, etc.) to detect any discrepancies. The analyzer reports findings that indicate where the actual network access does not match your intended policy. These findings include the specific network path that leads to the unintended access, enabling you to pinpoint the misconfiguration.
Why It Exists
In complex VPC environments with multiple security groups, NACLs, transit gateways, and VPN connections, it is easy to accidentally allow unintended network traffic. For example, a security group rule might be too permissive (e.g., 0.0.0.0/0 on port 22), or a NACL might allow inbound traffic that should be blocked. Manual auditing is error-prone and does not scale. Network Access Analyzer automates this verification, providing a continuous assessment of your network security posture.
How It Works Internally
The analyzer operates by simulating network paths between specified source and destination endpoints, based on your current VPC configuration. It does not send actual packets; it uses a static analysis of the configuration data. Here is the step-by-step mechanism:
1. Define a Network Access Scope: You create a scope that defines the intended network access. A scope consists of:
- Source: The resources that initiate traffic (e.g., VPC, subnet, security group, or a specific resource such as an EC2 instance).
- Destination: The resources that receive traffic.
- Protocol and Ports: The allowed protocols and port ranges.
- Traffic Direction: Ingress or egress.
- Match Criteria: You can specify conditions such as VPC IDs, subnet IDs, security group IDs, or resource ARNs.
2. Analyze the Scope: When you trigger an analysis (manually or via a scheduled event), the analyzer evaluates the current VPC configuration against the scope. It considers:
- Security group rules
- Network ACL rules
- Route tables (including prefix lists, gateway routes, etc.)
- VPC peering connections
- Transit gateway attachments
- VPN connections
- AWS Direct Connect
- Internet gateways and NAT gateways
- VPC endpoints
- AWS Network Firewall rules
- Any other relevant network components
3. Generate Findings: The analyzer produces findings that list:
- Unintended Access: Network paths that exist in the configuration but are not allowed by the scope.
- Missing Access: Network paths that are allowed by the scope but are not possible due to the configuration.
- Partial Access: Paths that partially match the scope (e.g., correct source/destination but wrong port).
Each finding includes a detailed network path showing each hop from source to destination, including the specific resources and rules involved.
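To make the static evaluation concrete, here is a constructed toy model (added here; it is neither AWS's code nor the page's own) of one ingress path: a made-up route table, ordered NACL, security group and intended scope are compared the way the three steps above describe, producing unintended, missing and partial findings together with the hops involved. Every ID, CIDR and rule in it is an assumption.

```python
"""Toy model of how Network Access Analyzer judges a path statically.

Constructed example, not AWS code. One ingress path
(source -> route table -> subnet NACL -> security group -> instance)
is evaluated from configuration alone and compared with an intended
scope; no packets are ever sent.
"""
import ipaddress

VPC_CIDR = "10.0.0.0/16"                       # hypothetical VPC
ROUTE_TABLE = {"0.0.0.0/0": "igw-0abc"}        # public subnet: IGW route
NACL_INBOUND = [                               # evaluated in rule-number order
    (100, "allow", VPC_CIDR,     (0, 65535)),
    (110, "deny",  "0.0.0.0/0",  (3389, 3389)),
    (120, "allow", "0.0.0.0/0",  (0, 65535)),
]
SG_INBOUND = [                                 # any matching rule allows
    ("0.0.0.0/0",      (22, 22)),              # the classic exam misconfiguration
    ("203.0.113.0/24", (443, 443)),
]
# intended policy (the "scope"): source CIDR -> ports it may reach
SCOPE = {"203.0.113.0/24": {443}, "10.0.1.0/24": {22, 5432}}


def _in_cidr(src, cidr):
    return ipaddress.ip_network(src).subnet_of(ipaddress.ip_network(cidr))


def route_hop(src):
    """In-VPC sources use the local route; others need 0.0.0.0/0 -> IGW."""
    if _in_cidr(src, VPC_CIDR):
        return True, "route: local"
    target = ROUTE_TABLE.get("0.0.0.0/0")
    return target is not None, f"route: 0.0.0.0/0 -> {target or 'none'}"


def nacl_decision(src, port):
    """First matching NACL rule wins; implicit deny when nothing matches."""
    for num, action, cidr, (lo, hi) in NACL_INBOUND:
        if _in_cidr(src, cidr) and lo <= port <= hi:
            return action == "allow", f"nacl rule {num} ({action})"
    return False, "nacl implicit deny (*)"


def sg_decision(src, port):
    """Security groups are allow-only: no matching rule means deny."""
    for cidr, (lo, hi) in SG_INBOUND:
        if _in_cidr(src, cidr) and lo <= port <= hi:
            return True, f"sg rule {cidr} {lo}-{hi} (allow)"
    return False, "sg: no matching rule (deny)"


def trace_path(src, port):
    """Walk the hops in order; stop at the first one that blocks."""
    hops = []
    for ok, why in (route_hop(src), nacl_decision(src, port), sg_decision(src, port)):
        hops.append(why)
        if not ok:
            return False, hops
    return True, hops


def analyze(candidates):
    """Classify each (src, port) candidate against SCOPE like the analyzer does."""
    findings = []
    for src, port in candidates:
        reachable, hops = trace_path(src, port)
        intended = port in SCOPE.get(src, set())
        if reachable and not intended:
            # right source/destination but wrong port is the page's "partial" case
            kind = "partial" if src in SCOPE else "unintended"
            findings.append((kind, src, port, hops))
        elif intended and not reachable:
            findings.append(("missing", src, port, hops))
    return findings
```

A real analysis enumerates the candidate sources and ports from the configuration itself; here they are passed in explicitly.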
Key Components, Values, and Defaults
- Network Access Scope: A resource that defines your intended policy. You can create up to 100 scopes per account per Region (soft limit, can be increased).
- Findings: Stored for 90 days. You can view them in the AWS Management Console, AWS CLI, or via Amazon EventBridge events.
- Analysis Types:
  - On-Demand Analysis: Triggered manually.
  - Scheduled Analysis: You can schedule recurring analyses using Amazon EventBridge rules (e.g., every 6 hours).
- Pricing: There is no additional charge for Network Access Analyzer; you pay only for the resources it analyzes (e.g., VPCs, subnets). As of the exam, it is generally free to use.
- Regions: Available in all commercial AWS Regions.
Configuration and Verification
You can create a network access scope using the AWS Management Console, AWS CLI, or AWS SDK. Here is an example using the AWS CLI:

aws ec2 create-network-insights-access-scope \
    --match-paths '[
      {
        "Source": {
          "ResourceStatement": {
            "ResourceTypes": ["AWS::EC2::Instance"]
          }
        },
        "Destination": {
          "ResourceStatement": {
            "ResourceTypes": ["AWS::EC2::VPC"]
          }
        },
        "ThroughResources": [
          {
            "ResourceStatement": {
              "ResourceTypes": ["AWS::EC2::InternetGateway"]
            }
          }
        ]
      }
    ]'

This scope defines that EC2 instances should be able to reach any VPC via an internet gateway (i.e., outbound internet access).

To start an analysis:

aws ec2 start-network-insights-access-scope-analysis \
    --network-insights-access-scope-id scope-1234567890abcdef0

To list the analyses run against the scope (the response indicates whether findings were found):

aws ec2 describe-network-insights-access-scope-analyses \
    --network-insights-access-scope-id scope-1234567890abcdef0

How It Interacts with Related Technologies
AWS Security Hub: Findings from Network Access Analyzer can be integrated into Security Hub for centralized security posture management.
Amazon EventBridge: You can trigger automated remediation actions when a finding is generated (e.g., update security group rules via AWS Lambda).
AWS Config: While Config tracks configuration changes, Network Access Analyzer focuses on the actual network access allowed by the current configuration, providing a complementary view.
VPC Flow Logs: Flow logs capture actual traffic; Network Access Analyzer analyzes what traffic is *possible* based on configuration. Together they give a complete picture.
Use Cases
Compliance: Ensure that your VPC configurations comply with internal security policies (e.g., no SSH from the internet).
Audit: Periodically verify that changes to security groups or NACLs have not introduced unintended access.
Troubleshooting: When a connectivity issue arises, use the analyzer to check if the intended path is allowed by the configuration.
Limitations
It analyzes only the VPC configuration, not actual traffic. It cannot detect dynamic routing changes or transient states.
It does not inspect traffic content; it only checks network-layer rules.
Findings are based on the configuration at the time of analysis; real-time changes may not be reflected until the next analysis.
Exam-Relevant Details
The analyzer can identify unintended ingress (e.g., a security group allowing 0.0.0.0/0 on port 22) and unintended egress (e.g., an EC2 instance that can reach the internet when it should not).
It supports both resource-based and path-based scopes. Resource-based scopes define allowed access between specific resources (e.g., instance A can talk to instance B on port 80). Path-based scopes define allowed paths through specific network components (e.g., traffic must go through a transit gateway).
The analyzer can detect missing access — for example, if your scope says that instances in subnet A should be able to reach an RDS database, but the security group blocks it, the analyzer will report a missing access finding.
It works across VPC peering, transit gateway, VPN, and Direct Connect connections, as long as the resources are in the same account and Region (cross-account analysis is not supported as of the exam).
Step-by-Step Analysis Process
Define Scope: Create a network access scope that encapsulates your intended policy.
Trigger Analysis: Run an analysis on-demand or schedule it.
Review Findings: Examine the list of findings in the console or via CLI. Each finding shows the network path.
Remediate: Modify security groups, NACLs, or route tables to align with the scope.
Re-analyze: Run the analysis again to verify that the unintended access is removed.
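The CLI commands in the Configuration and Verification section and the five steps just listed map onto three boto3 EC2 calls. The following added example (not the page's or AWS's own code) runs an analysis end to end, collects every page of findings, renders each finding's path hop by hop, and lists security groups on a finding path that expose port 22 to 0.0.0.0/0. The scope ID is a placeholder, and the `ec2` client can be injected, which is how the logic can be exercised without an AWS account.

```python
"""Run a Network Access Analyzer scope analysis and summarise its findings.

Added example, not the page's or AWS's code. The operation names are the
boto3 EC2 client equivalents of the CLI commands; SCOPE_ID is a placeholder.
"""
import time

SCOPE_ID = "scope-PLACEHOLDER"  # replace with your own scope ID


def run_analysis(scope_id, ec2=None, poll_seconds=5, max_polls=60):
    """Start an analysis, wait for it to finish and return (status, findings)."""
    if ec2 is None:
        import boto3  # imported lazily so the module loads without boto3
        ec2 = boto3.client("ec2")
    started = ec2.start_network_insights_access_scope_analysis(
        NetworkInsightsAccessScopeId=scope_id)
    analysis_id = started["NetworkInsightsAccessScopeAnalysis"][
        "NetworkInsightsAccessScopeAnalysisId"]
    status = "running"
    for _ in range(max_polls):
        desc = ec2.describe_network_insights_access_scope_analyses(
            NetworkInsightsAccessScopeAnalysisIds=[analysis_id])
        status = desc["NetworkInsightsAccessScopeAnalyses"][0]["Status"]
        if status != "running":
            break
        time.sleep(poll_seconds)
    if status != "succeeded":
        return status, []
    findings, token = [], None          # findings are paginated
    while True:
        kwargs = {"NetworkInsightsAccessScopeAnalysisId": analysis_id}
        if token:
            kwargs["NextToken"] = token
        page = ec2.get_network_insights_access_scope_analysis_findings(**kwargs)
        findings.extend(page.get("AnalysisFindings", []))
        token = page.get("NextToken")
        if not token:
            return status, findings


def describe_path(finding):
    """Render a finding's hops as 'seq:component-id [rule]' strings."""
    hops = []
    for comp in sorted(finding.get("FindingComponents", []),
                       key=lambda c: c.get("SequenceNumber", 0)):
        label = f"{comp.get('SequenceNumber')}:{comp.get('Component', {}).get('Id', '?')}"
        sg = comp.get("SecurityGroupRule")
        if sg:  # security group rule that let the path through this hop
            pr = sg.get("PortRange", {})
            label += f" [sg {sg.get('SecurityGroupId')} {sg.get('Cidr')} {pr.get('From')}-{pr.get('To')}]"
        acl = comp.get("AclRule")
        if acl:  # NACL rule that matched at this hop
            label += f" [nacl #{acl.get('RuleNumber')} {acl.get('RuleAction')}]"
        hops.append(label)
    return hops


def open_ssh_security_groups(findings):
    """IDs of security groups whose 0.0.0.0/0 rule on a finding path covers port 22."""
    hits = set()
    for finding in findings:
        for comp in finding.get("FindingComponents", []):
            sg = comp.get("SecurityGroupRule")
            if not sg or sg.get("Cidr") != "0.0.0.0/0":
                continue
            pr = sg.get("PortRange", {})  # absent for all-traffic rules
            if pr.get("From", 0) <= 22 <= pr.get("To", 65535):
                hits.add(sg.get("SecurityGroupId"))
    return sorted(hits)
```

Feeding the result of open_ssh_security_groups into a remediation step (for example an EventBridge-triggered Lambda that revokes the rule) gives the automated loop the Best Practices section recommends.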
Best Practices
Start with a broad scope (e.g., allow all traffic from your VPC to the internet) and then narrow down to specific requirements.
Use scheduled analyses to continuously monitor for configuration drift.
Integrate findings with Security Hub or EventBridge for automated incident response.
Combine with AWS Config rules to enforce that security groups do not allow unrestricted access.
Summary
VPC Network Access Analyzer is a powerful tool for verifying that your VPC network configurations match your intended security policies. By defining network access scopes and analyzing the current configuration, you can detect unintended access, missing access, and partial access. It is a critical component of a robust security posture and a key topic for the SAA-C03 exam.
Define Network Access Scope
You start by creating a network access scope that represents your intended network access policy. This involves specifying the source and destination resources, the allowed protocols and ports, and the traffic direction. You can define scopes based on resource types (e.g., all EC2 instances in a VPC) or specific resource ARNs. The scope acts as the baseline against which the actual configuration is compared. You can create up to 100 scopes per account per Region. The scope is stored as a resource in your account and can be reused for multiple analyses.
Trigger Analysis
Once the scope is defined, you trigger an analysis. This can be done manually via the console or CLI, or automatically using a scheduled EventBridge rule. The analysis does not send real traffic; it performs a static evaluation of the current VPC configuration. It examines security group rules, NACL rules, route tables, gateway associations, VPC peering, transit gateway attachments, VPN connections, Direct Connect, VPC endpoints, and AWS Network Firewall rules. The analysis typically completes within a few minutes, depending on the complexity of the VPC.
Generate Findings
After the analysis, the system generates findings categorized as unintended access, missing access, or partial access. Each finding includes a detailed network path from source to destination, listing every intermediate resource (e.g., subnet, security group, NACL, gateway) and the specific rules that allow or block traffic. Findings are stored for 90 days. You can view them in the console, retrieve them via CLI, or send them to Amazon EventBridge for automated actions. The findings also include the scope ID and the timestamp of the analysis.
Review and Remediate
You review the findings to identify misconfigurations. For example, a finding might show that an EC2 instance in a private subnet can reach the internet through a NAT gateway, which might be unintended. The network path shows the exact route and security group rules involved. You then modify the relevant security groups, NACLs, or route tables to close the unintended access. After making changes, you re-run the analysis to confirm that the findings are resolved. This iterative process ensures your VPC configuration aligns with your intended policy.
Schedule Continuous Monitoring
To maintain security over time, you can schedule recurring analyses using Amazon EventBridge. For example, you can run an analysis every 6 hours or daily. You can also configure EventBridge to trigger a Lambda function that automatically remediates certain findings (e.g., revoking a security group rule). Continuous monitoring helps detect configuration drift caused by manual changes or automated deployments. The analyzer integrates with AWS Security Hub for centralized alerting, allowing you to track findings alongside other security issues.
Enterprise Scenario 1: Financial Services Compliance
A financial services company must comply with PCI DSS, which requires strict network segmentation and access controls. They have a multi-VPC architecture with a shared services VPC and application VPCs connected via transit gateway. The security team defines a network access scope that permits only specific application VPCs to access the database subnet in the shared services VPC on port 3306 (MySQL). They run a scheduled analysis every hour. One day, a developer accidentally adds a security group rule that allows 0.0.0.0/0 on port 3306. The analyzer immediately generates an unintended access finding, showing the network path from the internet through the internet gateway, NAT gateway, and the misconfigured security group. The security team receives an alert via EventBridge and a Lambda function automatically revokes the offending rule. Without the analyzer, this misconfiguration could have led to a data breach.
Enterprise Scenario 2: E-commerce Platform with Microservices
An e-commerce platform runs hundreds of microservices in a VPC, each in its own security group. They need to ensure that only the frontend service can access the payment processing service on port 443. They create a network access scope that allows traffic from the frontend security group to the payment security group on port 443. After a deployment, a new microservice is inadvertently placed in the same security group as the frontend, gaining unintended access to the payment service. The analyzer detects this as unintended access and provides the network path showing the security group association. The team remediates by moving the new microservice to its own security group and updating the scope. This prevents potential fraud or data leakage.
Common Pitfalls in Production
Overly Broad Scopes: Defining a scope that is too permissive (e.g., allow all traffic) defeats the purpose. Always start restrictive and expand as needed.
Ignoring Findings: Teams sometimes ignore findings because they believe the analyzer is wrong. Always verify the network path — the analyzer is accurate based on configuration.
Cross-Account Limitations: The analyzer does not support cross-account analysis. If you have multiple accounts, you must create scopes in each account separately.
Performance at Scale: For very large VPCs with thousands of rules, the analysis may take longer. Plan your analysis schedule accordingly. The service is designed to scale, but be mindful of API rate limits.
What SAA-C03 Tests
The SAA-C03 exam tests your understanding of VPC Network Access Analyzer as a tool for verifying network security. Specifically, objective 1.1 (Secure Architectures) includes designing secure VPC architectures and auditing network configurations. Expect questions that ask you to identify the correct tool to detect unintended network access, how to define a network access scope, and how to interpret findings.
Common Wrong Answers and Why
VPC Flow Logs: Many candidates choose Flow Logs because they are familiar with them. However, Flow Logs capture actual traffic, not configuration-based potential access. The question often asks for a tool that identifies *unintended access paths* before traffic flows, which is exactly what Network Access Analyzer does.
AWS Config: Config tracks configuration changes over time, but it does not simulate network paths. It can tell you that a security group rule changed, but not whether that change creates an unintended access path. Network Access Analyzer provides the path analysis.
Security Groups themselves: Some think that reviewing security groups manually is sufficient, but the exam tests automation. The analyzer automates the comparison against an intended policy.
Amazon Inspector: Inspector is for vulnerability assessment, not network path analysis. Do not confuse it with Network Access Analyzer.
Specific Numbers and Terms
100 scopes per account per Region (soft limit)
90-day retention of findings
On-demand and scheduled analyses (via EventBridge)
Unintended, missing, and partial access finding types
Network access scope is the key resource
Network path is a key output
Edge Cases and Exceptions
The analyzer does not support cross-account analysis. If you need to analyze access across accounts, you must create scopes in each account.
It does not analyze traffic that goes through AWS services like CloudFront or API Gateway; it only analyzes VPC network components.
It can analyze paths that go through transit gateway, VPC peering, VPN, and Direct Connect, but only within the same account and Region.
Because network ACLs are stateless, the analyzer considers both inbound and outbound rules. Make sure you understand that NACLs are evaluated in order (by rule number) and that they have separate inbound and outbound rules.
How to Eliminate Wrong Answers
If the question mentions intended vs actual access or unintended network paths, the answer is likely Network Access Analyzer.
If the question asks for continuous monitoring of configuration changes, consider AWS Config or EventBridge, but if it asks for analysis of potential access paths, choose Network Access Analyzer.
If the question mentions actual traffic analysis, choose VPC Flow Logs.
If the question asks for vulnerability scanning, choose Amazon Inspector.
Mastering these distinctions is crucial for the exam.
VPC Network Access Analyzer compares actual VPC configuration against a defined network access scope to detect unintended, missing, or partial access.
It performs static analysis — no actual packets are sent.
Findings are retained for 90 days.
Default limit is 100 scopes per account per Region (soft limit).
It supports analysis across VPC peering, transit gateway, VPN, and Direct Connect within the same account and Region.
Integration with EventBridge allows automated remediation.
It does not support cross-account analysis.
Key exam trap: Do not confuse with VPC Flow Logs (actual traffic) or AWS Config (configuration changes).
Use on-demand or scheduled analyses (via EventBridge).
Each finding includes a detailed network path showing each hop and the rules involved.
These come up on the exam all the time. Here's how to tell them apart.
VPC Network Access Analyzer
Analyzes configuration-based potential access
No actual traffic required
Outputs findings with network paths
Can detect unintended access before it is exploited
Supports scheduled analysis via EventBridge
VPC Flow Logs
Captures actual network traffic metadata
Requires traffic to flow
Outputs log records of individual flows
Detects actual access patterns, not configuration issues
Streams logs to CloudWatch, S3, or Kinesis
Mistake
Network Access Analyzer sends test packets to verify connectivity.
Correct
It does not send any traffic. It performs a static analysis of the VPC configuration (security groups, NACLs, route tables, etc.) to determine what traffic is allowed. No packets are generated.
Mistake
Network Access Analyzer can detect cross-account unintended access.
Correct
As of the current exam, Network Access Analyzer only supports analysis within the same AWS account and Region. It cannot analyze network paths that cross accounts.
Mistake
Findings are stored indefinitely.
Correct
Findings are stored for 90 days. After that, they are automatically deleted. You should export findings if you need long-term retention.
Mistake
Network Access Analyzer replaces VPC Flow Logs.
Correct
They are complementary. Flow Logs capture actual traffic, while Network Access Analyzer analyzes configuration-based potential access. Both are useful for a complete security picture.
Mistake
You can create unlimited network access scopes per account.
Correct
The default limit is 100 scopes per account per Region. This is a soft limit that can be increased by requesting a quota increase.
VPC Network Access Analyzer analyzes your VPC configuration (security groups, NACLs, route tables) to identify potential unintended network access paths based on your intended policy. It does not require actual traffic. VPC Flow Logs capture metadata about actual traffic flows that have occurred. The analyzer is proactive (finds misconfigurations before they are exploited), while Flow Logs are reactive (show what has already happened). On the exam, if the question asks about identifying unintended access paths, choose Network Access Analyzer.
Yes, it can analyze network paths that traverse VPC peering connections, as long as both VPCs are in the same account and Region. The analyzer will include the peering connection as a hop in the network path. It also supports transit gateway, VPN, and Direct Connect within the same account and Region.
Findings are stored for 90 days. After 90 days, they are automatically deleted. You should export findings to Amazon S3 or another storage service if you need to retain them for longer periods for compliance or auditing purposes.
No, as of the current SAA-C03 exam, VPC Network Access Analyzer only supports analysis within a single AWS account and Region. It cannot analyze network paths that cross accounts. If you need to audit network access across accounts, you must create separate scopes in each account.
It generates three types of findings: unintended access (the configuration allows access that the scope denies), missing access (the scope allows access that the configuration blocks), and partial access (the configuration allows access but only partially matches the scope, e.g., correct source/destination but wrong port). Each finding includes a detailed network path.
You can schedule recurring analyses using Amazon EventBridge. Create a rule that triggers on a schedule (e.g., every 6 hours) and targets the StartNetworkInsightsAccessScopeAnalysis API. You can also use EventBridge to send notifications or trigger remediation actions when findings are generated.
As of the SAA-C03 exam, there is no additional charge for using VPC Network Access Analyzer itself. You pay only for the underlying resources it analyzes (e.g., VPCs, subnets) as part of your normal AWS usage. However, if you use EventBridge or Lambda for automation, standard charges apply.