Module 52: Network Security Controls
The CCSP exam treats network security in the cloud as fundamentally different from traditional networking. The exam expects you to understand that cloud networks are software-defined, that segmentation is logical rather than physical, and that the shared responsibility model determines who configures what.
Software-Defined Networking in the Cloud
Cloud networks are software-defined. There are no physical switches or routers that the customer manages. Every network construct — subnets, route tables, firewalls, load balancers — is a logical abstraction managed through APIs. The CCSP exam tests whether you understand the security implications of this model.
The primary implication: misconfiguration is the leading cause of cloud network security failures. When everything is defined in code or console configurations, a single policy error can expose resources to the internet. The exam expects you to recognize misconfiguration as the top network threat in cloud environments.
Virtual Private Clouds and Subnets
A Virtual Private Cloud (VPC) is an isolated network segment within the cloud provider's infrastructure. The exam tests several VPC security concepts:
- Public vs. private subnets: Public subnets have routes to the internet gateway. Private subnets do not. The exam tests whether you place sensitive resources (databases, internal services) in private subnets.
- Subnet isolation: Resources in different subnets can be isolated using network access control lists (NACLs). The exam tests whether you use NACLs as a second layer of defense beyond security groups.
- VPC peering: Connects two VPCs for direct communication. The exam tests whether you understand that peering is non-transitive — if VPC A peers with VPC B, and VPC B peers with VPC C, A cannot reach C through B.
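The non-transitivity point is easier to internalise with a small reachability model. The Python below is an added illustration, not part of this module and not provider code; the VPC names and the peering list are constructed. It contrasts the correct rule (only direct peers are reachable) with the transitive assumption that produces the wrong exam answer, and shows why a full mesh of N VPCs needs one independent connection per pair.

```python
from collections import deque

# Constructed peering topology (hypothetical VPC names, not from any real account).
# Each entry is one peering connection; it links only the two VPCs named in it.
PEERINGS = [
    ("vpc-a", "vpc-b"),
    ("vpc-b", "vpc-c"),
]


def peers_of(vpc, peerings=PEERINGS):
    """Direct peers of a VPC: the only VPCs it can reach over peering."""
    out = set()
    for x, y in peerings:
        if x == vpc:
            out.add(y)
        elif y == vpc:
            out.add(x)
    return out


def can_reach(src, dst, peerings=PEERINGS):
    """Actual cloud behaviour: traffic crosses a peering link only when that
    link directly connects src and dst. Peering does not chain."""
    return dst in peers_of(src, peerings)


def can_reach_if_transitive(src, dst, peerings=PEERINGS):
    """The mistaken mental model from classic routed networks: breadth-first
    search over peering links as if each one were a routed hop."""
    seen = {src}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            return True
        for nxt in peers_of(cur, peerings):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def required_peerings_for_full_mesh(vpcs):
    """Because peering is non-transitive, N VPCs that all need to talk to each
    other need N*(N-1)/2 separate connections, one per pair."""
    vpcs = sorted(set(vpcs))
    return [(vpcs[i], vpcs[j])
            for i in range(len(vpcs)) for j in range(i + 1, len(vpcs))]


if __name__ == "__main__":
    print("a -> b direct:", can_reach("vpc-a", "vpc-b"))
    print("a -> c direct:", can_reach("vpc-a", "vpc-c"))
    print("a -> c if peering chained:", can_reach_if_transitive("vpc-a", "vpc-c"))
    print("full mesh of 3:", required_peerings_for_full_mesh(["vpc-a", "vpc-b", "vpc-c"]))
```

When a question describes a hub VPC peered to several spokes and asks whether spoke A can reach spoke B through the hub, the answer is the `can_reach` result, not the BFS one.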
Security Groups and NACLs
The exam frequently tests the distinction between security groups and network ACLs:
- Security groups: Stateful, instance-level firewalls. If you allow inbound traffic, the response is automatically allowed outbound. Security groups only support allow rules.
- Network ACLs: Stateless, subnet-level firewalls. You must explicitly allow both inbound and outbound traffic. NACLs support both allow and deny rules.
Exam trap: If a question describes traffic being allowed inbound but blocked outbound, and the customer is using security groups, the answer is that something else is blocking it — security groups are stateful. If NACLs are involved, check whether outbound rules were configured.
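A small simulator makes the stateful/stateless trap concrete. This Python is an added example, not provider code and not part of this module; the rule model (one allow-only security group, a numbered NACL evaluated lowest number first with first match winning and an implicit final deny) and the client address 203.0.113.10 are constructed assumptions. The same HTTPS request/reply pair is run against a security group, a NACL with no outbound rule, and a NACL that allows outbound ephemeral ports.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str    # "in" = arriving at the instance/subnet, "out" = leaving it
    proto: str
    remote: str       # address of the other endpoint
    remote_port: int
    local_port: int

    def flow_key(self):
        # Direction-agnostic identity of a connection, used for state tracking.
        return (self.proto, self.remote, self.remote_port, self.local_port)

    def dest_port(self):
        # Firewall rules match on the packet's destination port.
        return self.local_port if self.direction == "in" else self.remote_port


@dataclass
class Rule:
    direction: str
    proto: str
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"   # NACLs may also carry "deny"; security groups are allow-only
    number: int = 0         # NACL evaluation order; ignored by security groups

    def matches(self, pkt):
        return (self.direction == pkt.direction
                and self.proto == pkt.proto
                and self.port_from <= pkt.dest_port() <= self.port_to
                and ipaddress.ip_address(pkt.remote) in ipaddress.ip_network(self.cidr))


class SecurityGroup:
    """Stateful, allow-only: a reply to a tracked connection passes with no outbound rule."""
    def __init__(self, rules):
        if any(r.action != "allow" for r in rules):
            raise ValueError("security groups support allow rules only")
        self.rules = rules
        self.flows = set()

    def evaluate(self, pkt):
        if pkt.flow_key() in self.flows:
            return "allow"            # stateful: return traffic of an accepted flow
        if any(r.matches(pkt) for r in self.rules):
            self.flows.add(pkt.flow_key())
            return "allow"
        return "deny"                 # no matching allow rule: implicit deny


class NetworkAcl:
    """Stateless: every packet, replies included, is judged only by rules in its own direction."""
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)   # lowest number evaluated first

    def evaluate(self, pkt):
        for r in self.rules:
            if r.matches(pkt):
                return r.action       # first match wins
        return "deny"                 # the implicit final deny rule


def https_exchange(control):
    """Client 203.0.113.10:51234 -> instance :443 (request), then the instance's reply."""
    request = Packet("in", "tcp", "203.0.113.10", 51234, 443)
    reply = Packet("out", "tcp", "203.0.113.10", 51234, 443)
    return control.evaluate(request), control.evaluate(reply)


def build_security_group():
    return SecurityGroup([Rule("in", "tcp", 443, 443, "0.0.0.0/0")])


def build_nacl(allow_ephemeral_outbound):
    rules = [Rule("in", "tcp", 443, 443, "0.0.0.0/0", number=100)]
    if allow_ephemeral_outbound:
        # Replies go to the client's ephemeral port, so the outbound rule must cover that range.
        rules.append(Rule("out", "tcp", 1024, 65535, "0.0.0.0/0", number=100))
    return NetworkAcl(rules)


def build_nacl_with_blocklist():
    """Deny rules exist only on NACLs; a lower-numbered deny beats the later broad allow."""
    return NetworkAcl([
        Rule("in", "tcp", 443, 443, "192.0.2.0/24", action="deny", number=50),
        Rule("in", "tcp", 443, 443, "0.0.0.0/0", number=100),
        Rule("out", "tcp", 1024, 65535, "0.0.0.0/0", number=100),
    ])


if __name__ == "__main__":
    print("security group     :", https_exchange(build_security_group()))
    print("NACL, no out rule  :", https_exchange(build_nacl(False)))
    print("NACL, ephemeral out:", https_exchange(build_nacl(True)))
    blocked = Packet("in", "tcp", "192.0.2.5", 40000, 443)
    print("blocklisted client :", build_nacl_with_blocklist().evaluate(blocked))
```

The middle case is the exam trap in code: the request is accepted and the reply is dropped, and the fix is an outbound NACL rule for the ephemeral port range, not a change to the security group.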
Micro-Segmentation
Micro-segmentation divides the network into fine-grained segments, applying security policies to individual workloads rather than broad network zones. The exam tests micro-segmentation as a zero trust principle: every workload communicates only with explicitly authorized peers.
In cloud environments, micro-segmentation is implemented through security groups applied per instance, service mesh policies, or cloud-native network policies. The exam expects you to recognize micro-segmentation as the preferred approach over traditional zone-based segmentation.
Network Monitoring and Detection
The exam tests your knowledge of cloud network monitoring capabilities:
- Flow logs: Record metadata about network traffic (source, destination, port, protocol, action). Flow logs do not capture packet contents. The exam tests whether you use flow logs for traffic analysis and anomaly detection.
- Network-based IDS/IPS: Traditional network taps do not work in cloud environments because you cannot access the physical network. Cloud-native alternatives include host-based agents, inline virtual appliances, and cloud provider detection services.
- DNS logging: DNS queries can reveal command-and-control communication, data exfiltration, and policy violations. The exam tests whether you monitor DNS as a detection mechanism.
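Flow logs and DNS logs are metadata, so detection over them is counting and pattern work rather than payload inspection. The Python below is an added example for the flow log and DNS logging bullets above, not part of this module and not a provider tool. The flow records follow the AWS default flow log field order, but every value in them (account id, interface ids, addresses, byte counts) is constructed, as are the DNS query lines and the VPC address range 10.0.0.0/16; the thresholds are illustrative. It flags a source that was rejected on many distinct ports, a large accepted transfer from inside the VPC to an outside address, and DNS queries whose leading label is long and high-entropy.

```python
import math
import ipaddress
from collections import defaultdict

# Constructed VPC address space for this example (assumption, not from the module).
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")

# Constructed records in the AWS default flow log field order
# (version account-id interface-id srcaddr dstaddr srcport dstport protocol
#  packets bytes start end action log-status). Ids and addresses are placeholders.
# Note what is absent: there is no payload, only metadata.
FLOW_LOG = """\
2 123456789012 eni-0aaa 203.0.113.9 10.0.1.5 41000 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0aaa 203.0.113.9 10.0.1.5 41001 23 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0aaa 203.0.113.9 10.0.1.5 41002 3389 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0aaa 203.0.113.9 10.0.1.5 41003 445 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0aaa 203.0.113.9 10.0.1.5 41004 8080 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0aaa 198.51.100.20 10.0.1.5 50234 443 6 20 4200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0bbb 10.0.2.7 192.0.2.77 55555 443 6 9000 734003200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0bbb 10.0.2.7 10.0.1.5 55556 5432 6 30 6000 1700000000 1700000060 ACCEPT OK
"""

FIELDS = ("version account interface src dst srcport dstport protocol "
          "packets bytes start end action status").split()


def parse_flow_log(text):
    """Turn raw lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejected_port_probes(records, min_ports=5):
    """Source/destination pairs rejected on at least min_ports distinct ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[(r["src"], r["dst"])].add(r["dstport"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


def large_egress(records, min_bytes=500 * 1024 * 1024):
    """Accepted traffic from inside the VPC to an outside address, summed per pair."""
    totals = defaultdict(int)
    for r in records:
        if r["action"] != "ACCEPT":
            continue
        inside_src = ipaddress.ip_address(r["src"]) in VPC_CIDR
        inside_dst = ipaddress.ip_address(r["dst"]) in VPC_CIDR
        if inside_src and not inside_dst:
            totals[(r["src"], r["dst"])] += r["bytes"]
    return {pair: b for pair, b in totals.items() if b >= min_bytes}


# Constructed DNS query log: "timestamp client qname qtype" (format is an assumption).
DNS_LOG = """\
1700000001 10.0.2.7 www.example.com A
1700000002 10.0.2.7 updates.example.net A
1700000003 10.0.1.5 a9f3c1e7b2d4058e6f1a2b3c4d5e6f70.tunnel.example.org TXT
1700000004 10.0.1.5 7c2e9b1f4a6d8e0b3c5f7a9d1e2b4c6f.tunnel.example.org TXT
1700000005 10.0.1.5 e1d2c3b4a5968778695a4b3c2d1e0f1a.tunnel.example.org TXT
"""


def shannon_entropy(s):
    """Bits per character; random-looking labels score high, words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_dns(text, min_label_len=24, min_entropy=3.5):
    """Queries whose first label is both long and high-entropy: encoded data, not a hostname."""
    hits = []
    for line in text.splitlines():
        _ts, client, qname, qtype = line.split()
        first = qname.split(".")[0]
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            hits.append((client, qname, qtype))
    return hits


if __name__ == "__main__":
    recs = parse_flow_log(FLOW_LOG)
    print("rejected on many ports:", rejected_port_probes(recs))
    print("large egress          :", large_egress(recs))
    print("suspicious DNS        :", suspicious_dns(DNS_LOG))
```

All three checks work purely on the metadata fields the exam says flow logs contain; none of them could confirm what was inside the 700 MiB transfer, which is exactly why flow logs are paired with host-based agents or inline appliances rather than used alone.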
DDoS Protection
Distributed denial of service attacks target availability. The exam tests your understanding of cloud DDoS mitigation:
- Volumetric attacks: Overwhelm bandwidth. Cloud providers absorb these using their massive infrastructure capacity.
- Protocol attacks: Exploit protocol weaknesses (for example, SYN floods). Mitigated by cloud provider edge services.
- Application-layer attacks: Target specific application endpoints. Require WAF rules and rate limiting configured by the customer.
The exam pattern: volumetric and protocol DDoS mitigation is primarily the CSP's responsibility. Application-layer DDoS mitigation is the customer's responsibility.
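The customer-side piece of that split is rate limiting at the application layer. The Python below is an added example, not part of this module and not any provider's WAF implementation; the client addresses, request timings and the limit of 20 requests per 10 seconds are constructed. It is a per-client sliding-window limiter with the clock passed in, so the same logic can be exercised deterministically against a burst from one client and normal browsing from another.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Per-client sliding window: at most `limit` requests in any `window` seconds.
    Time is an explicit argument so the behaviour is deterministic and testable."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)   # client key -> timestamps of accepted requests

    def allow(self, client, now):
        q = self.hits[client]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False   # over the limit: reject (an HTTP 429 in practice)
        q.append(now)
        return True


def simulate(limiter, requests):
    """requests: iterable of (timestamp, client). Returns {client: (allowed, rejected)}."""
    counts = defaultdict(lambda: [0, 0])
    for ts, client in requests:
        idx = 0 if limiter.allow(client, ts) else 1
        counts[client][idx] += 1
    return {c: tuple(v) for c, v in counts.items()}


def constructed_traffic():
    """Constructed sample: one client hammering an endpoint, one browsing normally."""
    burst = [(i * 0.01, "203.0.113.50") for i in range(200)]   # 200 requests in 2 seconds
    normal = [(i * 0.5, "198.51.100.7") for i in range(20)]     # 20 requests over 10 seconds
    return sorted(burst + normal)


if __name__ == "__main__":
    limiter = SlidingWindowLimiter(limit=20, window=10)
    print(simulate(limiter, constructed_traffic()))
    # Once the window has passed, the throttled client is admitted again.
    print("admitted after window:", limiter.allow("203.0.113.50", 100.0))
```

The key used for the window (client IP here) is a design decision: keying on IP alone is blind to a distributed source, which is the volumetric case the module assigns to the provider's edge, while keying on an authenticated identity or a specific path protects expensive endpoints such as login or search. The same counting logic is what a managed WAF rate-based rule performs at the edge; writing it out shows what the rule's threshold and window parameters mean.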
Common Exam Traps
- Assuming physical network access: You cannot install a network tap in the cloud. Use flow logs and cloud-native tools.
- Confusing stateful and stateless: Security groups are stateful. NACLs are stateless. This distinction drives correct answers.
- Choosing perimeter-only defense: The exam favors defense in depth — security groups, NACLs, WAF, and micro-segmentation together.
- Ignoring VPC peering non-transitivity: Peering connections do not chain. Each connection is independent.
Key Takeaways for the Exam
Cloud networks are software-defined, making misconfiguration the primary threat. VPCs provide isolation with public and private subnets. Security groups (stateful, instance-level) and NACLs (stateless, subnet-level) are complementary controls. Micro-segmentation implements zero trust at the workload level. Network monitoring uses flow logs and cloud-native tools, not physical taps. DDoS responsibility is split between provider and customer based on attack layer.