Domain Filtering and Egress Control
Restrict which external destinations your workloads can reach.
Why Control Egress
Most firewall rules focus on inbound traffic, but egress (outbound) control matters just as much. A compromised workload has to call out: to beacon to a command-and-control server, to pull a second-stage payload, or to exfiltrate data. Restricting which destinations your resources can reach cuts off that path, so a foothold stays a foothold instead of becoming a breach.
The Limits of SGs and NACLs
Security groups and NACLs filter outbound traffic by CIDR, protocol and port, not by domain name. Attacker infrastructure rotates IPs and often sits behind shared cloud hosts and CDNs, so an IP-based egress allowlist is brittle: it either blocks legitimate services that share those addresses or lets the attacker through. Network Firewall addresses this with domain list rule groups, a stateful rule group that matches the destination name taken from the HTTP Host header or the TLS Server Name Indication (SNI) and is configured as either an allowlist or a denylist. Two caveats apply. First, a domain list only sees HTTP and TLS flows, so pair it with a default-deny for every other protocol, or a compromised host simply talks to its IP on a different port. Second, the SNI is a client-supplied hint that can be omitted or hidden (Encrypted Client Hello), which is why an allowlist should drop HTTP and TLS flows that carry no matching name rather than let them pass.
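To make the matching semantics concrete, the following added example (not code from the lesson or from AWS) models how a domain list allowlist decides each flow and builds the rule group definition that `aws network-firewall create-rule-group` accepts. The flow records and the `evaluate_flow` verdict strings are constructed for illustration; the matching rule it encodes (a leading dot matches the domain and its subdomains, a bare name matches exactly) follows the documented Network Firewall behaviour.

```python
"""Model of AWS Network Firewall domain-list matching (added example).

Assumptions, not taken from the lesson: the flow records below are
constructed sample data, and the verdict strings returned by
`evaluate_flow` are our own labels for what the generated rules do.
"""
import json
import shlex


def matches_domain(observed: str, target: str) -> bool:
    """Apply Network Firewall domain-list semantics to one observed name.

    ".example.com" matches example.com and every subdomain of it;
    "api.example.com" matches only that exact name.
    """
    observed = observed.lower().rstrip(".")
    target = target.lower().rstrip(".")
    if target.startswith("."):
        base = target[1:]
        return observed == base or observed.endswith(target)
    return observed == target


def evaluate_flow(flow: dict, targets: list, allow: bool = True) -> str:
    """Decide one flow against a domain list.

    Returns "pass" / "drop" for an allowlist, "drop" / "no-match" for a
    denylist, and "not-inspected" for anything that is not HTTP or TLS,
    because a domain list never looks at other protocols.
    """
    if flow["proto"] == "tls":
        name = flow.get("sni")
    elif flow["proto"] == "http":
        name = flow.get("host")
    else:
        return "not-inspected"
    if name is None:
        # TLS with no SNI (or an encrypted one): nothing to match, so the
        # allowlist's catch-all drop fires; a denylist has nothing to deny.
        return "drop" if allow else "no-match"
    matched = any(matches_domain(name, t) for t in targets)
    if allow:
        return "pass" if matched else "drop"
    return "drop" if matched else "no-match"


def audit(flows: list, targets: list, allow: bool = True) -> list:
    """Verdict for every flow, in order."""
    return [evaluate_flow(f, targets, allow) for f in flows]


def rule_group_definition(targets, allow=True,
                          target_types=("TLS_SNI", "HTTP_HOST")) -> dict:
    """Build the RuleGroup document for `create-rule-group --rule-group`."""
    return {
        "RulesSource": {
            "RulesSourceList": {
                "Targets": list(targets),
                "TargetTypes": list(target_types),
                "GeneratedRulesType": "ALLOWLIST" if allow else "DENYLIST",
            }
        }
    }


def cli_command(name: str, definition: dict, capacity: int = 100) -> str:
    """Render the CLI invocation that creates the stateful rule group."""
    return (
        "aws network-firewall create-rule-group"
        f" --rule-group-name {shlex.quote(name)} --type STATEFUL"
        f" --capacity {capacity} --rule-group {shlex.quote(json.dumps(definition))}"
    )


# Constructed sample flows, as a firewall would see them after decoding.
SAMPLE_FLOWS = [
    {"proto": "tls", "sni": "api.example.com"},
    {"proto": "tls", "sni": "updates.example.com"},
    {"proto": "http", "host": "example.com"},
    {"proto": "tls", "sni": "evil-cdn.net"},
    {"proto": "tls", "sni": "example.com.attacker.net"},  # suffix trick
    {"proto": "tls"},                                      # no SNI at all
    {"proto": "ssh", "dst": "203.0.113.10"},               # never inspected
]
ALLOWED = [".example.com"]


def main():
    for flow, verdict in zip(SAMPLE_FLOWS, audit(SAMPLE_FLOWS, ALLOWED)):
        print(f"{verdict:14s} {flow}")
    print(cli_command("egress-allowlist", rule_group_definition(ALLOWED)))


if __name__ == "__main__":
    main()
```

The `example.com.attacker.net` case is the one to look at: a naive substring check would let it through, while the dot-prefixed suffix match drops it. The SSH flow comes back `not-inspected`, which is the point of the first caveat above: the domain list decides nothing about it, so the firewall policy needs its own default drop.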
All lessons in this course
- What AWS Network Firewall Provides
- Stateful Rule Groups and Suricata Rules
- Domain Filtering and Egress Control
- Securing the CloudFront Edge