cc6-6 | High priority | Security / Logical and Physical Access

Logical access security measures protect against external threats

Systems exposed to the internet face a constant stream of automated attacks: brute-force login attempts, exploitation of known vulnerabilities, credential stuffing, and reconnaissance. This criterion addresses the controls that protect external-facing systems: network-level restrictions, intrusion detection and alerting, and protections against unauthorized external access at the application layer.

Complete first: cc6-1

Implementation steps

  1. Restrict network access to systems using firewalls and security groups

    Configure network access controls to allow only necessary traffic. Cloud security groups and firewall rules should follow least privilege: block all inbound traffic by default and open only required ports to required sources. Production databases and internal services should not be reachable from the public internet. Use VPNs or private networking for administrative access.

    aws-vpc aws-security-groups cloudflare terraform

  2. Implement intrusion detection and alerting

    Deploy tools that detect and alert on suspicious activity: failed login spikes, access from unexpected geolocations, unexpected port scans, API abuse patterns. Configure alerts to route to a monitored channel. At minimum, enable AWS GuardDuty, GCP Security Command Center, or equivalent cloud-native threat detection.

    aws-guardduty cloudflare datadog crowdstrike

  3. Protect against application-layer attacks

    Implement a Web Application Firewall (WAF) in front of public-facing applications. The WAF should block common attack patterns: SQL injection, XSS, path traversal, and rate-limit abuse (for example against login and API endpoints). Enable DDoS protection at the network edge. Review WAF logs regularly for attack patterns.

    cloudflare aws-waf fastly vercel
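Step 1 is easy to state and easy to drift from: a single `0.0.0.0/0` rule added during an incident is enough to expose a database. The following audit script is an added example for this page, not code from the page or from AWS. It walks security groups in the shape returned by `aws ec2 describe-security-groups` (the `SecurityGroups[].IpPermissions` structure) and reports every ingress rule whose source is the whole internet (`0.0.0.0/0` or `::/0`) on anything other than the web ports. The port lists and the sample groups are constructed for the example; in a real account you would feed it the output of boto3's `describe_security_groups()` instead of `SAMPLE_GROUPS`.

```python
"""Least-privilege audit of AWS security-group ingress rules.

Added example for this control; not code from the page or from AWS.
Input follows the shape of `aws ec2 describe-security-groups` output
(SecurityGroups[].IpPermissions). SAMPLE_GROUPS below is constructed data,
not a real account; the port lists are assumptions to tune per environment.
"""
import ipaddress
from typing import NamedTuple

# Ports an internet-facing web tier may legitimately expose.
PUBLIC_OK_PORTS = {80, 443}
# Services that should never be reachable from the public internet.
DATABASE_PORTS = {1433: "mssql", 3306: "mysql", 5432: "postgres",
                  6379: "redis", 27017: "mongodb"}
# Administrative access belongs behind a VPN or private network instead.
ADMIN_PORTS = {22: "ssh", 3389: "rdp"}
SENSITIVE_PORTS = {**DATABASE_PORTS, **ADMIN_PORTS}


class Finding(NamedTuple):
    group_id: str
    port: str      # a single port, a "lo-hi" range, or "all"
    reason: str


def is_public_cidr(cidr: str) -> bool:
    """True for a source that means 'the whole internet' (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_security_group(sg: dict) -> list[Finding]:
    """Return one Finding per internet-exposed rule (plus one per sensitive port it covers)."""
    gid = sg["GroupId"]
    findings: list[Finding] = []
    for perm in sg.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if not any(is_public_cidr(s) for s in sources):
            continue  # only specific or private sources: acceptable here
        proto = perm.get("IpProtocol")
        if proto == "-1":  # "All traffic" rule: no FromPort/ToPort present
            findings.append(Finding(gid, "all", "all protocols and ports open to the internet"))
            continue
        if proto not in ("tcp", "udp"):
            continue  # e.g. icmp: FromPort/ToPort carry type/code, not ports
        lo, hi = perm["FromPort"], perm["ToPort"]
        for port, name in SENSITIVE_PORTS.items():
            if lo <= port <= hi:
                findings.append(Finding(gid, str(port), f"{name} reachable from the internet"))
        # Any other non-web port in the range is also a finding, reported once
        # as a range rather than once per port so a 0-65535 rule stays readable.
        extra = set(range(lo, hi + 1)) - PUBLIC_OK_PORTS - set(SENSITIVE_PORTS)
        if extra:
            span = f"{min(extra)}-{max(extra)}" if len(extra) > 1 else str(min(extra))
            findings.append(Finding(gid, span, f"{proto} non-web port(s) open to the internet"))
    return findings


def audit_all(groups: list[dict]) -> list[Finding]:
    return [f for sg in groups for f in audit_security_group(sg)]


# Constructed sample groups in describe-security-groups shape (not a real account).
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [        # edge tier: HTTPS/HTTP only
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},     # VPC only: fine
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},       # finding
    ]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},  # finding
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},  # office range: fine
    ]},
]

if __name__ == "__main__":
    for f in audit_all(SAMPLE_GROUPS):
        print(f"{f.group_id}: port {f.port}: {f.reason}")
```

The same walk works as a CI gate on Terraform plan output once the plan is converted to this shape, which is how the "Terraform IaC defining network access controls" evidence item can be enforced rather than merely documented.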

Evidence required

Network access control configuration

Evidence of firewall rules or security groups restricting network access.

  • AWS security group rules showing principle of least privilege
  • Terraform IaC defining network access controls
  • Cloud network diagram showing public vs. private subnets

Intrusion detection configuration

Evidence that threat detection is enabled and monitored.

  • AWS GuardDuty enabled and findings routed to alerting system
  • SIEM alert configuration for suspicious login activity
  • WAF configuration with blocking rules enabled

Related controls