Egress control & Network Firewall
Domain allowlists, DNS Firewall, exfiltration defense.
Almost everyone filters inbound and leaves outbound wide open — yet exfiltration and command-and-control both leave through egress. A compromised workload with unrestricted outbound streams your data anywhere and pulls down the next attack stage. Controlling what can leave, and logging the rest, turns a silent breach into a blocked, alerting event.
Constrain and inspect outbound
For most workloads the legitimate egress list is short and stable, which makes an allowlist practical. AWS Network Firewall adds stateful L3–L7 inspection, domain allowlists, and Suricata-style IPS rules at the VPC edge — capabilities security groups and NACLs lack. Route 53 Resolver DNS Firewall blocks resolution of known-malicious or unapproved domains and logs every lookup, cutting off C2 and exfil channels and giving you a high-value hunting record.
# AWS Network Firewall stateful rule group: allow egress only to approved# domains, drop everything else (and log the drops).{"RulesSource": { "RulesString":"pass tls any any -> any any (tls.sni; content:\".amazonaws.com\"; endswith; sid:1;)\n" +"pass tls any any -> any any (tls.sni; content:\".github.com\"; endswith; sid:2;)\n" +"drop tls any any -> any any (msg:\"unapproved egress\"; sid:99;)" }}# Workloads have no direct 0.0.0.0/0 route; the firewall endpoint is the only path out.
Record everything
Layer detection under the controls: VPC flow logs record who talked to what for after-the-fact reconstruction, and DNS query logs expose tunnelling (long, high-entropy subdomains; abnormal query volume to one domain) that is how data leaves networks blocking ordinary egress. Each layer is cheap alone and compounding together — the firewall blocks, DNS filtering catches names, flow logs let you reconstruct intent.