Leadline Inc.
Control Requirements

COM-06: Network Diagrams Availability

Implementation of network diagram management and availability for IT security personnel

Control Description

The Company's network diagrams are available to IT security personnel.

Plain Meaning

This control requires maintaining up-to-date network diagrams that show the structure and connectivity of the company's network infrastructure. These diagrams should be easily accessible to IT security personnel so they can understand the network layout, identify potential security risks, and respond effectively to security incidents.

Network Infrastructure Overview

Our production environment runs in a dedicated AWS VPC, production-vpc, designed for high availability, network segmentation, and compliance. The diagram and inventory below give IT security personnel the subnet, gateway, and route-table layout they need to scope an incident or review an exposure.

Production VPC Architecture

[Diagram: AWS VPC Network Architecture]

Figure 1: Production VPC Network Architecture showing multi-AZ deployment, network segmentation, and security controls

Infrastructure Components

1. Multi-AZ Deployment

Our infrastructure spans three AWS Availability Zones so that the loss of a single zone does not interrupt service:

  • us-east-1a: Primary availability zone
  • us-east-1b: Secondary availability zone
  • us-east-1c: Tertiary availability zone

2. Network Segmentation

The VPC is divided into three subnet tiers, each with its own routing policy:

Public Subnets

  • production-vpc-public-us-east-1a: 10.0.4.0/24 (IPv6: 2600:1f18:74e8:fa00::/64)
  • production-vpc-public-us-east-1b: 10.0.5.0/24 (IPv6: 2600:1f18:74e8:fa01::/64)
  • production-vpc-public-us-east-1c: 10.0.6.0/24 (IPv6: 2600:1f18:74e8:fa02::/64)

Private Subnets

  • production-vpc-private-us-east-1a: 10.0.1.0/24 (IPv6: 2600:1f18:74e8:fa04::/64)
  • production-vpc-private-us-east-1b: 10.0.2.0/24 (IPv6: 2600:1f18:74e8:fa03::/64)
  • production-vpc-private-us-east-1c: 10.0.3.0/24 (IPv6: 2600:1f18:74e8:fa07::/64)

Isolated Subnets

  • production-vpc-isolated-us-east-1a: 10.0.10.0/24 (IPv6: 2600:1f18:74e8:fa06::/64)
  • production-vpc-isolated-us-east-1b: 10.0.11.0/24 (IPv6: 2600:1f18:74e8:fa05::/64)
  • production-vpc-isolated-us-east-1c: 10.0.12.0/24 (IPv6: 2600:1f18:74e8:fa08::/64)

3. Security Controls

Network Gateways

  • Internet Gateway (production-vpc-igw): Provides two-way internet connectivity for public subnets; these are the only subnets reachable from the internet
  • NAT Gateways:
    • production-vpc-nat-us-east-1a: Private subnet internet access via us-east-1a
    • production-vpc-nat-us-east-1b: Private subnet internet access via us-east-1b
    • production-vpc-nat-us-east-1c: Private subnet internet access via us-east-1c
  • Egress-only Internet Gateway (eigw-01b3c430091289473): Outbound-only IPv6 internet access for isolated subnets; the gateway is stateful and accepts no connections initiated from the internet

Route Table Configuration

  • production-vpc-public: Routes public subnets to internet gateway
  • production-vpc-private-us-east-1a: Routes private subnet to NAT gateway
  • production-vpc-private-us-east-1b: Routes private subnet to NAT gateway
  • production-vpc-private-us-east-1c: Routes private subnet to NAT gateway
  • production-vpc-isolated: Routes the IPv6 default route (::/0) of the isolated subnets to the egress-only gateway; these subnets have no IPv4 route to the internet

Security Implications

Network Security Benefits

  1. Tiered Routing: Only public subnets are reachable from the internet; private subnets can initiate outbound connections through NAT but accept none from the internet; isolated subnets have no IPv4 path to the internet at all
  2. Controlled Internet Access: NAT gateways (IPv4) and the egress-only gateway (IPv6) permit outbound-only connections, so nothing on the internet can initiate a connection to private or isolated resources through them. Note that "isolated" is not air-gapped: an isolated host can still reach the internet over IPv6, so egress filtering and flow-log review still apply to that tier
  3. Multi-AZ Resilience: Infrastructure redundancy across three availability zones, with one NAT gateway per zone so that a zone failure does not break egress for the other two
  4. Dual-stack IPv6: Every subnet carries both an IPv4 and an IPv6 range, so security group rules and log analysis must cover both address families

Compliance Considerations

  • SOC 2 CC6.1: Logical access security software, infrastructure, and architectures
  • SOC 2 CC6.2: Registration and authorization of users before system credentials are issued
  • SOC 2 CC6.3: Role-based authorization, modification, and removal of access
  • SOC 2 CC6.4: Restriction of physical access to facilities and protected information assets

Access and Maintenance

Diagram Availability

  • Primary Location: This documentation page
  • Backup Location: AWS Systems Manager Documents
  • Version Control: Git repository with change tracking
  • Update Frequency: Reviewed monthly, updated as infrastructure changes
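The monthly review can be backed by an automated drift check that fails when the account no longer matches the diagram. The following Python is an added example for this page, not Leadline's own tooling: it reconciles the subnet inventory and per-tier routing policy documented above against data in the shape returned by boto3's describe_subnets and describe_route_tables. All resource IDs in the sample data are constructed, fetch_live only shows the real API calls and is never invoked here, and the constructed sample is seeded with two deliberate drifts so the checks have something to report.

```python
"""Drift check for the production-vpc inventory documented on this page.

Added example, not Leadline's own tooling. The sample API responses below are
constructed (made-up IDs) and seeded with two deliberate drifts.
"""

# name -> (tier, IPv4 CIDR, IPv6 CIDR), copied from the subnet inventory above.
DOCUMENTED = {
    "production-vpc-public-us-east-1a":   ("public",   "10.0.4.0/24",  "2600:1f18:74e8:fa00::/64"),
    "production-vpc-public-us-east-1b":   ("public",   "10.0.5.0/24",  "2600:1f18:74e8:fa01::/64"),
    "production-vpc-public-us-east-1c":   ("public",   "10.0.6.0/24",  "2600:1f18:74e8:fa02::/64"),
    "production-vpc-private-us-east-1a":  ("private",  "10.0.1.0/24",  "2600:1f18:74e8:fa04::/64"),
    "production-vpc-private-us-east-1b":  ("private",  "10.0.2.0/24",  "2600:1f18:74e8:fa03::/64"),
    "production-vpc-private-us-east-1c":  ("private",  "10.0.3.0/24",  "2600:1f18:74e8:fa07::/64"),
    "production-vpc-isolated-us-east-1a": ("isolated", "10.0.10.0/24", "2600:1f18:74e8:fa06::/64"),
    "production-vpc-isolated-us-east-1b": ("isolated", "10.0.11.0/24", "2600:1f18:74e8:fa05::/64"),
    "production-vpc-isolated-us-east-1c": ("isolated", "10.0.12.0/24", "2600:1f18:74e8:fa08::/64"),
}

def fetch_live(ec2, vpc_id):
    """Pull both datasets from AWS with a boto3 EC2 client (not called in this example)."""
    flt = [{"Name": "vpc-id", "Values": [vpc_id]}]
    return (ec2.describe_subnets(Filters=flt)["Subnets"],
            ec2.describe_route_tables(Filters=flt)["RouteTables"])

def _subnet(sid, name, v4, v6):
    """One entry in the shape of describe_subnets()['Subnets']."""
    return {"SubnetId": sid, "CidrBlock": v4,
            "Ipv6CidrBlockAssociationSet": [{"Ipv6CidrBlock": v6}],
            "Tags": [{"Key": "Name", "Value": name}]}

def build_sample():
    """Constructed subnets and route tables that follow the documented design, plus two drifts."""
    subnets, tables = [], []
    for i, (name, (tier, v4, v6)) in enumerate(DOCUMENTED.items()):
        sid = f"subnet-{i:017x}"                      # constructed ID
        subnets.append(_subnet(sid, name, v4, v6))
        if tier == "public":
            routes = [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0aaaaaaaaaaaaaaaa"}]
        elif tier == "private":
            routes = [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": f"nat-0{i:016x}"}]
        else:
            routes = [{"DestinationIpv6CidrBlock": "::/0",
                       "EgressOnlyInternetGatewayId": "eigw-0bbbbbbbbbbbbbbbb"}]
        if name == "production-vpc-isolated-us-east-1c":
            # Drift 1: an "isolated" subnet quietly acquired an IPv4 path out via NAT.
            routes.append({"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0cccccccccccccccc"})
        tables.append({"RouteTableId": f"rtb-{i:017x}", "Routes": routes,
                       "Associations": [{"SubnetId": sid}]})
    # Drift 2: a subnet that exists in the account but is not on the diagram.
    subnets.append(_subnet("subnet-0fffffffffffffffe", "production-vpc-private-us-east-1d",
                           "10.0.7.0/24", "2600:1f18:74e8:fa09::/64"))
    return subnets, tables

def _name(subnet):
    return next((t["Value"] for t in subnet.get("Tags", []) if t["Key"] == "Name"), subnet["SubnetId"])

def _default_routes(routes):
    """Targets of the 0.0.0.0/0 and ::/0 routes (None when a default route is absent)."""
    v4 = v6 = None
    for r in routes:
        target = (r.get("GatewayId") or r.get("NatGatewayId")
                  or r.get("EgressOnlyInternetGatewayId") or "other")
        if r.get("DestinationCidrBlock") == "0.0.0.0/0":
            v4 = target
        elif r.get("DestinationIpv6CidrBlock") == "::/0":
            v6 = target
    return v4, v6

def check_drift(subnets, route_tables):
    """Return human-readable findings; an empty list means the diagram and the account agree."""
    findings = []
    live = {_name(s): s for s in subnets}
    for name in sorted(DOCUMENTED.keys() - live.keys()):
        findings.append(f"documented subnet missing from account: {name}")
    for name in sorted(live.keys() - DOCUMENTED.keys()):
        findings.append(f"undocumented subnet in account: {name} ({live[name]['CidrBlock']})")
    # Explicit associations only; a subnet without one falls back to the VPC main table.
    rt_by_subnet = {a["SubnetId"]: rt for rt in route_tables
                    for a in rt["Associations"] if "SubnetId" in a}
    for name, (tier, v4, v6) in DOCUMENTED.items():
        s = live.get(name)
        if s is None:
            continue
        live_v6 = (s.get("Ipv6CidrBlockAssociationSet") or [{}])[0].get("Ipv6CidrBlock")
        if (s["CidrBlock"], live_v6) != (v4, v6):
            findings.append(f"{name}: CIDR mismatch, documented {v4} {v6}, live {s['CidrBlock']} {live_v6}")
        rt = rt_by_subnet.get(s["SubnetId"])
        if rt is None:
            findings.append(f"{name}: no explicit route table association")
            continue
        d4, d6 = _default_routes(rt["Routes"])
        if tier == "public" and not (d4 or "").startswith("igw-"):
            findings.append(f"{name}: public subnet default route is {d4}, expected the internet gateway")
        if tier == "private" and not (d4 or "").startswith("nat-"):
            findings.append(f"{name}: private subnet default route is {d4}, expected a NAT gateway")
        if tier == "isolated" and d4 is not None:
            findings.append(f"{name}: isolated subnet has an IPv4 default route via {d4}")
        if tier == "isolated" and d6 is not None and not d6.startswith("eigw-"):
            findings.append(f"{name}: isolated subnet IPv6 default route via {d6}, expected the egress-only gateway")
    return findings

if __name__ == "__main__":
    print("\n".join(check_drift(*build_sample())) or "no drift")
```

Against the constructed sample the check reports exactly the two seeded drifts: the undocumented production-vpc-private-us-east-1d subnet and the IPv4 default route on production-vpc-isolated-us-east-1c. In real use, replace build_sample() with fetch_live(boto3.client("ec2"), "<vpc-id>") and wire a non-empty result into the monthly review ticket; the route-table policy check is the part that catches an "isolated" subnet silently gaining an internet path, which a CIDR-only comparison would miss.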

Access Controls

  • IT Security Personnel: Full access to all network diagrams
  • Network Administrators: Full access with modification privileges
  • Compliance Team: Read-only access for audit purposes
  • Development Teams: Limited access to relevant subnet information

Monitoring and Alerting

Network Monitoring

  • VPC Flow Logs: Enabled for all subnets
  • CloudWatch Metrics: Network performance and availability
  • Security Hub: Network security findings and compliance status
  • GuardDuty: Threat detection and network anomaly monitoring

Incident Response

  • Network Diagrams: Available 24/7 for incident response teams
  • Contact Information: Network administrators and security team contacts
  • Escalation Procedures: Defined escalation paths for network incidents
  • Documentation: Incident response playbooks reference these diagrams

Official Documentation

Internal Resources