AWS Network Access Analyser is a tool which enables you to easily discover all of the possible routes a packet can take between two resources within your network.

You can use this to gain a greater understanding of your network and demonstrate compliance with security policies. It's commonly used to verify and monitor an array of potential compliance issues such as ensuring network segmentation, for example verifying that your production environment cannot access your development environments, or to verify that your servers cannot be accessed from the public internet.

So how does Network Access Analyser help achieve this level of visibility?

You have to define a Network Access Scope with a source and destination resource type or resource id, such as an Internet Gateway or EC2 Instance, and then AWS will use automated reasoning algorithms to analyse all of the potential network paths a packet can take, and then generate a list of findings, which will each contain the full network path that the packet would take for that route.

Conclusion

In conclusion, AWS Network Access Analyser is a super helpful tool for verifying compliance or to improve visibility into your networks security posture, although while there are upsides to it being a static analysis tool, it also means there are some resources and network configuration where it may be unable to analyse all network paths.