AWS Blogs, 10 hours ago
New AWS Shield feature discovers network security issues before they can be exploited (Preview)

 

AWS Shield network security director (preview) is a tool designed to simplify network security configuration, helping users identify and remediate network security issues such as SQL injection and DDoS attacks. The service analyzes network resources, connections, and configurations, compares them against AWS best practices, and generates a network topology that highlights the resources that need protection. It provides detailed remediation recommendations and integrates with Amazon Q Developer, so users can understand their security posture through natural-language queries. AWS Shield network security director aims to help organizations maintain a strong network security posture and simplify security management.

🛡️ AWS Shield network security director comprehensively analyzes the resources in an AWS account, identifies the connections between them, and determines which network security services and configurations are currently in place.

💡 The service prioritizes resources by severity based on AWS network security best practices and threat intelligence, helping users focus on the most important security issues.

✅ AWS Shield network security director provides concrete remediation recommendations, including step-by-step instructions for implementing the right AWS security services (such as AWS WAF, Amazon VPC security groups, and network access control lists) to protect resources.

🗺️ Through the network topology map, users can see how a specific resource connects to other resources, understand the potential impact of security configurations, and identify exposed paths.

💬 The service integrates with Amazon Q Developer, so users can ask questions in natural language to quickly understand their security posture and get guidance on implementing best practices.

<section class="blog-post-content lb-rtxt"><p>Today, I’m happy to announce <a href="https://aws.amazon.com/shield/">AWS Shield</a> network security director (preview), a capability that simplifies identification of configuration issues related to threats such as SQL injections and distributed denial of service (DDoS) events, and proposes remediations. This feature identifies and analyzes network resources, connections, and configurations. It compares them against AWS best practices to create a network topology that highlights resources requiring protection.</p><p>Organizations today face significant challenges in maintaining a robust network security posture. Security teams often struggle to efficiently discover all resources in their environments, understand how these resources are interconnected, and identify which security services are currently configured. Additionally, they find that determining how well resources are configured relative to AWS best practices requires considerable expertise and effort. Many teams find it difficult to identify which network security services and rule sets would best protect their applications from common and emerging threats.</p><p>AWS Shield network security director addresses these challenges through three key capabilities. First, it performs comprehensive analysis to discover resources across your AWS accounts, identify connectivity between resources, and determine which network security services and configurations are currently in place. Second, it prioritizes resources by severity level based on AWS network security best practices and threat intelligence.
Finally, it provides specific remediation recommendations such as step-by-step instructions for implementing the right AWS security services, including <a href="https://aws.amazon.com/waf">AWS WAF</a>, <a href="https://aws.amazon.com/vpc/">Amazon Virtual Private Cloud (Amazon VPC)</a> <a href="https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html">security groups</a>, and Amazon VPC <a href="https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html">network access control lists (ACLs)</a> to protect your resources.</p><p>The service supports critical network security use cases, including protecting applications against internet-borne threats and controlling human access to resources based on port, protocol, or IP address range. Its network analysis discovers assets and eliminates the time-consuming manual work of identifying resources that need protection. The service offers resource prioritization by assigning security findings a severity level based on network context and adherence to AWS best practices, helping you focus on what matters most. Additionally, it supplies actionable recommendations with specific guidance on which services and configurations will address each security gap. You can also get answers, in natural language, from AWS Shield network security director from within <a href="https://aws.amazon.com/q/developer/">Amazon Q Developer</a> in the <a href="https://console.aws.amazon.com/">AWS Management Console</a> and chat applications.</p><p><strong>Getting started with AWS Shield network security director<br /></strong> To use AWS Shield network security director, I need to initiate a network analysis of my AWS resources.
I go to the <a href="http://console.aws.amazon.com/wafv2/homev2">AWS WAF &amp; Shield console</a> and choose <strong>Getting started</strong> under <strong>AWS Shield network security director</strong> in the navigation pane. I choose <strong>Get started</strong>, which takes me to the configuration page. On this page, I can choose how to perform my first network analysis: I can assess findings from across all supported Regions or from my current Region only. I select <strong>Start network analysis</strong>.</p><p><a href="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/06/10/LM1545-6.png"><img class="alignnone size-full wp-image-97059" src="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/06/10/LM1545-6.png" alt="" width="1924" height="880" /></a></p><p>After the analysis is completed, the dashboard page shows a breakdown of resource types by severity level and the most common categories of network security findings associated with their resources. Resources are categorized by type and severity level (critical, high, medium, low, informational), making it easy to identify which areas need immediate attention.</p><p><a href="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/06/10/LM1545-7.png"><img class="alignnone size-full wp-image-97060" src="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/06/10/LM1545-7.png" alt="" width="1924" height="2399" /></a></p><p>Next, I explore the <strong>Resources</strong> section to understand the distribution of my assets and filter by severity level in my environment. I can use <strong>Resource overview</strong> to review a specific severity level, which will redirect me to the <strong>Resources</strong> under <strong>Network security director</strong> with the associated severity level filter.
I choose the resources that have <strong>Medium</strong> severity level.</p><p><a href="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/06/10/LM1545-8.png"><img class="alignnone size-full wp-image-97061" src="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/06/10/LM1545-8.png" alt="" width="1924" height="792" /></a></p><p>I choose a specific resource to view its network topology map showing how it connects to other resources and associated findings. This visualization helps me understand the potential impact of security configurations and identify exposed paths. I review detailed findings such as “Allows unrestricted inbound access (0.0.0.0/0) on all ports” with severity ratings.</p><p><a href="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/06/10/LM1545-8b.png"><img class="alignnone size-full wp-image-97063" src="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/06/10/LM1545-8b.png" alt="" width="1906" height="1688" /></a></p><p>Next, I go to <strong>Findings</strong> under <strong>Network security director</strong>, which shows common configuration issues. For each finding, I receive detailed information and recommended remediation steps. The service rates the severity of findings (high, medium, low) to help me prioritize my response.
Critical-severity findings such as “CloudFront origin is also internet accessible without CloudFront protections” or high-severity findings such as “Allows unrestricted inbound access (0.0.0.0/0) on all ports” are presented first, followed by medium- and low-severity issues.</p><p><a href="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/06/10/LM1545-9.png"><img class="alignnone size-full wp-image-97064" src="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/06/10/LM1545-9.png" alt="" width="1924" height="815" /></a></p><p>You can analyze your network security configurations, in natural language, with AWS Shield network security director within Amazon Q Developer in the AWS Management Console and chat applications. For example, you can say “Do I have any network security issues on my CloudFront distributions?” or “Are any of my resources vulnerable to bots and scrapers?” This integration helps security teams quickly understand their security posture and receive guidance on implementing best practices without having to navigate through extensive documentation.</p><p>To explore this capability, I ask “What are my most critical network security issues?” in the <strong>Explore with Amazon Q</strong> section.
Amazon Q analyzes my network security configuration and generates a response based on the security assessment of my AWS environment.</p><p><a href="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/06/13/LM1545-13.png"><img class="alignnone size-full wp-image-97213" src="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/06/13/LM1545-13.png" alt="" width="1627" height="846" /></a></p><p>With this comprehensive view of your network security, you can now make data-driven decisions to strengthen your defenses against emerging threats.</p><p><strong>Join the preview<br /></strong> AWS Shield network security director is available in the US East (N. Virginia) and Europe (Stockholm) Regions. The Amazon Q Developer capability to analyze network security configurations is available in preview in US East (N. Virginia). To begin strengthening your network security, visit the <a href="https://console.aws.amazon.com/wafv2/network-security-director">AWS Shield network security director console</a> and initiate your first network security analysis.</p><p>For more information, visit the <a href="https://aws.amazon.com/shield/">AWS Shield product page</a>.</p><a href="https://www.linkedin.com/in/esrakayabali/">— Esra</a></section>
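The findings quoted in the walkthrough above, such as “Allows unrestricted inbound access (0.0.0.0/0) on all ports” ranked on a critical/high/medium/low/informational scale, are the kind of check a team can also reproduce against its own security group configuration, for example to triage before a console review. The script below is an added example written for this page; it is not AWS Shield network security director's logic and not code from the post. It evaluates security groups in the shape returned by the EC2 DescribeSecurityGroups API (the sample groups are constructed), and the severity mapping and the list of sensitive ports are assumptions chosen for the example, not the service's scoring.

```python
"""Flag over-permissive inbound security group rules and rank them by severity.

Added example for this page, not AWS Shield network security director's logic.
Input mirrors the IpPermissions structure of EC2 DescribeSecurityGroups; the
sample groups below are constructed, and the severity mapping is an assumption.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional, Tuple

# Severity order used for sorting findings, mirroring the console's scale.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "informational": 4}

# Ports whose world-open exposure is rated high here: admin and database
# services. This list is an assumption for the example, not the service's.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis"}


@dataclass(frozen=True)
class Finding:
    group_id: str
    severity: str
    message: str


def _is_world_open(cidr: str) -> bool:
    """True when the CIDR admits any source address (IPv4 0.0.0.0/0 or IPv6 ::/0)."""
    return ip_network(cidr, strict=False).prefixlen == 0


def _port_span(perm: dict) -> Optional[Tuple[int, int]]:
    """Return (from, to) for a rule, or None when the rule covers all ports."""
    if perm.get("IpProtocol") == "-1":  # "-1" means all protocols in the API
        return None
    low, high = perm.get("FromPort"), perm.get("ToPort")
    if low is None or high is None or (low, high) == (0, 65535):
        return None
    return low, high


def evaluate_security_group(group: dict) -> list:
    """Produce findings for one security group (DescribeSecurityGroups shape)."""
    findings = []
    gid = group["GroupId"]
    for perm in group.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in sources:
            if not _is_world_open(cidr):
                continue  # restricted source: not a world-exposure finding
            span = _port_span(perm)
            if span is None:
                findings.append(Finding(gid, "high",
                    f"Allows unrestricted inbound access ({cidr}) on all ports"))
                continue
            low, high = span
            exposed = [name for port, name in SENSITIVE_PORTS.items() if low <= port <= high]
            if exposed:
                findings.append(Finding(gid, "high",
                    f"Allows unrestricted inbound access ({cidr}) to {', '.join(exposed)} (ports {low}-{high})"))
            elif (low, high) in ((80, 80), (443, 443)):
                # Public web ports are expected; the question is whether a WAF or CDN fronts them.
                findings.append(Finding(gid, "informational",
                    f"Web port {low} is open to {cidr}; confirm it sits behind AWS WAF or CloudFront"))
            else:
                findings.append(Finding(gid, "medium",
                    f"Allows unrestricted inbound access ({cidr}) on ports {low}-{high}"))
    return findings


def evaluate_all(groups: list) -> list:
    """Evaluate every group and order findings most severe first."""
    findings = [f for g in groups for f in evaluate_security_group(g)]
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.group_id))


# Constructed sample, not real account data.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0000000000000aaaa", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0000000000000bbbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0000000000000cccc", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8090, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]

if __name__ == "__main__":
    for f in evaluate_all(SAMPLE_GROUPS):
        print(f"[{f.severity:>13}] {f.group_id}: {f.message}")
```

To run it against a live account, replace `SAMPLE_GROUPS` with the `SecurityGroups` list from `boto3.client("ec2").describe_security_groups()`; the evaluation functions take that structure unchanged. Note that the check is per rule, so a group that is world-open on all ports and also has narrower rules produces one high finding and ignores the narrower ones only when their source is restricted.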
