Building a Secure AWS VPC

In September 2025, I took my Cloud Resume Challenge to the next level by building a secure AWS VPC for my Cloud Security Portfolio at trisoncloudresume.com. This project pushed me to design a robust network architecture using Terraform, enabling private EC2 instances to securely access the internet via a NAT instance and monitoring the setup with AWS Security Hub. From battling NAT connectivity issues to untangling IAM permission errors and fixing a CI/CD pipeline issue, this journey deepened my cloud security expertise. Here’s how I did it, the challenges I faced, and what it means for my portfolio.

The Challenge: Crafting a Secure Network

The Secure AWS VPC project tasked me with building a VPC in us-east-1 (10.0.0.0/16) with a public subnet (10.0.1.0/24) hosting a NAT instance and a private subnet (10.0.2.0/24) with an EC2 instance accessing the internet via the NAT. I used Terraform to define the VPC, subnets, route tables, security groups, NACLs, and a t2.micro NAT instance. I also integrated AWS Security Hub to monitor compliance with CIS AWS Foundations Benchmarks. This wasn’t just about setting up a network—it was about proving I could secure and troubleshoot complex cloud infrastructure.

Overcoming Challenges

NAT Connectivity Struggles

Getting the private EC2 to connect to the internet was the toughest hurdle—initially, commands like ping 8.8.8.8 and curl google.com failed. I tackled this with a systematic approach:

• Verified the NAT instance’s source/destination check was disabled using aws ec2 describe-instance-attribute, ensuring it could forward traffic.
• Checked the private route table targeted the NAT’s ENI (eni-036f8add8566a3b4f) with aws ec2 describe-route-tables, correcting an outdated route.
• Inspected the NAT instance’s OS via SSH, confirming net.ipv4.ip_forward=1 and updating the iptables MASQUERADE rule to restrict to 10.0.2.0/24 for security.
• Ensured security groups and NACLs allowed outbound traffic and ephemeral ports (1024-65535) for return traffic, using least-privilege principles.

These steps, executed via AWS CLI and codified in Terraform, restored connectivity, proving my ability to troubleshoot network issues.

IAM Permission Battles

Enabling VPC Flow Logs and Security Hub brought a barrage of IAM permission errors for my GitHubActionsUser. Key issues included:

• Missing permissions like iam:CreateRole, iam:CreatePolicy, logs:DeleteLogGroup, and securityhub:EnableSecurityHub, requiring multiple AWS Console updates.
• Terraform state conflicts with Flow Logs, resolved by removing those resources after confirming connectivity.
• Security Hub enablement issues, fixed by adding iam:CreateServiceLinkedRole and other permissions iteratively.

These struggles taught me the critical role of precise IAM policies and persistent debugging in cloud security.

CI/CD Pipeline Syntax Error

Deploying updates to trisoncloudresume.com hit a snag when my GitHub Actions pipeline failed due to a YAML syntax error in deploy.yml. This was my first time creating an index page (blog.html) to link all blog posts and writing this VPC blog, so automating deployments was critical. The issue stemmed from extra code block markers (nested ```yaml) in the workflow file, causing GitHub Actions to reject it. I resolved this by:

• Comparing the broken deploy.yml with a previous working version from my GitHub repository.
• Removing the invalid nested markers to restore proper YAML syntax.
• Testing the pipeline to confirm automated uploads to my S3 bucket and CloudFront cache invalidation.

This fix ensured seamless updates to my portfolio, highlighting my ability to troubleshoot CI/CD pipelines and maintain secure, automated deployments.

Why It Matters

While my resume website at trisoncloudresume.com runs on S3 and CloudFront, this VPC project showcases my ability to build secure backend networks. It’s a cornerstone of my portfolio, highlighting:

• Network Security: Configuring VPCs, NAT instances, security groups, and NACLs with least-privilege access.
• Troubleshooting: Using AWS CLI, Terraform, and GitHub Actions to diagnose connectivity, permission, and pipeline issues.
• Security Monitoring: Enabling Security Hub for compliance and threat detection.
• Infrastructure-as-Code: Managing AWS resources with Terraform for reproducibility.
• Automation: Implementing a CI/CD pipeline with GitHub Actions for secure, automated deployments.

This project demonstrates I can tackle real-world cloud security challenges, strengthening my candidacy for Junior Cloud Security Engineer roles.

What’s Next?

The Secure AWS VPC project has ignited my passion for cloud security. I’m now studying for the AWS Certified Solutions Architect – Associate and AWS Certified Security – Specialty certifications to deepen my expertise. Future projects may include integrating GuardDuty for advanced threat detection or exploring serverless security patterns. Check out my code in the GitHub repository and follow my journey on my blog!