This post walks through a practical, auditable approach to implementing the SC.L1-B.1.XI requirement (segregating publicly accessible components from internal networks) on AWS to satisfy FAR 52.204-21 and CMMC 2.0 Level 1 expectations, with concrete network design patterns, configuration details, and operational controls suitable for a small business contractor.
Why the control matters (risk and compliance context)
FAR 52.204-21 and CMMC Level 1 require "basic safeguarding": keeping public-facing systems separated from internal systems reduces the attack surface and limits lateral movement if a web server or API is compromised. Without a properly segregated DMZ you risk exposing sensitive contract-related information (including CUI), enabling attackers to pivot into databases and internal tools, and failing audits or contract requirements, which can lead to corrective actions or contract loss.
Designing a compliant DMZ on AWS
Network layout and core components
A robust DMZ pattern on AWS starts with a single VPC per environment (dev/test/prod) and at least two Availability Zones for HA. Create designated public subnets (for load balancers, NAT Gateway, bastion if used) and private application and data subnets. Example route table rules: public subnet route table -> 0.0.0.0/0 to Internet Gateway (igw-xxxx); private subnet route table -> 0.0.0.0/0 to NAT Gateway in a public subnet (nat-xxxx). Host only the minimum required public-facing components in the public subnets: Elastic Load Balancer (ALB/ELB), CloudFront + S3 for static content, WAF in front of the ALB. Ensure backend services (ECS tasks, EC2 app servers, RDS instances) live in private subnets with no direct route to the IGW.
Network controls: security groups, NACLs, and defense-in-depth
Use security groups as the primary, stateful control for fine-grained traffic rules and NACLs for coarse, stateless filtering at the subnet level. Example security group model: WebSG — inbound TCP 80/443 from 0.0.0.0/0 to ALB; AppSG — inbound TCP 443 only from WebSG (reference the WebSG as a source); DbSG — inbound TCP 5432 (Postgres) only from AppSG. Do NOT allow SSH/RDP from the internet; instead require administrative sessions via AWS Systems Manager Session Manager or a managed VPN to a dedicated management subnet. Apply AWS WAF on ALB to block common HTTP attacks and AWS Shield Standard for DDoS protection. Use VPC endpoints (Gateway for S3, Interface for Systems Manager and KMS) to keep management and storage traffic off the public internet when possible.
Ingress, egress and access patterns
Design ingress through the ALB (or CloudFront with ALB origin) and terminate TLS at the load balancer with AWS Certificate Manager-managed certificates. Limit ALB listeners to 443 (and 80 only to redirect to 443). For egress, private subnets should reach the internet via a NAT Gateway in a public subnet; consider VPC endpoints to avoid NAT egress charges and to improve security for service-to-service traffic. Keep private subnet route tables free of any route to the Internet Gateway so that internet-originated traffic has no path to them, and back this up with NACL deny rules on the private subnets. For admin access, prefer SSM Session Manager or a centralized jump host in the management subnet with strict security group rules and CloudTrail + CloudWatch Logs to capture session activity for auditors.
Logging, monitoring and evidence for auditors
Collect and retain the logs auditors will ask for: enable CloudTrail (management and data events where applicable) with logs delivered to a dedicated, access-controlled S3 bucket; enable VPC Flow Logs for the DMZ and private subnets (to a CloudWatch Logs group or S3); enable ALB access logs and WAF logs. Use AWS Config rules to capture resource configuration snapshots and to prove that your public/private subnet assignments, internet gateway attachments, and security group rules haven't drifted. Set retention policies consistent with contract requirements (e.g., 1 year or as required) and tag log archives with evidence IDs to simplify an audit response.
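As an added example (not code from the original post), a small offline check that applies the WebSG -> AppSG -> DbSG security group model and the "no drift" evidence point above to a snapshot of security groups and route tables. The input dictionaries follow the shape of the EC2 DescribeSecurityGroups and DescribeRouteTables API responses; the group, subnet and gateway IDs are constructed placeholders.

```python
"""Offline drift check for the DMZ rules in this post. Inputs mirror the shape of
EC2 DescribeSecurityGroups/DescribeRouteTables; all sample values are constructed."""
ANYWHERE = "0.0.0.0/0"
ADMIN_PORTS = {22, 3389}  # SSH and RDP: never reachable from the internet

def sg_findings(groups, public_sg_ids):
    """Flag admin ports open to the internet, and any internet-open rule on a
    group other than the designated public (ALB-facing) groups."""
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            if not any(r.get("CidrIp") == ANYWHERE for r in perm.get("IpRanges", [])):
                continue  # sourced from a specific CIDR or another SG, not the internet
            if any(lo <= p <= hi for p in ADMIN_PORTS):
                findings.append(f"{g['GroupId']}: admin port range {lo}-{hi} open to {ANYWHERE}")
            elif g["GroupId"] not in public_sg_ids:
                findings.append(f"{g['GroupId']}: non-public group exposes {lo}-{hi} to {ANYWHERE}")
    return findings

def route_findings(route_tables, private_subnet_ids):
    """A route table that serves a private subnet must not point at an internet gateway."""
    findings = []
    for rt in route_tables:
        served = {a["SubnetId"] for a in rt.get("Associations", []) if "SubnetId" in a}
        for r in rt.get("Routes", []):
            if served & set(private_subnet_ids) and r.get("GatewayId", "").startswith("igw-"):
                findings.append(f"{rt['RouteTableId']}: {r['DestinationCidrBlock']} -> {r['GatewayId']} serves a private subnet")
    return findings

def tcp_rule(port, cidr=None, sg=None):
    # One IpPermissions entry sourced either from a CIDR or from another security group
    rule = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
    rule["IpRanges" if cidr else "UserIdGroupPairs"] = [{"CidrIp": cidr} if cidr else {"GroupId": sg}]
    return rule

# Constructed snapshot: the WebSG -> AppSG -> DbSG chain plus two deliberately drifted items
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [tcp_rule(80, ANYWHERE), tcp_rule(443, ANYWHERE)]},
    {"GroupId": "sg-app", "IpPermissions": [tcp_rule(443, sg="sg-web")]},
    {"GroupId": "sg-db", "IpPermissions": [tcp_rule(5432, sg="sg-app"), tcp_rule(22, ANYWHERE)]},  # drift
]
def rtb(rt_id, subnet, route):
    return {"RouteTableId": rt_id, "Associations": [{"SubnetId": subnet}], "Routes": [dict(DestinationCidrBlock="0.0.0.0/0", **route)]}
SAMPLE_ROUTE_TABLES = [
    rtb("rtb-public", "subnet-pub-a", {"GatewayId": "igw-example"}),
    rtb("rtb-app", "subnet-app-a", {"NatGatewayId": "nat-example"}),
    rtb("rtb-db", "subnet-db-a", {"GatewayId": "igw-example"}),  # drift: private subnet routed to the IGW
]
def run_check():
    # Empty list means the snapshot matches the design; each entry is an audit finding
    return sg_findings(SAMPLE_GROUPS, {"sg-web"}) + route_findings(SAMPLE_ROUTE_TABLES, {"subnet-app-a", "subnet-db-a"})
```

In practice the same two functions can be fed the output of the describe calls or an AWS Config snapshot, and the returned list (ideally empty) is the evidence artifact to retain alongside the AWS Config reports.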
Operational practices, automation and hardening
Automate the DMZ deployment with CloudFormation or Terraform so each environment is consistent and auditable; store templates in version control. Bake AMIs with a baseline hardening script and use AWS Systems Manager Patch Manager for regular patching. Enforce least privilege with IAM roles per service (ALB -> app role -> DB role), and require MFA for console users. Create runbooks describing how to revoke public access, rotate certificates, and respond to suspected compromises; automate alerts with CloudWatch Alarms and SNS for immediate notification of suspicious patterns in VPC Flow Logs or WAF rules tripping.
Small business example: hosting a customer portal
Imagine a small contractor hosting a customer portal that displays contract deliverables and is backed by an internal reporting database. A compliant DMZ would put a CloudFront distribution (with S3 origin for static assets) and an ALB in public subnets. The ALB forwards to application servers in private subnets (ECS Fargate tasks or an EC2 Auto Scaling group). The RDS instance sits in a separate private subnet with no public IP. Security group rules: ALB-SG allows 443 from the internet; App-SG allows 443 from ALB-SG; RDS-SG allows 5432 from App-SG. Admin tasks use SSM Session Manager, and backups go to S3 through the S3 VPC endpoint. Maintain a simple diagram, CloudFormation templates, and the S3/CloudTrail logs as evidence for compliance reviewers.
Compliance tips and best practices
Document the logical and physical DMZ design and map each control to the specific FAR/CMMC requirement. Keep a change log and retain evidence: network diagrams, security group snapshots, AWS Config compliance reports, VPC Flow Logs and CloudTrail deliveries. Conduct periodic reviews (quarterly) and a light vulnerability scan or penetration test (annually or on major changes). Where cost is a concern, use VPC endpoints to reduce NAT egress costs, and prefer managed services (ALB, CloudFront, WAF) to lower operational burden while retaining a secure, auditable posture.
In summary, building a compliant DMZ on AWS for FAR 52.204-21 and CMMC 2.0 Level 1 is an achievable combination of correct VPC/subnet topology, least-privilege security groups, managed edge services (ALB, WAF, CloudFront), robust logging (CloudTrail/VPC Flow Logs), and automation to produce the evidence auditors need; implement these controls, document them, and operate them with periodic review to maintain compliance and reduce real-world risk.