Challenges implementing egress controls in a large AWS environment

Greg Aumann

fwd:cloudsec North America 2025 · Day 2 · Track 1 - Crystal

Greg Aumann, a member of Block's cloud security team (previously on the product security engineering team managing the **Afterpay** AWS environment), presented a detailed and operationally honest account of deploying network egress controls at scale. The environment processes approximately **25 terabytes of egress traffic per day** across nearly **200 VPCs in six AWS regions**. Aumann covered the architecture, the staggering log volumes, the cost dynamics that can actually make egress controls save money, the practical challenges of building and maintaining allow lists, and several methods for bypassing network firewalls — along with the missing AWS features that would make the entire project easier.

AI review

Practitioner-grade war story of deploying egress controls at real scale (25 TB/day, 200 VPCs). The bypass discussion is the most interesting part — SNI forgery, ECH, DNS exfiltration, VPC endpoint abuse — and the Glue connectivity detection bug is a nice operational find. Solid operational content but no novel techniques or tools.
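The review names SNI forgery and DNS exfiltration among the bypasses discussed, so it is worth showing what the corresponding detection looks like. The block below is an added example, not code from the talk or from Block; it correlates TLS flows against DNS resolver records so that a flow whose SNI names an allowed domain but whose destination IP that host never resolved for that name gets flagged, and it scores DNS query labels by length and Shannon entropy to surface exfiltration-style names. The record layouts, the sample records, and the thresholds are constructed simplifications for the example and are not the real AWS Network Firewall or Route 53 Resolver query log schemas.

```python
"""Egress-bypass checks over constructed, simplified log records.

Assumed record shapes (not AWS's real schemas):
  DNS  : {"ts": int, "src": ip, "qname": str, "answers": [ip, ...]}
  TLS  : {"ts": int, "src": ip, "dst": ip, "sni": str}
"""
import math
from collections import defaultdict

# Constructed sample data. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
DNS_LOG = [
    {"ts": 100, "src": "10.0.1.5", "qname": "api.github.com", "answers": ["140.82.112.6"]},
    {"ts": 101, "src": "10.0.1.5", "qname": "pypi.org", "answers": ["151.101.0.223"]},
    {"ts": 102, "src": "10.0.2.9", "qname": "7f3a9c1e5b2d8e4f6a0c9b3d.data.exfil.example",
     "answers": ["203.0.113.9"]},
]
TLS_LOG = [
    # Legitimate: host resolved the SNI and connected to the returned address.
    {"ts": 105, "src": "10.0.1.5", "dst": "140.82.112.6", "sni": "api.github.com"},
    # SNI forgery: allowed name in ClientHello, but the address was never returned for it.
    {"ts": 106, "src": "10.0.1.5", "dst": "198.51.100.77", "sni": "api.github.com"},
    # Host never asked the resolver for this name at all (hard-coded IP + forged SNI).
    {"ts": 107, "src": "10.0.1.7", "dst": "151.101.0.223", "sni": "pypi.org"},
]


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def index_resolutions(dns_log):
    """Map (source ip, qname) -> list of (ts, set of answered ips)."""
    idx = defaultdict(list)
    for rec in dns_log:
        idx[(rec["src"], _norm(rec["qname"]))].append((rec["ts"], set(rec["answers"])))
    return idx


def find_sni_forgery(tls_log, dns_log, window=300):
    """Flag TLS flows whose SNI was not resolved by the same source to the flow's dst.

    window: seconds back from the flow during which a resolution counts (assumed TTL bound).
    Returns a list of (flow, reason) tuples.
    """
    idx = index_resolutions(dns_log)
    flagged = []
    for flow in tls_log:
        recent = [ans for ts, ans in idx.get((flow["src"], _norm(flow["sni"])), [])
                  if 0 <= flow["ts"] - ts <= window]
        if not recent:
            flagged.append((flow, "no DNS resolution of SNI from source in window"))
        elif not any(flow["dst"] in ans for ans in recent):
            flagged.append((flow, "destination IP never returned for SNI"))
    return flagged


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of one DNS label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_dns_exfil(dns_log, min_label_len=16, min_entropy=3.5):
    """Return qnames with at least one long, high-entropy label (encoded-data signature).

    Thresholds are illustrative; tune against your own baseline of legitimate names.
    """
    hits = []
    for rec in dns_log:
        qname = _norm(rec["qname"])
        for label in qname.split("."):
            if len(label) >= min_label_len and label_entropy(label) >= min_entropy:
                hits.append(qname)
                break
    return hits


if __name__ == "__main__":
    for flow, reason in find_sni_forgery(TLS_LOG, DNS_LOG):
        print(f"SNI check: {flow['src']} -> {flow['dst']} sni={flow['sni']}: {reason}")
    for qname in find_dns_exfil(DNS_LOG):
        print(f"DNS check: suspicious query name {qname}")
```

Two caveats a practitioner should keep in mind. Resolver query logs only see queries that reach the VPC resolver, so a host with a local cache, a hard-coded upstream, or DNS-over-HTTPS will produce false "no resolution" hits, and large CDNs legitimately return addresses that vary between lookups, so the destination-IP comparison needs the same source and a short window rather than a global name-to-IP table. Neither check helps once Encrypted Client Hello hides the SNI; at that point the firewall is back to matching on destination addresses.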
