AWS Security

AWS Security is a layered discipline — every workload sits behind a stack of identity, encryption, network, detection, and governance controls. This section covers the AWS-native services that implement those layers, the patterns that combine them effectively, and the operational practices that keep the layers from drifting apart over time.

1. AWS Security Layered Architecture

The diagram below shows the five layers that compose a defensible AWS account, ordered from the principal making the call down to the resource being protected. Findings flow back upward through the Detection layer, where Security Hub aggregates and EventBridge routes them to automated response.

┌──────────────────────────────────────────────────────────────────────────────┐
│                         IDENTITY LAYER                                       │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────────────────┐            │
│  │     IAM      │  │   Identity   │  │     STS / OIDC / SAML    │            │
│  │ Users, Roles │  │   Center     │  │   Federation, AssumeRole │            │
│  └──────────────┘  └──────────────┘  └──────────────────────────┘            │
└──────────────────────────────────────────────────────────────────────────────┘
                                       │
                                       ▼
┌──────────────────────────────────────────────────────────────────────────────┐
│                      DATA PROTECTION LAYER                                   │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────────────────┐            │
│  │     KMS      │  │   Secrets    │  │          Macie           │            │
│  │ Encrypt Keys │  │   Manager    │  │   PII / S3 Discovery     │            │
│  └──────────────┘  └──────────────┘  └──────────────────────────┘            │
└──────────────────────────────────────────────────────────────────────────────┘
                                       │
                                       ▼
┌──────────────────────────────────────────────────────────────────────────────┐
│                          NETWORK LAYER                                       │
│ ┌──────────────┐  ┌──────────────┐  ┌────────────┐  ┌────────────┐           │
│ │   VPC SG     │  │     NACL     │  │   Shield   │  │    WAF     │           │
│ │  (stateful)  │  │ (stateless)  │  │ DDoS Guard │  │  L7 Rules  │           │
│ └──────────────┘  └──────────────┘  └────────────┘  └────────────┘           │
└──────────────────────────────────────────────────────────────────────────────┘
                                       │
                                       ▼
┌──────────────────────────────────────────────────────────────────────────────┐
│                         DETECTION LAYER                                      │
│ ┌──────────┐ ┌────────┐ ┌──────────┐ ┌──────────┐ ┌──────────────┐           │
│ │CloudTrail│ │ Config │ │GuardDuty │ │Inspector │ │ Security Hub │           │
│ │ API Logs │ │ State  │ │  Threat  │ │   CVE    │ │  Aggregator  │           │
│ └──────────┘ └────────┘ └──────────┘ └──────────┘ └──────────────┘           │
└──────────────────────────────────────────────────────────────────────────────┘
                                       │
                                       ▼
┌──────────────────────────────────────────────────────────────────────────────┐
│                        GOVERNANCE LAYER                                      │
│  ┌──────────────────┐  ┌──────────────────┐  ┌──────────────────┐            │
│  │  Lake Formation  │  │   Organizations  │  │ Firewall Manager │            │
│  │   Data Access    │  │    SCPs / OUs    │  │  Cross-Account   │            │
│  └──────────────────┘  └──────────────────┘  └──────────────────┘            │
└──────────────────────────────────────────────────────────────────────────────┘

2. Identity & Access

• IAM — Identity & Access Management: Foundational service for users, groups, roles, policies, and STS short-lived credentials. The policy decision point for almost every AWS API call.

3. Data Protection

• KMS — Key Management Service: Centralized creation, rotation, and audit of symmetric and asymmetric encryption keys backed by FIPS 140-2 HSMs.
• AWS Secrets Manager: Secret storage with automatic rotation for RDS, Redshift, and custom Lambda rotators — KMS-encrypted at rest.
• Amazon Macie: ML-driven discovery of sensitive data (PII, PHI, credentials, financial) inside S3 buckets, with severity-graded findings.

4. Network Security

• VPC Security Groups & NACLs: Stateful (SG) and stateless (NACL) packet filters that form the layered perimeter for VPC workloads, plus VPC endpoints and PrivateLink for keeping traffic off the public internet.
• AWS Shield & WAF: Edge DDoS protection (Shield) and L7 web application firewall (WAF) deployed in front of CloudFront, ALB, API Gateway, and AppSync.

5. Detection & Response

• AWS CloudTrail: Immutable record of every authorized API call across the account — the canonical "who did what, when" log.
• AWS Config & Inspector: Config records resource state and rule compliance over time; Inspector scans EC2, ECR images, and Lambda functions for CVEs and exposure.
• Amazon GuardDuty: Continuous threat detection across VPC Flow Logs, DNS, CloudTrail, EKS audit logs, S3 data events, and RDS login activity, fused with managed threat intelligence.
• AWS Security Hub: Central aggregator that normalises findings from GuardDuty, Inspector, Macie, Config, and third-party tools into the AWS Security Finding Format (ASFF) and runs CIS / PCI-DSS / NIST standard checks.

↑ Back to Top