AWS Security Reference Architecture: A guide to designing with AWS security services

2021-06-30 Avik Mukherjee

Post Syndicated from Avik Mukherjee original https://aws.amazon.com/blogs/security/aws-security-reference-architecture-a-guide-to-designing-with-aws-security-services/

Amazon Web Services (AWS) is happy to announce the publication of the AWS Security Reference Architecture (AWS SRA). This is a comprehensive set of examples, guides, and design considerations that you can use to deploy the full complement of AWS security services in a multi-account environment that you manage through AWS Organizations. The architecture and accompanying recommendations are based on our experience here at AWS with enterprise customers. The AWS SRA is built around a single-page architecture that depicts a simple three-tier web architecture, and shows you how the AWS security services help you achieve security objectives; where they are best deployed and managed in your AWS accounts; and how they interact with other security services. The guidance aligns to AWS security foundations, including the AWS Cloud Adoption Framework (AWS CAF), AWS Well-Architected, and the AWS Shared Responsibility Model.

Security executives, architects, and engineers can use the AWS SRA to gain an understanding of AWS security services and features, by seeing a more detailed explanation of the organization of the functional accounts within the architecture and the individual services within individual AWS accounts. The document and accompanying code repository can be used in two ways. First, you can use the AWS SRA as a practical guide to deploying AWS security services—beginning with foundational security guidance, discussing each service and its role in the architecture, and ending with a discussion of implementable code examples. Alternatively, the AWS SRA can serve as a starting point for defining a security architecture for your own multi-account environment. It’s designed to prompt you to consider your own security decisions. For example, you can think about how to use virtual private cloud (VPC) endpoints as a layer of security control, or consider which controls are managed in the application account and how appropriate information can flow to the central security team.

The reference document is accompanied by a GitHub code repository that provides examples of how to deploy the services. The examples use common deployment platforms like Customizations for AWS Control Tower, AWS CloudFormation StackSets, and the AWS Landing Zone solution. All the example solutions are deployed with the recommended configurations and are deliberately very restrictive in order to demonstrate patterns in the AWS SRA guidance. AWS will continue to add additional example solutions for new and existing services on a regular basis.

The AWS SRA document and code repository are living artifacts and will be updated periodically, driven by new service and feature releases, customer feedback, and emerging best practices.

Preview

Here’s the core architecture diagram from the guide: the AWS SRA in its simplest form. The architecture is purposefully modular and provides a high-level abstracted view that represents a generic web application. The AWS organization and account structure follows the latest AWS guidance for using multiple AWS accounts.

Figure 1: The AWS Security Reference Architecture

How to use the AWS SRA

The AWS SRA guidance can be used as either a narrative or a reference. The topics are organized as a story, so you can read them from the beginning (foundational security guidance) to the end (discussion of implementable code examples). Alternatively, you can navigate the document to focus on the security principles, services, account types, guidance, and examples that are most relevant to your needs.

The AWS SRA documentation has five primary sections that guide you from AWS security fundamentals to the deployment of code examples:

  • Security foundations – Reviews the AWS CAF, the AWS Well-Architected Framework, and the AWS Shared Responsibility Model and highlights elements that are especially relevant to the AWS SRA.
  • AWS Organizations and account strategy – Introduces the AWS Organizations service, discusses its foundational security capabilities and guardrails, and gives an overview of our recommended multi-account strategy.
  • The AWS Security Reference Architecture – A single-page architecture diagram that shows all AWS security services and features, including a detailed explanation of the functional accounts and the individual services within each account.
  • IAM resources – Presents a summary and set of pointers for important AWS Identity and Access Management (IAM) recommendations.
  • Code repository for the AWS SRA examples – Provides an overview of the associated public GitHub repo that contains example AWS CloudFormation templates and code for deploying some of the patterns discussed in the AWS SRA.

The AWS SRA provides a Design Considerations section for each element, which discusses optional features or configurations that might have important security implications or capture common variations in how you implement that element—typically as a result of alternate requirements or constraints.

When to use the AWS SRA

You can refer to the AWS SRA at various stages of your migration to the AWS Cloud. During the initial phase, you can use this document to architect your own multi-account AWS environment and weave in the various security services that AWS has to offer. If you’ve been using AWS for some time, you can use the AWS SRA to evaluate your current architecture and make adjustments to improve your security posture by using the full potential of various AWS security services. If you’re in a mature stage of AWS Cloud adoption, you can use the AWS SRA to independently validate your security architecture against AWS recommended architecture.

Next steps

You can’t host your workloads on paper, so the next step is to get started building out the reference architecture. You can consume the architecture and the associated code examples and combine these with your organization’s best practices, in order to start building your production-grade architecture. If you need assistance, you can reach out to AWS Professional Services, your AWS account team, or the AWS Partner Network, who can work with you to translate the reference architecture into a customized AWS environment that you can then operate.

If you have feedback about this post, submit comments in the Comments section below. If you need assistance with architecting or implementing a secure AWS environment, reach out to AWS Professional Services.

Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.

Author

Avik Mukherjee

Avik is a Security Architect with more than a decade of experience in IT governance, security, risk, and compliance. He has deep knowledge of security advisory and assessment work in various industries, including retail, financial, and technology. He’s part of the AWS professional services teams that work with clients to assist them in their journey to transform the security posture of their resources running on AWS. He loves spending time with his family and working on his culinary skills.
