Update of AWS Security Reference Architecture is now available

2022-08-03 Balu Mathew

Post Syndicated from Balu Mathew original https://aws.amazon.com/blogs/security/update-of-aws-security-reference-architecture-is-now-available/

We’re happy to announce that an updated version of the AWS Security Reference Architecture (AWS SRA) is now available. The AWS SRA is a holistic set of guidelines for deploying the full complement of AWS security services in a multi-account environment. You can use it to help your organization to design, implement, and manage AWS security services so that they align with AWS best practices. The guidance is deeply informed by our collective experiences with AWS enterprise customers.

The AWS SRA update includes seven additional services and features, as well as updated guidance on all services in the AWS SRA with a special focus on service integrations. The AWS SRA update also includes new content about how your organization can use the AWS SRA to design, review, and assess your security architecture. We made these updates based on direct customer feedback, our experience helping customers use the AWS SRA, and new AWS service and feature releases.

At the core of the AWS SRA documentation is the AWS Security Reference Architecture, a one-page architecture diagram that includes all the security services in a multi-account environment, as shown in Figure 1.

Figure 1: AWS SRA one-page architecture diagram

In the AWS SRA, you’ll find additional documentation about the AWS SRA architecture diagram that dives deep into account structure, the reasoning behind why a specific security service is deployed in a particular account, and how the security services connect and relate to each other.

Update highlights

Based on direct customer feedback, new service and feature releases, and our experience helping customers use the AWS SRA, we’ve included the following changes in the AWS SRA update:

  • Expanded the AWS services in the AWS SRA to include AWS Artifact, Amazon Inspector, AWS Resource Access Manager (AWS RAM), Amazon Route 53 Resolver DNS Firewall, AWS Control Tower, AWS Audit Manager, and Amazon Virtual Private Cloud (Amazon VPC) Network Access Analyzer.
  • Updated the guidance for AWS services such as AWS Security Hub, AWS IAM Identity Center (successor to AWS Single Sign-On), AWS Config, Amazon Detective, and AWS Certificate Manager.
  • Updated the guidance about using the AWS SRA to design your security architecture. This includes topics such as applying security services across AWS Organizations, balancing distributed and centralized security service guardrails, and using a delegated administrator for AWS security services.

In addition to the architecture diagram and documented guidance, the AWS SRA code repository is regularly updated and has evolved considerably since its initial release. Highlights of the repository include a Quick Setup that uses a centralized AWS CloudFormation template, simplified deployment of the example solutions using nested stacks, updated documentation with diagrams and templates for all solutions, AWS Config management account solution, a Security Hub organization solution, an account alternate contacts solution, and more.

Getting started with the AWS SRA

There are different ways to use the AWS SRA, depending on where you are in your cloud adoption journey. The following are some recommendations to help you get the most value out of the AWS SRA:

  • Define the target state of your security architecture.
  • Review the designs and capabilities that you've already put in place.
  • Bootstrap the implementation of your security architecture.
  • Learn more about AWS security services and features.
  • Start a discussion about organizational governance and responsibilities for security.

For more information and to get started, see the updated AWS Security Reference Architecture (AWS SRA) documentation. For example solutions that demonstrate how to implement patterns within the AWS Security Reference Architecture guide, see the aws-security-reference-architecture-examples GitHub repository.

We greatly value feedback and contributions from our community. To share your thoughts and insights about the AWS SRA guide, your experience using it, and what you want to see in future versions of the AWS SRA, complete the AWS Prescriptive Guidance feedback form online. If you have feedback about the example code in the GitHub repository, open a GitHub Issue.

If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.

Want more AWS Security news? Follow us on Twitter.

Balu Mathew

Balu Mathew is a Senior Security Consultant with expertise in DevOps, AppSec and Data Protection. His mission is to help customers understand solution best practices that can reduce the time and resources required for improving their company’s security and compliance outcomes.