
Chapter 23 of 26

Security Pillar in Practice: Hardening Architectures Against Common Threats

Beyond individual services, the exam expects you to think in terms of holistic security posture. This module applies the Security pillar of the AWS Well-Architected Framework to harden end-to-end designs.


From Pillar to Practice: What the Security Pillar Really Asks You To Do

Why This Pillar Matters

You need to move from knowing security buzzwords to being able to evaluate and harden AWS architectures the way the exam expects.

Canonical Definitions

The AWS Well-Architected Framework and the Security pillar have fixed definitions you must memorize; they anchor how AWS thinks about security.

Security Pillar Focus Areas

Today the Security pillar emphasizes identity foundations, traceability, security at every layer, automation, data protection, and preparation for security events.

Exam Mindset

In questions, you spot gaps in a scenario and choose options that move the design closer to Security pillar best practices.

Key Mental Question

Always ask: If an incident happened tomorrow, how easily could we detect, contain, and recover from it with this architecture?

Shared Responsibility and Threat Surfaces: What You Secure vs What AWS Secures

Know Who Does What

You cannot harden an architecture unless you know which parts are your job vs AWS’s job. That is the shared responsibility model.

Security of vs in the Cloud

AWS secures the cloud (data centers, hardware, managed internals). You secure in the cloud (identities, configs, data, logging).

Your Responsibilities

You own IAM, VPC design, encryption choices, logging setup, and application security on EC2 and containers.

Common Exam Traps

Watch for answers that assume AWS patches your app, encrypts everything with your keys, or monitors your logs automatically.

Fast Ownership Heuristic

If it is infrastructure operation, think AWS. If it is configuration, identity, or data, think customer responsibility.

Defense in Depth: Identity, Network, and Data Layers Working Together

What is Defense in Depth?

Defense in depth means layering multiple independent controls so that if one fails, others still protect your workload.

Identity Layer

Use IAM roles, policies, Organizations SCPs, and resource-based policies to enforce who can call which APIs and on which resources.

Network Layer

Design VPCs, subnets, security groups, NACLs, WAF, and VPC endpoints to control where traffic can flow from and to.

Data and Application Layer

Encrypt data at rest and in transit, validate input, and store secrets securely with Secrets Manager or Parameter Store.

Exam Design Signal

Strong answer choices usually add or strengthen layers instead of relying on a single control like just a security group.

Worked Example: Hardening a Basic 3-Tier Web App

Baseline Insecure Design

Imagine a 3-tier app where the ALB, EC2 instances, and RDS database all sit in a public subnet, with no IAM roles, hard-coded DB credentials, and minimal logging.

Network Hardening

Split into public and private subnets. Place EC2 and RDS in private subnets. Use security groups so only ALB can reach EC2 and only EC2 can reach RDS.

Identity Hardening

Attach IAM roles to EC2 with least privilege. Store DB passwords in Secrets Manager instead of hard-coding credentials.

Data Protection

Enable KMS-based encryption for RDS, EBS, and S3. Use ACM certificates and ALB to enforce HTTPS for all client traffic.

Monitoring and Detection

Enable CloudTrail, ALB access logs, and CloudWatch alarms so you can detect anomalies and investigate incidents.

Identity Foundations: IAM Patterns That Show Up on the Exam

Roles Over Keys

For apps on EC2, ECS, or Lambda, use IAM roles instead of long-lived access keys baked into code or images.

Least Privilege

Grant only the actions and resources required. Policies with Action or Resource set to * are usually a red flag on the exam.

Multi-Account Guardrails

Use AWS Organizations and SCPs to separate environments and prevent risky actions like disabling CloudTrail across accounts.

Resource vs Identity Policies

Identity-based policies attach to users or roles; resource-based policies attach to S3, KMS, SQS, etc., and are great for cross-account access.

Protect the Root User

Do not use the root user for daily work. Enable MFA and store root credentials securely as a break-glass option.

Network Hardening: VPC, Security Groups, NACLs, and Edge Protections

Public vs Private Subnets

Put ALBs and NAT Gateways in public subnets; keep app servers and databases in private subnets with no direct internet route.

Security Groups Basics

Security groups are stateful firewalls attached to ENIs. Allow only required ports and reference other SGs instead of IPs when possible.
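The check below is an added example, not part of the original chapter. It tests the rule from the 3-tier worked example (only the ALB reaches EC2, only EC2 reaches RDS) and the advice to reference security groups instead of IPs, against data in the shape returned by EC2 DescribeSecurityGroups. The group IDs, ports and tier mapping are constructed, and the check is deliberately strict: any CIDR source on a private tier is reported.

```python
# Constructed sample in the shape returned by EC2 DescribeSecurityGroups.
# Group IDs, ports and the tier mapping are assumptions made for this example.
TIERS = {"alb": "sg-alb", "app": "sg-app", "db": "sg-db"}
ALLOWED_SOURCE = {"app": "alb", "db": "app"}   # tier -> the only tier allowed to reach it

SAMPLE_GROUPS = [
    {"GroupId": "sg-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-alb"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-alb"}]}]},
]


def check_tier_chain(groups, tiers=TIERS, allowed=ALLOWED_SOURCE):
    """Return violations where a private tier accepts traffic from anything
    other than the security group of the tier directly in front of it."""
    by_id = {g["GroupId"]: g for g in groups}
    violations = []
    for tier, source_tier in allowed.items():
        expected = tiers[source_tier]
        for perm in by_id[tiers[tier]].get("IpPermissions", []):
            port = perm.get("FromPort", "all")   # FromPort is absent for all-traffic rules
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                violations.append(f"{tier}: port {port} open to CIDR {cidr}")
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] != expected:
                    violations.append(
                        f"{tier}: port {port} open to {pair['GroupId']}, "
                        f"expected {expected}")
    return violations
```

On the sample, the ALB's internet-facing 443 rule is accepted because the ALB is the public tier, while the SSH rule on the app tier and the ALB-to-database rule are both reported.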

Network ACLs Role

NACLs are stateless and apply at subnet level. Many designs keep them simple and rely on SGs for detailed filtering.

Edge Protections

Use AWS WAF for HTTP-layer threats and rely on AWS Shield Standard for baseline DDoS protection on supported endpoints.

Private Connectivity

VPC endpoints let your workloads reach services like S3 and DynamoDB over the AWS network instead of the public internet.

Data Protection and Encryption: KMS, Keys, and Common Patterns

Encrypting at Rest

Services like S3, EBS, RDS, and DynamoDB support encryption at rest, often with AWS KMS for key management.

Encrypting in Transit

Use TLS/HTTPS for clients and internal services. ACM simplifies certificate provisioning for ALB and API Gateway.

KMS Key Types

AWS managed keys are simple defaults; customer managed keys give you control over rotation, policies, and cross-account use.

Compliance-Driven Choices

If a scenario mentions strict compliance or key control, choose designs using customer managed KMS keys and auditing via CloudTrail.

Default Stance

On a hardened architecture, assume encryption is enabled by default unless there is a strong reason not to.

Monitoring and Detection: CloudTrail, CloudWatch, and AWS Config in Designs

Traceability Matters

You must be able to answer who did what, where, and when. That is why CloudTrail, CloudWatch, and AWS Config are central.

CloudTrail Basics

CloudTrail records API and console activity. Enable it across all Regions and store logs in a secure, centralized S3 bucket.
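To show what "who did what, where, and when" looks like in practice, here is an added example (not from the original chapter) that triages CloudTrail-style records for one role. The role ARN, account ID, expected-API baseline, primary Region and sample records are all constructed. The out-of-Region record in the sample would only exist if the trail covered all Regions.

```python
# Constructed CloudTrail-style records. The role ARN, account ID, expected-API
# baseline and primary Region are assumptions made for this example.
GLUE_ROLE = "arn:aws:iam::111122223333:role/glue-etl"
PRIMARY_REGION = "us-east-1"
EXPECTED = {("s3.amazonaws.com", "GetObject"), ("s3.amazonaws.com", "PutObject"),
            ("glue.amazonaws.com", "GetTable")}
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def _rec(name, source, region=PRIMARY_REGION, error=None):
    """Build a minimal record with the CloudTrail fields the triage reads."""
    rec = {"eventName": name, "eventSource": source, "awsRegion": region,
           "userIdentity": {"type": "AssumedRole", "sessionContext": {
               "sessionIssuer": {"arn": GLUE_ROLE}}}}
    if error:
        rec["errorCode"] = error
    return rec


SAMPLE_EVENTS = [
    _rec("GetObject", "s3.amazonaws.com"),
    _rec("GetTable", "glue.amazonaws.com"),
    _rec("ListUsers", "iam.amazonaws.com", error="AccessDenied"),
    _rec("ListRoles", "iam.amazonaws.com", error="AccessDenied"),
    _rec("RunInstances", "ec2.amazonaws.com", region="ap-southeast-2"),
    _rec("StopLogging", "cloudtrail.amazonaws.com"),
]


def triage(events, role_arn=GLUE_ROLE, denied_threshold=2):
    """Return alerts for API calls made with sessions issued from role_arn."""
    alerts, denied = [], 0
    for ev in events:
        issuer = (ev.get("userIdentity", {}).get("sessionContext", {})
                  .get("sessionIssuer", {}).get("arn"))
        if issuer != role_arn:
            continue
        name, source, region = ev["eventName"], ev["eventSource"], ev["awsRegion"]
        if name in TRAIL_TAMPERING:
            alerts.append(f"trail tampering: {name}")
        elif (source, name) not in EXPECTED:
            alerts.append(f"unexpected API: {source}:{name}")
        if region != PRIMARY_REGION:
            alerts.append(f"outside primary Region: {name} in {region}")
        if ev.get("errorCode") == "AccessDenied":
            denied += 1
    if denied >= denied_threshold:
        alerts.append(f"{denied} AccessDenied errors from the role")
    return alerts
```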

CloudWatch for Signals

CloudWatch collects metrics and logs, and alarms notify you or trigger automation when something looks wrong.

AWS Config for Compliance

AWS Config tracks configuration changes and can enforce rules like requiring encryption or blocking public S3 buckets.

Exam Design Clues

Prefer answers that enable organization-wide CloudTrail, central logging, alarms, and Config rules over ad-hoc manual checks.

Incident Response at the Architecture Level: Designing for Containment and Recovery

Prepare for Security Events

Security design assumes incidents will happen and focuses on making them visible, containable, and recoverable.

Visibility for Investigation

Enable CloudTrail, app logs, and VPC Flow Logs so you can reconstruct what happened during an incident.

Containment Tools

Use security groups, NACLs, and immutable infrastructure so you can quickly quarantine or replace compromised resources.

Automated Response

CloudWatch and EventBridge can trigger Lambda to disable credentials, quarantine instances, or snapshot volumes automatically.

Recovery Planning

Backups, snapshots, and tested restores let you safely rebuild after an incident with minimal data loss.

Thought Exercise: Spot the Weakest Link

Work through this scenario and decide which control you would add first.

Scenario:

You are reviewing a data analytics workload:

  • Data is ingested via Kinesis Data Streams from on-prem systems.
  • Raw data is stored in an S3 bucket.
  • AWS Glue jobs transform data and write it into another S3 bucket.
  • Athena queries the transformed data.
  • IAM roles are used for Glue and Athena.
  • The S3 buckets are encrypted with SSE-S3.
  • CloudTrail is enabled only in the primary Region. Logs are stored in the same account as the workload.
  • There are no AWS Config rules.

Questions to think about (no single "right" answer, but some are stronger):

  1. If an attacker obtained the Glue role credentials, what could they do? How would you detect it?
  2. Which single architectural change would most improve your ability to detect and respond to misuse?
     • A. Switch S3 to SSE-KMS with customer managed keys.
     • B. Enable AWS Config rules to detect public S3 buckets and unencrypted resources.
     • C. Centralize CloudTrail logs in a dedicated security account and enable in all Regions.
     • D. Add MFA for Athena users.

Reflect:

  • Which option best aligns with traceability and incident response?
  • Which option reduces blast radius if the workload account is compromised?

Think it through before checking the quiz in the next steps; this is how exam scenario reasoning feels.

Quiz 1: Defense in Depth and Shared Responsibility

Test your understanding of core Security pillar ideas.

Which option best demonstrates defense in depth for an internet-facing web application on AWS?

  • A. Place the application servers in a public subnet and rely on security groups to allow only ports 80 and 443.
  • B. Use an ALB in a public subnet, place application servers in private subnets, restrict security groups by source, enable WAF on the ALB, and store secrets in AWS Secrets Manager.
  • C. Put the database in a public subnet with a strong password and enable encryption at rest.
  • D. Use IAM roles for EC2 instances and allow all inbound traffic to the instances' security group for flexibility.

Answer: B. Use an ALB in a public subnet, place application servers in private subnets, restrict security groups by source, enable WAF on the ALB, and store secrets in AWS Secrets Manager.

Option B layers multiple controls: ALB in a public subnet, app servers in private subnets, tightly scoped security groups, WAF for HTTP-layer protection, and Secrets Manager for credential storage. This is a classic defense-in-depth pattern. A relies only on SGs and public instances. C exposes the database directly to the internet. D uses roles but leaves the network wide open.

Quiz 2: Monitoring, Detection, and the Thought Exercise

Apply Security pillar thinking to the analytics scenario.

In the analytics scenario from the thought exercise, which change most improves your ability to detect and respond to misuse of the Glue role while aligning with the Security pillar?

  • A. Switch S3 encryption from SSE-S3 to SSE-KMS with customer managed keys.
  • B. Enable AWS Config rules to detect public S3 buckets and unencrypted resources.
  • C. Centralize CloudTrail logs in a dedicated security account and enable CloudTrail in all Regions.
  • D. Require MFA for all Athena users.

Answer: C. Centralize CloudTrail logs in a dedicated security account and enable CloudTrail in all Regions.

Option C directly targets traceability and blast-radius reduction: organization-wide CloudTrail and centralized logging in a separate security account make it harder for an attacker to tamper with logs and easier for security teams to detect suspicious API calls by the Glue role. A and B are valuable but focus more on data protection and configuration compliance than on detection and response. D is good practice but does not address the main risk of role misuse by automated services.

Key Term Review: Security Pillar Essentials

Use these flashcards to reinforce core definitions and patterns you need for the exam.

AWS Well-Architected Framework
The AWS Well-Architected Framework provides a consistent set of best practices for customers and partners to evaluate architectures, and a set of questions you can use to evaluate how well an architecture is aligned to AWS best practices.
Security pillar
The security pillar describes how to take advantage of cloud technologies to protect data, systems, and assets in a way that can improve your security posture.
Shared responsibility model
The AWS shared responsibility model describes how AWS is responsible for security of the cloud, while customers are responsible for security in the cloud, including the configuration of their services and data.
Defense in depth (AWS context)
A security strategy that layers controls across identity (IAM, SCPs), network (VPC, security groups, WAF), and data/application (encryption, secrets management) so that if one control fails, others still protect the workload.
CloudTrail primary purpose
To record API calls and console actions across your AWS accounts, providing an audit trail for security analysis, compliance, and incident response.
CloudWatch primary purpose
To collect and visualize metrics and logs from AWS services and applications, and to trigger alarms or automated actions when thresholds or patterns are detected.
AWS Config primary purpose
To record configuration changes of supported AWS resources and evaluate them against desired configurations using rules, supporting continuous compliance and drift detection.
Public vs private subnet (exam shorthand)
A public subnet has a route to an Internet Gateway and can host internet-facing resources (e.g., ALB). A private subnet has no direct internet route and is used for internal resources like app servers and databases.
When to choose customer managed KMS keys
When you need fine-grained control over key policies, rotation, and cross-account access, or when compliance requires explicit ownership and auditability of encryption keys.
Immutable infrastructure (security angle)
A pattern where servers are not patched in place; instead, new instances are created from a known-good image and old ones are terminated, making it easier to recover from compromise by redeploying.

Key Terms

AWS Config
Service that records configuration changes and evaluates resources against rules for continuous compliance.
CloudTrail
AWS service that logs API calls and console actions for auditing, compliance, and incident response.
CloudWatch
AWS monitoring service for metrics, logs, and alarms that helps detect and respond to operational and security events.
Security group
A stateful virtual firewall for EC2 instances and other resources, controlling inbound and outbound traffic at the ENI level.
Security pillar
Describes how to use cloud technologies to protect data, systems, and assets in a way that can improve your security posture.
Defense in depth
A layered security approach across identity, network, and data/application so that multiple independent controls protect the workload.
Network ACL (NACL)
A stateless network filter applied at the subnet level, controlling inbound and outbound traffic based on rules.
Shared responsibility model
Clarifies that AWS secures the cloud infrastructure, while customers secure configurations, identities, and data in the cloud.
AWS Well-Architected Framework
Provides a consistent set of best practices and questions to evaluate how well an architecture is aligned to AWS best practices.
KMS (AWS Key Management Service)
Managed service that lets you create and control cryptographic keys used to encrypt data across AWS services.
