AWS Security Reference Architecture Diagrams

The document describes an AWS Security Reference Architecture that includes organizing accounts by organizational units (OUs) such as Infrastructure, Security, and Workloads. Key accounts are described for organizational management, security tooling, log archives, and networking with roles and services allocated across accounts for security monitoring, logging, and network management.


AWS Security Reference Architecture

‒ Diagram reference ‒

For the architecture description and usage, refer to the AWS Security Reference Architecture.

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
‒ Consolidated main diagram ‒

Diagram: Consolidated main diagram, showing the Organization with its three OUs: OU – Infrastructure, OU – Security, and OU – Workloads.
‒ OU and dedicated account structure ‒

Diagram: OU and dedicated account structure, showing the Organization with its OUs and dedicated accounts:
• Org Management account
• OU – Infrastructure: Network account, Shared Services account
• OU – Security: Security Tooling account, Log Archive account
• OU – Workloads: Application account
‒ Individual accounts ‒
Org Management account

Diagram: Org Management account, with roles and permissions and the following services: AWS CloudTrail (organization trail), AWS Systems Manager, AWS Artifact, IAM access advisor, AWS Control Tower, AWS IAM Identity Center, AWS Security Hub, Amazon GuardDuty, AWS Config, AWS IAM Access Analyzer.
Security Tooling account (OU – Security)

Diagram: Security Tooling account, with roles and permissions and the following services: Organization trail, AWS Private CA, Amazon Inspector, AWS Artifact, AWS Audit Manager, AWS Config aggregator, Amazon EventBridge, Amazon GuardDuty, AWS Security Hub, AWS Firewall Manager, AWS Lambda (response), AWS IAM Access Analyzer, Amazon Macie, Amazon Detective, AWS KMS.
Log Archive account (OU – Security)

Diagram: Log Archive account, with roles and permissions. Central logs received from the organization: CloudTrail organization trail, Access logs, DNS logs, Flow logs. Services: AWS Security Hub, Amazon GuardDuty, Amazon Macie, AWS Config, AWS IAM Access Analyzer, Organization trail.
Network account (OU – Infrastructure)

Diagram: Network account, with roles and permissions, emitting DNS logs and Access logs. Edge services: Amazon Route 53, Amazon CloudFront.
• Inbound VPC (might include: NAT gateway, Internet gateway): AWS Shield Advanced, AWS WAF; Flow logs
• Outbound VPC (might include: NAT gateway, Internet gateway, Proxy servers): AWS Certificate Manager, AWS Resource Access Manager, Resolver DNS firewall, Network access analyzer; Flow logs
• Inspection VPC (might include: IDS/IPS): Firewall subnet with AWS Network Firewall
Account-wide services: Amazon GuardDuty, AWS Security Hub, AWS Config, AWS IAM Access Analyzer, Organization trail.
Shared Services account (OU – Infrastructure)

Diagram: Shared Services account, with roles and permissions and the following services: AWS IAM Identity Center (delegated), AWS Systems Manager, AWS Directory Service, AWS Managed Microsoft AD, AWS Security Hub, Amazon GuardDuty, Amazon Macie, AWS Config, AWS IAM Access Analyzer, Organization trail.
Application account (OU – Workloads)

Diagram: Application account, with roles and permissions. Account-wide services: AWS Security Hub, Amazon GuardDuty, AWS Config, Amazon Macie, AWS IAM Access Analyzer, Amazon Cognito, Organization trail. Data and key services: Amazon S3 data bucket, AWS Secrets Manager, AWS KMS, AWS Private CA, AWS CloudHSM.
• VPC: Application Load Balancer; Private subnet with EC2 instances (AWS Systems Manager Agent); Private subnet with Amazon Aurora; Flow logs
• VPC endpoints: KMS endpoint, Systems Manager endpoint, Amazon S3 endpoint
Resources
To get started with customizing your architecture diagram, refer to the following resources.

• For all service icons, refer to AWS Architecture Icons.
• For more strategies, guides, and patterns to help accelerate your cloud migration, modernization, and optimization projects, refer to AWS Prescriptive Guidance.
• For more architecture diagrams, refer to AWS Architecture Center.
