The AWS Security Reference Architecture

Influence the future of the AWS Security Reference Architecture (AWS SRA) by taking a short survey

The following diagram illustrates the AWS SRA. This architectural diagram brings together all the AWS security-related services. It is built around a simple, three-tier web architecture that can fit on a single page. In such a workload, there is a web tier through which users connect and interact with the application tier, which handles the actual business logic of the application: taking inputs from the user, doing some computation, and generating outputs. The application tier stores and retrieves information from the data tier. The architecture is purposefully modular and provides high-level abstraction for many modern web applications.

Notes

For simplicity, the following diagram shows the architecture at an intentionally high level and obscures the details of each account. To view the diagrams for individual accounts in more detail, see the separate sections for OUs and accounts.

To customize the reference architecture diagrams in this guide based on your business needs, you can download the following .zip file and extract its contents.

Download the diagram source file (Microsoft PowerPoint format)

AWS Security Reference Architecture diagram

For this reference architecture, the actual web application and data tier are deliberately represented as simply as possible, through Amazon Elastic Compute Cloud (Amazon EC2) instances and an Amazon Aurora database, respectively. Most architecture diagrams focus and dive deep on the web, application, and data tiers. For readability, they often omit the security controls. This diagram flips that emphasis to show security wherever possible, and keeps the application and data tiers as simple as necessary to show security features meaningfully.

The AWS SRA contains all AWS security-related services available at the time of publication. (See document history.) However, not every workload or environment, based on its unique threat exposure, has to deploy every security service. Our goal is to provide a reference for a range of options, including descriptions of how these services fit together architecturally, so that your business can make decisions that are most appropriate for your infrastructure, workload, and security needs, based on risk.

The following sections walk through each OU and account to understand its objectives and the individual AWS security services associated with it. For each element (typically an AWS service), this document provides the following information:

Brief overview of the element and its security purpose in the AWS SRA. For more detailed descriptions and technical information about individual services, see the appendix.
Recommended placement to most effectively enable and manage the service. This is captured in the individual architecture diagrams for each account and OU.
Configuration, management, and data sharing links to other security services. How does this service rely on, or support, other security services?
Design considerations. First, the document highlights optional features or configurations that have important security implications. Second, where our teams' experience includes common variations in the recommendations we make—typically as a result of alternate requirements or constraints—the document describes those options.

OUs and accounts

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Apply security services across your AWS organization

Org Management account