AWS Security Reference Architecture (AWS SRA) - AWS Prescriptive Guidance

AWS Security Reference Architecture (AWS SRA)

AWS Professional Services team

June 2021

The Amazon Web Services (AWS) Security Reference Architecture (AWS SRA) is a holistic set of guidelines for deploying the full complement of AWS security services in a multi-account environment. It can be used to help design, implement, and manage AWS security services so that they align with AWS best practices. The recommendations are built around a single-page architecture that includes AWS security services—how they help achieve security objectives, where they can be best deployed and managed in your AWS accounts, and how they interact with other security services. This overall architectural guidance complements detailed, service-specific recommendations such as those found on the AWS security website.

The architecture and accompanying recommendations are based on our collective experiences with AWS enterprise customers. This document is a reference—a comprehensive set of guidance for using AWS services to secure a particular environment—and the solution patterns in the AWS SRA code repository were designed for the specific architecture illustrated in this reference. Each enterprise has some unique requirements. As a result, the design of your AWS environment may differ from the examples provided here. You will need to modify and tailor these recommendations to suit your individual environment and security needs. Throughout the document, where appropriate, we suggest options for frequently seen alternative scenarios.

The AWS SRA is a living set of guidance and will be updated periodically based on new service and feature releases, customer feedback, and the constantly changing threat landscape. Each update will include the revision date and the associated change log.

Although we rely on a one-page diagram as our foundation, an architecture goes deeper than a single block diagram and must be built on a well-structured foundation of fundamentals and security principles. You can use this document in two ways: as a narrative or as a reference. The topics are organized as a story, so you can read them from the beginning (foundational security guidance) to the end (discussion of code samples you can implement). Alternatively, you can navigate the document to focus on the security principles, services, account types, guidance, and examples that are most relevant to your needs.

This document is divided into five sections and an appendix:

  • Security foundations reviews the AWS Cloud Adoption Framework (AWS CAF), the AWS Well-Architected Framework, and the AWS Shared Responsibility Model, and highlights elements that are especially relevant to the AWS SRA.

  • AWS Organizations, accounts, and IAM guardrails introduces the AWS Organizations service, discusses the foundational security capabilities and guardrails, and gives an overview of our recommended multi-account strategy.

  • The AWS Security Reference Architecture is a single-page architecture diagram that shows functional AWS accounts, and the security services and features that are generally available.

  • IAM resources presents a summary and set of pointers for AWS Identity and Access Management (IAM) guidance that are important to your security architecture.

  • Code repository for AWS SRA examples provides an overview of the associated public GitHub repository that contains example AWS CloudFormation templates and code for deploying some of the patterns discussed in the AWS SRA.

The appendix contains a list of the individual AWS security, identity, and compliance services, and provides links to more information about each service. The Document history section provides a change log for tracking versions of this document. You can also subscribe to an RSS feed for change notifications.