AWS Security Reference Architecture (AWS SRA) - AWS Prescriptive Guidance

AWS Security Reference Architecture (AWS SRA)

Global Services Security Team, Amazon Web Services (AWS)

June 2024 (document history)

Influence the future of the AWS Security Reference Architecture (AWS SRA) by taking a short survey.

The Amazon Web Services (AWS) Security Reference Architecture (AWS SRA) is a holistic set of guidelines for deploying the full complement of AWS security services in a multi-account environment. Use it to help design, implement, and manage AWS security services so that they align with AWS recommended practices. The recommendations are built around a single-page architecture that includes AWS security serviceshow they help achieve security objectives, where they can be best deployed and managed in your AWS accounts, and how they interact with other security services. This overall architectural guidance complements detailed, service-specific recommendations such as those found on the AWS Security Documentation website.

The architecture and accompanying recommendations are based on our collective experiences with AWS enterprise customers. This document is a reference—a comprehensive set of guidance for using AWS services to secure a particular environment—and the solution patterns in the AWS SRA code repository were designed for the specific architecture illustrated in this reference. Each customer will have different requirements. As a result, the design of your AWS environment might differ from the examples provided here. You will need to modify and tailor these recommendations to suit your individual environment and security needs. Throughout the document, where appropriate, we suggest options for frequently seen alternative scenarios. 

The AWS SRA is a living set of guidance and is updated periodically based on new service and feature releases, customer feedback, and the constantly changing threat landscape. Each update will include the revision date and the associated change log

Although we rely on a one-page diagram as our foundation, the architecture goes deeper than a single block diagram and must be built on a well-structured foundation of fundamentals and security principles. You can use this document in two ways: as a narrative or as a reference. The topics are organized as a story, so you can read them from the beginning (foundational security guidance) to the end (discussion of code samples you can implement). Alternatively, you can navigate the document to focus on the security principles, services, account types, guidance, and examples that are most relevant to your needs. 

This document is divided into the following sections and an appendix:

  • The value of the AWS SRA discusses the motivation for building the AWS SRA, describes how you can use it to help improve your security, and lists key takeaways.

  • Security foundations reviews the AWS Cloud Adoption Framework (AWS CAF), the AWS Well-Architected Framework, and the AWS Shared Responsibility Model, and highlights elements that are especially relevant to the AWS SRA.

  • AWS Organizations, accounts, and IAM guardrails introduces the AWS Organizations service, discusses the foundational security capabilities and guardrails, and gives an overview of our recommended multi-account strategy.

  • The AWS Security Reference Architecture is a single-page architecture diagram that shows functional AWS accounts, and the security services and features that are generally available.

  • Architecture deep dive discusses advanced architectural patterns based on specific security functionality that you might want to focus on after you build your baseline security architecture.

  • AI/ML for security describes how different AWS services use artificial intelligence and machine learning (AI/ML) in the background to help you achieve specific security objectives. You can include these AWS services in your design to take advantage of advanced security features.

  • Building your security architecture – A phased approach provides guidance on how you can build your own security architecture in six iterative phases, based on the reference provided by the AWS SRA.

  • IAM resources presents a summary and set of pointers for AWS Identity and Access Management (IAM) guidance that are important to your security architecture.

  • Code repository for AWS SRA examples provides an overview of the associated GitHub repository that will help developers and engineers deploy some of the guidance and architecture patterns presented in this document. You can deploy the samples by using AWS CloudFormation or Terraform by HashiCorp. They support both AWS Control Tower and non‒AWS Control Tower environments.

  • AWS Privacy Reference Architecture (AWS PRA) introduces an additional security reference architecture that is built on the AWS SRA to support privacy compliance requirements.

The appendix contains a list of the individual AWS security, identity, and compliance services, and provides links to more information about each service. The Document history section provides a change log for tracking versions of this document. You can also subscribe to an RSS feed for change notifications.


To customize the reference architecture diagrams in this guide based on your business needs, you can download the following .zip file and extract its contents.

Download the diagram source file (Microsoft PowerPoint format)