AWS Well-Architected design considerations - Security Insights on AWS

AWS Well-Architected design considerations

This solution uses the best practices from the AWS Well-Architected Framework, which helps customers design and operate reliable, secure, efficient, and cost-effective workloads in the cloud.

This section describes how the design principles and best practices of the Well-Architected Framework benefit this solution.

Operational excellence

This section describes how we architected this solution using the principles and best practices of the operational excellence pillar.

  1. The Lambda functions in the solution store the processing logs in the CloudWatch Logs. You can use these logs to debug and troubleshoot any errors.

  2. The solution also sends Amazon SNS notifications for Athena query run failures.

Security

This section describes how we architected this solution using the principles and best practices of the security pillar.

  1. All roles used by the solution follow least-privilege access. The solution uses roles with only the necessary permissions to:

    • Limit the actions that can be performed

    • Restrict the actions to only the resources provisioned by the solution

  2. The solution configures the S3 bucket created with server-side encryption with Amazon S3 managed keys (SSE-S3) and Block Public Access enabled.

  3. The solution configures the Amazon SNS topic with encryption enabled.

  4. The Athena workgroup provisioned by the solution has a security setting enabled to validate the account owner when making requests to the S3 bucket.

  5. The solution provisions QuickSight user groups, which provide a way to restrict and manage access to the QuickSight analysis and dashboard.

Reliability

This section describes how we architected this solution using the principles and best practices of the reliability pillar.

  1. The solution deploys a serverless architecture with Lambda functions for compute. Each Lambda function performs one independent function.

  2. Every data source has its own Systems Manager parameters used to enable or disable data sources.

  3. The solution creates an S3 bucket to store Athena results, providing high availability.

Performance efficiency

This section describes how we architected this solution using the principles and best practices of the performance efficiency pillar.

  1. The solution runs Athena queries on Security Lake data, which is partitioned and compressed using Parquet columnar format.

  2. You can configure the duration for insights, which reduces the data scanned by the Athena queries.

  3. You can configure the refresh cycles for the data sources to reduce the number of times the Athena queries are run.

Cost optimization

This section describes how we architected this solution using the principles and best practices of the cost optimization pillar.

  1. The solution uses serverless architecture, and you pay only for what you use.

  2. The solution helps you save costs by providing option to choose which data sources you want to use for the QuickSight analysis.

  3. The solution uses a lifecycle policy for the S3 bucket to delete objects after a year to help reduce the storage cost.

Sustainability

This section describes how we architected this solution using the principles and best practices of the sustainability pillar.

The solution uses serverless architecture to minimize the environmental impact of the backend services. This design helps reduce the carbon footprint compared to the footprint of continually operating on-premises servers.