Cloud Security Architecture

Security is non-negotiable in cloud architecture. Interviewers assess your ability to design secure systems while maintaining usability and performance.

Shared Responsibility Model

Understanding who secures what is fundamental.

AWS Shared Responsibility

AWS Responsibility	Customer Responsibility
Physical security	IAM policies
Network infrastructure	Security groups/NACLs
Hypervisor	OS patching (EC2)
Managed service security	Data encryption
Global infrastructure	Application security

Service-Specific Boundaries

Service Type	AWS Manages	Customer Manages
IaaS (EC2)	Hardware, hypervisor	OS, apps, data
PaaS (RDS)	OS, DB engine	Data, access
SaaS (S3)	All infrastructure	Data, permissions

Identity and Access Management

IAM Best Practices

1. Least Privilege Principle

   • Start with zero permissions
   • Add only what's needed
   • Use IAM Access Analyzer

2. Role-Based Access

   • Prefer roles over users for services
   • Use cross-account roles
   • Implement temporary credentials

3. MFA Everywhere

   • Root account: Hardware MFA
   • Admin users: Virtual MFA minimum
   • Programmatic: STS with MFA

Interview Question: IAM Design

Q: "Design an IAM strategy for a multi-account AWS organization."

A: Implement hub-and-spoke model:

Organization Root
├── Security Account (hub)
│   ├── IAM Identity Center
│   ├── CloudTrail aggregation
│   └── Security tooling
├── Production Account
│   └── Cross-account roles → Security
├── Development Account
│   └── Cross-account roles → Security
└── Sandbox Account
    └── Limited cross-account access

Key Decisions:

• Centralized identity in Security account
• Permission sets managed via IAM Identity Center
• Break-glass procedures for emergencies
• Service Control Policies (SCPs) at OU level

Network Security

Defense in Depth

Internet
    ↓
[WAF] - Layer 7 filtering
    ↓
[CloudFront] - DDoS protection
    ↓
[ALB in Public Subnet] - SSL termination
    ↓
[Security Group] - Stateful firewall
    ↓
[Private Subnet] - Application tier
    ↓
[NACL] - Stateless subnet firewall
    ↓
[Security Group] - Database access
    ↓
[Isolated Subnet] - Data tier

VPC Security Design

Component	Purpose	Best Practice
Security Groups	Instance firewall	Least privilege, reference by SG ID
NACLs	Subnet firewall	Explicit deny rules, logging
VPC Flow Logs	Network monitoring	Enable for all subnets
PrivateLink	Service connectivity	Avoid public internet
Transit Gateway	Multi-VPC routing	Centralized inspection

Interview Question: Zero Trust Architecture

Q: "How would you implement Zero Trust in AWS?"

A: Zero Trust principles in AWS:

1. Verify Explicitly

   • IAM authentication for all requests
   • VPC endpoints for service access
   • mTLS for service-to-service

2. Least Privilege Access

   • Fine-grained IAM policies
   • Security group microsegmentation
   • Time-limited credentials (STS)

3. Assume Breach

   • Network segmentation
   • Encryption everywhere (TLS, KMS)
   • Continuous monitoring (GuardDuty)

Encryption Strategy

Encryption at Rest

Service	Default	Recommended	Key Management
S3	None	SSE-KMS	Customer CMK
EBS	None	KMS encrypted	Customer CMK
RDS	Optional	Encryption enabled	Customer CMK
DynamoDB	None	KMS encryption	AWS or Customer CMK

Encryption in Transit

• External traffic: TLS 1.2+ mandatory
• Internal traffic: TLS between services
• Database: SSL connections enforced
• S3: Bucket policy requiring TLS

KMS Best Practices

1. Key Hierarchy

   • Separate keys per environment
   • Cross-account key sharing via policies
   • Automatic key rotation (1 year)

2. Key Policies

   • Explicit allow for key administrators
   • Separate usage from administration
   • Audit all key usage

Security Monitoring

Detection Services

Service	Detection Type	Use Case
GuardDuty	Threat detection	Malicious activity
Inspector	Vulnerability scanning	EC2, Lambda, ECR
Macie	Data discovery	PII in S3
Security Hub	Aggregation	Unified dashboard
Config	Compliance	Resource configuration

Incident Response

Preparation:

• Runbooks for common incidents
• IAM roles for incident responders
• Forensic account for evidence

Detection → Analysis → Containment → Eradication → Recovery

Key Insight: Security in the cloud is about automation. Manual security processes don't scale—use AWS Config rules, automated remediation, and infrastructure as code.

Next, we'll explore cost optimization strategies. :::