Skip to main content
VVMExam

Design Secure Architectures on AWS

Designing secure AWS architectures requires applying the principle of least privilege, encrypting data in transit and at rest, and isolating resources using VPC controls. These concepts are heavily tested in the SAA-C03 exam's 'Design Secure Architectures' domain, which accounts for approximately 30% of scored questions.

2 min read

Identity and Access Management (IAM)

  • Apply least privilege: grant only the permissions required to perform a task.
  • Use IAM roles for EC2 instances, Lambda functions, and cross-account access instead of embedding long-term credentials.
  • Use IAM policies (identity-based and resource-based) to control access; understand the difference between allow and explicit deny.
  • Enable MFA for the root account and privileged IAM users.

Data Protection

  • Encryption at rest: Use AWS KMS-managed keys (SSE-KMS), S3-managed keys (SSE-S3), or customer-provided keys (SSE-C) for S3. EBS volumes and RDS instances support KMS encryption.
  • Encryption in transit: Enforce TLS/HTTPS using ACM certificates with CloudFront, ALB, or API Gateway. Use SSL/TLS for RDS connections.
  • Secrets Manager stores and rotates database credentials and API keys; prefer it over hardcoding secrets or using SSM Parameter Store for credentials requiring automatic rotation.

Network Security

  • Security Groups are stateful firewalls applied at the instance/ENI level; deny all inbound by default.
  • Network ACLs (NACLs) are stateless and applied at the subnet level; rules are evaluated in order by rule number.
  • Place sensitive resources (databases, application servers) in private subnets; expose only necessary services through public subnets or load balancers.
  • Use VPC endpoints (Gateway for S3/DynamoDB; Interface for most other services) to keep traffic off the public internet.
  • AWS WAF filters web exploits (SQL injection, XSS) at the application layer; attach to CloudFront, ALB, or API Gateway.
  • AWS Shield Standard is included automatically; Shield Advanced adds enhanced DDoS protection for additional cost.

Monitoring and Threat Detection

  • AWS CloudTrail logs all API calls; enable in all regions and store logs in a secured S3 bucket.
  • Amazon GuardDuty uses machine learning to detect threats from CloudTrail, VPC Flow Logs, and DNS logs.
  • AWS Config tracks resource configuration changes and evaluates compliance against rules.
  • Amazon Inspector performs automated vulnerability assessments on EC2 instances and container images.

Key Exam Tips

  • Prefer IAM roles over access keys whenever a service needs to call another AWS service.
  • An explicit Deny always overrides Allow in IAM policy evaluation.
  • S3 Block Public Access settings can override bucket and object ACLs — use this to prevent accidental public exposure.
  • Security Groups cannot explicitly deny; use NACLs to block specific IP ranges.

Ready to practice this topic?