Design Secure Workloads and Applications: AWS SAA-C03 Study Guide

Designing secure architectures on AWS involves more than just perimeter defense; it requires a layered approach known as Defense in Depth. This guide covers the critical services and strategies for protecting cloud workloads from the network edge to the application logic.

Learning Objectives

By the end of this module, you should be able to:

  • Identify key AWS security services for workload protection (GuardDuty, Macie, WAF, Shield).
  • Differentiate between Security Groups and Network Access Control Lists (NACLs).
  • Design a multi-tier VPC architecture using public and private subnets for network segmentation.
  • Implement secure identity management and application-level protection against common web attacks.

Key Terms & Glossary

  • Defense in Depth: A security strategy where multiple layers of defense are placed throughout an IT system to protect data.
  • VPC (Virtual Private Cloud): A logically isolated section of the AWS Cloud where you can launch AWS resources.
  • Security Group (SG): A virtual firewall for your EC2 instance to control inbound and outbound traffic (Resource-level).
  • Network ACL (NACL): An optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets (Subnet-level).
  • Stateful: A firewall property where return traffic is automatically allowed regardless of rules (e.g., Security Groups).
  • Stateless: A firewall property where return traffic must be explicitly allowed by a rule (e.g., NACLs).

The "Big Idea"

Security on AWS is a Shared Responsibility. While AWS secures the "Cloud itself" (infrastructure), you are responsible for security "in" the cloud. The big idea is to create a resilient architecture that doesn't just block entry but monitors, detects, and automates responses to threats at every layer—from the network boundary to the individual data objects.

Formula / Concept Box

  Feature        | Security Group (SG)  | Network ACL (NACL)
  ---------------|----------------------|-----------------------------
  Level          | Instance/ENI         | Subnet
  Traffic State  | Stateful             | Stateless
  Rules Order    | All rules evaluated  | Evaluated in numerical order
  Support        | Allow rules only     | Allow and Deny rules

[!TIP] Exam Tip: Use Security Groups as your primary defense. Use NACLs for broad "Deny" rules (e.g., blocking a specific malicious IP range for the entire subnet).
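The table and exam tip above compress four behavioural differences into single words. The following is an added example, not part of the study guide and not AWS code: a toy model of both firewalls that makes each difference observable. Addresses, ports and rule numbers are constructed; the only real-world conventions it relies on are that a NACL's rules are evaluated lowest-number-first with an implicit final deny, and that a Security Group keeps connection state and accepts only allow rules.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Packet":
        # The response to a flow swaps source and destination endpoints.
        return Packet(self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Rule:
    cidr: str              # remote network the rule applies to
    port_from: int
    port_to: int
    action: str = "allow"  # "deny" is only legal on a NACL
    number: int = 0        # NACL rule number; Security Groups have no ordering

    def matches(self, remote_ip: str, port: int) -> bool:
        in_net = ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr)
        return in_net and self.port_from <= port <= self.port_to


class SecurityGroup:
    """Instance/ENI level, stateful, allow-only, every rule evaluated."""

    def __init__(self, inbound, outbound):
        if any(r.action != "allow" for r in inbound + outbound):
            raise ValueError("Security Groups support allow rules only")
        self.inbound, self.outbound = inbound, outbound
        self._flows = set()  # connection-tracking table; this is what makes the SG stateful

    def _check(self, rules, remote_ip, port, pkt):
        if pkt.reverse() in self._flows:  # return traffic of an already allowed flow
            return True
        if any(r.matches(remote_ip, port) for r in rules):  # any matching allow wins
            self._flows.add(pkt)
            return True
        return False

    def allow_inbound(self, pkt: Packet) -> bool:
        return self._check(self.inbound, pkt.src, pkt.dport, pkt)

    def allow_outbound(self, pkt: Packet) -> bool:
        return self._check(self.outbound, pkt.dst, pkt.dport, pkt)


class NetworkACL:
    """Subnet level, stateless, allow and deny, lowest rule number matched first."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _check(rules, remote_ip, port):
        for r in rules:  # first match decides; no state is kept between packets
            if r.matches(remote_ip, port):
                return r.action == "allow"
        return False  # the implicit final "*" rule denies everything else

    def allow_inbound(self, pkt: Packet) -> bool:
        return self._check(self.inbound, pkt.src, pkt.dport)

    def allow_outbound(self, pkt: Packet) -> bool:
        return self._check(self.outbound, pkt.dst, pkt.dport)


def demo() -> dict:
    """Scenarios from the concept box and exam tip; all addresses are constructed."""
    web, client = "10.0.1.10", "203.0.113.5"
    request = Packet(client, 51000, web, 443)
    response = request.reverse()
    https_in = Rule("0.0.0.0/0", 443, 443, number=100)
    ephemeral_out = Rule("0.0.0.0/0", 1024, 65535, number=100)
    block_bad_range = Rule("198.51.100.0/24", 0, 65535, "deny")

    sg = SecurityGroup(inbound=[https_in], outbound=[])
    nacl = NetworkACL(inbound=[https_in], outbound=[])
    nacl_fixed = NetworkACL(inbound=[https_in], outbound=[ephemeral_out])
    # Exam tip in practice: a subnet-wide deny only works if its number is lower than the allow.
    deny_first = NetworkACL(inbound=[https_in, replace(block_bad_range, number=50)], outbound=[])
    deny_last = NetworkACL(inbound=[https_in, replace(block_bad_range, number=200)], outbound=[])
    bad_request = Packet("198.51.100.7", 40000, web, 443)
    return {
        "sg_request": sg.allow_inbound(request),
        "sg_response": sg.allow_outbound(response),     # stateful: no outbound rule needed
        "nacl_request": nacl.allow_inbound(request),
        "nacl_response": nacl.allow_outbound(response),  # stateless: dropped without ephemeral rule
        "nacl_response_fixed": nacl_fixed.allow_outbound(response),
        "nacl_deny_first": deny_first.allow_inbound(bad_request),
        "nacl_deny_last": deny_last.allow_inbound(bad_request),  # allow at 100 matches first
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {'ALLOW' if verdict else 'DENY'}")
```

Two results are the ones exam questions tend to probe: the Security Group passes the HTTPS response with no outbound rule at all, while the NACL drops it until an outbound allow for the ephemeral port range exists; and a NACL deny rule numbered higher than a broader allow never fires, because evaluation stops at the first match.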

Hierarchical Outline

  1. Network Infrastructure Security
    • VPC Design: Segmentation using Public (Internet-facing) and Private (Backend) subnets.
    • Connectivity: Protecting external connections via VPN or AWS Direct Connect.
  2. Application Layer Protection
    • AWS WAF: Filtering Layer 7 (HTTP/HTTPS) traffic to block SQL Injection and Cross-Site Scripting (XSS).
    • AWS Shield: DDoS protection; Standard is free/automatic, Advanced provides 24/7 Response Team support.
  3. Identity & Access Management
    • Amazon Cognito: User pools for authentication and Identity pools for authorizing access to AWS resources.
    • Secrets Manager: Securely store, rotate, and manage API keys and database credentials.
  4. Threat Detection & Monitoring
    • Amazon GuardDuty: Intelligent threat detection using machine learning to monitor VPC Flow Logs and CloudTrail.
    • Amazon Macie: Uses ML to discover, classify, and protect sensitive data (PII) in S3.

Visual Anchors

  • The Layers of Defense in Depth (diagram)
  • Multi-Tier VPC Segmentation (diagram)

Definition-Example Pairs

  • Amazon GuardDuty
    • Definition: A managed threat detection service that continuously monitors for malicious activity and unauthorized behavior.
    • Example: If an EC2 instance starts communicating with a known Bitcoin-mining command-and-control server, GuardDuty triggers an alert.
  • Amazon Macie
    • Definition: A data security service that uses machine learning and pattern matching to discover and protect sensitive data in AWS.
    • Example: Macie scans an S3 bucket and identifies files containing unencrypted Credit Card Numbers or Social Security Numbers.
  • AWS Secrets Manager
    • Definition: A service that helps you protect secrets needed to access your applications, services, and IT resources.
    • Example: Instead of hardcoding a DB password in your app code, the app calls Secrets Manager to retrieve the current password, which is rotated every 30 days automatically.

Worked Examples

Example 1: Protecting against a DDoS Attack

Scenario: A company's website is being overwhelmed by a massive flood of UDP traffic, causing a service outage.

Solution:

  1. Ensure AWS Shield Standard is active (it is by default).
  2. If the attack is sophisticated, upgrade to AWS Shield Advanced for Layer 3/4 protection.
  3. Deploy AWS WAF on the Application Load Balancer (ALB) to filter out malicious requests at Layer 7.
  4. Use Amazon CloudFront to distribute traffic globally, absorbing the attack at the edge locations.

Example 2: Implementing Least Privilege for Applications

Scenario: An application running on EC2 needs to upload logs to an S3 bucket.

Step-by-Step Breakdown:

  1. Create an IAM Role: Define a role with an inline policy allowing s3:PutObject only on the specific log bucket.
  2. Attach Instance Profile: Assign this IAM role to the EC2 instance.
  3. Remove Long-term Credentials: Ensure no access keys (AKIA...) are stored in the application's configuration files.
  4. Result: The application uses temporary security tokens provided by the metadata service, minimizing the risk of credential theft.
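The four steps above describe what to configure but not what the scoped policy looks like, nor how to verify that it really allows only the one action on the one bucket, nor how to find the leftover keys step 3 tells you to remove. The following is an added example written for this guide, not AWS code: it builds the step 1 policy, checks it with a deliberately simplified model of IAM's explicit-deny / explicit-allow / implicit-deny evaluation, and scans a constructed config file for long-term access keys. The bucket name and config contents are made up; the credential values are the example ones from AWS documentation, not live keys.

```python
import json
import re


def log_upload_policy(bucket: str) -> dict:
    """Step 1: inline policy allowing s3:PutObject on the log bucket's objects and nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowLogUploadOnly",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def _wildcard_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    # IAM patterns use '*' for any run of characters and '?' for a single character.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM decision: explicit Deny wins, then explicit Allow, else implicit deny.
    Action names match case-insensitively and resource ARNs case-sensitively, as in IAM."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(_wildcard_match(a, action, ignore_case=True) for a in actions):
            continue
        if not any(_wildcard_match(r, resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Step 3: long-term key ids start with "AKIA"; temporary STS keys ("ASIA...") are the
# ones the instance role hands out and are therefore not flagged.
LONG_TERM_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
SECRET_KEY_VALUE = re.compile(r"aws_secret_access_key\s*[=:]\s*[A-Za-z0-9/+=]{40}", re.IGNORECASE)


def find_long_term_keys(config_text: str) -> list:
    """Return (line number, description) for every long-term credential left in a config file."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), start=1):
        if LONG_TERM_KEY_ID.search(line):
            findings.append((n, "long-term access key id"))
        if SECRET_KEY_VALUE.search(line):
            findings.append((n, "secret access key value"))
    return findings


# Constructed config file; the credentials are AWS's documentation examples, not real keys.
SAMPLE_CONFIG = """\
[app]
log_bucket = example-app-logs
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

if __name__ == "__main__":
    policy = log_upload_policy("example-app-logs")
    print(json.dumps(policy, indent=2))
    for action, arn in [("s3:PutObject", "arn:aws:s3:::example-app-logs/2024/app.log"),
                        ("s3:GetObject", "arn:aws:s3:::example-app-logs/2024/app.log"),
                        ("s3:PutObject", "arn:aws:s3:::other-bucket/app.log")]:
        print(f"{action:14} {arn:48} {'ALLOW' if is_allowed(policy, action, arn) else 'DENY'}")
    for line_no, what in find_long_term_keys(SAMPLE_CONFIG):
        print(f"line {line_no}: {what} found; remove it and rely on the instance role")
```

Note the resource ARN ends in `/*`: that is the object-level pattern `s3:PutObject` needs, and it also means the policy says nothing about the bucket ARN itself, so bucket-level actions such as listing stay implicitly denied. The evaluator here ignores conditions, principals and the policy-type precedence of real IAM; it is only meant to show why the `Resource` field must be narrowed rather than left as `*`.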

Checkpoint Questions

  1. Which service is best suited for identifying PII (Personally Identifiable Information) stored in S3 buckets?
  2. True or False: Security Groups are stateless, meaning you must write a rule for both inbound and outbound traffic.
  3. A Solutions Architect needs to block a specific list of malicious IP addresses from reaching an entire subnet. Which tool should they use?
  4. What is the primary difference between AWS WAF and AWS Shield?

Answers

  1. Amazon Macie.
  2. False. Security Groups are stateful; return traffic is automatically allowed.
  3. Network ACL (NACL), because it supports explicit "Deny" rules.
  4. AWS WAF protects at Layer 7 (Application/HTTP), while AWS Shield protects against Layer 3/4 (Network/Transport) DDoS attacks.
