Design Secure Architectures
Put each control at the layer that owns it
Designing a secure architecture on AWS is mostly about placement: sending each requirement to the layer that actually controls it. Three layers cover this whole domain. Identity decides who can do what, Network decides where traffic may flow, and Data decides how information is protected. Most exam questions are really asking "which layer owns this problem?", and the classic trap dresses an identity problem up in network clothing, or the other way around. Name the layer first and the right service usually follows.
The domain unfolds in three steps: access, then workloads, then data
Read this page as a map, then follow the three subtopics in order. Secure Access goes deep on the Identity layer: IAM, federation, and the policy-evaluation model that decides every API call. Secure Workloads covers the Network layer: security groups and network ACLs inside the VPC, plus the edge defenses WAF and Shield. Data Controls covers protecting the data itself: encryption with AWS KMS and where keys live. Each subtopic carries the mechanisms, the worked examples, and the traps; this overview just shows how they fit together.
When in doubt, choose the more managed, shorter-lived option
Across all three layers AWS rewards the same instinct: pick the most secure option that still meets the requirement. In practice that means roles and temporary credentials over long-lived access keys, encryption on by default, and the narrowest network path that works. You rarely need to memorise an exception. The managed, least-privilege default is the exam-correct answer far more often than not, and each subtopic shows where the genuine exceptions live.
The three security layers (and where each is covered)
| Layer | Decides | Key controls | Drill into |
|---|---|---|---|
| Identity | Who can do what | IAM policies & roles, federation, SCPs | Secure Access to AWS Resources |
| Network | Where traffic can flow | Security groups, NACLs, VPC endpoints, WAF, Shield | Secure Workloads and Applications |
| Data | How data is protected | Encryption at rest (KMS) & in transit (TLS) | Data Security Controls |