AWS Solutions Architect Associate Certification

Designing for Reliability

Turning up Reliability on Security Services

Welcome back, Solutions Architects. This article, presented by Michael Forrester, is the final installment in our Reliability Pillar Series. In this guide, we examine how various AWS security services are inherently designed for high resiliency and review best practices for leveraging these resilient architectures.

AWS Identity and Access Management (IAM)

AWS Identity and Access Management (IAM) is built with default resiliency at its core—similar to services like CloudWatch. IAM's design ensures that it remains robust without requiring further tuning. Because an IAM failure would jeopardize AWS operations as a whole, AWS itself guarantees its resilience, and there is nothing for you to enhance.

The image is an infographic about AWS Identity and Access Management (IAM), highlighting its role in managing permissions, users, and resources within an AWS organization. It emphasizes IAM's resilience as a foundational service for AWS access.

Although you might receive inquiries regarding identity-based policies or role delegation, note that IAM's reliability is inherent to the service’s design.

The image presents a question about which AWS service would help meet a reliability requirement for managing user access, with four options: AWS IAM, AWS Organizations, AWS Control Tower, and AWS AppConfig.

The same reasoning applies to the IAM Identity Center (formerly AWS SSO). By integrating with trusted identity brokers, the Identity Center enables single sign-on without the need for additional reliability configurations.

The image is a diagram illustrating the IAM Identity Center (SSO) process, showing how an administrator creates application assignments in AWS IAM Identity Center, which then assigns users or groups to Amazon Redshift. It highlights the centralization of user management and access.

User Authentication with Amazon Cognito

Amazon Cognito offers a highly managed and fault-tolerant approach for user authentication in mobile and web applications. With resiliency built in, Cognito provides robust identity management without additional configuration.

The image is a flowchart illustrating the process of user authentication using Amazon Cognito User Pools, showing interactions between the user, Cognito, identity provider, app, and API/database. It highlights steps like sign-in requests, token provision, and data retrieval.

Similarly, AWS Directory Service, including Active Directory integrations, is deployed with multi-AZ resilience. For enhanced cross-region resiliency, snapshots and replication can be configured, though its default deployment within a single VPC is already highly robust.

Verified Permissions

Verified Permissions allows you to enforce application access policies as code, ensuring adherence to least privilege principles. Its functionality is built to operate reliably, eliminating the need for further enhancements.

The image is a diagram explaining Amazon Verified Permissions, detailing the process of creating schemas, managing policies, and authorizing access for applications. It highlights integration with services like Amazon API Gateway, AWS Lambda, and AWS AppSync.

Auditing Services

AWS CloudTrail

AWS CloudTrail automatically captures all API calls and activities, providing a resilient auditing solution without further adjustments. Integration with CloudWatch, EventBridge, and other monitoring tools further enhances its observability.

The image shows a screenshot of the AWS CloudWatch dashboard, highlighting various monitoring features, alongside a note about CloudTrail's adherence to AWS reliability policies.

AWS Config

AWS Config continuously monitors resource configurations, evaluating them against compliance baselines with inherent redundancy. Its built-in resiliency means that tracking non-compliance does not require additional manual adjustments.

The image shows an AWS Config dashboard displaying rule compliance statistics, highlighting noncompliant rules and accounts. It includes a bar chart and lists detailing noncompliant resources and accounts.

The image presents a scenario about deploying a multi-tier web application on AWS, asking which AWS Config capability would help meet the requirement. It lists four options, highlighting AWS Config's ability to monitor resource configurations and evaluate compliance.

AWS Artifact

AWS Artifact provides a secure repository for compliance and attestation documents, without any active reliability tuning. Its role is solely to host essential documents while inheriting AWS's overall infrastructure resiliency.

The image shows a screenshot of AWS Artifact, displaying a list of compliance and agreement documents, along with a description stating that Artifact shares these documents without reliability implications.

Threat Detection Services

Amazon GuardDuty

Amazon GuardDuty uses machine learning and anomaly detection to monitor network traffic and detect potential threats. Its inherent design provides seamless threat monitoring without requiring custom reliability configurations.

The image is a diagram explaining Amazon GuardDuty, showing data sources, security analytics, security findings, and integration with other AWS services. It highlights the use of machine learning and AI to detect network anomalies and suspicious activities.

The image presents a scenario where a company needs an AWS service to monitor threats for critical applications with sensitive data. It lists four AWS services, highlighting Amazon GuardDuty as the one that continuously monitors for malicious activity and provides threat alerts.

Amazon Inspector

Amazon Inspector performs automated vulnerability scanning across various AWS platforms, including Lambda, EC2, and container images in ECR. Its automated report generation and scanning are reliable by design.

The image shows a dashboard of Amazon Inspector, a tool for scanning AWS platforms for vulnerabilities, highlighting environment coverage and critical findings. It includes statistics on accounts, instances, repositories, and Lambda functions, along with a list of risk-based remediations.

Amazon Macie

Amazon Macie utilizes advanced machine learning to detect and classify sensitive information in S3 buckets. Designed for fault tolerance, Macie requires no additional reliability tuning.

The image presents a question about which AWS service can secure sensitive customer data in S3 buckets, with options including Amazon Macie, AWS CloudTrail, AWS Config, and AWS Trusted Advisor.

Reliability Hub

"Reliability Hub" (the presenter's nickname for AWS Security Hub) aggregates security findings from various AWS services into a single, unified interface. This consolidation relies on the inherent reliability of the underlying services and needs no tuning of its own.

The image shows a screenshot of a "Reliability Hub" interface displaying security findings with details like severity, company, product, and status. It includes a humorous caption about the hub's reliability.

Encryption Services

AWS KMS and CloudHSM

AWS KMS offers a software-based solution for encryption key management with minimal administrative overhead. In contrast, CloudHSM, a hardware-based solution, enhances reliability through clustering and multi-AZ deployments for high availability and fault tolerance.

The image illustrates AWS encryption using KMS and CloudHSM, showing a flow from a KMS key to an encrypted data key, decryption algorithm, and plaintext data key. It highlights the role of KMS and CloudHSM in providing encryption keys for data protection.

The image presents a scenario where a financial company needs to encrypt sensitive data and manage encryption keys, asking which AWS service would meet this requirement. It lists four AWS services: AWS KMS, AWS CloudHSM, AWS Secrets Manager, and AWS Certificate Manager, with brief descriptions of each.

The image illustrates the architecture of AWS CloudHSM, showing its integration with a customer VPC, including applications, ENIs, HSMs, and a backup/restore process with a bucket. It highlights CloudHSM's secure, single-tenancy, hardware-based cryptography, supporting backups and clustering.

Note

For organizations requiring dedicated hardware security modules with multi-AZ deployment and clustering for extra security assurance, CloudHSM is the optimal choice.

AWS Certificate Manager and AWS Private Certificate Authority

AWS Certificate Manager (ACM) and AWS Private Certificate Authority (PCA) offer managed services to simplify the deployment of certificates and private infrastructure. Both services come with built-in high availability, requiring no additional reliability tuning.

The image illustrates the use of AWS Certificate Manager to manage SSL/TLS certificates, showing its integration with a client, Amazon EC2, and an Application Load Balancer. It notes that the service has limited reliability levers.

The image is a diagram explaining AWS Private Certificate Authority, showing how it issues and manages private certificates for various AWS services and users. It highlights the integration with AWS CLI, SDK, and AWS Certificate Manager for secure communications.

AWS Secrets Manager

AWS Secrets Manager ensures secure storage of sensitive information such as database credentials. Within a single region it requires no additional reliability configuration; its one reliability lever is cross-region replication, which maintains standby copies of a secret in other regions so that a failover application can read its credentials locally.

The image presents a scenario about designing a failover for database access using AWS Secrets Manager, with four options for capabilities, highlighting cross-region replication as a solution.
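The cross-region replication lever described above, expressed as a CloudFormation fragment. This is an added example, not from the course; the secret name and the replica region are assumptions, and the `ReplicaRegions` property is the real `AWS::SecretsManager::Secret` property that creates the standby copies.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Database credentials with a cross-region replica so a failover stack in the
  replica region can read the same secret locally (example only).

Parameters:
  ReplicaRegion:
    Type: String
    Default: us-west-2          # assumed failover region; the primary copy lives in the stack's region

Resources:
  DatabaseCredentials:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: example/app/db-credentials   # hypothetical secret name
      Description: Primary copy in the stack region, replica in ReplicaRegion
      GenerateSecretString:
        SecretStringTemplate: '{"username": "appuser"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'
      ReplicaRegions:
        # Each entry creates a read-only replica kept in sync by Secrets Manager.
        # KmsKeyId is omitted, so the replica is encrypted with the default
        # aws/secretsmanager key of the replica region.
        - Region: !Ref ReplicaRegion

Outputs:
  PrimarySecretArn:
    Value: !Ref DatabaseCredentials
```

The replica keeps the same secret name, so an application in the failover region can call GetSecretValue against its own regional endpoint with no region-specific configuration.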

Network Security

Network Access Control Lists (NACLs) and Security Groups

Network ACLs and security groups function respectively as stateless and stateful firewalls inherently built with redundancy. In the unlikely event of an issue, a simple instance restart or contact with AWS support can restore functionality.

The image is a diagram illustrating the structure of a Virtual Private Cloud (VPC) with public and private subnets, web servers, database servers, and security groups within availability zones. It highlights the importance of security groups and NACLs in AWS operations.

For additional centralized management across multiple accounts and applications, AWS Firewall Manager can enforce consistent firewall policies.

AWS Security Lake

AWS Security Lake aggregates security data from various AWS services into a centralized repository to provide a holistic view of your security posture. It inherits AWS's built-in reliability, so the collection pipeline and any automated remediation built on top of it run without extra resiliency tuning.

The image presents a question about AWS capabilities for managing firewall rules across multiple VPCs and accounts, with four options explaining different AWS services.

The image is a diagram illustrating the components and workflow of Amazon Security Lake, highlighting integration with AWS services like Amazon VPC, S3, and CloudTrail, and the use of analytics tools like Amazon Athena and SageMaker. It emphasizes centralizing security data and taking action based on insights.

AWS Web Application Firewall (WAF)

AWS WAF is a globally distributed, highly managed service that protects web applications from common attacks including SQL injection and cross-site scripting. Its distributed architecture provides excellent reliability in managing web threats.

The image is a diagram illustrating the design for reliability using AWS Web Application Firewall (WAF) with components like an Application Load Balancer and Amazon Lightsail. It highlights AWS WAF as a highly managed and reliable service.

The image presents a question about which AWS service can protect an e-commerce site against web attacks, with four options: AWS WAF, AWS Shield, AWS Firewall Manager, and Amazon CloudFront. Each option includes a brief description of its capabilities.

AWS Shield

AWS Shield provides always-on DDoS protection. The standard tier delivers inherent reliability, while Shield Advanced (with additional cost and commitment) integrates with services like AWS WAF and Firewall Manager to offer proactive DDoS threat mitigation.

The image is a diagram illustrating the AWS Shield protection process, showing how users interact with AWS Edge Services, including AWS WAF, Amazon Route 53, and Amazon CloudFront, which are protected by AWS Shield Standard. It also indicates that the infrastructure can be within AWS Cloud or outside with third-party providers.

The image is an informational graphic about AWS Shield Advanced, highlighting its proactive integration for DDoS prevention and detailing its features like AWS WAF, Firewall Manager, and custom mitigations.

The image presents a scenario where an e-commerce company needs to protect its web applications from large-scale DDoS attacks, and it lists four AWS services with descriptions to determine which would meet the requirement.

AWS Network Firewall and Firewall Manager

AWS Network Firewall offers a virtual, multi-AZ firewall solution that ensures redundancy across availability zones. Combined with AWS Firewall Manager, organizations can centrally manage and enforce security policies across multiple accounts and VPCs.

The image is a diagram illustrating a network firewall setup with multiple protected VPCs, each containing a firewall endpoint and a workload. It highlights the redundancy of the network firewall as a virtual endpoint pointing to multiple "firewall" machines.

The image is a diagram explaining AWS Firewall Manager, highlighting its role in managing firewall rules across accounts with compliance tracking and integration with services like AWS WAF and AWS Shield. It describes Firewall Manager as reliable and redundant, similar to AWS Organizations but for firewalls.

The image presents a scenario where a company needs consistent firewall policies across multiple AWS accounts and VPCs, suggesting AWS Firewall Manager as the suitable service. It contrasts this with AWS WAF, security groups, and network ACLs, which require individual management.

Conclusion

In summary, most AWS security services are engineered with high reliability out of the box. While some services—such as CloudHSM and Secrets Manager—offer additional features like clustering and cross-region replication to further enhance resiliency, many services (including IAM, CloudTrail, and AWS Certificate Manager) remain dependable without additional intervention.

The integration of these services with AWS monitoring tools such as CloudWatch, CloudTrail, Security Hub, and Reliability Hub further supports centralized observability and alerting.

I'm Michael Forrester, and this concludes our final section on reliability services tailored for the AWS Solutions Architect Associate exam. Thank you for reading, and feel free to join the discussion on our forums or contact me at [email protected].

We will talk again soon.
