Skip to main content
Welcome back, Future Solutions Architects. I’m Michael Forrester, and in this lesson we dive deep into designing for security—also known as the “Citadel of Security.” In this session, we will cover AWS-recommended design principles, explore the four foundations of cybersecurity, and review the AWS Shared Responsibility Model. This practical guide is aligned with the AWS Solutions Architect Associate Certification. After the cost optimization module, your first design challenge will focus on security. The course format includes diagrams, analytical questions, and in-depth answers, so be sure to take thorough notes to reinforce your learning. Below is the agenda diagram for the security design section:
The image is an agenda for a presentation titled "Designing For Security," outlining topics such as design principles, cybersecurity foundations, shared responsibility, and specific security services.

Section 1: Design Principles

In this section, we introduce the key design principles that form the backbone of the Citadel of Security. The topics include:
  • Maintaining Traceability
  • Applying Security at All Layers
  • Automating Best Practices
These foundational concepts set the stage for the more detailed discussions that follow.
The image illustrates design principles for security, featuring a central laptop icon with a shield, surrounded by three principles: "Maintain Traceability," "Apply Security at All Layers," and "Automate Best Practices."

Section 2: Categories for Security in Design

This section defines the four fundamental categories that govern all security actions in AWS:
  1. Identity and Access Management (IAM): Controlling and managing access.
  2. Detection: Identifying issues as soon as they occur.
  3. Protection: Defending against potential threats.
  4. Response: Taking corrective action to resolve issues.
Understanding these categories helps pinpoint the focus areas for enhancing security within AWS.
The image outlines four major categories for security in design: Identity and Access Management, Detection, Protection, and Response.

Section 3: The Shared Responsibility Model

Next, we explore the AWS Shared Responsibility Model, which clearly delineates security responsibilities between the customer and AWS. Key points include:
  • Customer Responsibilities (Security “in” the Cloud): Tasks that customers must handle, such as data protection and access management.
  • AWS Responsibilities (Security “of” the Cloud): AWS covers the security of the underlying infrastructure.
We will also review new services and their specific responsibilities within this model.
The image illustrates the Shared Responsibility Model for Security, dividing responsibilities between the customer and AWS. It outlines customer responsibilities for security "in" the cloud and AWS responsibilities for security "of" the cloud.

Sections 4 to 12: Enhancing Security Across Services

In these sections, we delve into security specifics for various AWS service categories including network, compute, storage, management, data, and machine learning. Topics include:
  • Adjusting security on management and compute services.
  • Enhancing network and storage security.
  • Exploring available configuration options (“knobs”) for each AWS service.
A detailed diagram below illustrates these layers and highlights opportunities for fine-tuning security settings.
The image is a diagram illustrating layers of services related to security, including transfer, security, database, and storage, connected to functions like data/machine learning, management, application integration, compute, and network.

Section 13: Designing for Security Challenge

The final section features an interactive design challenge. You will be presented with a diagram similar to the one below, where one or more elements are intentionally missing. Your task is to select the correct AWS services and features (such as Route 53, WAF, DynamoDB, Amazon EC2, or Lambda) and drag them to their appropriate positions in the diagram.
The image is a flowchart titled "Designing for Security – Design Challenge," illustrating a security design process using AWS services like Route 53, CloudFront, and others, with various decision points and components.

Lesson Summary

To recap, this lesson on designing for security includes:
  • A refresher on AWS Security Fundamentals based on the Well-Architected Framework.
  • An introduction to key security design principles and the four essential security categories.
  • A detailed examination of the AWS Shared Responsibility Model.
  • Insights into security configurations across various AWS service categories.
  • An engaging design challenge that reinforces the concepts discussed.
The image is a summary slide outlining four sections related to AWS security, including design aspects, security fundamentals, exam questions, and a security challenge.
This comprehensive approach is tailored to strengthen your architectural analysis skills and prepare you for the AWS Solutions Architect Associate Certification while honing practical security design abilities.
Thank you for joining this session. Be sure to take detailed notes as you progress through the lesson. I’m Michael Forrester, and I look forward to seeing you in the next lesson.

Watch Video