AWS Solutions Architect Associate: Domain 3 - Specify Secure and Compliant Architectures

Complete guide to Domain 3: designing secure and compliant AWS architectures using IAM, encryption, network security, and compliance frameworks.

Introduction

Domain 3 covers security and compliance aspects of AWS architecture design. This includes identity and access management, encryption, network security, and regulatory compliance. This domain accounts for approximately 26% of the exam.

IAM Best Practices

Principle of Least Privilege

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListBuckets",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::my-bucket",
      "Condition": {
        "StringEquals": { "s3:prefix": "user-uploads/" }
      }
    },
    {
      "Sid": "GetPutDeleteObjects",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::my-bucket/user-uploads/*"
    }
  ]
}
```
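To see what the policy above actually grants, here is a small IAM policy evaluator written for this guide (an added example, not code from the page or from AWS). It models only the subset of IAM semantics needed to reason about this policy: an explicit Deny wins, any matching Allow grants, and anything else is an implicit deny; Action matches case-insensitively with `*` wildcards, Resource matches case-sensitively, and only the `StringEquals` condition operator is implemented. The policy is embedded so it runs offline, and `overly_broad_statements` is a simple lint for the `"*"` actions and resources that least privilege is meant to avoid.

```python
"""Minimal IAM policy evaluator (added example; models a subset of IAM)."""
import fnmatch
import json

# The policy from the page, embedded so the example runs offline.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListBuckets",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::my-bucket",
      "Condition": {"StringEquals": {"s3:prefix": "user-uploads/"}}
    },
    {
      "Sid": "GetPutDeleteObjects",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::my-bucket/user-uploads/*"
    }
  ]
}
""")


def _as_list(value):
    """IAM accepts a single string or a list in Action and Resource."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """Action names are case-insensitive; '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    """Resource ARNs are case-sensitive; '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(resource, pattern)


def _condition_ok(condition, context):
    """Evaluate a Condition block; only StringEquals is modelled here.

    A request that does not carry the condition key at all does not satisfy
    StringEquals, which is why the ListBuckets statement never grants an
    unscoped listing of the bucket.
    """
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if key not in context or context[key] not in _as_list(expected):
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(_resource_matches(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_ok(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny overrides every allow
        decision = "Allow"
    return decision


def overly_broad_statements(policy):
    """Sids of Allow statements that use a bare '*' action or resource."""
    broad = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if "*" in _as_list(stmt["Action"]) or "*" in _as_list(stmt["Resource"]):
            broad.append(stmt.get("Sid", "<no Sid>"))
    return broad


if __name__ == "__main__":
    bucket = "arn:aws:s3:::my-bucket"
    print(evaluate(POLICY, "s3:ListBucket", bucket, {"s3:prefix": "user-uploads/"}))
    print(evaluate(POLICY, "s3:ListBucket", bucket, {"s3:prefix": "finance/"}))
    print(evaluate(POLICY, "s3:GetObject", bucket + "/user-uploads/report.pdf"))
    print(evaluate(POLICY, "s3:GetObject", bucket + "/private/keys.pem"))
    print(overly_broad_statements(POLICY))
```

The useful observation is the third and fourth calls: `s3:GetObject` on an object outside `user-uploads/` gets no Allow, and a `ListBucket` call without the `s3:prefix` key, or with a different prefix, is also an implicit deny. Real IAM evaluation also consults resource policies, permission boundaries and SCPs, which this model leaves out.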

IAM Roles vs Users

Use IAM Roles for:

  • EC2 instances accessing other AWS services
  • Lambda functions needing permissions
  • Cross-account access
  • Temporary credentials

Use IAM Users for:

  • Individual people with permanent credentials
  • Root account (only for billing/account management)

```bash
# Create role for EC2 instances
aws iam create-role \
  --role-name EC2-Application-Role \
  --assume-role-policy-document '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Principal": {"Service": "ec2.amazonaws.com"},
      "Action": "sts:AssumeRole"
    }]
  }'

# Attach policies
aws iam attach-role-policy \
  --role-name EC2-Application-Role \
  --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
```

Multi-Factor Authentication (MFA)

```bash
# Enable MFA on root account
# Note: enable-mfa-device binds a virtual MFA device to an IAM user. AWS only
# lets you enable MFA for the root user itself through the console, so this
# CLI form applies to named IAM users.
aws iam enable-mfa-device \
  --user-name root \
  --serial-number arn:aws:iam::123456789:mfa/root-mfa \
  --authentication-code1 123456 \
  --authentication-code2 654321
```

Encryption Strategy

Encryption at Rest

S3 Encryption

```yaml
S3Bucket:
  ServerSideEncryptionConfiguration:
    - ServerSideEncryptionByDefault:
        SSEAlgorithm: aws:kms
        KMSMasterKeyID: arn:aws:kms:us-east-1:123456:key/12345
```

EBS Encryption

```yaml
Volume:
  Encrypted: true
  KmsKeyId: arn:aws:kms:us-east-1:123456:key/12345
  Size: 100
  VolumeType: gp3
```

RDS Encryption

```bash
# Enable encryption for new RDS instance
# (the API also requires an engine, instance class, storage size and master
#  credentials; the values below are examples)
aws rds create-db-instance \
  --db-instance-identifier prod-db \
  --engine postgres \
  --db-instance-class db.t3.medium \
  --allocated-storage 100 \
  --master-username dbadmin \
  --manage-master-user-password \
  --storage-encrypted \
  --kms-key-id arn:aws:kms:us-east-1:123456:key/12345
```

Encryption in Transit

```yaml
ALB:
  Listeners:
    - Port: 80
      Protocol: HTTP
      DefaultAction:
        Type: redirect
        RedirectConfig:
          Protocol: HTTPS
          Port: 443
          StatusCode: HTTP_301
    - Port: 443
      Protocol: HTTPS
      Certificates:
        - CertificateArn: arn:aws:acm:us-east-1:123456:certificate/12345
      DefaultAction:
        Type: forward
        TargetGroupArn: arn:aws:elasticloadbalancing:...
```

AWS KMS and AWS Secrets Manager

Key Management

```python
import boto3

kms = boto3.client('kms')

# Create customer master key (CMK)
response = kms.create_key(
    Description='Database encryption key',
    KeyUsage='ENCRYPT_DECRYPT',
    Origin='AWS_KMS'
)
key_id = response['KeyMetadata']['KeyId']

# Encrypt data
encrypted = kms.encrypt(
    KeyId=key_id,
    Plaintext=b'sensitive-data'
)

# Decrypt data (for symmetric keys the ciphertext carries the key id, so
# KeyId may be omitted); the result is in decrypted['Plaintext']
decrypted = kms.decrypt(
    CiphertextBlob=encrypted['CiphertextBlob']
)
```

Secrets Manager

```python
import boto3
import json

secrets = boto3.client('secretsmanager')

# Store database credentials
# (the password literal is a placeholder; in practice generate it with
#  secrets.get_random_password() or let a rotation function set it)
secrets.create_secret(
    Name='prod/database/credentials',
    Description='Production database credentials',
    SecretString=json.dumps({
        'username': 'admin',
        'password': 'secure-password',
        'host': 'prod-db.amazonaws.com',
        'port': 5432
    }),
    Tags=[
        {'Key': 'Environment', 'Value': 'production'},
        {'Key': 'Application', 'Value': 'api'}
    ]
)

# Retrieve secret
secret = secrets.get_secret_value(
    SecretId='prod/database/credentials'
)
credentials = json.loads(secret['SecretString'])
```

Network Security

VPC Architecture

```text
┌────────────────────────────────────────────────────┐
│ VPC (10.0.0.0/16)                                  │
│                                                    │
│ ┌───────────────────────────────────────────────┐  │
│ │ Public Subnets (10.0.1.0/24, 10.0.2.0/24)     │  │
│ │ ├── Internet Gateway                          │  │
│ │ ├── NAT Gateway                               │  │
│ │ └── Route: 0.0.0.0/0 → IGW                    │  │
│ └───────────────────────────────────────────────┘  │
│                                                    │
│ ┌───────────────────────────────────────────────┐  │
│ │ Private Subnets (10.0.10.0/24, 10.0.11.0/24)  │  │
│ │ ├── Application Tier                          │  │
│ │ └── Route: 0.0.0.0/0 → NAT Gateway            │  │
│ └───────────────────────────────────────────────┘  │
│                                                    │
│ ┌───────────────────────────────────────────────┐  │
│ │ Database Subnets (10.0.20.0/24, 10.0.21.0/24) │  │
│ │ ├── RDS Multi-AZ                              │  │
│ │ └── No route to internet                      │  │
│ └───────────────────────────────────────────────┘  │
└────────────────────────────────────────────────────┘
```

Security Groups

```bash
# Web server security group
aws ec2 create-security-group \
  --group-name web-sg \
  --description "Web server security group"

# Allow HTTP/HTTPS from internet
# (sg-web and sg-app stand for the GroupId values returned by create-security-group)
aws ec2 authorize-security-group-ingress \
  --group-id sg-web \
  --protocol tcp \
  --port 80 \
  --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress \
  --group-id sg-web \
  --protocol tcp \
  --port 443 \
  --cidr 0.0.0.0/0

# App server security group
aws ec2 create-security-group \
  --group-name app-sg \
  --description "Application server security group"

# Allow traffic from web servers only
aws ec2 authorize-security-group-ingress \
  --group-id sg-app \
  --protocol tcp \
  --port 8080 \
  --source-security-group-id sg-web
```

Network Access Control Lists (NACLs)

```yaml
# Inbound rules. NACLs are stateless, so replies to connections the instances
# open themselves arrive on ephemeral ports (1024-65535) and need their own
# allow rule; rules are evaluated in RuleNumber order and the first match wins.
NetworkAcl:
  Rules:
    - RuleNumber: 100
      Protocol: 6        # TCP
      RuleAction: allow
      CidrBlock: 0.0.0.0/0
      PortRange:
        From: 80
        To: 80
    - RuleNumber: 110
      Protocol: 6        # TCP
      RuleAction: allow
      CidrBlock: 0.0.0.0/0
      PortRange:
        From: 443
        To: 443
    - RuleNumber: 32767
      Protocol: -1       # All
      RuleAction: deny
      CidrBlock: 0.0.0.0/0
```
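The stateful/stateless distinction between the two filters above is the one the exam keeps coming back to, so here is a plain-Python model of it written for this guide (an added example, not code from the page or from an AWS library). The inbound NACL rules are the ones from this section; the security-group class, the addresses and the packets are constructed for the demonstration. The instance at `10.0.10.5` opens a connection to an external API on port 443, and the model asks how each filter treats the reply: the NACL evaluates the reply on its own, sees destination port 49152, matches no allow rule and drops it unless an ephemeral-port rule is added, while the security group remembers the outbound flow and admits the reply.

```python
"""Stateless NACL versus stateful security group (added example, plain Python)."""
import ipaddress
from dataclasses import dataclass

# Inbound NACL from the page (RuleNumber order matters; 32767 is the default deny).
INBOUND_NACL = [
    {"RuleNumber": 100, "Protocol": 6, "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": (80, 80)},
    {"RuleNumber": 110, "Protocol": 6, "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": (443, 443)},
    {"RuleNumber": 32767, "Protocol": -1, "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"},
]

# The rule a practitioner adds so replies to outbound connections get in.
EPHEMERAL_RULE = {"RuleNumber": 120, "Protocol": 6, "RuleAction": "allow",
                  "CidrBlock": "0.0.0.0/0", "PortRange": (1024, 65535)}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: int = 6  # TCP


def nacl_decision(rules, pkt):
    """One packet, no memory: lowest RuleNumber first, first match wins, no match is deny."""
    for rule in sorted(rules, key=lambda r: r["RuleNumber"]):
        if rule["Protocol"] not in (-1, pkt.protocol):
            continue
        if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(rule["CidrBlock"]):
            continue
        low, high = rule.get("PortRange", (0, 65535))
        if not low <= pkt.dst_port <= high:
            continue
        return rule["RuleAction"]
    return "deny"


class SecurityGroup:
    """Stateful filter: a flow admitted in one direction admits its replies."""

    def __init__(self, inbound_ports, outbound_ports=range(65536)):
        self.inbound_ports = set(inbound_ports)
        self.outbound_ports = set(outbound_ports)   # default SG: all outbound
        self._tracked = set()  # (local_ip, local_port, remote_ip, remote_port)

    def outbound(self, pkt):
        if pkt.dst_port not in self.outbound_ports:
            return "deny"
        self._tracked.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return "allow"

    def inbound(self, pkt):
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self._tracked:
            return "allow"  # reply to a connection this host opened
        return "allow" if pkt.dst_port in self.inbound_ports else "deny"


def return_traffic_decisions():
    """Instance 10.0.10.5 calls an external API on 443; how is the reply treated?"""
    sg = SecurityGroup(inbound_ports={80, 443})
    request = Packet("10.0.10.5", 49152, "203.0.113.7", 443)  # constructed addresses
    reply = Packet("203.0.113.7", 443, "10.0.10.5", 49152)
    sg.outbound(request)
    return {
        "security_group": sg.inbound(reply),
        "nacl_as_written": nacl_decision(INBOUND_NACL, reply),
        "nacl_with_ephemeral_rule": nacl_decision(INBOUND_NACL + [EPHEMERAL_RULE], reply),
    }


if __name__ == "__main__":
    client_hit = Packet("198.51.100.9", 40000, "10.0.1.10", 443)
    print("client -> 443:", nacl_decision(INBOUND_NACL, client_hit))
    print(return_traffic_decisions())
```

The same asymmetry applies in the other direction: an inbound HTTPS request that the NACL admits still needs an outbound NACL rule for the ephemeral port range so the server's response can leave the subnet, whereas the security group handles it through connection tracking.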

Compliance Frameworks

HIPAA Compliance

```yaml
HIPAA_Requirements:
  Encryption:
    - AtRest: AES-256 with customer-managed keys
    - InTransit: TLS 1.2+
  AccessControl:
    - MFA: Enabled for all users
    - PasswordPolicy: Min 14 characters, complexity required
  Auditing:
    - CloudTrail: All API calls logged
    - CloudWatch: Real-time monitoring
  DynamoDB:
    PointInTimeRecovery: enabled
    SSESpecification:
      SSEEnabled: true
      SSEType: KMS
```

PCI-DSS Compliance

```yaml
PCI_DSS_Requirements:
  Firewalls:
    - NACLs: Restrict to necessary ports
    - SecurityGroups: Least privilege
  Encryption:
    - CardData: Never stored unencrypted
    - Transmission: TLS 1.2+ required
  AccessControl:
    - UniqueID: Every user has unique credential
    - RestrictAccess: By job function
  Monitoring:
    - CloudTrail: 1 year retention
    - VPC Flow Logs: All traffic
```

SOC 2 Type II Compliance

```python
# Logging and monitoring setup
import boto3

logs = boto3.client('logs')
cloudtrail = boto3.client('cloudtrail')

# Enable CloudTrail multi-region logging
# (the S3 bucket must already exist with a bucket policy that lets CloudTrail write to it)
cloudtrail.create_trail(
    Name='soc2-trail',
    S3BucketName='soc2-trail-logs',
    IncludeGlobalServiceEvents=True,
    IsMultiRegionTrail=True,
    EnableLogFileValidation=True
)
# create_trail only defines the trail; no events are recorded until logging is started
cloudtrail.start_logging(Name='soc2-trail')

# Create log group for application logs
logs.create_log_group(logGroupName='/app/soc2')

# Set retention policy
logs.put_retention_policy(
    logGroupName='/app/soc2',
    retentionInDays=365  # 1 year retention
)
```
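The trail above only produces the evidence; a SOC 2 monitoring control also needs something that reads it. The following checks were written for this guide (an added example, not code from the page) and run over constructed CloudTrail records that follow the record layout (`eventTime`, `eventSource`, `eventName`, `userIdentity`, `additionalEventData`) with made-up values. They flag the events that matter most for the controls in this domain: any root-user activity, console logins without MFA, changes that stop or weaken the trail itself, and KMS keys being disabled or scheduled for deletion. To run it on real data, load each log file's `Records` array the same way.

```python
"""CloudTrail detection checks over constructed sample records (added example)."""
import json

# Constructed sample log; field names follow the CloudTrail record format, values are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-03-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-03-01T08:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-03-01T08:10:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-03-01T08:20:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "soc2-trail"}},
    {"eventTime": "2024-03-01T08:30:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion", "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]})

# API calls that weaken the audit trail or the encryption controls this domain relies on.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
KMS_KEY_WEAKENING = {"DisableKey", "ScheduleKeyDeletion"}


def load_records(text):
    """Parse one CloudTrail log file body (a JSON object with a Records list)."""
    return json.loads(text)["Records"]


def who(record):
    """Best available actor name: IAM user name, else the identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def detect(records):
    """Return (rule, eventTime, actor, eventName) findings, in record order."""
    findings = []
    for r in records:
        name = r.get("eventName", "")
        source = r.get("eventSource", "")
        ident = r.get("userIdentity", {})
        if ident.get("type") == "Root":
            findings.append(("root-activity", r["eventTime"], who(r), name))
        if name == "ConsoleLogin" and r.get("additionalEventData", {}).get("MFAUsed") == "No":
            findings.append(("console-login-without-mfa", r["eventTime"], who(r), name))
        if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            findings.append(("trail-tampering", r["eventTime"], who(r), name))
        if source == "kms.amazonaws.com" and name in KMS_KEY_WEAKENING:
            findings.append(("kms-key-weakening", r["eventTime"], who(r), name))
    return findings


def summarize(findings):
    """Count findings per rule, the shape an alert threshold or dashboard wants."""
    counts = {}
    for rule, *_ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    found = detect(load_records(SAMPLE_LOG))
    for finding in found:
        print(*finding)
    print(summarize(found))
```

The root login is flagged even though MFA was used, because the page's guidance is that the root account is reserved for billing and account management, so any root activity is worth a review. In production these rules would typically run as CloudWatch metric filters or EventBridge rules on the trail rather than as a batch script, but the matching logic is the same.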

Data Protection and Privacy

Data Classification

```yaml
DataClassification:
  Public:
    Encryption: Optional
    Access: Unrestricted
  Internal:
    Encryption: Recommended
    Access: Employees only
  Confidential:
    Encryption: Required
    Access: Need-to-know basis
  Restricted:
    Encryption: Required (CMK)
    Access: Approval required
    Audit: Full tracking
```

VPC Endpoints for Private Access

```bash
# S3 Gateway Endpoint
aws ec2 create-vpc-endpoint \
  --vpc-id vpc-12345 \
  --service-name com.amazonaws.us-east-1.s3 \
  --route-table-ids rtb-12345

# RDS Proxy Endpoint (security group required)
# create-db-proxy also needs the proxy's IAM role, its subnets and an --auth
# entry (there is no --auth-schemes flag); <...> values are placeholders
aws rds create-db-proxy \
  --db-proxy-name secure-db-proxy \
  --engine-family MYSQL \
  --auth AuthScheme=SECRETS,SecretArn=<secret-arn>,IAMAuth=REQUIRED \
  --role-arn <proxy-role-arn> \
  --vpc-subnet-ids <subnet-id-1> <subnet-id-2> \
  --vpc-security-group-ids <sg-id>
```

Common Exam Questions

Q: How should you store database passwords in an EC2 application? A: Use AWS Secrets Manager or Systems Manager Parameter Store, never hardcode

Q: What’s the difference between security groups and NACLs? A: Security groups are stateful (instance-level), NACLs are stateless (subnet-level)

Q: How do you ensure RDS encryption is enabled? A: Set StorageEncrypted: true and provide KMS key ARN during creation

Key Takeaways

  1. Implement least privilege for all IAM policies
  2. Encrypt data at rest and in transit
  3. Use managed services for key management
  4. Design VPCs with proper segmentation
  5. Enable comprehensive logging and monitoring
  6. Implement compliance frameworks appropriately
  7. Conduct regular security audits and reviews

This post is licensed under CC BY 4.0 by the author.