What Is AWS Security Architecture?

In today’s digitally-driven world, more organizations are relying on cloud computing for mission-critical services like data analytics, data backup, email, software development, web applications, and more. In fact, Gartner estimates that by 2025, over 95% of new digital workloads will be released on cloud-native platforms—a number that’s expected to grow substantially from just 30% in 2021.

While the cloud brings about significant opportunities for growth and innovation, this new emphasis does come with its own set of challenges. How do you ensure that your cloud environment is properly maintained and secured? For a lot of organizations, the answer lies in managed cloud services. It doesn’t matter whether you’re looking for managed cloud services for AWS or Azure—there’s a solution out there for your organization! Keep reading to find out more about cloud security and how InterVision can help. 


What Is Security Architecture?

At a high level, security architecture is one of the foundational building blocks of an organization’s cybersecurity strategy. It includes the concepts, processes, tools, and procedures needed to protect a business from potential cyber threats. For organizations that operate in cloud services—where some or all of their data exists in public, private, or hybrid clouds—security architecture is especially important. Being able to identify, assess, and mitigate security threats directly relates to two critical elements:

  1. Your ability to protect your business’s sensitive information that lives on the cloud.
  2. Your ability to maintain, update, and strengthen security protocols.

Most cloud computing platforms—whether you’re using Azure, AWS, or something else—will employ security architecture and recommended practices to help businesses protect their data. For AWS, security architecture best practices exist in their Security Reference Architecture. In the rest of this article, we’ll discuss more about AWS security architecture and how a managed cloud services provider like InterVision helps organizations implement and maintain it.


What Is AWS Security Architecture?

For organizations that use AWS for their cloud computing services, the AWS Security Reference Architecture (AWS SRA) is the gold standard. Amazon Web Services reports that their SRA can be used to “help design, implement, and manage AWS security services so that they align with AWS recommended practices.” In other words, it’s a holistic set of guidelines that dictates how enterprise-level organizations should deploy the full range of AWS security services in their multi-account environments. 

To take a step deeper, the AWS SRA aligns three AWS security foundations into a single document: the AWS Cloud Adoption Framework (AWS CAF), the AWS Shared Responsibility Model, and AWS Well-Architected. By combining each of these models and frameworks into a single document, users can access a comprehensive security architecture model across the entire IT lifecycle.

In the current version at the time of writing (released December 2022), the AWS SRA includes direction for six accounts and organizational units (OUs):

  • Org Management Account: What are AWS security best practices for org management? They include maintaining correct administrative and contact information, enabling multi-factor authentication, and routinely reviewing who has access to your org management account.
  • Security OU – Security Tooling Account: This account is responsible for the managing and monitoring of security services within AWS. These include using resources like:
    • AWS Security Hub
    • AWS Guard Duty
    • AWS Config
    • AWS Macie
    • AWS IAM Access Analyzer
    • Amazon EventBridge
    • Amazon Detective
    • AWS Audit Manager
    • AWS Artifact
    • AWS KMI
    • AWS Private CA
    • Amazon Inspector
  • Security OU – Log Archive Account: With this account, businesses can ingest and archive logs associated with security and operations into a centralized location. This empowers organizations to monitor, audit, and alert on actions like Amazon S3 object access, IAM policy changes, unauthorized activity, and more.
  • Infrastructure OU – Network Account: The network account is responsible for managing the connection between an organization’s application and the rest of the internet—ultimately creating a stronger and more secure application.
  • Infrastructure OU – Shared Services Account: This account is designed to support the services needed to power applications and deliver outcomes. It includes Active Directory, messaging, and metadata services.
  • Workloads OU – Application Account: Finally, the application account hosts the services and infrastructure that power and maintain enterprise applications. This includes:
    • Application VPC
    • VPC endpoints
    • Amazon EC2
    • Application Load Balancers
    • AWS Private CA
    • Amazon Inspector
    • Amazon Systems Manager
    • Amazon Aurora
    • Amazon S3
    • AWS KMS
    • AWS CloudHSM
    • AWS Secrets Manager
    • Amazon Cognito
    • Layered Defense


What’s the Best Way to Manage Your AWS Security?

For a lot of organizations, taking on the full responsibility of AWS security architecture is an overwhelming prospect. Fortunately, you don’t have to do it on your own. When you partner with InterVision for AWS Managed Cloud Services, you can modernize, optimize, and secure your cloud workloads. As an AWS Premier Services Partner, InterVision brings a team of AWS security specialty experts who can help your organization:

  • Mitigate business risk
  • Address staffing challenges
  • Focus on key business initiatives
  • Optimize costs
  • Modernize and automate 

Ready to learn more about the many benefits of AWS managed cloud services? Reach out today to get started.