Domain 3: Design Secure Applications and Architectures (24%)
🎯 Overview
Design secure architectures and implement security best practices to protect data, applications, and infrastructure on AWS.
🛡️ Security Fundamentals
Shared Responsibility Model
AWS Responsibility (Security OF the Cloud):
├── Physical security of data centers
├── Infrastructure hardware/software
├── Network infrastructure
├── Virtualization infrastructure
└── Managed services operations
Customer Responsibility (Security IN the Cloud):
├── Guest operating system updates
├── Application software updates
├── Security group configurations
├── Network ACLs, firewall rules
├── Account management and access controls
├── Data encryption (at rest and in transit)
└── Network traffic protection
Security by Design Principles
- Defense in Depth: Multiple security layers
- Least Privilege: Minimum necessary permissions
- Fail Securely: Secure defaults, fail safely
- Zero Trust: Verify everything, trust nothing
- Encrypt Everything: Data at rest và in transit
🔐 Identity & Access Management (IAM)
IAM Components
IAM Structure:
Users:
- Individual identity (a person or a workload) within the account
- Long-term credentials (console password, access keys)
- Direct policy attachment
Groups:
- Collection of users
- Simplified permission management
- Cannot be nested
Roles:
- Temporary security credentials
- Cross-account access
- Service-to-service communication
- Identity federation
IAM Policy Example
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::company-bucket/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "203.0.113.0/24"
}
}
}
]
}
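To see how the policy above is actually applied, here is an added example (not AWS code and not from the original page) of a minimal evaluator that reproduces the parts of IAM's decision logic the exam cares about: everything is implicitly denied, an explicit Deny overrides any Allow, `Action` and `Resource` accept `*` and `?` wildcards, and the `IpAddress` / `NotIpAddress` operators test `aws:SourceIp`. The second policy, `DENY_OUTSIDE_OFFICE`, is constructed for the example; `NotAction`, `NotResource` and the other condition operators are not modelled.

```python
import fnmatch
import ipaddress

# Added example, not AWS code: a minimal evaluator for identity-based policies.
POLICY = {  # the policy shown in the section above
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::company-bucket/*",
        "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
    }],
}

# Constructed companion policy: a broad Allow plus a Deny for every request that
# does not come from the office range. The Deny wins regardless of statement order.
DENY_OUTSIDE_OFFICE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(patterns, value):
    # IAM wildcards: * matches any run of characters, ? exactly one character.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Every operator/key pair must hold. A key missing from the request context
    makes IpAddress false but NotIpAddress true (negated operators behave that way,
    which is why policies often add a separate Null check)."""
    for operator, pairs in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"condition operator {operator} not modelled")
        for key, allowed in pairs.items():
            if key not in context:
                if operator == "IpAddress":
                    return False
                continue
            ip = ipaddress.ip_address(context[key])
            in_range = any(ip in ipaddress.ip_network(c) for c in _as_list(allowed))
            if in_range != (operator == "IpAddress"):
                return False
    return True


def evaluate(policy, action, resource, context):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt["Action"])]  # action names are case-insensitive
        if not _wildcard_match(actions, action.lower()):
            continue
        if not _wildcard_match(stmt["Resource"], resource):      # ARNs are case-sensitive
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"                                        # explicit Deny ends evaluation
        decision = "Allow"
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::company-bucket/report.csv"
    office, elsewhere = {"aws:SourceIp": "203.0.113.7"}, {"aws:SourceIp": "198.51.100.9"}
    print(evaluate(POLICY, "s3:GetObject", obj, office))                  # Allow
    print(evaluate(POLICY, "s3:GetObject", obj, elsewhere))               # ImplicitDeny: condition fails
    print(evaluate(POLICY, "s3:DeleteObject", obj, office))               # ImplicitDeny: action not listed
    print(evaluate(DENY_OUTSIDE_OFFICE, "s3:GetObject", obj, elsewhere))  # Deny: explicit
```

The point to take from the last line is that adding an `Allow` somewhere else can never undo an explicit `Deny`; that is what makes Deny-with-condition the right tool for guardrails such as "only from the corporate range".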
🏗️ Network Security
Security Groups vs NACLs
Security Groups (Instance Level):
Features:
- Stateful (return traffic allowed)
- Allow rules only
- All rules evaluated
- Default: Deny all inbound, allow all outbound
Network ACLs (Subnet Level):
Features:
- Stateless (return traffic must be explicitly allowed, typically an outbound rule for ephemeral ports 1024-65535)
- Allow and deny rules
- Rules evaluated in ascending rule-number order; the first match decides, unmatched traffic hits the implicit deny
- Default NACL: allows all traffic; a custom NACL denies everything until rules are added
Network Segmentation
Internet Gateway
↓
Public Subnets (Web Tier)
├── Security Group: Web-SG
├── Allow: HTTP/HTTPS from Internet
└── Allow: SSH from Bastion only
↓
Private Subnets (App Tier)
├── Security Group: App-SG
├── Allow: App ports from Web-SG
└── No direct internet access (outbound through NAT Gateway only)
↓
Database Subnets (Data Tier)
├── Security Group: DB-SG
├── Allow: DB ports from App-SG only
└── No internet access
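The behaviour of the two filtering layers, and the tier-to-tier rules in the diagram, are easiest to check by simulating them. The following is an added example, not AWS code and not part of the original notes: a security group model that is stateful and allow-only (every rule checked, replies to accepted flows allowed back without a rule) and a network ACL model that is stateless with numbered, first-match rules and an implicit deny. The group names `Web-SG`, `App-SG`, `DB-SG` and `Bastion-SG` are the ones in the diagram; the addresses, ports and rule numbers are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not AWS code: a simulation of security-group and NACL semantics.


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def _matches_ref(ip, ref, sg_of):
    """A rule's source/destination is either a CIDR or the name of another security group."""
    if ref.endswith("-SG"):
        return sg_of.get(ip) == ref
    return ipaddress.ip_address(ip) in ipaddress.ip_network(ref)


class SecurityGroup:
    """Stateful, allow-only. All rules are evaluated; any match allows the packet."""
    def __init__(self, name, inbound, outbound=None):
        self.name = name
        self.inbound = inbound        # [(port_lo, port_hi, source)]
        self.outbound = outbound      # None = the default "allow all" outbound rule
        self.flows = set()            # connection-tracking table

    def inbound_allowed(self, pkt, sg_of):
        for lo, hi, source in self.inbound:
            if lo <= pkt.dport <= hi and _matches_ref(pkt.src, source, sg_of):
                self.flows.add(pkt)   # remember the flow so its reply can leave
                return True
        return False                  # there are no Deny rules: no match means drop

    def outbound_allowed(self, pkt, sg_of):
        if Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return True               # stateful: reply to a tracked inbound flow
        if self.outbound is None:
            return True
        return any(lo <= pkt.dport <= hi and _matches_ref(pkt.dst, dest, sg_of)
                   for lo, hi, dest in self.outbound)


class NetworkACL:
    """Stateless. Rules are evaluated in ascending number; the first match decides."""
    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound)    # [(rule_number, "allow"|"deny", cidr, port_lo, port_hi)]
        self.outbound = sorted(outbound)

    @staticmethod
    def _decide(rules, ip, port):
        for _number, action, cidr, lo, hi in rules:
            if lo <= port <= hi and ipaddress.ip_address(ip) in ipaddress.ip_network(cidr):
                return action == "allow"
        return False                      # the trailing "*" rule: implicit deny

    def inbound_allowed(self, pkt):
        return self._decide(self.inbound, pkt.src, pkt.dport)

    def outbound_allowed(self, pkt):
        return self._decide(self.outbound, pkt.dst, pkt.dport)


# Constructed addresses for the three tiers and the bastion host.
SG_OF = {"10.0.1.10": "Web-SG", "10.0.2.10": "App-SG", "10.0.3.10": "DB-SG", "10.0.0.5": "Bastion-SG"}
WEB = SecurityGroup("Web-SG", [(80, 80, "0.0.0.0/0"), (443, 443, "0.0.0.0/0"), (22, 22, "Bastion-SG")])
APP = SecurityGroup("App-SG", [(8080, 8080, "Web-SG")], outbound=[(3306, 3306, "DB-SG")])
DB = SecurityGroup("DB-SG", [(3306, 3306, "App-SG")])


def three_tier_checks():
    client = "198.51.100.20"
    results = {
        "internet_to_web_https": WEB.inbound_allowed(Packet(client, 50000, "10.0.1.10", 443), SG_OF),
        "internet_ssh_to_web": WEB.inbound_allowed(Packet(client, 50001, "10.0.1.10", 22), SG_OF),
        "bastion_ssh_to_web": WEB.inbound_allowed(Packet("10.0.0.5", 50002, "10.0.1.10", 22), SG_OF),
        "internet_to_db": DB.inbound_allowed(Packet(client, 50003, "10.0.3.10", 3306), SG_OF),
        "web_to_db_skips_tier": DB.inbound_allowed(Packet("10.0.1.10", 50004, "10.0.3.10", 3306), SG_OF),
        "app_to_db": DB.inbound_allowed(Packet("10.0.2.10", 50005, "10.0.3.10", 3306), SG_OF),
    }
    # App-SG's outbound rules only cover MySQL to DB-SG, yet the reply to an accepted
    # request from the web tier still gets out: that is what "stateful" means.
    APP.inbound_allowed(Packet("10.0.1.10", 51000, "10.0.2.10", 8080), SG_OF)
    results["app_reply_to_web"] = APP.outbound_allowed(Packet("10.0.2.10", 8080, "10.0.1.10", 51000), SG_OF)
    results["app_unsolicited_to_web"] = APP.outbound_allowed(Packet("10.0.2.10", 40000, "10.0.1.10", 8443), SG_OF)
    return results


def nacl_checks():
    client = "198.51.100.20"
    request = Packet(client, 50000, "10.0.1.10", 443)
    reply = Packet("10.0.1.10", 443, client, 50000)
    inbound = [(100, "allow", "0.0.0.0/0", 443, 443)]
    https_only = [(100, "allow", "0.0.0.0/0", 443, 443)]
    with_ephemeral = https_only + [(110, "allow", "0.0.0.0/0", 1024, 65535)]
    return {
        "request_in": NetworkACL(inbound, https_only).inbound_allowed(request),
        "reply_out_without_ephemeral_rule": NetworkACL(inbound, https_only).outbound_allowed(reply),
        "reply_out_with_ephemeral_rule": NetworkACL(inbound, with_ephemeral).outbound_allowed(reply),
        # a lower-numbered deny for the client's range is hit before rule 100
        "request_in_blocked_by_rule_90": NetworkACL(
            inbound + [(90, "deny", "198.51.100.0/24", 0, 65535)], with_ephemeral).inbound_allowed(request),
    }
```

`reply_out_without_ephemeral_rule` is the classic NACL mistake: the HTTPS request is accepted, the server answers, and the answer is dropped on the way out because nothing allows the client's ephemeral port. `web_to_db_skips_tier` shows why DB-SG references App-SG rather than a subnet CIDR: a compromised web host cannot reach the database even though it sits inside the VPC.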
🔒 Data Protection
S3 Encryption Options
SSE-S3 (Server-Side Encryption with S3-managed keys):
- Keys owned and managed by S3
- AES-256 encryption
- Transparent to applications
SSE-KMS (Key Management Service):
- AWS managed key (aws/s3) or customer managed keys
- Automatic key rotation
- Every key use logged in CloudTrail
- Granular permissions (a reader also needs kms:Decrypt on the key)
SSE-C (Customer Provided Keys):
- Customer manages keys; S3 does not store them
- S3 performs encryption and decryption
- Key sent with every request, over HTTPS only
CSE (Client-Side Encryption):
- Customer encrypts before upload
- Customer manages keys
- End-to-end encryption
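The differences between the server-side options are visible on the wire. Below is an added example (not AWS code, not from the original notes) that builds the request headers each mode puts on a PutObject call, performs the key-integrity check S3 does for SSE-C, and mirrors a bucket policy with two Deny statements (`aws:SecureTransport` false, and `s3:x-amz-server-side-encryption` not equal to `aws:kms`). The KMS key ARN and the test key are placeholders; client-side encryption is left out because it happens entirely in the client before any of these headers exist.

```python
import base64
import hashlib

# Added example, not AWS code: S3 server-side encryption request headers and a
# bucket-policy style check on them.
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"  # placeholder


def sse_headers(mode, kms_key_arn=None, customer_key=None):
    """Headers S3 expects on PutObject for SSE-S3, SSE-KMS and SSE-C."""
    if mode == "SSE-S3":
        return {"x-amz-server-side-encryption": "AES256"}
    if mode == "SSE-KMS":
        headers = {"x-amz-server-side-encryption": "aws:kms"}
        if kms_key_arn:                          # omitted: S3 uses the AWS managed key aws/s3
            headers["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_arn
        return headers
    if mode == "SSE-C":
        if customer_key is None or len(customer_key) != 32:
            raise ValueError("SSE-C needs a 256-bit AES key")
        # The key itself travels in the request (hence HTTPS only). S3 uses it and
        # discards it, keeping only a salted HMAC of the key to recognise it later.
        return {
            "x-amz-server-side-encryption-customer-algorithm": "AES256",
            "x-amz-server-side-encryption-customer-key": base64.b64encode(customer_key).decode(),
            "x-amz-server-side-encryption-customer-key-MD5":
                base64.b64encode(hashlib.md5(customer_key).digest()).decode(),
        }
    raise ValueError(f"unknown mode {mode}")


def sse_c_key_consistent(headers):
    """What S3 does when an SSE-C request arrives: recompute the MD5 of the supplied
    key and reject the request if the -key-MD5 header does not match."""
    key = base64.b64decode(headers["x-amz-server-side-encryption-customer-key"])
    expected = base64.b64encode(hashlib.md5(key).digest()).decode()
    return headers["x-amz-server-side-encryption-customer-key-MD5"] == expected


def put_object_allowed(headers, https=True):
    """Mirror of a bucket policy that denies when aws:SecureTransport is false and
    when s3:x-amz-server-side-encryption is not aws:kms. The second test is on the
    request header, so an upload that relies on the bucket's default encryption
    (no header) is denied too, as is SSE-C, which sets a different header."""
    if not https:
        return False, "Deny: aws:SecureTransport is false"
    if headers.get("x-amz-server-side-encryption") != "aws:kms":
        return False, "Deny: s3:x-amz-server-side-encryption is not aws:kms"
    return True, "Allow"


if __name__ == "__main__":
    key = bytes(range(32))   # constructed test key; use os.urandom(32) for real data
    for mode, kwargs in [("SSE-S3", {}), ("SSE-KMS", {"kms_key_arn": KMS_KEY_ARN}),
                         ("SSE-C", {"customer_key": key})]:
        print(mode, put_object_allowed(sse_headers(mode, **kwargs)))
```

If the intent of the bucket policy is "encrypted with a key we control", the `aws:kms` check is the right one; if the intent is only "not in plaintext", note that since S3 applies SSE-S3 by default, a policy this strict mainly serves to force the KMS audit trail rather than to prevent plaintext storage.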
Database Encryption
RDS Encryption:
At Rest:
- Database storage encryption
- Backup encryption
- Snapshot encryption
- Read replica encryption
In Transit:
- SSL/TLS connections
- Certificate validation
- Force SSL connections (rds.force_ssl or require_secure_transport parameter, depending on engine)
DynamoDB Encryption:
At Rest:
- AWS owned key (default) or AWS managed key (aws/dynamodb)
- Customer managed KMS keys
- Global table encryption
In Transit:
- HTTPS endpoints
- VPC endpoints
🔍 Monitoring & Logging
AWS CloudTrail
CloudTrail Best Practices:
Multi-Region Trail:
- Captures global service events (IAM, STS, CloudFront)
- Covers all AWS regions, including regions enabled later
- Dedicated S3 bucket with a restrictive bucket policy
Log File Validation:
- Integrity verification
- Tamper detection
- Cryptographic hashing
Event History:
- API call logging
- User activity tracking
- Resource change monitoring
- Compliance auditing
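Log file validation is worth seeing in code. The following is an added example, not AWS code and not from the original notes: it reproduces the hash-chain half of the mechanism. CloudTrail writes an hourly digest file listing each delivered log file with the SHA-256 of its uncompressed content, together with the hash of the previous digest, so a modified, replaced or deleted log file, or a digest removed from the chain, is detectable. The RSA signature over each digest (checked against the key returned by `aws cloudtrail list-public-keys`) is the other half and is not reproduced here. The account id, bucket, object keys and events are constructed.

```python
import gzip
import hashlib
import json

# Added example, not AWS code: the hash chain of CloudTrail log file validation.
FIRST_KEY = "AWSLogs/111122223333/CloudTrail/us-east-1/2024/01/01/trail-0100.json.gz"
SECOND_KEY = "AWSLogs/111122223333/CloudTrail/us-east-1/2024/01/01/trail-0200.json.gz"


def deliver(store, key, events):
    """Write a log file the way CloudTrail delivers it: gzip-compressed JSON with a Records array."""
    store[key] = gzip.compress(json.dumps({"Records": events}).encode())


def log_file_hash(compressed):
    # hashValue in the digest covers the uncompressed log content
    return hashlib.sha256(gzip.decompress(compressed)).hexdigest()


def digest_hash(digest):
    return hashlib.sha256(json.dumps(digest, sort_keys=True).encode()).hexdigest()


def make_digest(store, keys, previous=None):
    """Digest in the shape CloudTrail writes (fields not needed here are omitted)."""
    return {
        "awsAccountId": "111122223333",
        "digestS3Bucket": "company-cloudtrail-logs",
        "logFiles": [{"s3Bucket": "company-cloudtrail-logs", "s3Object": k,
                      "hashAlgorithm": "SHA-256", "hashValue": log_file_hash(store[k])}
                     for k in keys],
        "previousDigestHashValue": digest_hash(previous) if previous is not None else None,
        "previousDigestHashAlgorithm": "SHA-256" if previous is not None else None,
    }


def verify(chain, store):
    """chain is newest digest first. Returns the problems found (empty = valid)."""
    problems = []
    for i, digest in enumerate(chain):
        for entry in digest["logFiles"]:
            content = store.get(entry["s3Object"])
            if content is None:
                problems.append(f"missing log file {entry['s3Object']}")
            elif log_file_hash(content) != entry["hashValue"]:
                problems.append(f"hash mismatch for {entry['s3Object']}")
        if digest["previousDigestHashValue"] is None:
            continue                                   # first digest of the chain
        if i + 1 == len(chain):
            problems.append("previous digest missing from chain")
        elif digest_hash(chain[i + 1]) != digest["previousDigestHashValue"]:
            problems.append("previous digest altered or replaced")
    return problems


def run_demo():
    store = {}
    deliver(store, FIRST_KEY, [{"eventName": "ConsoleLogin", "userIdentity": {"userName": "alice"}}])
    deliver(store, SECOND_KEY, [{"eventName": "StopLogging", "userIdentity": {"userName": "mallory"}}])
    d1 = make_digest(store, [FIRST_KEY])
    d2 = make_digest(store, [SECOND_KEY], previous=d1)
    chain = [d2, d1]
    out = {"clean": verify(chain, store), "truncated_chain": verify([d2], store)}
    # A forged or edited digest breaks the link from the digest after it.
    out["forged_digest"] = verify([d2, dict(d1, logFiles=[])], store)
    # An intruder rewrites the log file to remove the StopLogging record...
    deliver(store, SECOND_KEY, [])
    out["tampered"] = verify(chain, store)
    # ...or deletes it outright.
    del store[SECOND_KEY]
    out["deleted"] = verify(chain, store)
    return out


if __name__ == "__main__":
    for case, problems in run_demo().items():
        print(case, problems or "ok")
```

The practical lesson is in the `StopLogging` event: an attacker who can write to the log bucket can hide their tracks from the raw files, but not from the digest chain, which is why the digest and log bucket should be write-restricted and the digests kept in the same account's trail.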
Amazon GuardDuty
GuardDuty Features:
Data Sources:
- VPC Flow Logs
- DNS logs (Route 53 Resolver)
- CloudTrail management events and S3 data events
- EBS volume scans (Malware Protection)
Threat Types:
- Reconnaissance attacks
- Instance compromises
- Cryptocurrency mining
- Data exfiltration
Response:
- EventBridge rules (formerly CloudWatch Events)
- Lambda functions
- SNS notifications
- Security Hub integration
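The response path above (finding → EventBridge rule → Lambda) is where most of the engineering goes. Below is an added example, not AWS code and not from the original notes: a Lambda handler that triages GuardDuty findings delivered by EventBridge. The event envelope (`source` `aws.guardduty`, `detail-type` `GuardDuty Finding`) and the finding fields used (`type`, `severity`, `resource.*`) are GuardDuty's, the finding type names are real GuardDuty types, and the severity bands are GuardDuty's documented ranges. Remediation side effects are passed in as a callable so the logic runs offline; in a deployed function they would be boto3 calls. The three sample events are constructed.

```python
# Added example, not AWS code: triage of GuardDuty findings in a Lambda handler.


def severity_label(score):
    """GuardDuty bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def plan_response(finding):
    """Decide the actions for one finding. Finding types read
    ThreatPurpose:ResourceTypeAffected/ThreatFamilyName[.DetectionMechanism][!Artifact]."""
    purpose, rest = finding["type"].split(":", 1)
    resource_kind = rest.split("/", 1)[0]
    level = severity_label(finding["severity"])
    actions = [("notify-security-team", level)]
    if level in ("HIGH", "CRITICAL") and resource_kind == "EC2":
        instance = finding["resource"]["instanceDetails"]["instanceId"]
        actions.append(("isolate-instance", instance))   # swap to a quarantine security group
        actions.append(("snapshot-volumes", instance))   # preserve evidence before any cleanup
    if level in ("HIGH", "CRITICAL") and resource_kind == "IAMUser":
        key_id = finding["resource"]["accessKeyDetails"]["accessKeyId"]
        actions.append(("deactivate-access-key", key_id))
    if purpose == "Exfiltration" and resource_kind == "S3":
        for bucket in finding["resource"]["s3BucketDetails"]:
            actions.append(("block-public-access", bucket["name"]))
    return actions


def handler(event, context=None, execute=lambda action, target: None):
    """Lambda entry point. EventBridge delivers the finding as event['detail']."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return {"statusCode": 400, "actions": []}
    actions = plan_response(event["detail"])
    for action, target in actions:
        execute(action, target)
    return {"statusCode": 200, "findingId": event["detail"]["id"], "actions": actions}


def sample_event(finding_type, severity, resource):
    """Constructed EventBridge envelope around a trimmed GuardDuty finding."""
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "detail": {"id": "constructed-finding-id", "type": finding_type,
                       "severity": severity, "resource": resource}}


CRYPTO_MINER = sample_event("CryptoCurrency:EC2/BitcoinTool.B!DNS", 8.0,
                            {"resourceType": "Instance",
                             "instanceDetails": {"instanceId": "i-0123456789abcdef0"}})
PORT_SCAN = sample_event("Recon:EC2/Portscan", 5.0,
                         {"resourceType": "Instance",
                          "instanceDetails": {"instanceId": "i-0123456789abcdef0"}})
STOLEN_KEY = sample_event("UnauthorizedAccess:IAMUser/MaliciousIPCaller", 7.0,
                          {"resourceType": "AccessKey",
                           "accessKeyDetails": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                                                "userName": "deploy-bot"}})


if __name__ == "__main__":
    for event in (CRYPTO_MINER, PORT_SCAN, STOLEN_KEY):
        print(event["detail"]["type"], handler(event, execute=lambda a, t: print("  ", a, t))["actions"])
```

Two design points: the snapshot is taken before the instance is touched, because isolation changes state that an investigator may want; and the port scan at severity 5.0 only notifies, since automatic isolation on medium-severity reconnaissance findings tends to generate more outages than it prevents.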
🎯 Security Scenarios
Scenario 1: Multi-Tier Web Application
Requirements: secure a web application with a database backend.
Solution:
Architecture:
Internet → CloudFront (WAF web ACL attached)
↓
Internet Gateway → ALB (HTTPS only) → Security Group (Web)
↓
EC2 Instances (Private Subnet) → Security Group (App)
↓
RDS (Database Subnet) → Security Group (DB)
Security Measures:
- WAF rules for common attacks (e.g. AWS managed rule groups)
- TLS 1.2+ encryption
- IAM roles for EC2 instances
- Database encryption
- VPC Flow Logs
- CloudTrail logging
📝 Security Best Practices
Identity & Access Management
- [ ] Enable MFA for the root user and privileged accounts
- [ ] Use IAM roles instead of long-term credentials
- [ ] Implement the least privilege principle
- [ ] Regular access reviews
- [ ] Monitor with CloudTrail
Network Security
- [ ] Use a VPC with proper subnet design
- [ ] Configure security groups restrictively
- [ ] Implement network segmentation
- [ ] Enable VPC Flow Logs
- [ ] Use WAF for web applications
Data Protection
- [ ] Encrypt data at rest and in transit
- [ ] Use KMS for key management
- [ ] Implement proper backup strategies
- [ ] Regular security assessments
- [ ] Data classification and handling