Unpacking my ‘go-to’ architecture for securing large scale highly connected digital assets.
This architecture reflects my current technical acumen and business philosophies:
I use it within my own projects — and as a baseline for related consulting work.
It’s an ideal — secure, performant and modular — platform for delivering:
Inspired — and perpetually evolving — from AWS reference architectures and security best-practices:
Maintained in a library of CloudFormation templates and deployable on-demand — as individual modules or end-to-end.
JSON), so there is no compelling reason to take on the added costs and complexity of a 3rd-party tool
This architecture also fills a key role in a more comprehensive cloud strategy:
So let’s dive in…
Laying the groundwork for identity and access management, logging, monitoring — while optimizing for a multi-account environment.
Automating best practices — least privilege, cross-account roles, etc.
With this solid foundation in place, we can easily enhance functionality using a number of different add-on modules:
Let’s dive a little deeper into those modules…
Add-on microservice for ingesting and analyzing large volumes of logs (EC2 logs, VPC Flow Logs, etc.) in real time.
Analyze streaming data and respond to anomalies in real time.
This add-on module provides a delegation framework and automation for quickly deploying approved cloud services.
Achieve consistent governance and meet compliance requirements.
This add-on module enables an HSM for encryption key management.
KMS is usually my first choice, but stricter project requirements (FIPS 140-2 Level 3, single tenancy, etc.) may require an HSM.