Cloud Security
Module 2

Secure AWS & Azure Architecture Design

Deep-dive into platform-specific security architectures. Design secure network topologies, implement identity federation strategies, and configure native security services for workload protection across hybrid and multi-cloud deployments.

~50 minutes
Technical Level
IN THIS MODULE

What You'll Master

Identity & Access Management Strategy
Design least-privilege IAM frameworks and role-based access control for enterprise cloud.
Network Segmentation
Implement VPC isolation, security groups, and firewall strategies for zero-trust networks.
Secure Architecture Patterns
Master multi-account strategies and workload separation for enterprise resilience.
Encryption & Key Management
Understand data protection strategies for data at rest and data in transit.
FOUNDATIONAL CONTROL

Identity & Access Management Strategy

Identity is the primary control plane of cloud infrastructure: every API call, console action, and service-to-service request is authorized against a principal's permissions, so an over-privileged credential is the shortest path an attacker has to your data. An effective IAM strategy enforces least privilege and removes the standing permissions that turn a leaked key into a full compromise.

Least Privilege Principle

Grant users, applications, and services the minimum permissions required to perform their specific functions. Every permission represents a potential attack vector if credentials are compromised. Regular audits ensure permissions remain aligned with actual responsibilities.

❌ Avoid
Action: "*" (all actions), Resource: "*" (all resources)
✓ Implement
Action: "s3:GetObject", Resource: "arn:aws:s3:::reports/*"
Scope the Resource as tightly as the Action: "s3:GetObject" on Resource "*" still reads every bucket in the account.

Role-Based Access Control (RBAC)

RBAC organizes permissions into logical roles mapped to job functions. Instead of assigning individual permissions to each user, users assume roles containing permissions needed for their responsibilities.

RBAC Element | Purpose                         | Example
Role         | Logical grouping of permissions | DatabaseAdministrator
Principal    | User, group, or service         | john.smith@company.com
Permission   | Specific resource action        | rds:ModifyDBCluster
Assignment   | Binding principal to role       | john.smith ← DatabaseAdministrator
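The following is an added example, not code from the course page: a minimal IAM-style policy evaluator with role-based assignment, covering both the least-privilege comparison above and the RBAC table. The policies, roles, principals and ARNs are constructed sample data; the evaluation order (explicit deny beats allow, no match means implicit deny) and the wildcard semantics follow AWS, but this is an illustration of the model rather than the platform's evaluator.

```python
"""Added example (not code from the course page): a minimal IAM-style policy
evaluator with role-based assignment, on constructed sample data.

Least privilege: explicit actions and resources instead of "*".
RBAC: permissions live in roles; principals are bound to roles.
Evaluation mirrors AWS: an explicit Deny beats any Allow, and with no
matching statement the result is an implicit deny.
"""
from fnmatch import fnmatchcase

# Policies in the JSON-style shape AWS uses (sample data for this example).
ADMIN_ALL = {"Statement": [            # anti-pattern: every action on every resource
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

READ_REPORTS = {"Statement": [         # least privilege: read one bucket, nothing else
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::reports", "arn:aws:s3:::reports/*"]}]}

DB_ADMIN = {"Statement": [             # broad Allow plus an explicit Deny guardrail
    {"Effect": "Allow", "Action": "rds:*", "Resource": "*"},
    {"Effect": "Deny",
     "Action": ["rds:DeleteDBCluster", "rds:DeleteDBInstance"], "Resource": "*"}]}

# Roles group policies; assignments bind principals to roles (the RBAC table above).
ROLES = {"DatabaseAdministrator": [DB_ADMIN], "ReportReader": [READ_REPORTS]}
ASSIGNMENTS = {
    "john.smith@company.com": ["DatabaseAdministrator"],
    "svc-reporting": ["ReportReader"],            # a workload identity, same mechanism
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case):
    # IAM wildcards: "*" matches any run of characters, "?" a single one.
    # Action names are case-insensitive; resource ARNs are not.
    if fold_case:
        return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Return 'allow' or 'deny' for one request across a set of policies."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if (_matches(stmt["Action"], action, fold_case=True)
                    and _matches(stmt["Resource"], resource, fold_case=False)):
                if stmt["Effect"] == "Deny":
                    return "deny"               # explicit deny wins immediately
                allowed = True
    return "allow" if allowed else "deny"       # nothing matched: implicit deny


def is_authorized(principal, action, resource):
    """RBAC: collect the policies of every role assigned to the principal."""
    policies = [p for role in ASSIGNMENTS.get(principal, []) for p in ROLES[role]]
    return evaluate(policies, action, resource) == "allow"


def lint_wildcards(policy):
    """Flag Allow statements that grant every action, or that pair a wildcard
    action with Resource "*": the patterns a least-privilege review rejects."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt["Resource"])
        if "*" in actions:
            findings.append(f"statement {i}: Action '*' grants every API call")
        elif "*" in resources and any("*" in a for a in actions):
            findings.append(f"statement {i}: wildcard action on Resource '*'")
    return findings


if __name__ == "__main__":
    print(lint_wildcards(ADMIN_ALL))        # one finding
    print(is_authorized("john.smith@company.com", "rds:ModifyDBCluster",
                        "arn:aws:rds:us-east-1:123456789012:cluster:orders"))   # True
```

The explicit Deny inside DatabaseAdministrator is the pattern to notice: a role can stay broad enough to be usable while the actions you never want a human to perform from that role are carved out, and the linter still flags the rds:* on Resource "*" as something to justify in review.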

IAM Architecture Best Practices

  • Centralized Identity — Use a managed identity provider (Microsoft Entra ID, formerly Azure AD; AWS IAM Identity Center) as the single source of truth, and federate into accounts with short-lived role sessions instead of creating local IAM users
  • Multi-Factor Authentication — Require MFA for all human access, and phishing-resistant MFA (FIDO2 security keys or passkeys) for privileged roles
  • Regular Audits — Quarterly reviews of IAM policies and active permissions, using access-analysis data (AWS IAM Access Analyzer unused-access findings, Entra access reviews) to remove permissions that are granted but never exercised
  • Service Accounts — Use platform-issued identities (AWS IAM roles for EC2, ECS and Lambda; Azure managed identities) instead of long-lived access keys for application-to-application access
PERIMETER SECURITY

Network Segmentation in Cloud

Network segmentation eliminates the concept of implicit trust based on network location. By isolating workloads into separate network zones, you contain lateral movement and limit blast radius of compromised resources.

VPC Isolation Concept

Virtual Private Clouds (AWS VPC, Azure VNet) establish isolated network environments with private IP address spaces. Nothing outside the VPC can reach resources inside it unless a path is explicitly created (internet gateway, NAT gateway, peering, VPN, or private endpoint) and the firewall rules allow the traffic. Defaults differ between providers: a new AWS VPC has no internet path until a gateway and route are added, whereas Azure VNets have historically provided default outbound internet access, so egress must be restricted explicitly with NSG rules or routed through a NAT gateway.

AWS: VPC with CIDR blocks (e.g., 10.0.0.0/16) | Azure: VNet with address space (e.g., 10.0.0.0/16)

Segmented Network Architecture

📡 Internet Gateway / NAT Gateway

The Internet Gateway provides the inbound and outbound path for the public subnet; a NAT Gateway gives private subnets outbound-only access (patching, package downloads) with no inbound exposure

🛡️ Public Subnet

Load balancers, API gateways, bastion hosts with public IPs

🔐 Private Subnet (Application)

Application servers, microservices, internal APIs (no direct internet access)

🗄️ Database Subnet

Databases, caches, data stores (isolated from public traffic)

Security Groups & Firewall Awareness

Security groups (AWS) and network security groups (Azure) function as stateful firewalls attached to instances or network interfaces: the return traffic of a permitted connection is allowed automatically, so only the direction that initiates a connection needs a rule. Rules define which protocols, ports, and sources (CIDR ranges or references to other security groups) may communicate with a resource. AWS security groups are allow-only; explicit deny rules live in stateless network ACLs at the subnet level, which need matching rules in both directions. Azure NSGs support both allow and deny rules, evaluated by priority.

Inbound Rules (Ingress)

Control incoming traffic TO resources:

  • ✓ Port 443 from 0.0.0.0/0 (HTTPS from anywhere, on the load balancer tier only)
  • ✓ Port 3306 from app-sg (MySQL from the application tier, referenced by security group rather than by IP range)
  • ✗ Port 22 from 0.0.0.0/0 (SSH from anywhere; use AWS Systems Manager Session Manager or Azure Bastion, or restrict to a bastion security group)

Outbound Rules (Egress)

Control outgoing traffic FROM resources (the default is usually "allow all", so restricting egress is a deliberate design choice):

  • ✓ Port 443 to 0.0.0.0/0 (HTTPS to the internet; tighter designs route this through NAT with egress filtering to known endpoints)
  • ✓ Port 53 to DNS (DNS lookups to the VPC resolver only)
  • ✗ Port 22 to 0.0.0.0/0 (outbound SSH restricted; a compromised host should not be able to pivot or exfiltrate over arbitrary ports)
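The following is an added example, not part of the course material: a small checker for the segmented topology described above, run against constructed sample subnets, route tables and security-group rules modelled on AWS conventions (the questions are the same for Azure VNets with NSGs). The CIDRs, group names, the 10.0.0.2 resolver address and the deliberate SSH-from-anywhere rule are all assumptions made for the example.

```python
"""Added example (not the course's own material): a checker for the segmented
topology above, run against constructed sample data modelled on AWS conventions
(Azure VNets with NSGs behave the same for these questions).

It answers what a design review asks: which subnets are actually public, which
groups expose admin ports to the internet, which tier-to-tier paths are open,
and whether a tier can reach the internet at all (route plus egress rule).
"""
import ipaddress

# A subnet is public only if its route table sends 0.0.0.0/0 to an internet
# gateway; a NAT route gives outbound-only access; None means no internet path.
SUBNETS = {
    "public": {"cidr": "10.0.0.0/24", "default_route": "igw-main"},
    "app": {"cidr": "10.0.10.0/24", "default_route": "nat-main"},
    "db": {"cidr": "10.0.20.0/24", "default_route": None},
}

# Rules are (protocol, from_port, to_port, peer); peer is a CIDR or the name of
# another security group. Security groups are stateful: only the direction that
# opens the connection needs a rule. 10.0.0.2 stands in for the VPC resolver.
GROUPS = {
    "alb-sg": {"ingress": [("tcp", 443, 443, "0.0.0.0/0")],
               "egress": [("tcp", 8080, 8080, "app-sg")]},
    "app-sg": {"ingress": [("tcp", 8080, 8080, "alb-sg"),
                           ("tcp", 22, 22, "0.0.0.0/0")],   # deliberate finding
               "egress": [("tcp", 3306, 3306, "db-sg"),
                          ("tcp", 443, 443, "0.0.0.0/0"),
                          ("udp", 53, 53, "10.0.0.2/32")]},
    "db-sg": {"ingress": [("tcp", 3306, 3306, "app-sg")],
              "egress": []},
}
ADMIN_PORTS = {22, 3389}


def _rule_matches(rule, proto, port, peer_sg, peer_cidr):
    """Does one rule cover this protocol/port for a peer identified either by
    its security group (reference rule) or by its address range (CIDR rule)?"""
    r_proto, lo, hi, r_peer = rule
    if r_proto not in (proto, "-1") or not lo <= port <= hi:
        return False
    if r_peer == peer_sg:
        return True
    try:
        return ipaddress.ip_network(peer_cidr).subnet_of(ipaddress.ip_network(r_peer))
    except ValueError:          # r_peer is a group name that did not match
        return False


def public_subnets(subnets=SUBNETS):
    return sorted(n for n, s in subnets.items()
                  if s["default_route"] and s["default_route"].startswith("igw-"))


def admin_ports_open_to_world(groups=GROUPS):
    """Ingress rules that expose SSH/RDP to 0.0.0.0/0; use SSM Session Manager
    or Azure Bastion instead of opening these."""
    return [(name, lo, hi)
            for name, g in groups.items()
            for _, lo, hi, peer in g["ingress"]
            if peer == "0.0.0.0/0" and any(lo <= p <= hi for p in ADMIN_PORTS)]


def reachable(src, dst, proto, port, groups=GROUPS, subnets=SUBNETS):
    """src and dst are (security_group, subnet) pairs. A connection needs an
    egress rule on the source and an ingress rule on the destination."""
    src_sg, src_sub = src
    dst_sg, dst_sub = dst
    egress_ok = any(_rule_matches(r, proto, port, dst_sg, subnets[dst_sub]["cidr"])
                    for r in groups[src_sg]["egress"])
    ingress_ok = any(_rule_matches(r, proto, port, src_sg, subnets[src_sub]["cidr"])
                     for r in groups[dst_sg]["ingress"])
    return egress_ok and ingress_ok


def can_reach_internet(sg, subnet, proto, port, groups=GROUPS, subnets=SUBNETS):
    """Egress needs both a route out of the subnet and a matching egress rule;
    a permissive security group on a subnet with no route still goes nowhere."""
    if subnets[subnet]["default_route"] is None:
        return False
    return any(_rule_matches(r, proto, port, None, "0.0.0.0/0")
               for r in groups[sg]["egress"])


if __name__ == "__main__":
    print("public subnets:", public_subnets())
    print("admin ports open to world:", admin_ports_open_to_world())
    print("app -> db 3306:", reachable(("app-sg", "app"), ("db-sg", "db"), "tcp", 3306))
    print("alb -> db 3306:", reachable(("alb-sg", "public"), ("db-sg", "db"), "tcp", 3306))
```

The point of can_reach_internet is that segmentation is two controls, not one: the database tier has an empty egress list and no default route, so even a later "temporary" allow-all egress rule on db-sg would not give it a path out. Checks like these belong in CI against the Terraform or Bicep plan, not in a quarterly review.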

Benefits of Network Segmentation

Lateral Movement Prevention

Contains compromise to specific segment

Reduced Attack Surface

Limits exposed endpoints and services

Compliance Alignment

Meets regulatory isolation requirements

Traffic Visibility

Enables detailed traffic monitoring

ARCHITECTURAL DESIGN

Secure Architecture Patterns

Enterprise cloud deployments require architectural patterns that provide isolation, resilience, and manageability. Multi-account strategies and workload separation form the foundation of secure, scalable cloud infrastructure.

Multi-Account Strategy

Organizations deploy separate AWS accounts or Azure subscriptions for different purposes: development, staging, production, security, and logging. The account is the strongest isolation boundary the platform offers, because IAM policies, service quotas, and most data-plane defaults stop at its edge. This strategy provides:

  • Blast Radius Containment — Compromise in dev doesn't affect production
  • Access Isolation — Different teams have separate accounts with distinct permissions
  • Audit Clarity — Each account generates distinct audit logs for compliance
  • Cost Allocation — Separate billing per department or business unit

Recommended Account Structure

Management Account

Central billing, organization management, cross-account policies

Security Account

Delegated administrator for security tooling (GuardDuty, Security Hub, Inspector; Microsoft Defender for Cloud), cross-account read-only audit roles, vulnerability scanning

Logging Account

Centralized CloudTrail logs, VPC Flow Logs, application logs

Development Account

Development and testing workloads with limited scope

Production Account(s)

Isolated production workloads with strictest controls

Separation of Workloads

Workloads with different security requirements or compliance obligations must be isolated to prevent cross-contamination and ensure compliance audit clarity.

By Compliance Domain — HIPAA, PCI-DSS, GDPR workloads in separate accounts
By Environment Lifecycle — Dev, staging, production in distinct accounts
By Organizational Unit — Marketing, Finance, Engineering workloads isolated
By Risk Profile — High-risk customer data separate from internal systems
DATA PROTECTION

Encryption & Key Management

Encryption transforms plaintext data into ciphertext, rendering it unintelligible without correct decryption keys. Cloud-native encryption strategies must address data across its entire lifecycle.

Data at Rest

Data stored on disks, databases, or storage services when not actively transmitted.

Encryption examples:

  • S3/Blob server-side encryption
  • Database encryption (RDS, Cosmos DB)
  • EBS/Managed Disk encryption
  • Backup vault encryption

Protection: Lost, stolen, or decommissioned storage media cannot expose data. It does not protect against a principal that holds decrypt permission on the key, so key policies and IAM scope decide who can actually read the data.

Data in Transit

Data moving between systems across networks or over the internet.

Encryption examples:

  • TLS/SSL for HTTP (HTTPS)
  • VPN tunnels between datacenters
  • Encrypted database connections
  • Service-to-service encryption

Protection: Network eavesdropping cannot expose data, provided encryption is end to end. Where TLS terminates at a load balancer, re-encrypt to the backend so traffic inside the VPC is not plaintext.

Cloud-Native Security Mindset

Under the shared responsibility model the provider protects the physical media and the hypervisor; the customer must enable, configure, and govern encryption for each service and key. Organizations must actively turn on and manage encryption rather than assume the physical security of a datacenter they do not control.

Default Encryption Enabled

Cloud providers encrypt most services by default with provider-managed keys; verify it is enabled on every resource (S3 bucket default encryption, EBS encryption-by-default per region, Azure Storage service encryption) and enforce it with organization policy (AWS SCPs, Azure Policy) so it cannot be turned off

Customer-Managed Keys

Use customer-managed keys in AWS KMS or Azure Key Vault so you own the key policy, can disable or revoke a key, and get a per-use audit trail (CloudTrail, Key Vault diagnostic logs). The key material still lives in provider-operated HSMs; for stricter separation use dedicated HSMs (AWS CloudHSM, Key Vault Managed HSM) or bring your own key

Key Rotation Policies

Implement automated key rotation to bound how much data any one key version protects. KMS and Key Vault keep prior versions so existing ciphertext still decrypts; with envelope encryption only the key-encryption key rotates, and the wrapped data keys are re-wrapped rather than the data re-encrypted

Encryption in Application Code

Apply additional encryption layer at application level for highly sensitive data (defense-in-depth)

Layered Encryption Strategy

Layer 1: Transport Security

TLS 1.2+ (prefer 1.3) for all network communication; mutual TLS for service-to-service calls; certificate pinning only for first-party clients you can update quickly, since a pinned certificate turns routine rotation into an outage

Layer 2: Service-Level Encryption

Cloud-native encryption (S3 SSE, RDS encryption) for all data stores

Layer 3: Application-Level Encryption

Encrypt sensitive fields before storing (field-level encryption for PII)

Layer 4: Key Management

Customer-managed keys in KMS/Key Vault with audit logging and access controls
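The following is an added example, not code from the course page: envelope encryption under a customer-managed key, showing how Layers 3 and 4 fit together from the application's side. The Kms class is a stand-in written for this example, not the AWS KMS or Key Vault API; the cipher is a toy HMAC-SHA256 counter mode with an encrypt-then-MAC tag so the example runs on the Python standard library (production code uses AES-GCM from the provider SDK); the record IDs, caller names and encryption context are constructed sample data.

```python
"""Added example (not from the course page): envelope encryption under a
customer-managed key, as the KMS / Key Vault workflow looks to the application.

The key-encryption key (KEK) never leaves the Kms object; the application holds
a per-record data-encryption key (DEK) only while it needs it. Key use is checked
against an allow-list and audit-logged, and rotating the KEK re-wraps the stored
DEKs without touching the data. The cipher is a toy (HMAC-SHA256 counter mode,
encrypt-then-MAC) so this runs on the standard library; use AES-GCM in practice.
"""
import hashlib
import hmac
import secrets
import struct


def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def _xor_stream(key, nonce, data):
    # Counter mode: keystream block i = PRF(key, nonce || i), XORed with the data.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = _prf(key, nonce + struct.pack(">I", i // 32))
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def aead_encrypt(key, plaintext, aad=b""):
    """Toy AEAD: nonce || ciphertext || tag; aad is authenticated, not encrypted."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce = secrets.token_bytes(12)
    ct = _xor_stream(enc_key, nonce, plaintext)
    tag = _prf(mac_key, struct.pack(">Q", len(aad)) + aad + nonce + ct)
    return nonce + ct + tag


def aead_decrypt(key, blob, aad=b""):
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = _prf(mac_key, struct.pack(">Q", len(aad)) + aad + nonce + ct)
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key, context or tampering")
    return _xor_stream(enc_key, nonce, ct)


class Kms:
    """Stand-in for AWS KMS / Azure Key Vault: key material stays inside, callers
    are checked against a key policy, and every operation is logged."""

    def __init__(self, allowed_callers):
        self._keks = {1: secrets.token_bytes(32)}   # version -> KEK material
        self.current = 1
        self.allowed = set(allowed_callers)
        self.audit = []

    def _authorize(self, caller, op):
        self.audit.append((op, caller))             # log denied attempts too
        if caller not in self.allowed:
            raise PermissionError(f"{caller} is not allowed to call {op}")

    def _wrap(self, dek, context):
        return struct.pack(">I", self.current) + aead_encrypt(
            self._keks[self.current], dek, context)

    def _unwrap(self, wrapped, context):
        version = struct.unpack(">I", wrapped[:4])[0]
        return aead_decrypt(self._keks[version], wrapped[4:], context)

    def generate_data_key(self, caller, context):
        """Return (plaintext DEK, DEK wrapped under the current KEK)."""
        self._authorize(caller, "GenerateDataKey")
        dek = secrets.token_bytes(32)
        return dek, self._wrap(dek, context)

    def decrypt(self, caller, wrapped, context):
        self._authorize(caller, "Decrypt")
        return self._unwrap(wrapped, context)

    def rotate(self):
        self.current += 1
        self._keks[self.current] = secrets.token_bytes(32)
        self.audit.append(("RotateKey", self.current))

    def re_encrypt(self, wrapped, context):
        """Re-wrap a DEK under the current KEK; the data it protects is untouched."""
        return self._wrap(self._unwrap(wrapped, context), context)


def _context(record_id):
    # Encryption context binds the DEK to one record: a wrapped DEK lifted from
    # another row fails to unwrap, even for an authorized caller.
    return b"table=customers;id=" + record_id.encode()


def encrypt_record(kms, caller, record_id, pii):
    dek, wrapped = kms.generate_data_key(caller, _context(record_id))
    ciphertext = aead_encrypt(dek, pii.encode(), _context(record_id))
    return {"id": record_id, "wrapped_dek": wrapped, "ciphertext": ciphertext}


def decrypt_record(kms, caller, row):
    dek = kms.decrypt(caller, row["wrapped_dek"], _context(row["id"]))
    return aead_decrypt(dek, row["ciphertext"], _context(row["id"])).decode()


def rotate_and_rewrap(kms, rows):
    """KEK rotation: only the small wrapped DEKs are rewritten, not the data."""
    kms.rotate()
    for row in rows:
        row["wrapped_dek"] = kms.re_encrypt(row["wrapped_dek"], _context(row["id"]))
    return rows
```

Two things to take from this beyond the text above: the encryption context (AWS KMS calls it exactly that; Key Vault achieves the same binding through the AAD of the data-level cipher) is what stops a wrapped key from being replayed against a different record, and the audit log records the denied "intern" call as well as the successful ones, which is the trail CloudTrail or Key Vault logging gives you for real keys.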

EXTERNAL REFERENCES

Official Platform Security Documentation

Expand your platform-specific knowledge with official AWS and Azure security architecture resources:

AWS Security Architecture

AWS Well-Architected Framework

Security pillar with best practices for AWS workloads


AWS Security Best Practices

IAM, encryption, and network security guidance


Azure Security Architecture

Azure Well-Architected Framework

Security pillar with Azure-specific guidance


Azure Security Best Practices

Identity, network, and data protection documentation


Verified Certificate Notice

Complete all 3 modules of this course to unlock your Verified Cyber Security Certificate with unique ID and QR verification. Your certificate demonstrates mastery of cloud security architecture fundamentals.

Module 2 Complete ✓

  • Mastered IAM strategy and RBAC concepts
  • Designed network segmentation architectures
  • Understood multi-account and workload separation strategies
  • Applied encryption and key management principles

1 / 3 modules remaining • Approximately 45 minutes total