AWS Public Sector Blog

Notre Dame sets new standard for higher education with enterprise AWS security implementation


When the University of Notre Dame commissioned a penetration test of their Amazon Web Services (AWS) environment in the summer of 2024, they expected strong results. As a leader in higher education cloud adoption, the university was already ahead of many institutions, with almost 90% of their central IT infrastructure running on AWS.

The test confirmed that Notre Dame’s security was above average compared to their peers but also identified an opportunity to strengthen their web application defenses even further. Following the penetration-testing firm’s recommendation to implement web application firewalls, Notre Dame embarked on a journey to become the first US higher education institution to take a comprehensive, enterprise-wide approach to deploying AWS Web Application Firewall (WAF), AWS Shield Advanced, and AWS Firewall Manager across the entirety of their AWS infrastructure. This meticulous implementation also established a blueprint for other institutions to follow.

Advanced cloud infrastructure creates security complexity across 140+ accounts

Notre Dame operates one of the higher education sector’s most advanced cloud infrastructures, serving roughly 13,000 students and 6,000 staff through a multi-account strategy spanning over 140 AWS accounts. This cloud-first approach supports the university’s diverse academic and administrative operations.

“We have adopted a multi-account AWS strategy,” said Amy Ren, security architect at Notre Dame. “Though this strategy definitely improves isolation and governance, it also introduces complexity in security oversight.”

Before the penetration test, the university had deployed single WAF instances in individual accounts over the years, including one implemented five years ago during the widespread Log4j vulnerability crisis. However, as Notre Dame’s cloud footprint expanded to over 140 accounts, this account-by-account approach limited the team’s ability to provide comprehensive, automated protection at scale.

Collaborating with AWS to deploy enterprise-scale protection

Notre Dame’s philosophy of “FANS” (favor AWS native services) guided their response to this security challenge. When chief information security officer (CISO) Leilani Lauger prioritized WAF deployment for the entire organization, the team selected AWS Firewall Manager for centralized management, Shield Advanced for DDoS protection, and WAF for application-layer security.

As the first non-commercial AWS customer to participate in the AWS Security Improvement Program (SIP), Notre Dame had the opportunity to work closely with AWS Enterprise Support throughout the entire eight-month, 600-hour project—relying on numerous emails, meetings, technical experts, and support tickets to resolve roadblocks. Notre Dame also found themselves providing feedback to AWS to evolve the SIP program for the education sector by building repeatable processes alongside AWS, establishing them as leaders in comprehensive cloud security for higher education.

This intensive collaboration was matched by Notre Dame’s commitment to advanced deployment methods. Rather than relying on manual “ClickOps” deployments common at other universities, Notre Dame used Infrastructure as Code (IaC) through AWS CloudFormation templates, testing configurations in a separate environment to validate results before production deployment. The phased deployment strategy reflected this methodical approach, starting with Shield Advanced to enable Firewall Manager access, followed by WAF implementation in “count mode” to gather metrics and identify potential issues before transitioning to enforcement mode.

Managing technical complexity and organizational change

Implementing WAF at Notre Dame’s scale required thoughtful customization of AWS-managed rulesets to accommodate the university’s diverse application portfolio and complex load balancer architecture. Single load balancers serve up to 40 applications, meaning exceptions for one application affect all others on the same balancer. The team had to create custom rulesets targeted at specific applications, such as the business intelligence platform Tableau, among others. Tableau triggered firewall rules for first-time users, requiring additional configuration to allow legitimate access while maintaining security.
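The count-mode phase and the shared load balancer problem described above can be combined into one review step. The following is an added example, not Notre Dame's or AWS's code: it groups count-mode matches by Host header to show which rules fire for only one application on a balancer. The hostnames and log lines are constructed, and the record shape is an assumed subset of the AWS WAF log fields (`action`, `httpRequest.headers`, `ruleGroupList[].terminatingRule`).

```python
import json
from collections import Counter, defaultdict

CRS = "AWS#AWSManagedRulesCommonRuleSet"

def _rec(host, rule, action="ALLOW"):
    # Constructed log line using a subset of AWS WAF log fields.
    return json.dumps({
        "action": action,
        "httpRequest": {"uri": "/", "headers": [{"name": "Host", "value": host}]},
        "ruleGroupList": [{"ruleGroupId": CRS,
                           "terminatingRule": {"ruleId": rule, "action": "BLOCK"}}],
    })

# Constructed sample: three applications behind one load balancer.
SAMPLE = ([_rec("bi.example.edu", "SizeRestrictions_BODY")] * 4
          + [_rec("portal.example.edu", "NoUserAgent_HEADER")] * 2
          + [_rec("events.example.edu", "NoUserAgent_HEADER")] * 2
          + [_rec("portal.example.edu", "CrossSiteScripting_BODY")]
          + [_rec("events.example.edu", "SizeRestrictions_BODY", action="BLOCK")])

def would_block_by_host(lines):
    """Map rule -> Counter(host) for requests that passed only because of count mode."""
    hits = defaultdict(Counter)
    for line in lines:
        rec = json.loads(line)
        if rec.get("action") != "ALLOW":
            continue  # actually blocked elsewhere; not a count-mode signal
        host = next((h["value"].lower() for h in rec["httpRequest"].get("headers", [])
                     if h["name"].lower() == "host"), "(none)")
        for group in rec.get("ruleGroupList") or []:
            term = group.get("terminatingRule")
            if term and term.get("action") == "BLOCK":
                hits[f'{group["ruleGroupId"]}/{term["ruleId"]}'][host] += 1
    return hits

def classify(hits, min_hits=3):
    """Return (single-host rules, multi-host rules), ignoring rules with few hits."""
    scoped, shared = {}, {}
    for rule, by_host in hits.items():
        if sum(by_host.values()) < min_hits:
            continue  # too little data to decide either way
        if len(by_host) == 1:
            scoped[rule] = next(iter(by_host))
        else:
            shared[rule] = sorted(by_host)
    return scoped, shared

if __name__ == "__main__":
    print(classify(would_block_by_host(SAMPLE)))
```

A rule that matches on a single host is a candidate for review and, if the traffic proves legitimate, for an exception scoped to that host rather than one applied to every application on the balancer.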

Beyond this, organizational change management required careful navigation across Notre Dame’s distributed departmental structure. Central IT was implementing security rules that could potentially impact applications managed by different departments across the university. The team proactively engaged with stakeholders to address questions and ensure smooth implementation.

When asked whether having the CISO’s support helped navigate these departmental concerns, Jared Bulosan, cloud engineer and architect at Notre Dame, was unequivocal: “I think that’s the only way we could have done this in this environment.” This executive sponsorship proved essential, as Ren noted: “If she doesn’t sponsor this, we can’t have this project.”

Achieving measurable security improvements and industry recognition

The implementation delivered impressive results that validated the extensive effort invested by Notre Dame. Today, the system identifies and blocks nearly one-third of all malicious traffic—a metric that demonstrates the solution’s effectiveness in protecting university systems at scale. The AWS-managed rules help block the Open Web Application Security Project (OWASP) Top 10 threats, and IP reputation rulesets block malicious IP threats, providing comprehensive coverage against common attack vectors. The solution also provides unified protection across all web applications with zero manual overhead as new resources automatically inherit security configurations through Firewall Manager’s automated policy deployment.

This comprehensive coverage gave leadership confidence in their security approach. “Our CISO is now much more comfortable with our web application security,” said Ren.

The project’s success made positive ripples through the higher education community when Ren, alongside AWS solutions architect Luke Coady, presented their experience at EDUCAUSE’s 2025 Cybersecurity and Privacy Professionals Conference. The presentation received perfect 5-out-of-5 feedback ratings from attendees, with extensive questions from other universities eager to learn from Notre Dame’s pioneering approach.

Creating a new roadmap for higher education cloud security

According to Bulosan and Ren, Notre Dame’s security transformation depended on three fundamental factors:

  • Strong executive support
  • Organizational alignment
  • Strategic partnerships with AWS

The CISO’s backing was essential for navigating organizational complexity and bringing departments together around centralized security policies. But leadership alone wasn’t enough—the team also had to reframe how the university viewed security itself.

Rather than positioning security as a barrier to academic work, they aligned it with Notre Dame’s educational mission. “Security helps enable teaching and learning and research,” Ren explained, successfully repositioning security as an enabler of the university’s core purpose rather than an impediment to it.

The technical foundation was also critical. Well-structured AWS organizations enabled policy application at scale rather than requiring manual configuration across over 140 accounts, which would have been prohibitively complex. Notre Dame’s decision to work closely with AWS specialists rather than attempting implementation alone also accelerated their success and helped resolve technical challenges throughout the process.

Through their coordinated effort with AWS, Notre Dame’s IT security team established their institution as a leader in enterprise-scale cloud security for higher education, creating a proven blueprint that other institutions can adapt to strengthen their own security posture while advancing their educational missions.


Brian DeKemper

Brian is an enterprise account executive at AWS, supporting research university customers in the Great Lakes region. He’s spent over two decades working in technology and services companies that focus on the higher education market. Outside of work, he enjoys skiing and traveling with his family.

Luke Coady

Luke is a solutions architect at AWS with over 23 years of combined experience in technology. His experience spans both traditional on-premises infrastructure and modern cloud architectures, making him particularly adept at guiding educational institutions through their digital transformation journeys.