AWS Security Blog

Update of AWS Security Reference Architecture is now available

We’re happy to announce that an updated version of the AWS Security Reference Architecture (AWS SRA) is now available. The AWS SRA is a holistic set of guidelines for deploying the full complement of AWS security services in a multi-account environment. You can use it to help your organization to design, implement, and manage AWS security services so that they align with AWS best practices. The guidance is deeply informed by our collective experiences with AWS enterprise customers.

The AWS SRA update adds seven services and features, along with updated guidance on every service already in the AWS SRA, with a special focus on how those services integrate with one another. It also includes new content on how your organization can use the AWS SRA to design, review, and assess its security architecture. These updates are based on direct customer feedback, our experience helping customers use the AWS SRA, and new AWS service and feature releases.

At the core of the AWS SRA documentation is the AWS Security Reference Architecture, a one-page architecture diagram that includes all the security services in a multi-account environment, as shown in Figure 1.

Figure 1: AWS SRA one-page architecture diagram


In the AWS SRA, you’ll find additional documentation about the AWS SRA architecture diagram that dives deep into account structure, the reasoning behind why a specific security service is deployed in a particular account, and how the security services connect and relate to each other.

Update highlights

Based on direct customer feedback, new service and feature releases, and our experience helping customers use the AWS SRA, we’ve included the following changes in the AWS SRA update:

In addition to the architecture diagram and documented guidance, the AWS SRA code repository is regularly updated and has evolved considerably since its initial release. Highlights of the repository include a Quick Setup that uses a centralized AWS CloudFormation template, simplified deployment of the example solutions using nested stacks, updated documentation with diagrams and templates for all solutions, AWS Config management account solution, a Security Hub organization solution, an account alternate contacts solution, and more.

Getting started with the AWS SRA

There are different ways to use the AWS SRA, depending on where you are in your cloud adoption journey. The following are some recommendations to help you get the most value out of the AWS SRA:

  • Define the target state of your security architecture.
  • Review the security designs and capabilities you have already put in place.
  • Bootstrap the implementation of your security architecture.
  • Learn more about AWS security services and features.
  • Start a discussion about organizational governance and responsibilities for security.

For more information and to get started, see the updated AWS Security Reference Architecture (AWS SRA) documentation. For example solutions that demonstrate how to implement patterns within the AWS Security Reference Architecture guide, see the aws-security-reference-architecture-examples GitHub repository.

We greatly value feedback and contributions from our community. To share your thoughts about the AWS SRA guide, your experience using it, and what you want to see in future versions of the AWS SRA, complete the AWS Prescriptive Guidance feedback form online. If you have feedback about the example code in the GitHub repository, open a GitHub Issue.

If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.


Balu Mathew


Balu Mathew is a Senior Security Consultant with expertise in DevOps, AppSec and Data Protection. His mission is to help customers understand solution best practices that can reduce the time and resources required for improving their company’s security and compliance outcomes.