CoursesAWS Solutions Architect AssociateSecurity, cost & Well-Architected

Security best practices

KMS, TLS, WAF/Shield, secrets, detection.

Advanced30 min · lesson 13 of 15

Security is a pillar that touches every layer of an architecture. For an associate architect the essentials are encryption, network protection, secrets handling, and detection — applied on top of the IAM least-privilege foundation.

Encryption and network protection

Encrypt data at rest and in transit by default. AWS KMS integrates with S3, EBS, RDS, and most services to encrypt data at rest with keys you control — enabling it is usually a checkbox plus a key policy, and using customer-managed keys lets you rotate and revoke access. In transit, use TLS everywhere (ACM issues and manages certificates for load balancers and CloudFront). At the network edge, AWS WAF filters common web exploits (SQL injection, XSS, bad bots) in front of CloudFront or an ALB, and AWS Shield provides DDoS protection. Combined with private subnets and tight security groups, these give defense in depth around the workload.

the security baseline
# LAYER CONTROL
# data at rest → KMS encryption (S3/EBS/RDS), customer-managed keys
# data in transit → TLS everywhere (ACM certs on ALB/CloudFront)
# web edge → WAF (block SQLi/XSS/bots) + Shield (DDoS)
# network → private subnets + tight security groups
# secrets → Secrets Manager / SSM Parameter Store (fetch via role)
# identity → IAM least privilege + roles (no static keys)

Secrets and detection

Never put secrets in code or AMIs. Store database passwords, API keys, and tokens in AWS Secrets Manager (with rotation) or SSM Parameter Store, and have workloads fetch them at runtime via their IAM role — nothing sensitive ships in the image or config. For detection and posture, enable CloudTrail (the audit trail of every API call — the foundation of investigation), GuardDuty (managed threat detection over your logs), and Security Hub (aggregated findings and posture scoring across accounts). These, plus Config for tracking resource compliance, give you the visibility to catch misconfigurations and threats. The security pillar is not a single feature but this layered combination applied consistently.

Defense in depth
protect
KMS + TLS
encrypt at rest and in transit
WAF + Shield
web exploits and DDoS
Secrets Manager
no secrets in code
detect
CloudTrail
audit trail of all API calls
GuardDuty + Security Hub
threat detection + posture
Layer encryption, edge protection, managed secrets, and detection on top of IAM least privilege — no single control is enough.
CloudTrail is the control to turn on first
Without CloudTrail you have no record of who did what in the account, making both security investigation and compliance impossible. Enable an organization CloudTrail delivering to a locked, central logging account from day one — it is the audit foundation everything else (GuardDuty, incident response, compliance) builds on.