🔐 AWS Network Security

Comprehensive Guide for AWS Certification & Implementation

📋 Table of Contents

🛡️ Security Groups & Network ACLs

Traffic Flow Architecture

graph TB IGW[Internet Gateway] --> ALB[Application Load Balancer] ALB --> SG1[Security Group - Web Tier] SG1 --> WEB[Web Servers
Public Subnet] WEB --> SG2[Security Group - App Tier] SG2 --> APP[Application Servers
Private Subnet] APP --> SG3[Security Group - DB Tier] SG3 --> DB[Database
Private Subnet] NACL1[NACL - Public Subnet] -.-> WEB NACL2[NACL - Private Subnet] -.-> APP NACL3[NACL - Database Subnet] -.-> DB style SG1 fill:#ff9999 style SG2 fill:#99ccff style SG3 fill:#99ff99 style NACL1 fill:#ffcc99 style NACL2 fill:#ffcc99 style NACL3 fill:#ffcc99

🔍 Traffic Flow Explanation

This diagram illustrates how traffic flows through multiple layers of security controls in AWS. Security Groups act as stateful firewalls at the instance level, while NACLs provide stateless filtering at the subnet level. The layered approach ensures defense in depth - traffic must pass through both NACL rules and Security Group rules to reach instances.

Security Group vs NACL Comparison

graph LR subgraph "Security Groups" SG_FEATURES["✅ Stateful
✅ Instance Level
✅ Allow Rules Only
✅ All Rules Evaluated
✅ Supports Security Group References"] end subgraph "Network ACLs" NACL_FEATURES["❌ Stateless
🏗️ Subnet Level
✅ Allow & Deny Rules
🔢 Numbered Rules (Priority)
❌ IP/CIDR Only"] end TRAFFIC[Incoming Traffic] --> NACL_FEATURES NACL_FEATURES --> SG_FEATURES SG_FEATURES --> INSTANCE[EC2 Instance] style SG_FEATURES fill:#e1f5fe style NACL_FEATURES fill:#fff3e0 style TRAFFIC fill:#f3e5f5 style INSTANCE fill:#e8f5e8

🔍 Security Layers Comparison

Security Groups and NACLs provide complementary security controls. NACLs act as the first line of defense at the subnet boundary, while Security Groups provide fine-grained, stateful filtering at the instance level. The stateful nature of Security Groups means return traffic is automatically allowed, while NACLs require explicit rules for both inbound and outbound traffic.

Implementation Commands

1. Create VPC and Subnets (Foundation)

aws ec2 create-vpc \
    --cidr-block 10.0.0.0/16 \
    --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=secure-vpc}]'
🔧 VPC Creation Parameters

Creates the foundational VPC with a /16 CIDR block providing 65,536 IP addresses. This is the first step in any network security implementation.

aws ec2 create-subnet \
    --vpc-id vpc-12345678 \
    --cidr-block 10.0.1.0/24 \
    --availability-zone us-west-2a \
    --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=public-subnet-1},{Key=Tier,Value=web}]'
🔧 Subnet Creation Parameters
  • --cidr-block: Subnet CIDR within VPC range (provides 256 IPs)
  • --availability-zone: Specific AZ for high availability
  • --tag-specifications: Metadata for resource organization

Alternative Options: Use --map-public-ip-on-launch for auto-assignment of public IPs

2. Create Custom Network ACL

aws ec2 create-network-acl \
    --vpc-id vpc-12345678 \
    --tag-specifications 'ResourceType=network-acl,Tags=[{Key=Name,Value=web-tier-nacl}]'
🔧 Network ACL Configuration

Creates a custom NACL that will replace the default permissive NACL. Custom NACLs start with deny-all rules, requiring explicit allow rules for traffic.

aws ec2 create-network-acl-entry \
    --network-acl-id acl-12345678 \
    --rule-number 100 \
    --protocol tcp \
    --port-range From=80,To=80 \
    --cidr-block 0.0.0.0/0 \
    --rule-action allow
🔧 NACL Entry Parameters
  • --rule-number: Priority (1-32766, lower = higher priority)
  • --protocol: tcp, udp, icmp, or protocol number
  • --port-range: Source or destination port range
  • --rule-action: allow or deny

Best Practice: Use rule numbers in increments of 100 to allow insertions

3. Create Security Groups

aws ec2 create-security-group \
    --group-name web-tier-sg \
    --description "Security group for web tier - allows HTTP/HTTPS" \
    --vpc-id vpc-12345678 \
    --tag-specifications 'ResourceType=security-group,Tags=[{Key=Name,Value=web-tier-sg},{Key=Tier,Value=web}]'
🔧 Security Group Creation

Creates a security group for the web tier. Security groups are stateful - if you allow inbound traffic, the response is automatically allowed outbound.

aws ec2 authorize-security-group-ingress \
    --group-id sg-12345678 \
    --protocol tcp \
    --port 80 \
    --cidr 0.0.0.0/0
🔧 Security Group Ingress Rules
  • --protocol: tcp, udp, icmp, or all
  • --port: Single port or range (--from-port/--to-port)
  • --cidr: Source IP range (use specific ranges for security)
  • --source-group: Reference another security group instead of CIDR

Security Best Practice: Use security group references instead of 0.0.0.0/0 when possible

4. Advanced Security Group with References

aws ec2 authorize-security-group-ingress \
    --group-id sg-app-tier \
    --protocol tcp \
    --port 8080 \
    --source-group sg-web-tier
🔧 Security Group References

This creates a rule allowing traffic from the web tier security group to the app tier on port 8080. This is more secure than using CIDR blocks as it automatically adapts to instance changes.

🔄 Implementation Workflow

1 VPC Creation: Create VPC with appropriate CIDR block 
aws ec2 create-vpc --cidr-block 10.0.0.0/16
2 Subnet Creation: Create subnets for each tier 
aws ec2 create-subnet --vpc-id vpc-xxx --cidr-block 10.0.1.0/24
3 NACL Setup: Create and configure Network ACLs 
aws ec2 create-network-acl --vpc-id vpc-xxx
4 Security Groups: Create tiered security groups 
aws ec2 create-security-group --group-name web-tier
5 Rule Configuration: Add ingress/egress rules 
aws ec2 authorize-security-group-ingress

🛡️ AWS WAF, Shield & Network Firewall

Multi-Layer Defense Architecture

graph TB INTERNET[Internet Traffic] --> SHIELD[AWS Shield
DDoS Protection] SHIELD --> R53[Route 53
DNS Protection] R53 --> CF[CloudFront
CDN + Edge Protection] CF --> WAF[AWS WAF
Application Layer Filtering] WAF --> ALB[Application Load Balancer] subgraph VPC["VPC Environment"] ALB --> NFW[Network Firewall
Stateful Deep Packet Inspection] NFW --> TGW[Transit Gateway
Network Segmentation] TGW --> APP[Application Instances] end subgraph "Attack Mitigation" DDOS[DDoS Attacks] -.-> SHIELD SQLI[SQL Injection] -.-> WAF XSS[Cross-Site Scripting] -.-> WAF MALWARE[Malware C&C] -.-> NFW end style SHIELD fill:#ff6b6b style WAF fill:#4ecdc4 style NFW fill:#45b7d1 style DDOS fill:#ff4757 style SQLI fill:#ff4757 style XSS fill:#ff4757 style MALWARE fill:#ff4757

🔍 Multi-Layer Defense Explanation

This architecture implements defense in depth with multiple security services working together. AWS Shield protects against DDoS attacks at the network/transport layers, WAF filters malicious application-layer requests, and Network Firewall provides deep packet inspection within the VPC. Each layer addresses different attack vectors and provides redundant protection.

WAF Rule Processing Flow

flowchart TD REQUEST[Incoming Request] --> EVAL{Evaluate WAF Rules} EVAL --> RATE[Rate Limiting Rules] RATE --> GEO[Geographic Restrictions] GEO --> IP[IP Reputation Rules] IP --> MANAGED[AWS Managed Rules] MANAGED --> CUSTOM[Custom Rules] CUSTOM --> DEFAULT[Default Action] RATE -->|Block| BLOCKED[Request Blocked] GEO -->|Block| BLOCKED IP -->|Block| BLOCKED MANAGED -->|Block| BLOCKED CUSTOM -->|Block| BLOCKED DEFAULT -->|Allow| ALLOWED[Request Allowed] DEFAULT -->|Block| BLOCKED ALLOWED --> TARGET[Target Application] BLOCKED --> LOG[CloudWatch Logs] style REQUEST fill:#e1f5fe style BLOCKED fill:#ffebee style ALLOWED fill:#e8f5e8 style TARGET fill:#f3e5f5

🔍 WAF Rule Processing Explanation

WAF evaluates rules in order of priority. Each rule can allow, block, or count requests. If a rule matches and has an action of allow or block, processing stops. If no rules match, the default action is applied. This flow ensures efficient processing while maintaining comprehensive protection.

Implementation Commands

1. Enable AWS Shield Advanced

aws shield subscribe-to-proactive-engagement \
    --proactive-engagement-status ENABLED \
    --emergency-contact-list '[{
        "EmailAddress": "security@company.com",
        "PhoneNumber": "+1-555-123-4567",
        "ContactNotes": "Primary security contact for DDoS incidents"
    }]'
🔧 Shield Advanced Configuration

Enables proactive engagement where AWS DDoS Response Team (DRT) contacts you during potential attacks. Shield Advanced provides enhanced DDoS protection and cost protection against scaling charges during attacks.

2. Create WAF Web ACL

aws wafv2 create-web-acl \
    --name "production-web-acl" \
    --scope CLOUDFRONT \
    --default-action Allow={} \
    --description "Production WAF rules for application protection" \
    --rules '[{
        "Name": "RateLimitRule",
        "Priority": 1,
        "Statement": {
            "RateBasedStatement": {
                "Limit": 1000,
                "AggregateKeyType": "IP"
            }
        },
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": true,
            "CloudWatchMetricsEnabled": true,
            "MetricName": "RateLimitRule"
        }
    }]'
🔧 WAF Web ACL Parameters
  • --scope: CLOUDFRONT (global) or REGIONAL (ALB, API Gateway)
  • --default-action: Action when no rules match (Allow/Block)
  • Priority: Lower numbers = higher priority
  • RateBasedStatement: Requests per 5-minute window per IP

Best Practice: Start with Allow default and gradually add blocking rules

3. Add AWS Managed Rule Groups

aws wafv2 update-web-acl \
    --id "web-acl-id" \
    --scope CLOUDFRONT \
    --default-action Allow={} \
    --rules '[{
        "Name": "AWSManagedRulesCommonRuleSet",
        "Priority": 10,
        "OverrideAction": {"None": {}},
        "Statement": {
            "ManagedRuleGroupStatement": {
                "VendorName": "AWS",
                "Name": "AWSManagedRulesCommonRuleSet"
            }
        },
        "VisibilityConfig": {
            "SampledRequestsEnabled": true,
            "CloudWatchMetricsEnabled": true,
            "MetricName": "CommonRuleSetMetric"
        }
    }]'
🔧 Managed Rule Groups

Available AWS Managed Rules:

  • AWSManagedRulesCommonRuleSet: OWASP Top 10 protections
  • AWSManagedRulesSQLiRuleSet: SQL injection protection
  • AWSManagedRulesLinuxRuleSet: Linux-specific threats
  • AWSManagedRulesAmazonIpReputationList: Known malicious IPs

Override Action: None (use rule actions) or Count (log only)

4. Deploy Network Firewall

aws network-firewall create-firewall-policy \
    --firewall-policy-name "production-network-policy" \
    --firewall-policy '{
        "StatelessDefaultActions": ["aws:forward_to_sfe"],
        "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
        "StatefulRuleGroupReferences": [{
            "ResourceArn": "arn:aws:network-firewall:us-west-2:123456789012:stateful-rulegroup/malware-domains"
        }]
    }'
🔧 Network Firewall Policy
  • StatelessDefaultActions: Actions for packets not matching stateless rules
  • aws:forward_to_sfe: Forward to stateful engine
  • aws:pass: Allow traffic to pass
  • aws:drop: Drop packets silently

Processing Order: Stateless rules → Stateful rules → Default actions

aws network-firewall create-firewall \
    --firewall-name "production-firewall" \
    --firewall-policy-arn "arn:aws:network-firewall:us-west-2:123456789012:firewall-policy/production-network-policy" \
    --vpc-id vpc-12345678 \
    --subnet-mappings '[{
        "SubnetId": "subnet-12345678"
    }, {
        "SubnetId": "subnet-87654321"
    }]'
🔧 Network Firewall Deployment

Deploys the firewall in dedicated firewall subnets. Each AZ needs its own subnet mapping for high availability. Network Firewall creates VPC endpoints in these subnets for traffic inspection.

🔄 WAF & Network Firewall Implementation Workflow

1 Shield Advanced: Enable advanced DDoS protection 
aws shield subscribe-to-proactive-engagement
2 WAF Web ACL: Create web access control list 
aws wafv2 create-web-acl --name production-web-acl
3 WAF Rules: Add rate limiting and managed rules 
aws wafv2 update-web-acl --rules '[{...}]'
4 Network Firewall Policy: Create stateful/stateless rules 
aws network-firewall create-firewall-policy
5 Firewall Deployment: Deploy in dedicated subnets 
aws network-firewall create-firewall

🔗 VPC Endpoint Policies

VPC Endpoint Traffic Flow

graph TB subgraph "Private Subnet" EC2[EC2 Instance] --> VPCE[VPC Endpoint] end VPCE --> |"Private Connection"| S3[Amazon S3] VPCE --> |"Private Connection"| DDB[DynamoDB] VPCE --> |"Private Connection"| SQS[Amazon SQS] subgraph "Endpoint Policy" POLICY["{
Effect: Allow,
Principal: {...},
Action: [...],
Resource: [...],
Condition: {...}
}"] end VPCE -.-> POLICY subgraph "Without VPC Endpoint" EC2_NO[EC2 Instance] --> IGW[Internet Gateway] IGW --> |"Public Internet"| S3_PUB[Amazon S3] end style VPCE fill:#4ecdc4 style POLICY fill:#feca57 style EC2 fill:#48dbfb style EC2_NO fill:#ff6b6b style IGW fill:#ff9ff3

🔍 VPC Endpoint Benefits

VPC Endpoints enable private connectivity to AWS services without traversing the internet. This improves security by keeping traffic within the AWS network and provides better performance with lower latency. Endpoint policies provide fine-grained access control at the network level, complementing IAM policies.

Gateway vs Interface Endpoints

graph LR subgraph "Gateway Endpoints" GW_S3[S3
Gateway Endpoint] GW_DDB[DynamoDB
Gateway Endpoint] GW_FEATURES["✅ No Additional Cost
✅ Route Table Based
✅ Highly Available
📍 Only S3 & DynamoDB"] end subgraph "Interface Endpoints" INT_SQS[SQS
Interface Endpoint] INT_SNS[SNS
Interface Endpoint] INT_FEATURES["💰 Hourly + Data Processing
🌐 DNS Based
🏗️ ENI in Subnet
🔧 Most AWS Services"] end VPC[VPC] --> GW_S3 VPC --> GW_DDB VPC --> INT_SQS VPC --> INT_SNS style GW_S3 fill:#e1f5fe style GW_DDB fill:#e1f5fe style INT_SQS fill:#fff3e0 style INT_SNS fill:#fff3e0 style GW_FEATURES fill:#e8f5e8 style INT_FEATURES fill:#fff8e1

🔍 Endpoint Type Comparison

Gateway endpoints are cost-effective for S3 and DynamoDB, using route tables for traffic direction. Interface endpoints provide broader service support through Elastic Network Interfaces (ENIs) placed in your subnets, but incur hourly and data processing charges. Choose based on service requirements and cost considerations.

Implementation Commands

1. Create S3 Gateway Endpoint

aws ec2 create-vpc-endpoint \
    --vpc-id vpc-12345678 \
    --service-name com.amazonaws.us-west-2.s3 \
    --vpc-endpoint-type Gateway \
    --route-table-ids rtb-12345678 rtb-87654321 \
    --policy-document '{
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::my-secure-bucket/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalTag/Department": "Engineering"
                }
            }
        }]
    }'
🔧 S3 Gateway Endpoint Configuration
  • --service-name: AWS service endpoint (region-specific)
  • --route-table-ids: Route tables that will receive endpoint routes
  • --policy-document: JSON policy controlling access through endpoint

Policy Controls: Restricts access to specific buckets and requires Department tag

2. Create Interface Endpoint for SQS

aws ec2 create-vpc-endpoint \
    --vpc-id vpc-12345678 \
    --service-name com.amazonaws.us-west-2.sqs \
    --vpc-endpoint-type Interface \
    --subnet-ids subnet-12345678 subnet-87654321 \
    --security-group-ids sg-12345678 \
    --private-dns-enabled \
    --policy-document '{
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "sqs:SendMessage",
                "sqs:ReceiveMessage",
                "sqs:DeleteMessage"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalArn": "arn:aws:iam::123456789012:role/SQSProcessorRole"
                }
            }
        }]
    }'
🔧 Interface Endpoint Configuration
  • --subnet-ids: Subnets where ENIs will be created
  • --security-group-ids: Controls network access to endpoint ENIs
  • --private-dns-enabled: Enables private DNS resolution

Security: Policy restricts access to specific IAM role

3. Advanced Endpoint Policy with Conditions

aws ec2 modify-vpc-endpoint \
    --vpc-endpoint-id vpce-12345678 \
    --policy-document '{
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RestrictToBusinessHours",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {
                "DateGreaterThan": {
                    "aws:CurrentTime": "08:00Z"
                },
                "DateLessThan": {
                    "aws:CurrentTime": "18:00Z"
                },
                "IpAddress": {
                    "aws:SourceIp": "10.0.0.0/16"
                }
            }
        }, {
            "Sid": "DenyHighRiskActions",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "s3:DeleteBucket",
                "s3:PutBucketAcl"
            ],
            "Resource": "*"
        }]
    }'
🔧 Advanced Policy Conditions

Time-Based Controls:

  • aws:CurrentTime: UTC time-based access control
  • aws:SourceIp: IP address restrictions

Explicit Deny: Always overrides Allow statements for critical actions

4. Create Security Group for Interface Endpoints

aws ec2 create-security-group \
    --group-name vpc-endpoint-sg \
    --description "Security group for VPC interface endpoints" \
    --vpc-id vpc-12345678
aws ec2 authorize-security-group-ingress \
    --group-id sg-endpoint-12345678 \
    --protocol tcp \
    --port 443 \
    --source-group sg-application-12345678
🔧 Endpoint Security Group

Interface endpoints require security groups to control network access. This configuration allows HTTPS traffic from application security groups to the endpoint ENIs, enabling secure communication.

🔄 VPC Endpoint Implementation Workflow

1 Identify Services: Determine which AWS services need private access 
aws ec2 describe-vpc-endpoint-services
2 Choose Endpoint Type: Gateway (S3/DDB) or Interface (others) 
# Gateway: Route table based, no cost
# Interface: ENI based, hourly cost
3 Create Security Groups: For interface endpoints only 
aws ec2 create-security-group --group-name endpoint-sg
4 Create Endpoint: With appropriate policy 
aws ec2 create-vpc-endpoint --service-name com.amazonaws...
5 Test Connectivity: Verify private access works 
aws s3 ls --endpoint-url https://vpce-xxx.s3.region.vpce.amazonaws.com

🏗️ Three-Tier Architecture & Perimeter Security

Comprehensive Three-Tier Security Architecture

graph TB subgraph "Internet/Edge Security" USERS[Users] --> CF[CloudFront + WAF] CF --> R53[Route 53
Resolver] end subgraph "Perimeter Security" R53 --> ALB[Application Load Balancer] ALB --> |"HTTPS Only"| WEB_SG[Web Tier Security Group] end subgraph "Public Subnet - Web Tier" WEB_SG --> WEB1[Web Server 1
10.0.1.10] WEB_SG --> WEB2[Web Server 2
10.0.1.11] WEB_NACL[Web NACL
Port 80,443,22] -.-> WEB1 WEB_NACL -.-> WEB2 end subgraph "Private Subnet - Application Tier" WEB1 --> APP_SG[App Tier Security Group] WEB2 --> APP_SG APP_SG --> APP1[App Server 1
10.0.2.10] APP_SG --> APP2[App Server 2
10.0.2.11] APP_NACL[App NACL
Port 8080,22] -.-> APP1 APP_NACL -.-> APP2 end subgraph "Private Subnet - Database Tier" APP1 --> DB_SG[Database Security Group] APP2 --> DB_SG DB_SG --> DB1[Database Primary
10.0.3.10] DB_SG --> DB2[Database Replica
10.0.3.11] DB_NACL[DB NACL
Port 3306] -.-> DB1 DB_NACL -.-> DB2 end subgraph "Management & Monitoring" BASTION[Bastion Host
Jump Server] --> WEB1 BASTION --> APP1 BASTION --> DB1 CW[CloudWatch
Monitoring] -.-> WEB1 CW -.-> APP1 CW -.-> DB1 end style CF fill:#ff6b6b style WEB_SG fill:#4ecdc4 style APP_SG fill:#45b7d1 style DB_SG fill:#96ceb4 style BASTION fill:#feca57

🔍 Three-Tier Architecture Explanation

This architecture implements defense in depth with multiple security layers. Each tier has dedicated security groups and NACLs with least-privilege access. Web tier handles user requests, application tier processes business logic, and database tier manages data persistence. Traffic flows unidirectionally through tiers, with each layer having specific security controls and monitoring.

Security Control Matrix

graph TD subgraph "Security Controls by Tier" subgraph "Web Tier Controls" WEB_CTRL["🌐 ALB with SSL termination
🛡️ WAF protection
🔒 Security Group: 80,443
📊 NACL: HTTP/HTTPS only
🔄 Auto Scaling based on load"] end subgraph "App Tier Controls" APP_CTRL["🔐 Internal load balancer
🛡️ Security Group: 8080 from Web only
📊 NACL: App ports only
🔍 Application-level authentication
📈 Health checks enabled"] end subgraph "Database Tier Controls" DB_CTRL["🗄️ RDS with encryption
🛡️ Security Group: 3306 from App only
📊 NACL: Database ports only
🔄 Multi-AZ deployment
💾 Automated backups"] end end subgraph "Cross-Tier Security" CROSS_CTRL["🔐 IAM roles for each tier
📋 VPC Flow Logs
🔍 CloudTrail for API calls
📊 CloudWatch monitoring
🚨 SNS alerts for security events"] end WEB_CTRL --> APP_CTRL APP_CTRL --> DB_CTRL CROSS_CTRL -.-> WEB_CTRL CROSS_CTRL -.-> APP_CTRL CROSS_CTRL -.-> DB_CTRL style WEB_CTRL fill:#ffecb3 style APP_CTRL fill:#e1f5fe style DB_CTRL fill:#e8f5e8 style CROSS_CTRL fill:#fce4ec

🔍 Security Control Matrix Explanation

Each tier implements specific security controls appropriate to its function. Web tier focuses on perimeter defense and SSL termination, application tier handles business logic security and authentication, while database tier emphasizes data protection and access control. Cross-tier security provides comprehensive monitoring and governance across all layers.

Implementation Commands

1. Create Three-Tier VPC Infrastructure

aws ec2 create-vpc \
    --cidr-block 10.0.0.0/16 \
    --enable-dns-hostnames \
    --enable-dns-support \
    --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=three-tier-vpc},{Key=Environment,Value=production}]'
🔧 VPC Foundation

Creates the foundational VPC with DNS support enabled. This is essential for proper name resolution within the VPC and for VPC endpoints to function correctly.

2. Create Tiered Subnets

# Web Tier - Public Subnets
aws ec2 create-subnet \
    --vpc-id vpc-12345678 \
    --cidr-block 10.0.1.0/24 \
    --availability-zone us-west-2a \
    --map-public-ip-on-launch \
    --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=web-subnet-1a},{Key=Tier,Value=web}]'

# Application Tier - Private Subnets
aws ec2 create-subnet \
    --vpc-id vpc-12345678 \
    --cidr-block 10.0.2.0/24 \
    --availability-zone us-west-2a \
    --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=app-subnet-1a},{Key=Tier,Value=application}]'

# Database Tier - Private Subnets
aws ec2 create-subnet \
    --vpc-id vpc-12345678 \
    --cidr-block 10.0.3.0/24 \
    --availability-zone us-west-2a \
    --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=db-subnet-1a},{Key=Tier,Value=database}]'
🔧 Tiered Subnet Design
  • Web Tier: Public subnets with internet gateway access
  • App Tier: Private subnets with NAT gateway access
  • DB Tier: Private subnets with no internet access

High Availability: Create identical subnets in multiple AZs

3. Create Tiered Security Groups

# Web Tier Security Group
aws ec2 create-security-group \
    --group-name web-tier-sg \
    --description "Web tier - allows HTTP/HTTPS from internet" \
    --vpc-id vpc-12345678

aws ec2 authorize-security-group-ingress \
    --group-id sg-web-12345678 \
    --protocol tcp \
    --port 80 \
    --cidr 0.0.0.0/0

aws ec2 authorize-security-group-ingress \
    --group-id sg-web-12345678 \
    --protocol tcp \
    --port 443 \
    --cidr 0.0.0.0/0
🔧 Web Tier Security

Web tier accepts HTTP/HTTPS traffic from the internet. In production, redirect HTTP to HTTPS and consider using ALB for SSL termination.

# Application Tier Security Group
aws ec2 create-security-group \
    --group-name app-tier-sg \
    --description "App tier - allows traffic from web tier only" \
    --vpc-id vpc-12345678

aws ec2 authorize-security-group-ingress \
    --group-id sg-app-12345678 \
    --protocol tcp \
    --port 8080 \
    --source-group sg-web-12345678
🔧 Application Tier Security

Application tier only accepts traffic from web tier security group. This implements zero-trust networking where each tier only trusts the previous tier.

# Database Tier Security Group
aws ec2 create-security-group \
    --group-name db-tier-sg \
    --description "Database tier - allows traffic from app tier only" \
    --vpc-id vpc-12345678

aws ec2 authorize-security-group-ingress \
    --group-id sg-db-12345678 \
    --protocol tcp \
    --port 3306 \
    --source-group sg-app-12345678
🔧 Database Tier Security

Database tier only accepts connections from application tier on the database port (3306 for MySQL). No direct internet or web tier access is allowed.

4. Create Application Load Balancer with Security

aws elbv2 create-load-balancer \
    --name production-web-alb \
    --subnets subnet-web-1a subnet-web-1b \
    --security-groups sg-web-12345678 \
    --scheme internet-facing \
    --type application \
    --ip-address-type ipv4 \
    --tags Key=Name,Value=production-web-alb Key=Tier,Value=web
🔧 Load Balancer Configuration

ALB provides Layer 7 load balancing with SSL termination capabilities. It's deployed in public subnets but can forward traffic to private subnet targets.

aws elbv2 create-listener \
    --load-balancer-arn arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/production-web-alb/1234567890123456 \
    --protocol HTTPS \
    --port 443 \
    --certificates CertificateArn=arn:aws:acm:us-west-2:123456789012:certificate/12345678-1234-1234-1234-123456789012 \
    --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-west-2:123456789012:targetgroup/web-servers/1234567890123456
🔧 HTTPS Listener Setup

Configures HTTPS listener with SSL certificate from ACM. This ensures all traffic between users and the web tier is encrypted in transit.

5. Create Bastion Host for Management

aws ec2 create-security-group \
    --group-name bastion-sg \
    --description "Bastion host - SSH access from specific IPs" \
    --vpc-id vpc-12345678

aws ec2 authorize-security-group-ingress \
    --group-id sg-bastion-12345678 \
    --protocol tcp \
    --port 22 \
    --cidr 203.0.113.0/24  # Your office IP range
🔧 Bastion Host Security

Bastion host provides secure SSH access to private instances. Restrict source IPs to known administrative locations and consider using Session Manager instead for better security.

🔄 Three-Tier Implementation Workflow

1 VPC Foundation: Create VPC with DNS support 
aws ec2 create-vpc --cidr-block 10.0.0.0/16
2 Subnet Architecture: Create public/private subnets per tier 
aws ec2 create-subnet --cidr-block 10.0.1.0/24  # Web
aws ec2 create-subnet --cidr-block 10.0.2.0/24  # App
aws ec2 create-subnet --cidr-block 10.0.3.0/24  # DB
3 Security Groups: Create tiered security groups 
aws ec2 create-security-group --group-name web-tier-sg
aws ec2 create-security-group --group-name app-tier-sg
aws ec2 create-security-group --group-name db-tier-sg
4 Network ACLs: Configure subnet-level controls 
aws ec2 create-network-acl --vpc-id vpc-xxx
5 Load Balancer: Deploy ALB for web tier 
aws elbv2 create-load-balancer --name production-web-alb
6 Routing & Gateways: Configure internet and NAT gateways 
aws ec2 create-internet-gateway
aws ec2 create-nat-gateway

🎯 Threat Modeling & Mitigation Strategies

Threat Landscape & Attack Vectors

graph TB subgraph "External Threats" DDOS[DDoS Attacks] --> SHIELD_MIT[AWS Shield
CloudFront
Route 53] SQLI[SQL Injection] --> WAF_MIT[AWS WAF
Managed Rules] XSS[Cross-Site Scripting] --> WAF_MIT BOTNET[Botnet Traffic] --> WAF_MIT end subgraph "Network Layer Threats" PORT_SCAN[Port Scanning] --> SG_MIT[Security Groups
NACLs
Network Firewall] LATERAL[Lateral Movement] --> MICRO_SEG[Micro-segmentation
Zero Trust] MAN_MIDDLE[Man-in-the-Middle] --> TLS_MIT[TLS Encryption
Certificate Pinning] end subgraph "Application Layer Threats" AUTH_BYPASS[Authentication Bypass] --> IAM_MIT[IAM Policies
MFA
Federated Identity] DATA_BREACH[Data Exfiltration] --> DLP_MIT[VPC Flow Logs
CloudTrail
GuardDuty] PRIV_ESC[Privilege Escalation] --> RBAC_MIT[Role-Based Access
Least Privilege] end subgraph "Infrastructure Threats" INSIDER[Insider Threats] --> MONITOR_MIT[CloudWatch
Config
Security Hub] MISCONFIG[Misconfiguration] --> AUTO_MIT[Config Rules
Systems Manager
CloudFormation] end style DDOS fill:#ff6b6b style SQLI fill:#ff6b6b style PORT_SCAN fill:#ffa502 style AUTH_BYPASS fill:#ff4757 style INSIDER fill:#ff3838

🔍 Threat Landscape Analysis

This comprehensive threat model identifies attack vectors across multiple layers and maps them to appropriate AWS security services. Each threat category requires specific mitigation strategies, from perimeter defense against DDoS attacks to internal monitoring for insider threats. The layered approach ensures that if one control fails, others provide backup protection.

STRIDE Threat Model Implementation

graph LR subgraph "STRIDE Framework" S[Spoofing
Identity] --> S_MIT[Certificate-based Auth
IAM Roles
MFA] T[Tampering
Data] --> T_MIT[Encryption in Transit
Signed Requests
Integrity Checks] R[Repudiation
Actions] --> R_MIT[CloudTrail Logging
Non-repudiation
Digital Signatures] I[Information
Disclosure] --> I_MIT[Encryption at Rest
VPC Isolation
Access Controls] D[Denial of
Service] --> D_MIT[Auto Scaling
Rate Limiting
DDoS Protection] E[Elevation of
Privilege] --> E_MIT[Least Privilege
Resource-based Policies
Temporary Credentials] end subgraph "AWS Security Services" S_MIT --> IAM[AWS IAM] T_MIT --> KMS[AWS KMS] R_MIT --> CT[CloudTrail] I_MIT --> S3_ENC[S3 Encryption] D_MIT --> SHIELD[AWS Shield] E_MIT --> STS[AWS STS] end style S fill:#ff9999 style T fill:#ffcc99 style R fill:#99ccff style I fill:#99ff99 style D fill:#ff99cc style E fill:#ccff99

🔍 STRIDE Implementation

STRIDE provides a systematic approach to threat modeling by categorizing threats into six types. Each category maps to specific AWS security services and controls. This framework ensures comprehensive coverage of potential threats and helps prioritize security investments based on risk assessment.

Implementation Commands

1. Enable Comprehensive Logging

aws cloudtrail create-trail \
    --name security-audit-trail \
    --s3-bucket-name security-logs-bucket \
    --include-global-service-events \
    --is-multi-region-trail \
    --enable-log-file-validation \
    --event-selectors '[{
        "ReadWriteType": "All",
        "IncludeManagementEvents": true,
        "DataResources": [{
            "Type": "AWS::S3::Object",
            "Values": ["arn:aws:s3:::sensitive-data-bucket/*"]
        }]
    }]'
🔧 CloudTrail Security Configuration
  • --is-multi-region-trail: Captures events from all regions
  • --enable-log-file-validation: Detects tampering with log files
  • DataResources: Tracks data-level events for sensitive resources

Security Benefit: Provides comprehensive audit trail for forensics and compliance

2. Enable VPC Flow Logs for Network Monitoring

aws ec2 create-flow-logs \
    --resource-type VPC \
    --resource-ids vpc-12345678 \
    --traffic-type ALL \
    --log-destination-type cloud-watch-logs \
    --log-group-name /aws/vpc/flowlogs \
    --deliver-logs-permission-arn arn:aws:iam::123456789012:role/flowlogsRole \
    --log-format '${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${windowstart} ${windowend} ${action}'
🔧 VPC Flow Logs Configuration
  • --traffic-type ALL: Captures accepted, rejected, and all traffic
  • --log-format: Custom format for security analysis
  • CloudWatch destination: Enables real-time analysis and alerting

Use Cases: Network forensics, anomaly detection, compliance monitoring

3. Deploy GuardDuty for Threat Detection

aws guardduty create-detector \
    --enable \
    --finding-publishing-frequency FIFTEEN_MINUTES \
    --datasources '{
        "S3Logs": {"Enable": true},
        "Kubernetes": {"AuditLogs": {"Enable": true}},
        "MalwareProtection": {"ScanEc2InstanceWithFindings": {"EbsVolumes": true}}
    }'
🔧 GuardDuty Advanced Configuration
  • S3Logs: Monitors S3 data events for suspicious activity
  • Kubernetes: Analyzes EKS audit logs
  • MalwareProtection: Scans EBS volumes for malware

Detection Capabilities: Machine learning-based threat detection using AWS threat intelligence

4. Create Security Hub with Custom Insights

aws securityhub enable-security-hub \
    --enable-default-standards

aws securityhub create-insight \
    --name "High Severity Network Security Findings" \
    --filters '{
        "SeverityLabel": [{"Value": "HIGH", "Comparison": "EQUALS"}],
        "ProductName": [{"Value": "GuardDuty", "Comparison": "EQUALS"}],
        "Category": [{"Value": "Network", "Comparison": "EQUALS"}]
    }' \
    --group-by-attribute "ResourceId"
🔧 Security Hub Centralization

Security Hub aggregates security findings from multiple AWS security services and third-party tools. Custom insights help security teams focus on the most critical network security issues requiring immediate attention.

5. Implement Automated Response with Lambda

aws lambda create-function \
    --function-name security-auto-response \
    --runtime python3.9 \
    --role arn:aws:iam::123456789012:role/lambda-security-role \
    --handler index.lambda_handler \
    --zip-file fileb://security-response.zip \
    --environment Variables='{
        "SNS_TOPIC_ARN":"arn:aws:sns:us-west-2:123456789012:security-alerts",
        "SLACK_WEBHOOK":"https://hooks.slack.com/services/..."
    }'
🔧 Automated Incident Response

Lambda function automatically responds to security events by isolating compromised instances, revoking suspicious access keys, or notifying security teams. This reduces response time and minimizes potential damage.

6. Create EventBridge Rules for Security Events

aws events put-rule \
    --name guardduty-high-severity \
    --event-pattern '{
        "source": ["aws.guardduty"],
        "detail-type": ["GuardDuty Finding"],
        "detail": {
            "severity": [7, 8, 9, 10]
        }
    }' \
    --state ENABLED

aws events put-targets \
    --rule guardduty-high-severity \
    --targets '[{
        "Id": "1",
        "Arn": "arn:aws:lambda:us-west-2:123456789012:function:security-auto-response"
    }]'
🔧 Event-Driven Security Response

EventBridge rules trigger automated responses based on security events. This configuration responds to high-severity GuardDuty findings with immediate automated actions.

🔄 Threat Detection & Response Workflow

1 Enable Logging: CloudTrail, VPC Flow Logs, CloudWatch 
aws cloudtrail create-trail --name security-audit-trail
aws ec2 create-flow-logs --resource-type VPC
2 Deploy Detection: GuardDuty, Security Hub, Config 
aws guardduty create-detector --enable
aws securityhub enable-security-hub
3 Configure Alerting: SNS topics, EventBridge rules 
aws events put-rule --name security-events
aws sns create-topic --name security-alerts
4 Automated Response: Lambda functions, Systems Manager 
aws lambda create-function --function-name auto-response
5 Incident Management: Security Hub insights, response playbooks 
aws securityhub create-insight --name "Critical Findings"

🔐 Network Encryption (IPsec, TLS)

Encryption in Transit Architecture

graph TB subgraph "Client-Side Encryption" CLIENT[Client Application] --> TLS_CLIENT[TLS 1.3
Certificate Validation] end subgraph "Edge Encryption" TLS_CLIENT --> CF[CloudFront
SSL/TLS Termination] CF --> |"TLS 1.3"| ALB[Application Load Balancer
SSL Termination] end subgraph "Internal Network Encryption" ALB --> |"Backend TLS"| EC2[EC2 Instances
Application Servers] EC2 --> |"Database TLS"| RDS[RDS Database
SSL/TLS Required] end subgraph "VPN & Site-to-Site" OFFICE[Corporate Office] --> |"IPsec VPN"| VGW[Virtual Private Gateway] VGW --> |"Encrypted Tunnel"| VPC[VPC Private Subnets] end subgraph "Service-to-Service" SERVICE_A[Service A] --> |"mTLS"| SERVICE_B[Service B] SERVICE_B --> |"API Gateway TLS"| API_GW[API Gateway] end subgraph "Key Management" KMS[AWS KMS] -.-> |"Key Rotation"| CF KMS -.-> |"Certificate Keys"| ALB ACM[AWS Certificate Manager] -.-> |"SSL Certificates"| CF ACM -.-> |"SSL Certificates"| ALB end style TLS_CLIENT fill:#4ecdc4 style CF fill:#ff6b6b style ALB fill:#45b7d1 style VGW fill:#feca57 style KMS fill:#96ceb4 style ACM fill:#dda0dd

🔍 Comprehensive Encryption Strategy

This architecture implements encryption at every network boundary. TLS 1.3 provides end-to-end encryption from client to application, IPsec VPN secures site-to-site connectivity, and mTLS ensures secure service-to-service communication. AWS KMS and ACM provide centralized key and certificate management with automatic rotation capabilities.

TLS/SSL Configuration Hierarchy

graph TD subgraph "TLS Configuration Layers" subgraph "CloudFront TLS" CF_TLS["🌐 CloudFront
• TLS 1.2/1.3 minimum
• HSTS headers
• Perfect Forward Secrecy
• Custom SSL certificates"] end subgraph "Load Balancer TLS" ALB_TLS["⚖️ Application Load Balancer
• SNI support
• Security policies
• Backend encryption
• Health check encryption"] end subgraph "Instance-Level TLS" EC2_TLS["🖥️ EC2 Applications
• Application TLS
• Client certificate auth
• Internal service mesh
• Database connections"] end end CIPHER_SUITE[Strong Cipher Suites
AES-256-GCM
ChaCha20-Poly1305
ECDHE-RSA/ECDSA] -.-> CF_TLS CIPHER_SUITE -.-> ALB_TLS CIPHER_SUITE -.-> EC2_TLS CERT_MGMT[Certificate Management
ACM Auto-renewal
Certificate Transparency
OCSP Stapling] -.-> CF_TLS CERT_MGMT -.-> ALB_TLS style CF_TLS fill:#e1f5fe style ALB_TLS fill:#f3e5f5 style EC2_TLS fill:#e8f5e8 style CIPHER_SUITE fill:#fff3e0 style CERT_MGMT fill:#fce4ec

🔍 TLS Configuration Hierarchy

TLS configuration follows a layered approach with CloudFront providing edge termination, ALB handling regional termination, and applications managing internal encryption. Each layer uses strong cipher suites and modern TLS versions. Certificate management is automated through ACM with automatic renewal and validation.

Implementation Commands

1. Request and Configure SSL Certificate

aws acm request-certificate \
    --domain-name "*.example.com" \
    --subject-alternative-names "example.com" "api.example.com" \
    --validation-method DNS \
    --key-algorithm RSA_2048 \
    --options CertificateTransparencyLoggingPreference=ENABLED \
    --tags Key=Name,Value=wildcard-ssl-cert Key=Environment,Value=production
🔧 SSL Certificate Request
  • --validation-method DNS: Automated validation via DNS records
  • --key-algorithm RSA_2048: Strong encryption key size
  • CertificateTransparencyLoggingPreference: Enables CT logging for security

Best Practice: Use wildcard certificates for subdomains, enable transparency logging

2. Configure CloudFront with Strong TLS

aws cloudfront create-distribution \
    --distribution-config '{
        "CallerReference": "secure-distribution-2024",
        "Origins": {
            "Quantity": 1,
            "Items": [{
                "Id": "alb-origin",
                "DomainName": "alb-123456.us-west-2.elb.amazonaws.com",
                "CustomOriginConfig": {
                    "HTTPPort": 80,
                    "HTTPSPort": 443,
                    "OriginProtocolPolicy": "https-only",
                    "OriginSslProtocols": {
                        "Quantity": 1,
                        "Items": ["TLSv1.2"]
                    }
                }
            }]
        },
        "DefaultCacheBehavior": {
            "TargetOriginId": "alb-origin",
            "ViewerProtocolPolicy": "redirect-to-https",
            "AllowedMethods": {
                "Quantity": 7,
                "Items": ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
            },
            "Compress": true
        },
        "ViewerCertificate": {
            "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012",
            "SSLSupportMethod": "sni-only",
            "MinimumProtocolVersion": "TLSv1.2_2021"
        },
        "Enabled": true,
        "Comment": "Secure distribution with strong TLS"
    }'
🔧 CloudFront Security Configuration
  • OriginProtocolPolicy: https-only: Forces HTTPS to origin
  • ViewerProtocolPolicy: redirect-to-https: Redirects HTTP to HTTPS
  • MinimumProtocolVersion: TLSv1.2_2021: Strong TLS version
  • SSLSupportMethod: sni-only: Modern SSL support

Security Benefits: End-to-end encryption, modern cipher suites, HSTS support

3. Configure ALB with Security Policy

aws elbv2 create-listener \
    --load-balancer-arn arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/secure-alb/1234567890123456 \
    --protocol HTTPS \
    --port 443 \
    --ssl-policy ELBSecurityPolicy-TLS-1-2-2017-01 \
    --certificates CertificateArn=arn:aws:acm:us-west-2:123456789012:certificate/12345678-1234-1234-1234-123456789012 \
    --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-west-2:123456789012:targetgroup/secure-targets/1234567890123456
🔧 ALB Security Policy

Available Security Policies:

  • ELBSecurityPolicy-TLS-1-2-2017-01: TLS 1.2+ with strong ciphers
  • ELBSecurityPolicy-FS-1-2-Res-2020-10: Forward secrecy required
  • ELBSecurityPolicy-TLS-1-1-2017-01: Legacy support (not recommended)

Recommendation: Use most recent policy supporting required TLS versions

4. Enable Backend Encryption to Targets

aws elbv2 modify-target-group-attributes \
    --target-group-arn arn:aws:elasticloadbalancing:us-west-2:123456789012:targetgroup/secure-targets/1234567890123456 \
    --attributes Key=protocol,Value=HTTPS \
                 Key=port,Value=443 \
                 Key=health_check.protocol,Value=HTTPS \
                 Key=health_check.port,Value=443 \
                 Key=health_check.path,Value=/health
🔧 Backend Encryption

Configures end-to-end encryption by enabling HTTPS communication between the load balancer and target instances. Health checks are also performed over HTTPS to maintain security.

5. Create Site-to-Site VPN with IPsec

aws ec2 create-vpn-gateway \
    --type ipsec.1 \
    --tag-specifications 'ResourceType=vpn-gateway,Tags=[{Key=Name,Value=corporate-vpn-gw}]'

aws ec2 create-customer-gateway \
    --type ipsec.1 \
    --public-ip 203.0.113.12 \
    --bgp-asn 65000 \
    --tag-specifications 'ResourceType=customer-gateway,Tags=[{Key=Name,Value=corporate-office-gw}]'

aws ec2 create-vpn-connection \
    --type ipsec.1 \
    --customer-gateway-id cgw-12345678 \
    --vpn-gateway-id vgw-12345678 \
    --options '{
        "StaticRoutesOnly": true,
        "TunnelInsideIpVersion": "ipv4"
    }' \
    --tag-specifications 'ResourceType=vpn-connection,Tags=[{Key=Name,Value=corporate-vpn-connection}]'
🔧 IPsec VPN Configuration
  • --type ipsec.1: Standard IPsec VPN protocol
  • --bgp-asn: Border Gateway Protocol autonomous system number
  • StaticRoutesOnly: Use static routing instead of BGP

Encryption: Automatic IPsec encryption with AES-256 and SHA-256

6. Configure Database Encryption in Transit

aws rds create-db-instance \
    --db-instance-identifier secure-database \
    --db-instance-class db.t3.medium \
    --engine mysql \
    --master-username admin \
    --master-user-password SecurePassword123! \
    --allocated-storage 100 \
    --vpc-security-group-ids sg-database-12345678 \
    --db-subnet-group-name private-db-subnet-group \
    --storage-encrypted \
    --kms-key-id arn:aws:kms:us-west-2:123456789012:key/12345678-1234-1234-1234-123456789012 \
    --backup-retention-period 7 \
    --deletion-protection \
    --enable-performance-insights
🔧 Database Security Configuration

Enables storage encryption and sets up the database for SSL/TLS connections. Applications must configure their database connections to require SSL for complete encryption in transit.

# Database SSL connection parameter
aws rds modify-db-parameter-group \
    --db-parameter-group-name secure-mysql-params \
    --parameters ParameterName=require_secure_transport,ParameterValue=ON,ApplyMethod=immediate
🔧 Force SSL Connections

Forces all database connections to use SSL/TLS encryption. This parameter group setting ensures that unencrypted connections are rejected by the database.

🔄 Encryption Implementation Workflow

1 Certificate Management: Request SSL certificates 
aws acm request-certificate --domain-name "*.example.com"
2 Edge Encryption: Configure CloudFront TLS 
aws cloudfront create-distribution --viewer-protocol-policy redirect-to-https
3 Load Balancer TLS: Configure ALB with security policy 
aws elbv2 create-listener --protocol HTTPS --ssl-policy ELBSecurityPolicy-TLS-1-2
4 Backend Encryption: Enable HTTPS to targets 
aws elbv2 modify-target-group-attributes --Key protocol,Value=HTTPS
5 VPN Setup: Configure IPsec for site-to-site 
aws ec2 create-vpn-connection --type ipsec.1
6 Database TLS: Force SSL connections 
aws rds modify-db-parameter-group --parameters require_secure_transport=ON

📜 Certificate Management (ACM, ACM PCA)

Certificate Management Architecture

graph TB subgraph "Public Certificate Authority" ACM[AWS Certificate Manager
Public Certificates] --> PUB_CERT[Public SSL/TLS Certificates
DV, OV, EV Validation] PUB_CERT --> CF[CloudFront] PUB_CERT --> ALB[Application Load Balancer] PUB_CERT --> API_GW[API Gateway] end subgraph "Private Certificate Authority" ACM_PCA[ACM Private CA
Internal PKI] --> PRIV_CERT[Private Certificates
Internal Services] PRIV_CERT --> EC2[EC2 Internal Services] PRIV_CERT --> EKS[EKS Service Mesh] PRIV_CERT --> RDS[RDS SSL Certificates] end subgraph "Certificate Lifecycle" REQUEST[Certificate Request] --> VALIDATE[Domain Validation] VALIDATE --> ISSUE[Certificate Issuance] ISSUE --> DEPLOY[Automatic Deployment] DEPLOY --> MONITOR[Certificate Monitoring] MONITOR --> RENEW[Automatic Renewal] RENEW --> DEPLOY end subgraph "Integration Services" SECRETS[AWS Secrets Manager] -.-> PRIV_CERT IAM[IAM Policies] -.-> ACM CW[CloudWatch Metrics] -.-> MONITOR SNS[SNS Notifications] -.-> RENEW end style ACM fill:#4ecdc4 style ACM_PCA fill:#ff6b6b style PUB_CERT fill:#45b7d1 style PRIV_CERT fill:#feca57 style MONITOR fill:#96ceb4

🔍 Certificate Management Strategy

AWS provides comprehensive certificate management through ACM for public certificates and ACM Private CA for internal PKI. Public certificates are automatically validated and renewed, while private certificates enable secure internal communication. The architecture supports both internet-facing and internal services with appropriate certificate types and validation methods.

Certificate Validation & Deployment Flow

sequenceDiagram participant User as Administrator participant ACM as AWS ACM participant DNS as Route 53 participant ALB as Load Balancer participant Monitor as CloudWatch User->>ACM: Request Certificate ACM->>DNS: Create Validation Records DNS->>ACM: Validation Complete ACM->>ACM: Issue Certificate ACM->>ALB: Deploy Certificate ALB->>ALB: Configure HTTPS Listener loop Certificate Monitoring Monitor->>ACM: Check Expiration ACM->>ACM: Auto Renewal (30 days before) ACM->>ALB: Deploy New Certificate ACM->>User: Send Notification end Note over ACM,ALB: Zero-downtime renewal Note over Monitor,User: Proactive monitoring

🔍 Certificate Lifecycle Management

ACM automates the entire certificate lifecycle from request to renewal. DNS validation enables automated issuance, and integration with AWS services ensures seamless deployment. Certificates are automatically renewed 30 days before expiration with zero downtime. CloudWatch monitoring and SNS notifications provide visibility into certificate health and renewal status.

Implementation Commands

1. Request Public Certificate with Multiple Domains

aws acm request-certificate \
    --domain-name "example.com" \
    --subject-alternative-names "*.example.com" "api.example.com" "admin.example.com" \
    --validation-method DNS \
    --key-algorithm RSA_2048 \
    --options '{
        "CertificateTransparencyLoggingPreference": "ENABLED"
    }' \
    --tags '[
        {"Key": "Name", "Value": "production-wildcard-cert"},
        {"Key": "Environment", "Value": "production"},
        {"Key": "Team", "Value": "security"}
    ]'
🔧 Multi-Domain Certificate Request
  • --subject-alternative-names: Additional domains covered by certificate
  • --validation-method DNS: Automated validation via DNS records
  • CertificateTransparencyLoggingPreference: Enables CT logging for transparency

Best Practice: Use wildcard certificates for subdomains, specific SANs for known endpoints

2. Validate Certificate with Route 53

aws acm describe-certificate \
    --certificate-arn arn:aws:acm:us-west-2:123456789012:certificate/12345678-1234-1234-1234-123456789012 \
    --query 'Certificate.DomainValidationOptions[0].ValidationRecord'

aws route53 change-resource-record-sets \
    --hosted-zone-id Z123456789012 \
    --change-batch '{
        "Changes": [{
            "Action": "CREATE",
            "ResourceRecordSet": {
                "Name": "_amazonacm.example.com",
                "Type": "CNAME",
                "TTL": 300,
                "ResourceRecords": [{
                    "Value": "validation-record-from-acm.acm-validations.aws"
                }]
            }
        }]
    }'
🔧 DNS Validation Process

Creates DNS CNAME records for domain validation. ACM provides the validation record values that must be added to your DNS configuration. Validation typically completes within minutes of adding the records.

3. Create Private Certificate Authority

aws acm-pca create-certificate-authority \
    --certificate-authority-configuration '{
        "KeyAlgorithm": "RSA_2048",
        "SigningAlgorithm": "SHA256WITHRSA",
        "Subject": {
            "Country": "US",
            "Organization": "Example Corp",
            "OrganizationalUnit": "IT Security",
            "CommonName": "Example Corp Internal CA"
        }
    }' \
    --certificate-authority-type ROOT \
    --permanent-deletion-time-in-days 30 \
    --tags '[
        {"Key": "Name", "Value": "internal-root-ca"},
        {"Key": "Purpose", "Value": "internal-services"}
    ]'
🔧 Private CA Configuration
  • KeyAlgorithm RSA_2048: Strong encryption for CA private key
  • SigningAlgorithm SHA256WITHRSA: Secure signing algorithm
  • --certificate-authority-type ROOT: Creates root CA (vs subordinate)

Cost: Private CA incurs monthly charges plus per-certificate issuance fees

4. Install CA Certificate

aws acm-pca get-certificate-authority-csr \
    --certificate-authority-arn arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012 \
    --output text > ca.csr

aws acm-pca issue-certificate \
    --certificate-authority-arn arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012 \
    --csr fileb://ca.csr \
    --signing-algorithm SHA256WITHRSA \
    --template-arn arn:aws:acm-pca:::template/RootCACertificate/V1 \
    --validity Value=10,Type=YEARS
🔧 CA Certificate Installation

Generates and installs the root CA certificate. This is a one-time process that activates the Private CA for issuing certificates. The root certificate is self-signed and valid for the specified period.

5. Issue Private Certificate

aws acm request-certificate \
    --domain-name "internal-api.corp.local" \
    --certificate-authority-arn arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012 \
    --subject-alternative-names "*.internal.corp.local" "db.corp.local" \
    --key-algorithm RSA_2048 \
    --tags '[
        {"Key": "Name", "Value": "internal-services-cert"},
        {"Key": "Purpose", "Value": "service-mesh"}
    ]'
🔧 Private Certificate Issuance

Issues private certificates for internal services using the Private CA. These certificates are trusted within your organization but not publicly. Perfect for internal APIs, databases, and service-to-service communication.

6. Configure Certificate Monitoring

aws logs create-log-group \
    --log-group-name /aws/acm/certificate-monitoring

aws events put-rule \
    --name acm-certificate-expiration \
    --event-pattern '{
        "source": ["aws.acm"],
        "detail-type": ["Certificate Approaching Expiration"],
        "detail": {
            "daysToExpiry": [45, 30, 15, 7]
        }
    }' \
    --state ENABLED

aws events put-targets \
    --rule acm-certificate-expiration \
    --targets '[{
        "Id": "1",
        "Arn": "arn:aws:sns:us-west-2:123456789012:certificate-alerts",
        "MessageGroupId": "certificate-monitoring"
    }]'
🔧 Certificate Monitoring Setup

Creates EventBridge rules to monitor certificate expiration and send alerts at various intervals. This provides early warning for certificates that may not auto-renew, such as imported certificates or those with validation issues.

7. Export Private Certificate for External Use

aws acm export-certificate \
    --certificate-arn arn:aws:acm:us-west-2:123456789012:certificate/12345678-1234-1234-1234-123456789012 \
    --passphrase "SecureExportPassword123!" \
    --output json > exported-certificate.json
🔧 Certificate Export

Exports private certificates for use outside AWS services. The certificate, private key, and certificate chain are encrypted with the provided passphrase. Only private certificates can be exported.

8. Create IAM Policy for Certificate Management

aws iam create-policy \
    --policy-name CertificateManagerPolicy \
    --policy-document '{
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ACMManagement",
            "Effect": "Allow",
            "Action": [
                "acm:RequestCertificate",
                "acm:DescribeCertificate",
                "acm:ListCertificates",
                "acm:GetCertificate"
            ],
            "Resource": "*"
        }, {
            "Sid": "Route53Validation",
            "Effect": "Allow",
            "Action": [
                "route53:ChangeResourceRecordSets",
                "route53:GetChange"
            ],
            "Resource": [
                "arn:aws:route53:::hostedzone/*",
                "arn:aws:route53:::change/*"
            ]
        }, {
            "Sid": "PrivateCAAccess",
            "Effect": "Allow",
            "Action": [
                "acm-pca:IssueCertificate",
                "acm-pca:GetCertificate"
            ],
            "Resource": "arn:aws:acm-pca:*:*:certificate-authority/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": ["us-west-2", "us-east-1"]
                }
            }
        }]
    }'
🔧 Certificate Management Permissions

Creates least-privilege IAM policy for certificate management operations. Includes permissions for ACM operations, Route 53 validation, and Private CA certificate issuance with regional restrictions.

🔄 Certificate Management Workflow

1 Public Certificates: Request with DNS validation 
aws acm request-certificate --validation-method DNS
2 DNS Validation: Create Route 53 validation records 
aws route53 change-resource-record-sets --change-batch
3 Private CA: Create and activate Private Certificate Authority 
aws acm-pca create-certificate-authority --certificate-authority-type ROOT
4 Private Certificates: Issue certificates for internal services 
aws acm request-certificate --certificate-authority-arn
5 Deployment: Associate certificates with AWS services 
aws elbv2 create-listener --certificates CertificateArn=...
6 Monitoring: Set up expiration alerts and monitoring 
aws events put-rule --name acm-certificate-expiration

📝 Certificate Best Practices

Public Certificates: Use for internet-facing services, enable Certificate Transparency logging, implement HSTS headers.

Private Certificates: Use for internal services, implement certificate pinning, regularly rotate certificates.

Monitoring: Set up alerts for expiration, validation failures, and compliance issues.

Automation: Use Infrastructure as Code for certificate requests and validation.

💡 Cost Optimization Tips

Public Certificates: No charge for ACM-managed certificates when used with AWS services.

Private CA: $400/month per CA plus $0.75 per certificate issued. Consider consolidating CAs and using longer certificate lifetimes for cost efficiency.

Certificate Limits: 2,048 certificates per account per year. Request limit increases if needed.

⚠️ Security Considerations

Private Key Protection: ACM manages private keys securely - they cannot be extracted from ACM.

Certificate Export: Only export certificates when absolutely necessary for external systems.

Validation Security: Protect DNS zones used for certificate validation from unauthorized changes.

Certificate Transparency: Enable CT logging for public certificates to detect mis-issuance.