Security best practices
KMS, TLS, WAF/Shield, secrets, detection.
Security is a pillar that touches every layer of an architecture. For an associate architect the essentials are encryption, network protection, secrets handling, and detection — applied on top of the IAM least-privilege foundation.
Encryption and network protection
Encrypt data at rest and in transit by default. AWS KMS integrates with S3, EBS, RDS, and most services to encrypt data at rest with keys you control — enabling it is usually a checkbox plus a key policy, and using customer-managed keys lets you rotate and revoke access. In transit, use TLS everywhere (ACM issues and manages certificates for load balancers and CloudFront). At the network edge, AWS WAF filters common web exploits (SQL injection, XSS, bad bots) in front of CloudFront or an ALB, and AWS Shield provides DDoS protection. Combined with private subnets and tight security groups, these give defense in depth around the workload.
# LAYER CONTROL# data at rest → KMS encryption (S3/EBS/RDS), customer-managed keys# data in transit → TLS everywhere (ACM certs on ALB/CloudFront)# web edge → WAF (block SQLi/XSS/bots) + Shield (DDoS)# network → private subnets + tight security groups# secrets → Secrets Manager / SSM Parameter Store (fetch via role)# identity → IAM least privilege + roles (no static keys)
Secrets and detection
Never put secrets in code or AMIs. Store database passwords, API keys, and tokens in AWS Secrets Manager (with rotation) or SSM Parameter Store, and have workloads fetch them at runtime via their IAM role — nothing sensitive ships in the image or config. For detection and posture, enable CloudTrail (the audit trail of every API call — the foundation of investigation), GuardDuty (managed threat detection over your logs), and Security Hub (aggregated findings and posture scoring across accounts). These, plus Config for tracking resource compliance, give you the visibility to catch misconfigurations and threats. The security pillar is not a single feature but this layered combination applied consistently.