Why This Matters for Consultancy Practices

Consultancies are often measured on three things at once: speed, consistency, and assurance. Clients want rapid delivery, but they also want architecture decisions robust enough for internal security review, audit scrutiny, and long-term operations. A secure AWS reference architecture bridges that gap.
[Figure: Secure by design AWS reference architecture (saleemyousaf.co.uk). Five design principles layered end-to-end: private by default, defence in depth, visibility from day one. 1. Private by default: CloudFront with WAF as the only public edge; internal ALB; multi-AZ private subnets with no public IPs; API Gateway reached only through a private VPC endpoint. 2. Controlled access: VPC endpoints for S3, STS, ECR and SSM; ECS Fargate with task roles only; RDS Aurora in private subnets with KMS encryption; S3 block public access; traffic stays on the AWS backbone with no public routing. 3. Least privilege: IAM roles only, no long-lived keys; task execution roles scoped per container; SCP guardrails denying admin and root; Secrets Manager with rotation enabled; IAM Access Analyzer validating all policies. 4 and 5. Depth and visibility: WAF plus Network Firewall at the edge and VPC layers; GuardDuty and Inspector for runtime and vulnerability detection; CloudTrail and Config logging all API calls; Security Hub feeding a SIEM; VPC Flow Logs for east-west and egress traffic; BAS validation of controls after deployment. All layers deployed via IaC (Terraform, GitHub Actions, tfsec), no manual console changes, drift detection alerts.]

Secure by Design in Practice

1. Private by Default

Application workloads are placed in private subnets across multiple Availability Zones. Nothing receives a public IP address, so any path in or out of the VPC (an edge load balancer, a VPC endpoint, a NAT gateway) has to be created deliberately and can therefore be reviewed. This reduces direct exposure and forces ingress and egress decisions to be explicit.

2. Controlled Service Access

VPC endpoints keep traffic on the AWS backbone wherever possible, reducing unnecessary public routing and strengthening boundary control. Endpoint policies add a second control on the same path: they limit which buckets or resources are reachable through the endpoint, so a compromised workload cannot reuse the private route to reach an attacker-owned resource.
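Principles 1 and 2 assembled in Terraform, as an added example rather than the article's or any client project's own code: a VPC with only private subnets and no internet or NAT gateway, interface endpoints for the services a Fargate task needs, and an S3 gateway endpoint whose policy names the only buckets reachable through it. The region, CIDRs, endpoint list and the `workload_bucket` variable are assumptions for illustration.

```hcl
# Added example, not the article's own code. Assumes the AWS provider is
# configured for eu-west-2 and that "workload_bucket" names the application's
# S3 bucket; everything else is illustrative.
variable "workload_bucket" {
  type        = string
  description = "Name of the only S3 bucket the workload may reach"
}

locals {
  region   = "eu-west-2"
  vpc_cidr = "10.20.0.0/16"
  azs      = ["eu-west-2a", "eu-west-2b"]
  # Interface endpoints a Fargate task needs: image pulls (ecr.api, ecr.dkr),
  # the awslogs driver (logs), secret injection, SSM and STS. Nothing else
  # has a path out of the VPC.
  interface_services = ["ecr.api", "ecr.dkr", "logs", "secretsmanager", "ssm", "sts"]
}

resource "aws_vpc" "main" {
  cidr_block           = local.vpc_cidr
  enable_dns_support   = true
  enable_dns_hostnames = true # required for private DNS on interface endpoints
}

# One private subnet per AZ. This configuration creates no internet gateway
# and no NAT gateway, so no 0.0.0.0/0 route exists and nothing can obtain a
# public IP address.
resource "aws_subnet" "private" {
  count                   = length(local.azs)
  vpc_id                  = aws_vpc.main.id
  cidr_block              = cidrsubnet(local.vpc_cidr, 8, count.index)
  availability_zone       = local.azs[count.index]
  map_public_ip_on_launch = false
}

resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id
}

resource "aws_route_table_association" "private" {
  count          = length(local.azs)
  subnet_id      = aws_subnet.private[count.index].id
  route_table_id = aws_route_table.private.id
}

# Endpoint ENIs accept HTTPS only, and only from addresses inside the VPC.
resource "aws_security_group" "endpoints" {
  name   = "vpc-endpoints"
  vpc_id = aws_vpc.main.id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [local.vpc_cidr]
  }
}

resource "aws_vpc_endpoint" "interface" {
  for_each            = toset(local.interface_services)
  vpc_id              = aws_vpc.main.id
  service_name        = "com.amazonaws.${local.region}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = aws_subnet.private[*].id
  security_group_ids  = [aws_security_group.endpoints.id]
  private_dns_enabled = true # SDK calls resolve to the endpoint, not the public service IP
}

# S3 is a gateway endpoint on the private route table. Its policy limits which
# buckets are reachable: the workload bucket, plus the regional bucket ECR
# serves image layers from (named in the ECR VPC endpoint documentation).
# Without that second entry, Fargate image pulls fail, which is the usual
# surprise when teams first lock this policy down.
data "aws_iam_policy_document" "s3_endpoint" {
  statement {
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    actions = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
    resources = [
      "arn:aws:s3:::${var.workload_bucket}",
      "arn:aws:s3:::${var.workload_bucket}/*",
      "arn:aws:s3:::prod-${local.region}-starport-layer-bucket/*",
    ]
  }
}

resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.main.id
  service_name      = "com.amazonaws.${local.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.private.id]
  policy            = data.aws_iam_policy_document.s3_endpoint.json
}
```

A useful check after `terraform apply` is to confirm from inside a task that `aws s3 ls` against any bucket other than the workload bucket is denied by the endpoint policy, and that a DNS lookup of `ecr.api.eu-west-2.amazonaws.com` returns an address inside 10.20.0.0/16 rather than a public one.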

3. Least Privilege Everywhere

IAM roles, endpoint policies, task roles, and security groups are defined with minimal access in mind. In ECS this means keeping the execution role (what the agent needs to pull the image, write logs and fetch secrets at start-up) separate from the task role (what the application code is allowed to call), so the running application never carries the permissions used to launch it. This reduces the blast radius of compromised identities or workloads.
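The execution-role versus task-role split in Terraform, as an added example and not the article's own code. The execution role gets only what is needed to start the container; the task role gets one prefix in one bucket; and an organisation-level SCP denies use of the root user regardless of what IAM allows. The variables, repository name, log group and bucket prefix are illustrative assumptions.

```hcl
# Added example, not the article's own code. Assumes "app_secret_arn" and
# "workload_bucket" identify the one secret and one bucket the service uses,
# and that images live in an ECR repository called "app"; names are illustrative.
variable "app_secret_arn"  { type = string }
variable "workload_bucket" { type = string }

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Both roles are assumable only by the ECS tasks service.
data "aws_iam_policy_document" "ecs_tasks_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

# Execution role: what the ECS agent needs to START the container (pull the
# image, write logs, read the secret it injects). The application code never
# runs with this identity.
resource "aws_iam_role" "execution" {
  name               = "app-task-execution"
  assume_role_policy = data.aws_iam_policy_document.ecs_tasks_assume.json
}

data "aws_iam_policy_document" "execution" {
  statement {
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"] # this action does not support resource-level scoping
  }
  statement {
    actions   = ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:BatchCheckLayerAvailability"]
    resources = ["arn:aws:ecr:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:repository/app"]
  }
  statement {
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/ecs/app:*"]
  }
  statement {
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [var.app_secret_arn]
  }
}

resource "aws_iam_role_policy" "execution" {
  role   = aws_iam_role.execution.id
  policy = data.aws_iam_policy_document.execution.json
}

# Task role: what the APPLICATION CODE may do. One prefix in one bucket; a
# compromised container gets exactly this and nothing more.
resource "aws_iam_role" "task" {
  name               = "app-task"
  assume_role_policy = data.aws_iam_policy_document.ecs_tasks_assume.json
}

data "aws_iam_policy_document" "task" {
  statement {
    actions   = ["s3:GetObject", "s3:PutObject"]
    resources = ["arn:aws:s3:::${var.workload_bucket}/app/*"]
  }
  statement {
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${var.workload_bucket}"]
    condition {
      test     = "StringLike"
      variable = "s3:prefix"
      values   = ["app/*"]
    }
  }
}

resource "aws_iam_role_policy" "task" {
  role   = aws_iam_role.task.id
  policy = data.aws_iam_policy_document.task.json
}

# Organisation-level guardrail, applied from the management account: no
# member account can make API calls as the root user, whatever IAM says.
resource "aws_organizations_policy" "deny_root" {
  name = "deny-root-user"
  type = "SERVICE_CONTROL_POLICY"
  content = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Deny"
      Action    = "*"
      Resource  = "*"
      Condition = { StringLike = { "aws:PrincipalArn" = "arn:aws:iam::*:root" } }
    }]
  })
}
```

The two role ARNs go into the ECS task definition as `execution_role_arn` and `task_role_arn` respectively. Running `tfsec` or IAM Access Analyzer policy validation over these documents should report nothing beyond the unavoidable `*` resource on `ecr:GetAuthorizationToken`, which is a good baseline to assert in CI.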

4. Defence in Depth

Controls are layered across the edge, network, application, identity, and logging planes so that no single misconfiguration exposes the workload. WAF, NACLs, security groups, private DNS, logging, and runtime roles all contribute to risk reduction.
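Two of those layers in Terraform, as an added example rather than the article's own code: a CloudFront-scoped WAF web ACL that combines content inspection (the AWS-managed core rule set) with a per-IP rate limit, and security groups inside the VPC that reference each other so only the internal load balancer can reach the tasks. The rule names, rate limit, container port and the `vpc_id` variable are illustrative assumptions; the CloudFront distribution that would reference the web ACL is assumed to exist elsewhere.

```hcl
# Added example, not the article's own code. Rule names, the rate limit and
# the port are illustrative; the CloudFront distribution that attaches the
# web ACL (through its web_acl_id argument) is assumed to be defined elsewhere.
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1" # CLOUDFRONT-scoped web ACLs must be created in us-east-1
}

resource "aws_wafv2_web_acl" "edge" {
  provider = aws.us_east_1
  name     = "edge-acl"
  scope    = "CLOUDFRONT"

  default_action {
    allow {}
  }

  # Layer 1: content inspection. The managed core rule set covers common
  # injection and traversal patterns; its own block actions are left in force.
  rule {
    name     = "managed-core"
    priority = 1
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "managed-core"
      sampled_requests_enabled   = true
    }
  }

  # Layer 2: volume. Requests that are individually well-formed pass the rule
  # set above; a per-source-IP limit is what blunts a burst of them.
  rule {
    name     = "rate-limit"
    priority = 2
    action {
      block {}
    }
    statement {
      rate_based_statement {
        limit              = 2000 # requests from one IP per evaluation window
        aggregate_key_type = "IP"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "edge-acl"
    sampled_requests_enabled   = true
  }
}

output "edge_web_acl_arn" {
  value = aws_wafv2_web_acl.edge.arn # set as web_acl_id on the distribution
}

# Inner layers: security groups that reference each other instead of CIDRs,
# so only the load balancer can reach the tasks, and only on the app port.
variable "vpc_id" { type = string }

resource "aws_security_group" "alb" {
  name   = "internal-alb"
  vpc_id = var.vpc_id
}

resource "aws_security_group" "tasks" {
  name   = "app-tasks"
  vpc_id = var.vpc_id
}

resource "aws_vpc_security_group_ingress_rule" "alb_to_tasks" {
  security_group_id            = aws_security_group.tasks.id
  referenced_security_group_id = aws_security_group.alb.id
  ip_protocol                  = "tcp"
  from_port                    = 8080
  to_port                      = 8080
}
```

Because the task security group has no CIDR-based ingress at all, a request that somehow bypassed CloudFront and the WAF would still have to originate from the load balancer's security group to reach a container, which is the point of layering the controls.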

5. Visibility by Design

Logging, metrics, and auditability are built in from the start so teams can investigate issues and produce evidence that controls operated throughout the project lifecycle.
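The two foundational log sources from the diagram in Terraform, as an added example and not the article's own code: VPC Flow Logs for all traffic in the VPC, and a multi-region CloudTrail with log file validation writing to a bucket that blocks public access and accepts writes only from the CloudTrail service. The `vpc_id` variable and the resource names are illustrative assumptions.

```hcl
# Added example, not the article's own code. Assumes an existing VPC id is
# supplied; bucket, role and log-group names are illustrative.
variable "vpc_id" { type = string }
data "aws_caller_identity" "current" {}

# VPC Flow Logs: east-west and egress traffic for the whole VPC. ALL rather
# than REJECT, because accepted flows are where exfiltration shows up.
resource "aws_cloudwatch_log_group" "flow" {
  name              = "/vpc/flow-logs"
  retention_in_days = 365
}

data "aws_iam_policy_document" "flow_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["vpc-flow-logs.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "flow" {
  name               = "vpc-flow-logs"
  assume_role_policy = data.aws_iam_policy_document.flow_assume.json
}

resource "aws_iam_role_policy" "flow" {
  role = aws_iam_role.flow.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["logs:CreateLogStream", "logs:PutLogEvents"]
      Resource = "${aws_cloudwatch_log_group.flow.arn}:*"
    }]
  })
}

resource "aws_flow_log" "vpc" {
  vpc_id               = var.vpc_id
  traffic_type         = "ALL"
  log_destination_type = "cloud-watch-logs"
  log_destination      = aws_cloudwatch_log_group.flow.arn
  iam_role_arn         = aws_iam_role.flow.arn
}

# CloudTrail: every API call in every region, written to a bucket that only
# the CloudTrail service can write to and that blocks all public access.
resource "aws_s3_bucket" "trail" {
  bucket = "cloudtrail-logs-${data.aws_caller_identity.current.account_id}"
}

resource "aws_s3_bucket_public_access_block" "trail" {
  bucket                  = aws_s3_bucket.trail.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

data "aws_iam_policy_document" "trail_bucket" {
  statement {
    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.trail.arn]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
  }
  statement {
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.trail.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }
}

resource "aws_s3_bucket_policy" "trail" {
  bucket = aws_s3_bucket.trail.id
  policy = data.aws_iam_policy_document.trail_bucket.json
}

resource "aws_cloudtrail" "main" {
  name                       = "account-trail"
  s3_bucket_name             = aws_s3_bucket.trail.id
  is_multi_region_trail      = true
  enable_log_file_validation = true # digest files reveal deleted or edited log objects
  depends_on                 = [aws_s3_bucket_policy.trail]
}
```

The `depends_on` matters: CloudTrail checks the bucket policy when the trail is created and fails with an insufficient bucket policy error if the policy has not been attached yet. Log file validation is the control an auditor will ask about, because it is what lets you prove a log object was not altered after delivery.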

Threat-Informed Architecture with STRIDE

Mapping the architecture against STRIDE gives a threat-by-threat check that each category is covered by at least one control.

Spoofing: IAM roles for every principal with no long-lived keys, ACM-backed TLS on every listener, and private endpoint patterns that keep service calls off public routes.

Tampering: WAF protections at the edge, controlled API ingress, and tightly scoped roles, so a compromised component cannot modify data outside its remit.

Repudiation: CloudTrail for API calls, together with CloudWatch logging, API access logs, and ECS task logs, so each action can be attributed to a principal and a time.

Information disclosure: private subnets, blocked public access on S3, and internal-only service access via VPC endpoints.

Denial of service: managed WAF protections, internal load balancing, and multi-AZ deployment.

Elevation of privilege: least-privilege task and execution roles, SCP guardrails that bound what any role in a member account can do, and static analysis tools such as cdk-nag and tfsec that catch over-permissive policies before they are deployed.

The strongest cloud platforms are not just functional. They are intentionally designed to be harder to misuse, easier to monitor, and simpler to explain. That is what secure by design should look like in practice.