AWS Security: Prescriptive Guidance & Reference Architecture

Steven Jul 09, 2026

In the ever-evolving landscape of cloud security, Amazon Web Services (AWS) provides a robust set of services and best practices to help you build secure, high-performing, resilient, and efficient infrastructure. The AWS Prescriptive Guidance Security Reference Architecture (SRA) is a comprehensive blueprint that outlines security best practices, AWS services, and architectural patterns to help you meet your security and compliance needs.

the different types of security infos on this page are shown in red, white and blue
the different types of security infos on this page are shown in red, white and blue

The SRA is designed to be flexible and adaptable, allowing you to tailor it to your specific use case and compliance requirements. It provides a modular and extensible architecture that can be applied to various workloads, such as web applications, data processing, and IoT. By following the SRA, you can enhance your security posture, reduce your risk, and meet regulatory compliance requirements.

AWS Security Services What Are the 5 Core AWS Services
AWS Security Services What Are the 5 Core AWS Services

Understanding the AWS SRA Layers

The AWS SRA is structured around five layers, each responsible for a specific aspect of security. Understanding these layers is crucial for implementing the SRA effectively.

Core AWS Security Services – qualimente
Core AWS Security Services – qualimente

1. **Foundational Security**: This layer focuses on securing the underlying infrastructure, including AWS accounts, Identity and Access Management (IAM), and network security. It provides a solid foundation for building secure applications and services.

AWS Accounts and IAM

a diagram showing the different types of networked devices and how they are connected to each other
a diagram showing the different types of networked devices and how they are connected to each other

Implementing the principle of least privilege (PoLP) is essential for securing your AWS environment. The SRA recommends using AWS Organizations to centrally manage and govern multiple AWS accounts. It also outlines best practices for IAM, such as using IAM roles, avoiding long-term access keys, and regularly reviewing and updating IAM policies.

Example: Create an IAM role for EC2 instances with the minimum required permissions for the instances to function correctly.

Network Security

the cloud security framework for aws is shown in this screenshote, which shows how
the cloud security framework for aws is shown in this screenshote, which shows how

The SRA emphasizes the importance of network segmentation to isolate workloads and limit the attack surface. It recommends using AWS Virtual Private Cloud (VPC) and security groups to control inbound and outbound traffic. Additionally, it suggests using AWS Network Firewall and AWS Shield for advanced network security.

Example: Implement a network access control list (ACL) to allow only specific traffic between subnets.

Data Protection

GoDaddy
GoDaddy

The data protection layer focuses on securing data at rest and in transit. It provides guidelines for encrypting data, managing secrets, and protecting data in transit.

Data Encryption

a diagram showing the different types of architecture and their functions in each section, including
a diagram showing the different types of architecture and their functions in each section, including
#cloudsecurity #awssecurity #azuresecurity #gcpsecurity #cybersecurity | Artem Polynko
#cloudsecurity #awssecurity #azuresecurity #gcpsecurity #cybersecurity | Artem Polynko
the diagram shows how to use pipeline security
the diagram shows how to use pipeline security
AWS CloudTrail
AWS CloudTrail
Post from ByteByteGo
Post from ByteByteGo
🌟12 Essential Tips to Secure Your API
🌟12 Essential Tips to Secure Your API
Real AI Agent Security architecture - 2026 Enterprise blueprint
Real AI Agent Security architecture - 2026 Enterprise blueprint
aws prescriptive guidance security reference architecture
aws prescriptive guidance security reference architecture
ARCHITECTURE DECISIONS In the ever-evolving technology landscape… | Ali Khan
ARCHITECTURE DECISIONS In the ever-evolving technology landscape… | Ali Khan
AWS Certified Solutions Architect Associate: Design de arquiteturas seguras - Parte 1
AWS Certified Solutions Architect Associate: Design de arquiteturas seguras - Parte 1
a circular diagram showing the security and protection areas for people with special needs to protect themselves
a circular diagram showing the security and protection areas for people with special needs to protect themselves
🌐 AWS VPC Design Best Practices ☁️
Master subnetting, route tables, and security groups 🔐 to build secure and scalable networks. A well-designed VPC is the foundation of reliable cloud architecture 🚀. Build it right from day one.

#machinelearning #itprofessionals #skillsdevelopment #techinnovation #professionalgrowth #careerchange #learner #computerscience #traininganddevelopment #educationtechnology #digitization #techlife #techforgood #learnsomethingnew #computerengineering#CloudElite
🌐 AWS VPC Design Best Practices ☁️ Master subnetting, route tables, and security groups 🔐 to build secure and scalable networks. A well-designed VPC is the foundation of reliable cloud architecture 🚀. Build it right from day one. #machinelearning #itprofessionals #skillsdevelopment #techinnovation #professionalgrowth #careerchange #learner #computerscience #traininganddevelopment #educationtechnology #digitization #techlife #techforgood #learnsomethingnew #computerengineering#CloudElite
aws_security_incident_response.pdf
aws_security_incident_response.pdf
the api security measures are shown in this graphic, which shows how to use it
the api security measures are shown in this graphic, which shows how to use it
#serverless #aws #customerdataplatform #architecture #dataengineering #cloud #cloudarchitecture #devops #backend #frontend #fullstack #microservices #eventdriven #systemdesign #softwarearchitecture… | Ignacio C.
#serverless #aws #customerdataplatform #architecture #dataengineering #cloud #cloudarchitecture #devops #backend #frontend #fullstack #microservices #eventdriven #systemdesign #softwarearchitecture… | Ignacio C.
que es WAF y modsecurity
que es WAF y modsecurity
the security - as - service info sheet is shown
the security - as - service info sheet is shown
the modern security architecture is displayed in this screenshote screen shot from microsoft's windows
the modern security architecture is displayed in this screenshote screen shot from microsoft's windows
owasp top 10 web application vulnerabilities
owasp top 10 web application vulnerabilities
Client Challenge
Client Challenge

The SRA recommends using AWS Key Management Service (KMS) to create and control cryptographic keys. It also suggests encrypting data at rest using AWS services like Amazon EBS, Amazon S3, and Amazon RDS. Additionally, it outlines best practices for encrypting data in transit, such as using Transport Layer Security (TLS) and AWS Certificate Manager (ACM).

Example: Enable encryption at rest for Amazon S3 buckets using AWS KMS.

Secret Management

The SRA emphasizes the importance of managing secrets securely. It recommends using AWS Secrets Manager to store and retrieve secrets such as database credentials, API keys, and passwords. It also suggests using AWS Systems Manager Parameter Store for managing configuration data and secrets.

Example: Use AWS Secrets Manager to store and retrieve database credentials for your application.

Threat Detection and Response

The threat detection and response layer focuses on detecting and responding to security threats in real-time. It provides guidelines for using AWS services like Amazon GuardDuty, Amazon Inspector, and Amazon Macie to detect and respond to threats.

Threat Detection

The SRA recommends using a combination of AWS services to detect threats in your environment. It suggests using Amazon GuardDuty for intelligent threat detection, Amazon Inspector for automated security assessments, and Amazon Macie for data privacy and data loss prevention.

Example: Enable Amazon GuardDuty to continuously monitor your AWS environment for potential threats.

Incident Response

The SRA outlines best practices for incident response, including preparing for incidents, detecting and analyzing incidents, containing and eradicating threats, recovering affected systems, and performing post-incident analysis. It recommends using AWS services like AWS CloudTrail, AWS Config, and AWS CloudWatch to aid in incident response.

Example: Set up AWS CloudTrail to log, continuously monitor, and retain account activity related to actions across your AWS infrastructure.

Embracing the AWS Prescriptive Guidance Security Reference Architecture is a significant step towards enhancing your security posture. By following the best practices outlined in the SRA, you can build a secure, resilient, and compliant AWS environment. Staying up-to-date with the latest AWS security features and best practices will ensure that your environment remains secure in the face of evolving threats.