Part 3: Security (Mandatory Architectural Considerations)

Welcome back to Part 3 of this 7-part intensive series designed for candidates preparing for the AWS Solutions Architect – Professional examination. Successful performance on this exam necessitates a precise and deep understanding of AWS services.

This instalment focuses on the Security domain. We will move beyond general concepts, addressing the specific services, architectural constraints, and operational intricacies frequently tested in scenarios designed to assess expert-level knowledge.

We begin with a critical examination scenario: ensuring secure key management with minimal performance overhead.

Data Protection

AWS CloudHSM — Hardware Security Module Requirements

CloudHSM is the appropriate solution when the examination prompt emphasises:

• Stringent regulatory compliance requirements.
• Customer-managed cryptographic keys (CMKs).
• The necessity to offload computationally intensive cryptographic operations.

Key Use Cases:

• Offloading SSL/TLS processing from application servers.
• Storing private keys within certified hardware modules (ensuring non-software accessibility).
• Requiring absolute control over the key lifecycle management.

Architectural Flow (Commonly Tested):

1. Client initiates a secure connection.
2. Application server requests cryptographic operations.
3. Server queries the CloudHSM cluster for key operations.
4. The HSM performs the cryptographic computation.
5. The secure session is established.

This is actually a trick point on the Pro exam. AWS manages the hardware (monitoring, power, rack), but because CloudHSM is a “Single Tenant” device that AWS cannot log into, the customer is responsible for patching the HSM firmware/software and managing the users within the HSM. Unlike KMS, CloudHSM is not “fully managed” in the traditional sense. The customer retains full responsibility for key generation, usage, and policy definition. This represents the enterprise-grade standard for key management.

AWS Secrets Manager — Automated Credential Rotation

This service offers straightforward, automated credential management.

If the scenario involves:

• Relational Database Service (RDS) credentials.
• Requirement for automated, scheduled rotation.
• Infrastructure as Code (IaC) implementation via CloudFormation.

The critical insight is:

👉 You do NOT need to write a custom AWS Lambda function, but a Lambda function is still the execution mechanism for the standard rotation of RDS credentials.

Secrets Manager provides native, pre-built rotation functionality.

Typical Configuration Element:

AWS::SecretsManager::RotationSchedule

The use of a custom Lambda in the examination context usually indicates an incorrect or overly complex solution path.

Regional Constraints AWS frequently employs regional restrictions related to certificate management to test candidate knowledge.

AWS Certificate Manager (ACM)

ACM streamlines the management of SSL/TLS certificates by providing:

• Automated renewals.
• Elimination of manual certificate uploads.
• Proactive expiry management.

Certificates are seamlessly attached to supported services:

• Application Load Balancers (ALBs).
• CloudFront distributions.

The Regional Constraint (High Exam Relevance)

It is essential to strictly adhere to the following rule:

• ACM certificates are region-specific.
• A single certificate cannot be utilized across multiple AWS regions for services like ALBs.

Implication:

• Deploying an Elastic Load Balancer (ELB) in multiple regions requires requesting a separate ACM certificate in each respective region.

The CloudFront Exception:

CloudFront operates under a distinct global distribution model:

• The certificate must be requested in the US East (N. Virginia) region (us-east-1).
• Upon creation in us-east-1, the certificate is then globally distributed by CloudFront automatically to all edge locations.

Failure to recognize this specific regional requirement will lead to selecting an incorrect answer.

Identity and Directory Services (Integration and Trade-offs)

This section requires a comprehension of identity flows and the inherent limitations of various directory service options.

KMS, Encryption Context & Cross-Account Sharing

Encryption is a foundational skill for the SA Pro, but the exam often tests the how of key management and sharing, not just the what.

AWS Key Management Service (KMS) — The Heart of Encryption

KMS is your central point for managing cryptographic keys.

Key Type	Description	Use Case
AWS Managed Key	Created, used, and managed by an AWS service on your behalf (e.g., S3, RDS).	Default encryption for service-specific resources. You cannot control the key policy.
Customer Managed Key (CMK)	You create, own, and manage the key, including its key policy, rotation, and lifecycle.	Encrypting sensitive data where policy control is mandatory (e.g., cross-account sharing, granting specific IAM principals access).
CloudHSM Key Store	CMK backed by keys stored in your CloudHSM cluster.	Highest compliance requirement, non-repudiation, keys never leave the HSM.

Encryption Context (The Crucial Detail)

Encryption Context is a set of non-secret key-value pairs (metadata) that AWS KMS uses to ensure data integrity and prevent key misuse.

• When encrypting: KMS uses the context to bind the ciphertext to specific metadata.
• When decrypting: The same Encryption Context must be provided, or decryption fails.

👉 Key Exam Point: Encryption Context is essential for auditing and is typically used to enforce specific conditions (e.g., aws:kms:encryption-context:aws:s3:arn = bucket_arn) via the KMS Key Policy. This is how you enforce that a key only decrypts objects from a specific S3 bucket.Cross-Account KMS Sharing

This is a favourite exam scenario: How does Account A let Account B use its KMS key to decrypt data?

The process requires a two-part trust relationship:

1. KMS Key Policy (Account A): The policy on the key in Account A must explicitly allow the root user or a specific IAM role/user from Account B to use the key actions (kms:Decrypt, kms:GenerateDataKey, etc.).
2. IAM Policy (Account B): The IAM role/user in Account B must have an IAM policy that allows them to call the KMS actions (kms:Decrypt, etc.) and specifies the ARN of the key in Account A.

Requirement	Account A (Key Owner)	Account B (Key User)
Trust Mechanism	KMS Key Policy (Grants access)	IAM Policy (Asserts right to use)

If either step is missing, the sharing fails.

Active Directory integration

AWS offers three primary deployment models for Active Directory integration:

Option	Functionality	Key Limitation for Exam
AD Connector	A directory gateway (proxy) that forwards authentication requests directly to the on-premises AD. No caching or synchronization.	👉 Dependent on network connectivity to the corporate environment.
Simple AD	Managed, standalone AD based on Samba. Low cost, basic functionality.	Crucial Limitations: No Multi-Factor Authentication (MFA), no trust relationships, no PowerShell support, no schema extensions, no IAM Identity Center integration, and not supported by RDS for SQL Server/Oracle.
AWS Managed Microsoft AD	Fully managed, genuine Microsoft AD running on AWS. Supports full features.	This is the correct enterprise solution for hybrid environments requiring trust, full service integration, and complex features.

👉 Exam Strategy: If the question requires any advanced AD feature (MFA, trust, enterprise application integration), eliminate Simple AD immediately.

Migration Toolkit for Hybrid AD: Active Directory Migration Toolkit (ADMT) and Password Export Service (PES) are the standard tools for hybrid integration and migration.

Governance Traps

Service Control Policies (SCPs)

SCPs are policy-based governance controls applied across an AWS Organization.

credit: Tutorials Dojo

Critical Constraint:

👉 SCPs are only functional and active when the Organization feature set is configured for All Features. They do not function if the organization is configured solely for Consolidated Billing mode.

Practical Use Cases:

SCPs are deployed to establish mandatory guardrails:

• Enforcing standardized resource tagging policies.
• Blocking specific actions unless predefined conditions are met.

Examples: Deny CloudFormation stack creation if mandatory tags are absent, or deny S3 Access Point creation unless the origin is inside a defined VPC.

SCPs should be viewed as “guardrails that define maximum permissions,” not mechanisms that grant permissions.

Service-Linked Roles

These are highly specialized IAM roles that AWS services assume to perform actions on your behalf.

• They are non-negotiable roles managed by AWS.
• Only the associated AWS service can assume the role.
• The trust policy and permissions of a Service-Linked Role cannot be modified by the customer.

Example: AWSResourceAccessManagerServiceRolePolicy. If a question suggests editing this trust policy, that path is incorrect.

Authentication, Authorisation and Access

Standard Federation Flow

A clear understanding of the authentication and authorization chain is necessary:

1. The user initiates access via an identity broker or Identity Provider (IdP).
2. Authentication occurs against the corporate directory.
3. The broker calls the AWS Security Token Service (STS).
4. STS issues temporary, time-bound credentials.
5. The user accesses AWS resources.

The SAML process follows a similar chain: 

Authenticate → SAML assertion → IAM Identity Center → STS → Console/API access.Active Directory Deployment Options (Comparative Analysis)

S3 Access Point Policies

S3 Access Points are a modern way to manage access to buckets at scale, often simplifying policy management for specific applications or users.

• Access Point Policies: Are resource policies and supplement (but do not override) the underlying S3 Bucket Policy.
• Key Distinction: Access Points are tied to a specific network origin (e.g., vpc-12345 for VPC-only access) and can only be used with specific resource types (e.g., only allowing s3:GetObject).

👉 Exam Tip: If the goal is to restrict access to a bucket only from within a specific VPC, while providing a simpler ARN for application developers, S3 Access Points with a VPC-Only network origin are the definitive answer. The policy on the Access Point ensures the traffic flow is restricted at the network layer.

Actually, Access Point ARNs are often more complex. The real value is decentralising the policy so you don’t hit the 20KB limit on a single Bucket Policy

Authorisation: IAM Policy Evaluation & Boundaries

The most common mistake on the SA Pro exam is misunderstanding the policy evaluation logic.IAM Policy Evaluation Logic

Remember the ultimate rule: Explicit Deny always overrides Allow.

Policy Effect	Description
Explicit Deny	Stops the action regardless of any Allow.
Explicit Allow	Permits the action, provided no Explicit Deny is in place.
Implicit Deny	Default state if no matching Allow or Deny is found (e.g., if the user has no relevant policy attached).

Evaluation Order (Most Restrictive to Least)

1. Service Control Policies (SCPs): If an SCP Denies an action, the principal is Denied (even if IAM policies allow it).
2. Permissions Boundary: If the Boundary Denies an action, the principal is Denied (even if IAM policies allow it).
3. Resource-Based Policies (e.g., S3 Bucket Policy): If the RBP Denies the action, the principal is Denied.
4. IAM Identity Policies: These are only checked if the above haven’t explicitly denied the action.

👉 Mnemonic: SCPs > Boundary > Resource > Identity. The action must be allowed at every step to succeed.IAM Permissions Boundaries

A Permissions Boundary is an advanced feature used to set the maximum permissions that an identity-based policy can grant to an IAM entity (user or role).

• Role: Setting a Boundary on a Role.
• Action: The Boundary acts as an Allow list. If an action is not Allowed by the Boundary, the role cannot perform it, regardless of what the attached IAM policy says.
• Use Case: Delegate IAM creation to developers while ensuring new roles/users they create can never exceed a specific security baseline (e.g., never allowing ec2:TerminateInstances).

What Boundaries Cannot Do:

• They do not grant permissions. They only restrict the permissions that a user’s identity policy can grant.
• They do not affect policies written on resources (e.g., S3 Bucket Policies).

If the exam asks how an administrator can delegate IAM creation while ensuring the created principals adhere to a maximum set of permissions, the answer is Permissions Boundaries.

Network Security: WAF and Network Firewall

AWS WAF — Application Layer Precision

WAF functions as a highly granular application-layer filtering tool.

Capabilities:

• Geo-blocking (Geo match).
• Allow/deny lists based on IP sets.
• Complex rule set logic (AND/OR).

Logging Destinations:

WAF logs can be exported to CloudWatch Logs, S3, or Kinesis Data Firehose.

👉 Operational Detail: WAF logs are delivered to Kinesis Data Firehose via an HTTPS endpoint.

AWS Network Firewall — Stateful Inspection and Rule Ordering

This service is a managed stateful firewall, and its rule evaluation is strictly sequential.

Key Gotcha: Strict Order of Evaluation

• Rules are evaluated based on defined priority (lowest number first).
• The order is critical: an overarching DENY rule placed above a specific ALLOW rule will inadvertently block all intended traffic.

Governance Constraints:

• AWS Organizations member accounts are restricted from modifying firewall policies defined centrally.
• It is important to note that Firewall Manager cannot enforce an explicit deny action, a detail that is frequently tested.

Bonus Scenarios for Expert Recall

These details often determine success in complex scenario questions:

• ECR Lifecycle Policies: Rules used to automatically expire or clean up old/untagged Docker images, evaluated based on priority. credit: Tutorials Dojo
• Cross-Account Access: Secure access between accounts within an Organization should leverage the aws:PrincipalOrgID condition key.
• RDS Cross-Region Read Replicas: Primarily used for disaster recovery and regional latency reduction. Replication is asynchronous and requires independent, region-specific configuration.
• Route 53 Latency Routing: Routes users to the AWS region that provides the lowest network latency, which is distinct from geographic routing which is based on location only.

Final Conclusion

Success on the security portions of this exam hinges on understanding the architectural context. Candidates will be presented with complex scenarios featuring conflicting requirements and plausible but flawed answers.

Your objective is to identify the single, disqualifying detail in the incorrect options.

Mandatory Security Takeaways:

• CloudFront certificates must be created in us-east-1.
• Simple AD has severe functional limitations and is often the incorrect solution.
• AWS Secrets Manager provides native RDS rotation, eliminating the need for custom Lambda.
• AWS Network Firewall rules require strict sequential ordering.
• SCPs are inoperative when the Organization is in Consolidated Billing mode only.

Mastering these specific constraints ensures a significant advantage.

Catch up on the series:

1. Last-Minute Revision for the Solutions Architect – Professional exam – Introduction
2. AWS Organisations
3. Policies and Encryptions
4. Data Storage
5. Networking
6. Serverless
7. Final