AWS Security Reference Architecture (AWS SRA) – perimeter security - AWS Prescriptive Guidance

Global Services Security Team, Amazon Web Services (contributors)

December 2025 (document history)

This guidance provides architectural patterns for building a secure perimeter on AWS. This is an extension of the AWS SRA – Core Architecture guide. It dives deep into AWS perimeter services and how they fit into the core security architecture defined by the AWS SRA. 

In the context of this guidance, a perimeter is defined as the boundary where your applications connect to the internet. The security of the perimeter includes secure content delivery, application-layer protection, and distributed denial of service (DDoS) mitigation. AWS perimeter services include Amazon CloudFront, AWS WAF, AWS Shield, Amazon Route 53, and AWS Global Accelerator. These services are designed to provide secure, low-latency, high-performance access to AWS resources and content delivery. You can use these perimeter services with other security services such as Amazon GuardDuty and AWS Firewall Manager to help build a secure perimeter for your applications. 

Multiple architecture patterns for perimeter security are available to support different organizational needs. This section focuses on two common patterns: deploying perimeter services in a central (Network) account, and deploying some of the perimeter services into individual workload (Application) accounts. The section covers the benefits of both architectures and their key considerations. 

In this guide: