Scenario and architecture overview

A serverless data lake that uses Amazon Simple Storage Service (Amazon S3) for storage and AWS Lambda for extract, transform, and load (ETL) operations

A containerised web service that runs on Amazon Elastic Container Service (Amazon ECS) and uses a database in Amazon Relational Database Service (Amazon RDS)

A commercial off-the-shelf (COTS) software running on Amazon EC2

Identity federation links AWS IAM Identity Center to their Microsoft Entra ID (formerly Azure Active Directory) instance. The federation enforces MFA, automatic expiry of user accounts, and the use of short-lived credentials through AWS Identity and Access Management (IAM) roles.

A centralised AMI pipeline is used to patch OSs and core applications with EC2 Image Builder.

Amazon Inspector is enabled to identify vulnerabilities, and all security findings are sent to Amazon GuardDuty for centralised management.

Established mechanisms are used to update application control rules, respond to cyber security events, and review compliance gaps.

AWS CloudTrail is used for logging and monitoring.

Security events, such as login of the root user, initiate alerts.

SCPs and VPC endpoint policies establish data perimeters for your AWS environments.

SCPs prevent application teams from disabling security and logging services, such as CloudTrail and AWS Config.

AWS Config findings are aggregated from across the whole AWS organization into a single AWS account for security.

The AWS Config ACSC Essential 8 conformance pack is enabled across all AWS accounts in your organization.