Document history

The following table describes significant changes to this guide. If you want to be notified about future updates, you can subscribe to an RSS feed.

Change	Description	Date
Content restructure and updates	Added guidance for Security Hub and AWS Nitro Enclaves. Restructured the AWS SRA to focus on the core architecture and moved the deep dive sections to separate guides for identity management, perimeter security, cyber forensics, generative AI, and IoT. Updated existing guidance to include additional details for AWS CloudTrail, AWS Config, Amazon Detective, AWS Firewall Manager, Amazon GuardDuty, IAM Access Analyzer, Amazon Security Lake, AWS Shield Advanced, and AWS Audit Manager.	December 22, 2025
Major updates	Added information about new IAM centralized root user access management, resource control policies (RCPs), and declarative policies. Updated Security Hub CSPM references to new Security Hub CSPM. Included new service features for Amazon GuardDuty and Security Hub CSPM. Added AWS Security Incident Response service guidance. Updated IAM deep dive guidance to include VPC Lattice for machine-to-machine identity management. Added a new deep dive guidance: SRA for IoT.	August 29, 2025
Additions and clarifications	In the Security Tooling account section, updated the AWS KMS guidance. In the Customer identity management section, expanded the information about authorizing API Gateway. Updated the Generative AI section to add a design consideration for OU and account design. In the AWS SRA code repository section, added information about the new Patch Management solution.	September 12, 2024
Major updates	Added two sections for deep dive architectural guidance: Generative AI using Amazon Bedrock and Identity management. Updated the AWS Identity and Access Management Access Analyzer, Amazon Detective, Amazon Inspector, AWS Artifact, AWS Config, Amazon Security Lake, AWS Security Hub CSPM, and Amazon CloudFront sections with new service features. Updated the AWS SRA code repository section to include the new Terraform deployment option and the addition of AWS Shield Advanced and AMI Bakery solutions.	June 7, 2024
Major updates	Updated the Network account and Application account sections to add architectural guidance for Amazon Verified Permissions, AWS Verified Access, and Amazon VPC Lattice. Added deep dive architectural guidance based on security functionality. Added new guidance around how AWS services use AI/ML to provide better security outcomes. Added guidance on how plan your security architecture in a phased manner.	November 4, 2023
Security Lake addition	Updated the Security Tooling account and Log Archive account sections to add design guidance related to Amazon Security Lake.	September 22, 2023
Minor updates	Updated existing guidance to reflect new AWS services features and best practices. Updated architectural guidance for AWS CloudTrail, AWS IAM Identity Center, and edge security.	May 10, 2023
Survey	Added a short survey to gain a better understanding of how you use the AWS SRA in your organization.	December 14, 2022
Source files for reference architecture diagrams	In the AWS Security Reference Architecture section, added a download file that provides the architecture diagrams for this guide in editable PowerPoint format.	November 17, 2022
Updates to Security foundations section	In the Security foundations section, updated the information about Well-Architected Framework pillars and security design principles.	September 27, 2022
Major additions and updates	Added information about how to use the AWS SRA and key implementation guidelines. Added architectural guidance for additional AWS services such as AWS Artifact, Amazon Inspector, AWS RAM, Amazon Route 53, AWS Control Tower, AWS Audit Manager, Directory Service, Amazon Cognito, and Network Access Analyzer. Updated existing guidance to reflect new AWS service features and best practices.	July 25, 2022
—	Initial publication	June 23, 2021

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Appendix: AWS security, identity, and compliance services

Glossary