AWS Solutions Architect — Domain 1: Design Secure Architectures

Domain 1 Overview

What You Need to Know

Task 1.1 — Secure Access

IAM users, roles, groups, policies
AWS Organizations & SCPs
Federation & SSO
MFA & least-privilege
Cross-account access

Task 1.2 — Secure Workloads

Security groups & NACLs
VPC design patterns
WAF, Shield, Firewall Manager
Bastion hosts vs. SSM Session Manager
Inspector, GuardDuty, Macie

Task 1.3 — Data Security

Encryption at rest & in transit
KMS, ACM, CloudHSM
S3 encryption options
Secrets Manager vs. Parameter Store
S3 bucket policies & ACLs

Task 1.4 — Resilient Architectures

Multi-AZ vs. Multi-Region
RTO vs. RPO strategies
Backup & DR patterns
Fault tolerance vs. high availability
Route 53 routing policies

Task 1.1 — IAM

IAM Core Concepts

Users · Groups · Roles · Policies

IAM User A permanent identity for a person or application. Has long-term credentials (password + access keys). Avoid for applications — use roles instead.

IAM Group A collection of IAM users. Policies attached to a group apply to all members. Simplifies permission management at scale. Groups cannot assume roles.

IAM Role A temporary identity assumed by a trusted principal (user, service, account). Issues short-lived STS credentials. Preferred for EC2 instances, Lambda, and cross-account access.

IAM Policy JSON document defining Allow/Deny actions on resources. Identity-based policies attach to users/groups/roles. Resource-based policies attach directly to resources (e.g., S3 bucket policy).

Roles are evaluated at runtime — no permanent credentials stored. Prefer roles over users for EC2 and Lambda. A Deny in any policy always overrides an Allow.

Task 1.1 — IAM Policies

Policy Types & Evaluation Logic

Identity-based · Resource-based · Permission Boundaries · SCPs

Policy Type	Attached To	Controls	Exam Trigger
Identity-based	User / Group / Role	What the principal can do	"Grant an EC2 role S3 access"
Resource-based	S3, SQS, KMS, etc.	Who can access this resource	"Allow cross-account S3 access"
Permission Boundary	IAM User / Role	Maximum permissions ceiling	"Dev can create roles but not exceed admin"
SCP (Org Policy)	AWS Account / OU	Maximum permissions for entire account	"Prevent all accounts from disabling CloudTrail"
Session Policy	AssumeRole call	Scopes permissions for session only	"Limit what federated user can do"

Effective permissions = intersection of identity policy AND resource policy (if cross-account, both must allow). SCPs restrict but never grant permissions.

Task 1.1 — Organizations

AWS Organizations & SCPs

Multi-account governance at scale

Organization Structure

Management Account: Root account — creates Org, owns billing
Organizational Units (OUs): Logical groupings (e.g., Prod, Dev, Security)
Member Accounts: Isolated AWS accounts per team/environment
Root: Top of hierarchy — SCPs here apply everywhere

Key Features

Consolidated billing across all accounts
SCPs control what member accounts can do
AWS Control Tower automates landing zones
Enables cross-account IAM roles
Tag policies enforce tagging standards

SCP Rules to Know

SCPs do NOT apply to the management account
SCPs do NOT grant permissions — they restrict them
Deny at OU level blocks all accounts in that OU
FullAWSAccess is the default SCP (allow all)
SCPs affect even the root user in member accounts

Use SCPs to prevent member accounts from leaving the org, disabling GuardDuty, or using unapproved regions.

Task 1.1 — Federation

Identity Federation & AWS IAM Identity Center

Letting external identities access AWS

SAML 2.0 Federation

Corporate directory (Active Directory) → AWS
Uses STS AssumeRoleWithSAML
Up to 12-hour session tokens
Good for existing enterprise IdPs

Web Identity Federation

Social IdPs: Cognito, Google, Facebook
STS AssumeRoleWithWebIdentity
Cognito preferred for mobile apps
Cognito Identity Pools → temporary AWS creds

IAM Identity Center (SSO)

Single sign-on across all AWS accounts
Integrates with AD, Okta, Azure AD
Manages permission sets per account
Recommended for multi-account orgs

IAM Identity Center (formerly SSO) is the modern recommended approach for multi-account human access. Use Cognito for end-user app authentication. Never create IAM users for each employee in an enterprise.

Task 1.2 — VPC Security

Security Groups vs. NACLs

Two layers of network access control

Feature	Security Group	Network ACL
Scope	Instance (ENI) level	Subnet level
Statefulness	Stateful — return traffic auto-allowed	Stateless — must explicitly allow inbound + outbound
Allow / Deny	Allow rules only	Allow AND Deny rules
Rule evaluation	All rules evaluated together	Rules evaluated in numbered order (lowest first)
Default behavior	Deny all inbound, allow all outbound	Allow all (default NACL)
Best use	Fine-grained instance protection	Subnet-level IP block lists (Deny bad IPs)

NACLs are stateless — if you allow inbound port 443, you MUST also allow outbound ephemeral ports (1024–65535). Security groups handle return traffic automatically.

Task 1.2 — VPC Design

Secure VPC Architecture Patterns

Public / Private / Isolated subnet tiers

Subnet Types

Public: Route to IGW; holds ALB, NAT GW, Bastion
Private: Route via NAT GW; holds EC2, ECS, Lambda
Isolated: No internet route; databases only

Key Components

Internet Gateway (IGW) — public internet
NAT Gateway — private → outbound only
VPC Endpoints — private AWS API access
VPC Peering / Transit Gateway — VPC-to-VPC
PrivateLink — cross-VPC service exposure

Exam Scenarios

"EC2 needs internet but not a public IP" → NAT Gateway in public subnet
"Lambda accesses RDS privately" → VPC-attached Lambda in private subnet, same VPC as RDS
"EC2 accesses S3 without internet" → VPC Gateway Endpoint for S3
"Centrally route traffic across 50 VPCs" → Transit Gateway (not VPC Peering — it doesn't scale)
"Share services across accounts privately" → PrivateLink / VPC Endpoint Services

Task 1.2 — Edge Protection

WAF · Shield · CloudFront · Firewall Manager

Protecting applications at the edge

AWS WAF Web Application Firewall. Filters HTTP/S traffic with rules (IP sets, rate limiting, SQL injection, XSS). Attaches to CloudFront, ALB, API Gateway, AppSync.

AWS Shield Standard Automatic DDoS protection for all AWS customers at no cost. Protects against Layer 3/4 attacks (volumetric, protocol).

AWS Shield Advanced Enhanced DDoS protection with 24/7 DDoS Response Team (DRT), real-time metrics, Layer 7 attack detection, and cost protection. ~$3,000/month.

AWS Firewall Manager Centrally manage WAF rules, Shield Advanced, and Security Groups across all accounts in an AWS Organization. Ensures consistent security posture.

WAF + CloudFront = the primary pattern for blocking Layer 7 attacks (SQL injection, XSS). Shield Advanced is for organizations needing DDoS financial protection and expert support.

Task 1.2 — Threat Detection

Security Monitoring Services

GuardDuty · Inspector · Macie · Security Hub

Amazon GuardDuty

Intelligent threat detection using ML
Analyzes CloudTrail, VPC Flow Logs, DNS logs
Detects: compromised instances, crypto mining, unusual API calls, port scanning
Agentless — no software to install
Finding types: Recon, Trojan, UnauthorizedAccess

Amazon Inspector

Automated vulnerability assessment
Scans EC2 instances and container images (ECR)
Checks OS vulnerabilities (CVEs), network exposure
Requires SSM Agent on EC2 instances
Continuous scanning (not just on-demand)

Amazon Macie

Discovers and protects sensitive data in S3
Uses ML to identify PII, financial data, credentials
Alerts on misconfigured S3 buckets (public access)
Generates findings for data compliance (GDPR, HIPAA)

AWS Security Hub

Centralizes findings from GuardDuty, Inspector, Macie
Provides security score and compliance checks
Integrates with AWS Config and third-party tools
Single pane of glass for security posture

Task 1.2 — Secure Access

Bastion Hosts vs. AWS Systems Manager Session Manager

Securely accessing EC2 instances in private subnets

Bastion Host (Legacy)

EC2 instance in public subnet acting as SSH jump server
Requires open inbound port 22 (SSH) or 3389 (RDP)
Must manage host OS, patching, and key rotation
Single point of failure if not made highly available
Logs SSH sessions separately — not native to CloudTrail

SSM Session Manager (Preferred)

No open ports required — no Security Group changes
No SSH keys to manage or rotate
Sessions logged to CloudTrail + S3/CloudWatch
Works for instances in private subnets with no internet
Requires SSM Agent + IAM role on the instance
Port forwarding and tunneling supported

Exam answer is almost always SSM Session Manager when the question mentions "no open ports," "eliminate bastion hosts," or "audit all session activity." Bastion hosts are operationally expensive and pose security risks.

Task 1.3 — Encryption

AWS Encryption Services

KMS · CloudHSM · ACM

AWS KMS Managed key service. Creates and controls Customer Master Keys (CMKs). Integrates natively with S3, EBS, RDS, DynamoDB, Lambda, and more. AWS-managed or customer-managed keys. FIPS 140-2 Level 2 validated.

AWS CloudHSM Dedicated Hardware Security Module in your VPC. You have exclusive control of keys — AWS cannot access them. FIPS 140-2 Level 3. Required for strict regulatory compliance. More expensive; you manage the HSM cluster.

AWS Certificate Manager (ACM) Provision, manage, and deploy SSL/TLS certificates. Free public certificates. Auto-renews. Integrates with ALB, CloudFront, API Gateway. Private CA option available. Protects data in transit.

KMS = managed, shared hardware, multi-tenant. CloudHSM = dedicated hardware, single-tenant, you own the keys. Choose CloudHSM when compliance requires exclusive key custody (FIPS Level 3).

Task 1.3 — S3 Security

S3 Encryption Options

Choosing the right server-side encryption mode

Type	Key Management	Use When	Compliance
SSE-S3	AWS manages all keys (AES-256)	Default — low overhead, no key management	Basic
SSE-KMS	KMS Customer Managed Key	Audit key usage, fine-grained access, CloudTrail logs	Moderate–High
SSE-C	You supply the key per request	You own and rotate keys outside AWS	High — Full key control
CSE (Client-side)	Encrypted before upload	Data never unencrypted inside AWS	Highest

S3 Access Controls

Bucket Policy: JSON policy on the bucket (resource-based)
S3 Block Public Access: Account/bucket override for public ACLs
ACLs: Legacy — prefer bucket policies
S3 Access Points: Granular per-application access policies

S3 Security Best Practices

Enable Block Public Access at account level
Enforce HTTPS-only via bucket policy (aws:SecureTransport)
Enable S3 Object Lock for WORM compliance
Use S3 Versioning to protect against accidental deletes

S3 encryption and access controls are heavily tested. Know which encryption mode to recommend for each scenario. SSE-KMS is preferred when you need audit trails of who accessed what data, because KMS API calls appear in CloudTrail. SSE-C puts key management entirely on the customer — if you lose the key, the data is unrecoverable. Bucket policies vs ACLs: AWS recommends bucket policies. ACLs are a legacy mechanism; Block Public Access settings should always be enabled unless you have a specific reason for public objects. S3 Object Lock in COMPLIANCE mode prevents even root users from deleting objects before the retention period — used for financial and healthcare compliance. The aws:SecureTransport condition key in a bucket policy is the exam-preferred way to enforce HTTPS-only access.

Task 1.3 — Secrets

Secrets Manager vs. Parameter Store

Managing application credentials and configuration securely

Feature	Secrets Manager	Systems Manager Parameter Store
Primary use	Database credentials, API keys, OAuth tokens	Configuration values, feature flags, non-secret params
Automatic rotation	✅ Built-in rotation with Lambda	❌ Manual (can build rotation)
Cost	~$0.40/secret/month	Free (Standard); $0.05/10k API calls (Advanced)
Secret size	Up to 65KB	Up to 8KB (Standard) / 8KB (Advanced)
KMS encryption	Always encrypted with KMS	SecureString tier uses KMS; String is plaintext
Cross-account	✅ Resource-based policy	Limited (use with care)

"Database password that must rotate automatically every 30 days" → Secrets Manager. "Application config values with some sensitive fields" → Parameter Store SecureString (cost-effective). Never hardcode credentials in code or EC2 user data.

Task 1.4 — Resilience

High Availability vs. Fault Tolerance

RTO · RPO · Multi-AZ · Multi-Region

Key Definitions

RTO — Recovery Time Objective: How long can you be down? (time to recover)
RPO — Recovery Point Objective: How much data can you lose? (time since last backup)
HA — System recovers quickly but may have brief downtime (failover)
FT — System continues operating without interruption (no downtime)
Multi-AZ — Protects against AZ failure (same region)
Multi-Region — Protects against region failure (global)

DR Strategy Spectrum

Backup & Restore — Lowest cost, highest RTO (hours). S3 backups, AMIs.
Pilot Light — Core systems running (DB replicated). Scale up on disaster.
Warm Standby — Scaled-down version always running. Faster failover.
Multi-Site Active/Active — Full capacity in both regions. Near-zero RTO/RPO. Highest cost.

Lower RTO/RPO = higher cost. Match the DR strategy to the business requirement. "Minutes RTO" = Warm Standby or Active/Active. "Zero RPO" = synchronous replication (Multi-AZ RDS).

DR strategy selection is a classic exam question type. The trade-off is always cost vs. recovery speed. Backup and Restore: cheapest. You store backups in S3. On disaster, you restore from backup. RTO could be hours. Good for non-critical workloads. Pilot Light: keep a minimal version of the core system running (like a replicated database) but app servers are stopped. On disaster, start the app servers and scale up. RTO in tens of minutes. Warm Standby: a smaller version of the full production environment runs continuously. On disaster, scale it up to full production capacity. RTO in minutes. Multi-Site Active/Active: full production runs in two regions simultaneously. Route 53 routes traffic to both. On disaster, just redirect all traffic. Near-zero RTO and RPO. Expensive. RDS Multi-AZ uses synchronous replication — zero RPO within a region. RDS Read Replicas use asynchronous replication — small RPO, but enable cross-region DR.

Task 1.4 — Route 53

Route 53 Routing Policies

Directing traffic for availability and performance

Policy	How It Works	Use Case
Simple	Single record, returns all values randomly	Single resource, no health checks
Weighted	Distribute % of traffic across endpoints	A/B testing, blue/green deployments, gradual migrations
Latency	Routes to lowest-latency AWS region	Global apps — minimize user-perceived latency
Failover	Primary → Secondary on health check failure	Active-passive DR; automatic failover
Geolocation	Routes based on user's geographic location	GDPR compliance, content localization
Geoproximity	Routes by location with bias adjustment	Shift traffic weight between regions
Multivalue Answer	Returns up to 8 healthy records randomly	Client-side load balancing with health checks

Failover requires health checks. Weighted with 0 weight = remove from rotation without deleting the record. Latency-based ≠ Geolocation — latency routes to lowest-latency AWS region, not nearest geography.

Route 53 routing policies appear in both Domain 1 (resilience) and Domain 2 (performance) questions. The most commonly tested distinction: Failover vs. Latency-based. Failover is for active-passive DR: Route 53 checks health of the primary endpoint and only routes to secondary when primary fails. Latency-based is for performance optimization — it doesn't care about failures, only which AWS region will respond fastest. Geolocation vs. Geoproximity: Geolocation routes based on where the user is located (country/continent). Geoproximity lets you bias traffic toward regions by adjusting a bias value — useful for gradually shifting traffic from one region to another. Weighted routing at 0 and 100 effectively mimics failover manually, but without automatic health-check-based switching.

Task 1.4 — AWS Services

Resilience Patterns by Service

Multi-AZ & Multi-Region configurations

EC2 & Auto Scaling

Spread instances across ≥2 AZs
ALB distributes across AZs
ASG replaces unhealthy instances automatically
Placement Groups: Spread = HA; Cluster = performance

RDS

Multi-AZ: Synchronous standby, automatic failover ~1-2 min
Read Replicas: Async, for read scaling or cross-region DR
RDS Proxy: Reduces connection overhead during failover
Aurora: 6-way replication across 3 AZs by default

S3

11 nines durability — data stored across ≥3 AZs
Versioning: Protect against accidental deletes
Cross-Region Replication (CRR): Multi-region DR
S3 Replication Time Control: 15-min RPO SLA

DynamoDB

Multi-AZ by default (3 AZs)
Global Tables: Multi-Region Active/Active
PITR (Point-in-time recovery): Up to 35 days
On-demand backups: Manual snapshots

ElastiCache

Redis: Multi-AZ with automatic failover
Redis Global Datastore: Multi-Region replication
Cluster Mode: Shard data across nodes

Common Patterns

"Always available" = Multi-AZ
"Survive region failure" = Multi-Region
"Lowest RPO for RDS" = Multi-AZ (sync replication)
"Read scaling + cross-region DR" = Read Replica

Each AWS service has a specific multi-AZ and multi-region story. Know them for the exam. RDS Multi-AZ uses synchronous replication — the standby is always up-to-date. Automatic failover takes 1-2 minutes. The endpoint doesn't change — Route 53 CNAME flips automatically. RDS Read Replicas use asynchronous replication — slight data lag. They can be in different regions and can be promoted to standalone DB if the primary fails (requires manual promotion — not automatic failover). Aurora is different from standard RDS: it stores 6 copies of data across 3 AZs in a shared storage layer. Aurora Global Database can replicate to a secondary region in under 1 second with sub-second RPO. DynamoDB Global Tables provide multi-region active/active replication — last-writer-wins conflict resolution. Latency under 1 second for replication. S3 Cross-Region Replication requires versioning enabled on both source and destination buckets.

Quick Review

Exam Checklist — Domain 1

Can you answer these?

Task 1.1 — Secure Access

Difference between IAM users, groups, roles, policies
When to use permission boundaries vs. SCPs
How cross-account role assumption works
IAM Identity Center vs. SAML federation vs. Cognito
Why roles are preferred over access keys for services

Task 1.2 — Secure Workloads

Security groups (stateful) vs. NACLs (stateless)
When to use WAF vs. Shield vs. Shield Advanced
GuardDuty vs. Inspector vs. Macie use cases
SSM Session Manager vs. Bastion host trade-offs
VPC Endpoint types (Gateway vs. Interface)

Task 1.3 — Data Security

KMS vs. CloudHSM (shared vs. dedicated, Level 2 vs. Level 3)
S3 encryption: SSE-S3 vs. SSE-KMS vs. SSE-C vs. CSE
Secrets Manager (auto-rotation) vs. Parameter Store (config)
Enforce HTTPS on S3 with aws:SecureTransport
S3 Object Lock: compliance WORM storage

Task 1.4 — Resilience

RTO vs. RPO definitions and DR strategy spectrum
RDS Multi-AZ (sync/HA) vs. Read Replicas (async/scaling)
Route 53 Failover vs. Latency vs. Geolocation policies
DynamoDB Global Tables for Multi-Region Active/Active
S3 Cross-Region Replication requires versioning enabled

This checklist covers the highest-probability exam topics in Domain 1. If you're unsure about any of these points, go back to the relevant slide and review it. Domain 1 questions are often scenario-based: they describe a business situation and ask you to pick the correct AWS service or architectural pattern. The key is understanding WHY each service is used, not just what it does. Focus on distinctions between similar services: KMS vs CloudHSM, GuardDuty vs Inspector, Session Manager vs Bastion, Security Groups vs NACLs. These comparisons appear frequently. Practice mapping exam trigger phrases to answers: "no open inbound ports" → SSM Session Manager; "block a specific IP" → NACL; "automatic password rotation" → Secrets Manager; "exclusive key control" → CloudHSM; "near-zero RTO globally" → Multi-Region Active/Active with Route 53.

Quick Reference

Service → Task Quick Map

Identity & Access

IAM → users, roles, policies
Organizations → multi-account SCPs
IAM Identity Center → enterprise SSO
Cognito → app user auth + temp AWS creds
STS → temporary security credentials

Network Security

Security Groups → instance firewall (stateful)
NACLs → subnet firewall (stateless)
WAF → Layer 7 filtering
Shield → DDoS protection
Firewall Manager → centralized rule mgmt

Threat Detection

GuardDuty → runtime threat detection
Inspector → vulnerability scanning
Macie → S3 PII discovery
Security Hub → centralized findings
CloudTrail → API audit log

Encryption & Secrets

KMS → managed encryption keys
CloudHSM → dedicated HSM / Level 3
ACM → SSL/TLS certificates
Secrets Manager → rotating credentials
Parameter Store → config + SecureString

Resilience

Route 53 → DNS routing + failover
ALB + ASG → AZ-level HA
RDS Multi-AZ → sync DB replication
Aurora Global DB → cross-region DB
DynamoDB Global Tables → multi-region

Access & Monitoring

SSM Session Manager → no-port EC2 access
VPC Endpoints → private AWS API access
AWS Config → resource config compliance
CloudWatch → metrics, logs, alarms
S3 Object Lock → WORM compliance

Design Secure
Architectures

What You Need to Know

Secure Access to AWS Resources

IAM Core Concepts

Policy Types & Evaluation Logic

AWS Organizations & SCPs

Identity Federation & AWS IAM Identity Center

Secure Workloads & Applications

Security Groups vs. NACLs

Secure VPC Architecture Patterns

WAF · Shield · CloudFront · Firewall Manager

Security Monitoring Services

Bastion Hosts vs. AWS Systems Manager Session Manager

Appropriate Data Security Controls

AWS Encryption Services

S3 Encryption Options

Secrets Manager vs. Parameter Store

Design Resilient Architectures

High Availability vs. Fault Tolerance

Route 53 Routing Policies

Resilience Patterns by Service

Exam Checklist — Domain 1

Service → Task Quick Map

You're ready for Domain 1

Design SecureArchitectures

What You Need to Know

Secure Access to AWS Resources

IAM Core Concepts

Policy Types & Evaluation Logic

AWS Organizations & SCPs

Identity Federation & AWS IAM Identity Center

Secure Workloads & Applications

Security Groups vs. NACLs

Secure VPC Architecture Patterns

WAF · Shield · CloudFront · Firewall Manager

Security Monitoring Services

Bastion Hosts vs. AWS Systems Manager Session Manager

Appropriate Data Security Controls

AWS Encryption Services

S3 Encryption Options

Secrets Manager vs. Parameter Store

Design Resilient Architectures

High Availability vs. Fault Tolerance

Route 53 Routing Policies

Resilience Patterns by Service

Exam Checklist — Domain 1

Service → Task Quick Map

You're ready for Domain 1

Design Secure
Architectures