# Zero Trust Architecture Implementation

Comprehensive Zero Trust security architecture for AWS Control Tower Landing Zone.

## Executive Summary

This implementation follows the NIST 800-207 Zero Trust Architecture framework, providing defense-in-depth security controls that assume no implicit trust and continuously verify every access request.
## Zero Trust Principles

### 1. Never Trust, Always Verify

- **MFA Enforcement**: Multi-factor authentication required for all users
- **Continuous Authentication**: Every request is authenticated and authorized
- **Session Management**: Secure, audited access via AWS Systems Manager
- **No SSH/RDP**: Direct access protocols disabled

### 2. Assume Breach

- **VPC Flow Logs**: Complete network traffic monitoring
- **GuardDuty**: Continuous threat detection
- **CloudTrail**: Comprehensive audit logging
- **Security Hub**: Centralized security findings

### 3. Verify Explicitly

- **IAM Access Analyzer**: Continuous access verification
- **Log File Validation**: Cryptographic verification of logs
- **Config Rules**: Continuous compliance monitoring
- **Real-time Alerts**: Immediate notification of security events

### 4. Least Privilege Access

- **No Wildcard Permissions**: Explicit permissions only
- **Temporary Credentials**: Short-lived access tokens
- **Role-based Access**: IAM roles instead of users
- **Just-in-Time Access**: Access granted only when needed

### 5. Segment Access (Micro-segmentation)

- **Private Subnets**: No direct internet access
- **VPC Endpoints**: Private connectivity to AWS services
- **Security Groups**: Default deny with explicit allow rules
- **Network ACLs**: Defense in depth at subnet level
## Architecture Components

### Network Layer

```
┌────────────────────────────────────────────────────────┐
│ Zero Trust VPC                                         │
│ ┌────────────────────────────────────────────────────┐ │
│ │ Private Subnets (Multi-AZ)                         │ │
│ │ • No Internet Gateway                              │ │
│ │ • VPC Endpoints for AWS services                   │ │
│ │ • Network ACLs for defense in depth                │ │
│ │ • VPC Flow Logs enabled                            │ │
│ └────────────────────────────────────────────────────┘ │
│                                                        │
│ ┌────────────────────────────────────────────────────┐ │
│ │ VPC Endpoints (Private Connectivity)               │ │
│ │ Interface: EC2, SSM, KMS, Secrets, ECR, ECS, Logs  │ │
│ │ Gateway: S3, DynamoDB                              │ │
│ └────────────────────────────────────────────────────┘ │
└────────────────────────────────────────────────────────┘
```
### Identity Layer

```
┌────────────────────────────────────────────────────────┐
│ Identity & Access Management                           │
│ ┌────────────────────────────────────────────────────┐ │
│ │ AWS IAM Identity Center (SSO)                      │ │
│ │ • Centralized identity management                  │ │
│ │ • MFA enforcement                                  │ │
│ │ • Temporary credentials                            │ │
│ └────────────────────────────────────────────────────┘ │
│                                                        │
│ ┌────────────────────────────────────────────────────┐ │
│ │ IAM Access Analyzer                                │ │
│ │ • Continuous access monitoring                     │ │
│ │ • External access detection                        │ │
│ │ • Policy validation                                │ │
│ └────────────────────────────────────────────────────┘ │
│                                                        │
│ ┌────────────────────────────────────────────────────┐ │
│ │ AWS Verified Access                                │ │
│ │ • Zero Trust network access                        │ │
│ │ • Context-aware authorization                      │ │
│ │ • No VPN required                                  │ │
│ └────────────────────────────────────────────────────┘ │
└────────────────────────────────────────────────────────┘
```
### Application Layer

```
┌────────────────────────────────────────────────────────┐
│ Application Protection                                 │
│ ┌────────────────────────────────────────────────────┐ │
│ │ AWS WAF                                            │ │
│ │ • Rate limiting                                    │ │
│ │ • Geo-blocking                                     │ │
│ │ • Managed rule sets                                │ │
│ │ • Custom security rules                            │ │
│ └────────────────────────────────────────────────────┘ │
│                                                        │
│ ┌────────────────────────────────────────────────────┐ │
│ │ AWS PrivateLink                                    │ │
│ │ • Service-to-service communication                 │ │
│ │ • No internet exposure                             │ │
│ │ • Private connectivity                             │ │
│ └────────────────────────────────────────────────────┘ │
└────────────────────────────────────────────────────────┘
```
### Data Layer

```
┌────────────────────────────────────────────────────────┐
│ Data Protection                                        │
│ ┌────────────────────────────────────────────────────┐ │
│ │ Encryption at Rest                                 │ │
│ │ • AWS KMS for key management                       │ │
│ │ • Automatic key rotation                           │ │
│ │ • Encrypted EBS, S3, RDS, ElastiCache              │ │
│ └────────────────────────────────────────────────────┘ │
│                                                        │
│ ┌────────────────────────────────────────────────────┐ │
│ │ Encryption in Transit                              │ │
│ │ • TLS 1.2+ for all communications                  │ │
│ │ • Certificate management                           │ │
│ │ • Perfect forward secrecy                          │ │
│ └────────────────────────────────────────────────────┘ │
│                                                        │
│ ┌────────────────────────────────────────────────────┐ │
│ │ AWS Secrets Manager                                │ │
│ │ • Secure credential storage                        │ │
│ │ • Automatic rotation                               │ │
│ │ • Audit logging                                    │ │
│ └────────────────────────────────────────────────────┘ │
└────────────────────────────────────────────────────────┘
```
## Implementation Guide

### Step 1: Deploy Zero Trust Module

```hcl
module "zero_trust" {
  source = "./modules/zero-trust"

  name_prefix = var.project_name
  region      = var.home_region

  # Workload VPC: private subnets only, spread across three AZs
  vpc_cidr           = "10.100.0.0/16"
  availability_zones = ["ap-southeast-2a", "ap-southeast-2b", "ap-southeast-2c"]

  # Shared dependencies provided by the security and logging modules
  kms_key_id          = module.security.kms_key_id
  sns_topic_arn       = aws_sns_topic.security.arn
  session_logs_bucket = module.logging.log_bucket_name

  # Optional components (Verified Access, PrivateLink, WAF)
  enable_verified_access = true
  enable_privatelink     = true
  enable_waf             = true

  tags = local.common_tags
}
```
### Step 2: Configure IAM Identity Center

1. Enable IAM Identity Center in the management account
2. Configure the identity source (Active Directory, Okta, etc.)
3. Create permission sets with least privilege
4. Assign users to accounts and permission sets
5. Enable MFA for all users

### Step 3: Implement Network Segmentation

1. Deploy workloads in private subnets
2. Configure VPC endpoints for AWS services
3. Remove internet gateways from workload VPCs
4. Implement security groups with default deny
5. Enable VPC Flow Logs

### Step 4: Enable Monitoring

1. Configure CloudWatch alarms
2. Set up EventBridge rules
3. Enable GuardDuty
4. Enable Security Hub
5. Configure SNS notifications

### Step 5: Enforce Policies

1. Apply OPA Zero Trust policies
2. Enable AWS Config rules
3. Implement SCPs for guardrails
4. Review policies regularly
## Security Controls

### Identity Controls

| Control | Implementation | Status |
|---|---|---|
| MFA Enforcement | IAM policy denies actions without MFA | ✅ Implemented |
| No Long-term Credentials | IAM roles with temporary credentials | ✅ Implemented |
| Access Analyzer | Continuous monitoring of resource access | ✅ Implemented |
| Session Manager | Secure access without SSH/RDP | ✅ Implemented |
| Verified Access | Zero Trust network access | ✅ Implemented |
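The MFA Enforcement control above and the "No Wildcard Permissions" principle can both be checked mechanically before a policy is deployed. The following is an added example in Python, not part of the module: the two policy documents are constructed samples and `lint_policy` is a hypothetical helper.

```python
"""Lint IAM policy documents for two identity controls: a Deny for requests
without MFA, and no wildcard permissions. Constructed sample policies."""
import json

# Constructed "before": a single wildcard grant with no MFA condition
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed "after": explicit actions and ARNs, plus a Deny that fires when
# aws:MultiFactorAuthPresent is false OR absent. BoolIfExists matters: the key
# is missing for long-term access keys, and a plain Bool would not match then.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-logs", "arn:aws:s3:::example-logs/*"]},
        {"Effect": "Deny",
         "NotAction": ["iam:ListMFADevices", "iam:EnableMFADevice",
                       "iam:CreateVirtualMFADevice", "sts:GetSessionToken"],
         "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(document):
    """Return a list of findings; an empty list means both controls hold."""
    findings = []
    has_mfa_deny = False
    for i, st in enumerate(_as_list(json.loads(document)["Statement"])):
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if st.get("Effect") == "Allow":
            # "*" and service-wide "svc:*" are both wildcard grants
            if any(a == "*" or a.endswith(":*") for a in actions):
                findings.append(f"statement {i}: wildcard Action {actions}")
            if "*" in resources:
                findings.append(f"statement {i}: wildcard Resource")
        elif st.get("Effect") == "Deny":
            cond = st.get("Condition", {})
            for op in ("Bool", "BoolIfExists"):
                flag = cond.get(op, {}).get("aws:MultiFactorAuthPresent")
                if str(flag).lower() == "false":
                    has_mfa_deny = True
    if not has_mfa_deny:
        findings.append("no Deny statement conditioned on aws:MultiFactorAuthPresent")
    return findings
```

Run this over every policy document in a pull request; any non-empty result fails the review gate.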
### Network Controls

| Control | Implementation | Status |
|---|---|---|
| Private Subnets | No internet gateway | ✅ Implemented |
| VPC Endpoints | Private AWS service access | ✅ Implemented |
| VPC Flow Logs | Complete traffic logging | ✅ Implemented |
| Network ACLs | Defense in depth | ✅ Implemented |
| Security Groups | Default deny | ✅ Implemented |
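Together, the network controls above (private subnets, default-deny security groups, no SSH/RDP, VPC Flow Logs) define what should never appear in the logs: an accepted inbound flow to the workload range on port 22 or 3389, or from a non-RFC 1918 source. This is an added example in Python, not the module's own code; the records are constructed in the default version 2 flow log format, the workload CIDR is the one from Step 1, and `find_violations` is a hypothetical helper.

```python
"""Flag accepted inbound flows that contradict the private-subnet design,
using VPC Flow Log records in the default (version 2) format."""
import ipaddress

# Workload range from the module block above; RFC 1918 defines "internal"
WORKLOAD_CIDR = ipaddress.ip_network("10.100.0.0/16")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DIRECT_ACCESS_PORTS = {22: "ssh", 3389: "rdp"}   # disabled by design

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed records: accepted SSH from outside, a normal internal HTTPS
# flow, a rejected RDP probe, accepted HTTPS from outside, a NODATA record
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.100.1.25 51234 22 6 10 840 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.100.2.40 10.100.1.25 43322 443 6 20 4200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.100.1.25 60000 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.55 10.100.1.25 50210 443 6 12 2600 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse_record(line):
    """Map one space-separated record onto FIELDS, or None if malformed."""
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def is_internal(addr):
    return any(addr in net for net in RFC1918)

def find_violations(log_text):
    """Return (reason, srcaddr, dstport) for each accepted inbound violation."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        # NODATA/SKIPDATA records carry no addresses, and REJECT is the
        # security group doing its job, so only ACCEPT/OK is evaluated
        if rec is None or rec["log_status"] != "OK" or rec["action"] != "ACCEPT":
            continue
        if ipaddress.ip_address(rec["dstaddr"]) not in WORKLOAD_CIDR:
            continue   # outbound or unrelated; only inbound to workloads
        port = int(rec["dstport"])
        if port in DIRECT_ACCESS_PORTS:
            findings.append((DIRECT_ACCESS_PORTS[port] + "-accepted", rec["srcaddr"], port))
        elif not is_internal(ipaddress.ip_address(rec["srcaddr"])):
            findings.append(("internet-source-accepted", rec["srcaddr"], port))
    return findings
```

Each finding is a concrete candidate for a CloudWatch alarm or an SNS notification; an empty result over a day's logs is evidence for the Network Controls table.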
### Application Controls

| Control | Implementation | Status |
|---|---|---|
| WAF Protection | Rate limiting, geo-blocking | ✅ Implemented |
| PrivateLink | Service-to-service communication | ✅ Implemented |
| TLS Everywhere | Encryption in transit | ✅ Implemented |
| API Gateway | Centralized API management | 🔄 Optional |
| App Mesh | Service mesh for microservices | 🔄 Optional |

### Data Controls

| Control | Implementation | Status |
|---|---|---|
| KMS Encryption | All data at rest encrypted | ✅ Implemented |
| Key Rotation | Automatic key rotation | ✅ Implemented |
| Secrets Manager | Secure credential storage | ✅ Implemented |
| S3 Encryption | Mandatory bucket encryption | ✅ Implemented |
| RDS Encryption | Database encryption | ✅ Implemented |

### Monitoring Controls

| Control | Implementation | Status |
|---|---|---|
| CloudTrail | API call logging | ✅ Implemented |
| GuardDuty | Threat detection | ✅ Implemented |
| Security Hub | Centralized findings | ✅ Implemented |
| Config | Compliance monitoring | ✅ Implemented |
| CloudWatch | Metrics and alarms | ✅ Implemented |
## Compliance Mapping

### NIST 800-207 Zero Trust Architecture

| Tenet | Implementation | Evidence |
|---|---|---|
| Data sources and computing services are considered resources | All AWS resources treated as untrusted | VPC endpoints, private subnets |
| All communication is secured regardless of network location | TLS everywhere, VPC endpoints | Encryption in transit |
| Access to individual enterprise resources is granted on a per-session basis | Temporary credentials, Session Manager | IAM roles, SSM |
| Access to resources is determined by dynamic policy | IAM policies, security groups | Policy-based access |
| The enterprise monitors and measures the integrity and security posture of all owned and associated assets | GuardDuty, Security Hub, Config | Continuous monitoring |
| All resource authentication and authorization are dynamic and strictly enforced before access is allowed | MFA, Access Analyzer | Identity verification |
| The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications | CloudTrail, VPC Flow Logs | Comprehensive logging |
### NIST 800-53 Controls

- **AC-2**: Account Management (IAM Identity Center)
- **AC-3**: Access Enforcement (Security groups, NACLs)
- **AC-6**: Least Privilege (IAM policies)
- **AU-2**: Audit Events (CloudTrail, VPC Flow Logs)
- **AU-6**: Audit Review (GuardDuty, Security Hub)
- **IA-2**: Identification and Authentication (MFA)
- **SC-7**: Boundary Protection (VPC, security groups)
- **SC-8**: Transmission Confidentiality (TLS)
- **SC-13**: Cryptographic Protection (KMS)
- **SI-4**: Information System Monitoring (CloudWatch)
## Operational Procedures

### Daily Operations

1. **Monitor Security Dashboard**
   - Review GuardDuty findings
   - Check Security Hub compliance score
   - Review CloudWatch alarms
2. **Access Reviews**
   - Review Access Analyzer findings
   - Validate temporary access grants
   - Audit Session Manager activity
3. **Incident Response**
   - Investigate security alerts
   - Review CloudTrail logs
   - Document findings

### Weekly Operations

1. **Policy Reviews**
   - Review IAM policies
   - Validate security group rules
   - Check VPC endpoint usage
2. **Compliance Checks**
   - Run Config compliance reports
   - Review OPA policy violations
   - Update remediation plans

### Monthly Operations

1. **Access Certification**
   - Review user access
   - Validate role assignments
   - Remove unused permissions
2. **Security Assessments**
   - Run vulnerability scans
   - Review architecture changes
   - Update threat models
## Troubleshooting

### Common Issues

**Issue**: Cannot access AWS services from private subnet