
Design Secure Workloads And Applications

Exam Guide: Solutions Architect - Associate
🛡️ Domain 1: Design Secure Architectures
📘 Task Statement 1.2


🎯 Securing workloads and apps usually means:

1 Secure network design: VPC layout, segmentation, filtering
2 Secure traffic flow: ingress/egress control, endpoints, TLS
3 Secure credentials: no hard-coded secrets, secrets must be managed + rotated
4 Threat protection & detection: WAF/Shield, GuardDuty, Macie
5 Secure external connectivity: VPN, Direct Connect, controlled inbound paths

This task shifts from “who can access AWS” (Task 1.1) to “how the workload is built and protected”.


Knowledge (what you must understand)

1 | Application Configuration And Credentials Security

Goal: keep secrets out of code, AMIs, user data, and plain-text configs.

  • Use AWS Secrets Manager for database passwords, API keys, and rotation.
  • Use SSM Parameter Store for configuration (and SecureString with KMS for sensitive values).

“Credentials are stored in code” → move to Secrets Manager
“Need automatic rotation” → Secrets Manager
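An added example, not from the original post, of what "keep secrets out of code" looks like at runtime: the application reads a JSON secret through the Secrets Manager API, and a small audit flags secrets whose rotation is off or overdue. The `FakeSecretsManager` class, the secret names and the dates are constructed stand-ins for a real `boto3` client so the code runs offline; against AWS you would pass `boto3.client("secretsmanager")` instead.

```python
import json
from datetime import datetime, timedelta, timezone

class FakeSecretsManager:
    """Constructed stand-in for boto3.client("secretsmanager") with the same response
    shape as get_secret_value() and describe_secret(), so the example runs offline."""
    def __init__(self, store):
        self._store = store
    def get_secret_value(self, SecretId):
        return {"Name": SecretId, "SecretString": json.dumps(self._store[SecretId]["value"])}
    def describe_secret(self, SecretId):
        entry = self._store[SecretId]
        return {"Name": SecretId, "RotationEnabled": entry["rotation"],
                "LastRotatedDate": entry.get("rotated")}

def load_db_credentials(client, secret_id):
    """Fetch a JSON secret at runtime instead of baking it into code, AMIs or user data."""
    resp = client.get_secret_value(SecretId=secret_id)
    if "SecretString" not in resp:  # binary secrets arrive as SecretBinary bytes instead
        raise ValueError("expected a JSON string secret")
    creds = json.loads(resp["SecretString"])
    return creds["username"], creds["password"]

def stale_secrets(client, secret_ids, max_age_days=90, now=None):
    """Audit: flag secrets with rotation disabled, never rotated, or rotated too long ago."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for sid in secret_ids:
        meta = client.describe_secret(SecretId=sid)
        if not meta.get("RotationEnabled"):
            findings.append((sid, "rotation disabled"))
        elif meta.get("LastRotatedDate") is None:
            findings.append((sid, "never rotated"))
        elif now - meta["LastRotatedDate"] > timedelta(days=max_age_days):
            findings.append((sid, "last rotation older than %d days" % max_age_days))
    return findings

# Constructed sample secrets; the password values are placeholders, not real credentials.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = FakeSecretsManager({
    "prod/db/app": {"value": {"username": "app", "password": "placeholder"},
                    "rotation": True, "rotated": NOW - timedelta(days=20)},
    "prod/api/key": {"value": {"username": "svc", "password": "placeholder"}, "rotation": False},
    "legacy/db/reporting": {"value": {"username": "rep", "password": "placeholder"},
                            "rotation": True, "rotated": NOW - timedelta(days=200)},
})

if __name__ == "__main__":
    print("db user:", load_db_credentials(SAMPLE, "prod/db/app")[0])
    for sid, why in stale_secrets(SAMPLE, ["prod/db/app", "prod/api/key", "legacy/db/reporting"], now=NOW):
        print(sid, "->", why)
```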

2 | AWS Service Endpoints

Goal: keep traffic to AWS services private, not over the public internet.

VPC endpoints

  • Gateway endpoints: S3, DynamoDB
  • Interface endpoints (AWS PrivateLink): many AWS services via ENIs

“No internet access, but must reach S3/Secrets Manager” → VPC endpoints (plus route/security group controls).

3 | Control Ports, Protocols, And Network Traffic On AWS

Goal: only allow the traffic you intend, nothing more.

Core VPC Controls

1 Security groups (SGs): instance/ENI-level, stateful
2 Network ACLs (NACLs): subnet-level, stateless
3 Route tables: where traffic is allowed to go
4 Internet Gateway (IGW): enables public subnet internet routing
5 NAT Gateway: allows private subnets outbound internet access (no inbound)

“Instances in private subnet need outbound updates” → NAT Gateway (or VPC endpoints when applicable).

4 | Secure Application Access

Goal: expose only what must be public, and authenticate and authorize properly.

Typical Secure Pattern

1 Public entry via CloudFront and/or ALB
2 Put application compute in private subnets
3 Put databases in private/isolated subnets
4 Use TLS everywhere (HTTPS)

Identity Choices

  • Amazon Cognito: end-user sign-up/sign-in for apps
  • IAM Identity Center: workforce/admin access to AWS accounts

5 | Security Services With Appropriate Use Cases

1 Amazon Cognito: authentication for application users (tokens, user pools)
2 Amazon GuardDuty: threat detection (suspicious API calls, network behavior, DNS)
3 Amazon Macie: discovers/protects sensitive data in S3 (PII patterns)

6 | Threat Vectors External To AWS

  • DDoS: use AWS Shield
  • SQL injection / XSS: use AWS WAF

“Protect from SQLi/XSS” → AWS WAF


Skills

A | Design VPC Architectures With Security Components

Design With Layers And Controlled Paths

  • Public subnets: ALB and sometimes NAT Gateway
  • Private subnets: app tier (EC2/ECS/EKS), internal services, da

Security Components

  • Security groups restrict who can talk to whom; they are the recommended primary control
  • NACLs provide coarse subnet-level guardrails; use them when explicitly required
  • Route tables prevent accidental connectivity: if there is no route, there is no path

B | Determine Network Segmentation Strategies

Beginner rule:

  • Public subnet: route to an Internet Gateway
  • Private subnet: no route to an Internet Gateway

“Only the load balancer should be public” → ALB in public subnet, app in private subnet, DB private and isolated.
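An added example, not from the original post, that turns the port-control rule from Knowledge section 3 and the public/private subnet rule above into two checks a reviewer can run over exported VPC configuration. The security groups, route tables and every `sg-`/`igw-`/`nat-`/`vpce-` id are constructed placeholders shaped like the JSON `aws ec2 describe-security-groups` and `describe-route-tables` return; a real review would feed those commands' output into the same functions.

```python
# Constructed sample data shaped like describe-security-groups / describe-route-tables output.
WORLD = ("0.0.0.0/0", "::/0")
PUBLIC_WEB_PORTS = {80, 443}
SECURITY_GROUPS = [  # ALB open to the world on 443, app reachable only from the ALB SG
    {"GroupId": "sg-alb", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                            "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-app", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                                            "UserIdGroupPairs": [{"GroupId": "sg-alb"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                                           "IpRanges": [{"CidrIp": "0.0.0.0/0"}],  # misconfiguration
                                           "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]},
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public-a"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-placeholder"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-app-a"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-placeholder"},
                {"DestinationPrefixListId": "pl-s3", "GatewayId": "vpce-placeholder"}]},
    {"RouteTableId": "rtb-isolated", "Associations": [{"SubnetId": "subnet-db-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]

def world_open_rules(security_groups, allowed_ports=PUBLIC_WEB_PORTS):
    """Return (group id, from port, to port) for ingress open to the whole internet on ports
    other than the ones a public entry point (ALB/CloudFront) is meant to expose."""
    findings = []
    for sg in security_groups:
        for rule in sg["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            if not any(c in WORLD for c in cidrs):
                continue  # source is a VPC CIDR or another SG: the intended tier-to-tier pattern
            lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)  # absent when protocol is -1
            if rule["IpProtocol"] == "-1" or not set(range(lo, hi + 1)) <= allowed_ports:
                findings.append((sg["GroupId"], lo, hi))
    return findings

def classify_subnets(route_tables):
    """Map subnet id -> 'public' (route to an IGW), 'private' (NAT/endpoint only) or 'isolated'."""
    kinds = {}
    for rt in route_tables:
        gw = [r.get("GatewayId", "") for r in rt["Routes"]]
        if any(g.startswith("igw-") for g in gw):
            kind = "public"
        elif any("NatGatewayId" in r for r in rt["Routes"]) or any(g.startswith("vpce-") for g in gw):
            kind = "private"
        else:
            kind = "isolated"
        kinds.update({a["SubnetId"]: kind for a in rt["Associations"] if "SubnetId" in a})
    return kinds
```

The database group is the only finding because its 3306 rule is reachable from 0.0.0.0/0 even though it also references the app SG; the subnet classification shows the three tiers the “only the load balancer should be public” scenario expects.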

C | Integrate AWS Services To Secure Applications

Common Combos:

1 AWS WAF + ALB/CloudFront:

  • SQLi
  • XSS
  • bot mitigation

2 AWS Shield:

  • DDoS protection
  • Shield Advanced for stronger needs

3 AWS Secrets Manager: store secrets + rotation
4 IAM Identity Center for workforce access; Amazon Cognito for application end users
5 GuardDuty: detect threats
6 Macie: S3 sensitive data discovery

D | Secure External Network Connections To And From AWS

  • Site-to-Site VPN: encrypted tunnel over the internet; fast to deploy
  • AWS Direct Connect: private dedicated link with more consistent performance
  • Resilient design: Direct Connect + VPN backup

“Need private connectivity to on-prem” → VPN and/or Direct Connect


Cheat Sheet

Scenario → Direction

  • Keep AWS API/service traffic private → VPC endpoints (Gateway/Interface)
  • Database must not be internet reachable → DB in private/isolated subnet + SG only from app tier
  • Only ALB should be public → ALB public, app private; NAT/endpoints as needed
  • Protect from SQL injection / XSS → AWS WAF (managed rules)
  • DDoS protection required → AWS Shield (+ CloudFront/WAF commonly)
  • Secrets in code/config → Secrets Manager (rotation if needed)
  • Detect suspicious activity → GuardDuty
  • Find PII in S3 → Macie
  • Private connectivity to on-prem → VPN and/or Direct Connect

Recap Checklist ✅

If you can explain these ideas in simple terms, you are well prepared for Task Statement 1.2:

1. [ ] Secrets and credentials are not stored in code (use Secrets Manager or SSM Parameter Store SecureString)

2. [ ] The workload uses private subnets for app/data tiers, and only required components are public

3. [ ] Inbound traffic is controlled with security groups (and NACLs if needed), using minimal ports/protocols

4. [ ] Outbound internet access from private subnets is intentional (via NAT Gateway) or avoided using VPC endpoints

5. [ ] AWS service access stays private where possible (use Gateway/Interface VPC endpoints / PrivateLink)

6. [ ] Public web apps are protected against common attacks using AWS WAF (and CloudFront when appropriate)

7. [ ] DDoS risk is addressed using AWS Shield (and scaling/edge protections as needed)

8. [ ] Suspicious activity detection is enabled with Amazon GuardDuty

9. [ ] Sensitive data in S3 can be discovered/monitored with Amazon Macie when required

10. [ ] External connectivity (to/from on-prem) uses VPN and/or Direct Connect with secure routing and redundancy


AWS White Papers and Official Documentation

These are the primary AWS documents behind Task Statement 1.2.

You do not need to memorize them; use them to understand why secure workload design works the way it does.

Networking and VPC Security

Amazon VPC User Guide

  • Explains how VPCs, subnets, route tables, and gateways work
  • Core for questions about public vs private subnets, routing, and segmentation

Security Groups

  • Your primary tool for controlling inbound/outbound traffic to instances and ENIs
  • Frequently tested: stateful behavior, least-ports-open design

Network ACLs (NACLs)

  • Subnet-level firewall rules (stateless)
  • Shows up when the exam wants an extra “layer” of subnet control

NAT Gateways

  • Enables outbound internet access from private subnets (without allowing inbound)
  • Common exam scenario: patching instances in private subnets

VPC Endpoints / AWS PrivateLink

  • Keeps traffic to AWS services private (no public internet path)
  • Key for “no internet access but still must reach S3/Secrets Manager” scenarios

Application Protection and Threat Mitigation

AWS WAF

  • Protects web apps from common attacks (SQLi, XSS) using managed rules and custom rules
  • Often paired with ALB or CloudFront in exam architectures

AWS Shield (DDoS overview)

  • Explains DDoS protection options (Shield Standard vs Shield Advanced)
  • Typical exam clue: “must protect against DDoS” → Shield + edge design

Amazon GuardDuty

  • Threat detection service that analyzes logs/telemetry to flag suspicious behavior
  • Useful when the question is about detection and alerting (not just prevention)

Amazon Macie

  • Finds and alerts on sensitive data (PII) stored in S3
  • Exam clue: “identify PII in S3 automatically” → Macie

Identity for Applications and Secrets

Amazon Cognito

  • Authentication/authorization for application end users (sign-up/sign-in, tokens)
  • Exam clue: “millions of app users need login” → Cognito

AWS Secrets Manager

  • Stores secrets securely and supports automated rotation
  • Exam clue: “rotate DB credentials automatically” → Secrets Manager

SSM Parameter Store

  • Stores application configuration parameters; can encrypt with KMS (SecureString)
  • Often chosen for configuration values and simpler secret needs

External Connectivity (On-Prem ↔ AWS)

AWS Site-to-Site VPN

  • Encrypted connectivity over the internet between on-prem and AWS
  • Exam clue: “quick secure connection to on-prem” → Site-to-Site VPN

AWS Direct Connect

  • Dedicated private network connection for consistent performance
  • Exam clue: “consistent throughput / lower latency / private circuit” → Direct Connect
  • Common best practice: pair with VPN for backup/failover

🚀
