My personal learning notes and architecture lessons

Day 3: AWS Solutions Architect Professional Prep — Hybrid Networking & Centralized Security Controls

Today I studied how large companies that want to connect their traditional offices and data centers to Amazon’s cloud (AWS) can do so while making sure everything is highly secure and runs smoothly worldwide.

As I always do, I broke that down further into key questions I wanted to be able to answer by the end of the day:

1. How do we connect our offices to the cloud securely and reliably?

2. When our network grows huge, how do we connect everything without chaos?

3. How do we ensure global users get the absolute fastest performance?

4. How do we catch cyber threats and manage compliance from one place?

1. How do we connect our offices to the cloud securely and reliably?

For dedicated bandwidth, the best choice is AWS Direct Connect (DX): a dedicated, private network link (typically fiber into a DX location) between your premises and AWS. Because traffic never crosses the public internet, you get predictable throughput and latency. One caveat worth remembering: DX is a private link, not an encrypted one. If confidentiality on the wire matters, run an IPsec VPN over the connection or use MACsec, which is available on supported dedicated connections. Direct Connect goes beyond basic connectivity and offers specialized logical connections called Virtual Interfaces (VIFs):

1. Private VIFs: for reaching VPCs (one VPC directly, or many VPCs through a Direct Connect gateway).

2. Public VIFs: for reaching AWS public endpoints such as S3 or DynamoDB over the DX link instead of the internet.

3. Transit VIFs: the most scalable option, which connects through a Direct Connect gateway to one or more Transit Gateways (TGW), your central router.

For high availability, use redundant DX connections (ideally terminating in two different DX locations), or pair DX with a less expensive Site-to-Site VPN as a backup. When the same on-premises prefix is advertised over both, AWS prefers the DX path, so traffic moves to the VPN automatically when the DX BGP session drops and moves back when it returns. A Site-to-Site VPN is an IPsec-encrypted tunnel over the public internet; every VPN connection comes with two tunnels terminating on separate AWS endpoints, so a single tunnel failure is already covered. Prefer dynamic (BGP) routing over static routes in production: BGP is like a smart map that finds another route on its own when a path goes down, whereas static routes need a human to update them.

2. When our network grows huge, how do we connect everything without chaos?

Transit Gateway (TGW) is the answer. VPC peering connects two VPCs directly, but it does not support transitive routing: if VPC A is peered with B and B with C, A still cannot talk to C. Peering also maxes out at 125 active peering connections per VPC, so a full mesh quickly becomes unmanageable.

A TGW can be likened to a central hub in the cloud that connects all your VPCs, DX connections and VPNs, so you do not have to build individual connections between every pair of them.

It uses multiple route tables for fine-grained traffic segmentation (for example, keeping production and development attachments in separate route tables so they cannot reach each other, which enforces a compliance boundary), supports high-bandwidth cross-Region peering (up to 50 Gbps), and attaches to Direct Connect gateways for hybrid connectivity.
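The segmentation and failover behaviour described in these two sections is easiest to see in a small model. The block below is an added example of mine, not code from AWS or from these notes: it models a Transit Gateway with three route tables, puts the prod and dev VPC attachments in separate tables so neither carries a route to the other, learns the on-premises prefix over both a Direct Connect gateway attachment and a VPN attachment, and then withdraws the DX routes to show the failover. The preference order (longest prefix, then static over propagated, then Direct Connect gateway over VPN, then shortest AS path) is a simplification of the real TGW evaluation order, and every attachment id and CIDR is a placeholder.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Constructed model of Transit Gateway route tables (not the AWS API). The route
# preference order is a simplification: longest prefix wins, then static over
# propagated, then Direct Connect gateway over VPN, then shortest BGP AS path.
ATTACHMENT_PREFERENCE = {"direct-connect-gateway": 0, "vpn": 1, "vpc": 2}


@dataclass(frozen=True)
class Route:
    prefix: str            # CIDR the route covers
    attachment: str        # attachment traffic is forwarded to
    kind: str              # "vpc", "direct-connect-gateway" or "vpn"
    static: bool = False   # static entry rather than BGP-propagated
    as_path_len: int = 0   # BGP AS path length for propagated routes


@dataclass
class RouteTable:
    name: str
    routes: list[Route] = field(default_factory=list)


class TransitGateway:
    """Hub with several route tables; each attachment is associated with exactly one."""

    def __init__(self) -> None:
        self.tables: dict[str, RouteTable] = {}
        self.association: dict[str, str] = {}  # attachment id -> route table name

    def add_table(self, name: str) -> None:
        self.tables[name] = RouteTable(name)

    def associate(self, attachment: str, table: str) -> None:
        self.association[attachment] = table

    def add_route(self, table: str, route: Route) -> None:
        self.tables[table].routes.append(route)

    def withdraw(self, attachment: str) -> None:
        """Simulate BGP session loss: drop every propagated route that points at the attachment."""
        for table in self.tables.values():
            table.routes = [r for r in table.routes if r.static or r.attachment != attachment]

    def lookup(self, src_attachment: str, dst_ip: str) -> str | None:
        """Attachment a packet arriving from src_attachment and destined to dst_ip is sent to."""
        table = self.tables[self.association[src_attachment]]
        ip = ipaddress.ip_address(dst_ip)
        candidates = [r for r in table.routes if ip in ipaddress.ip_network(r.prefix)]
        if not candidates:
            return None  # no route in this table: traffic is dropped, which is the segmentation
        best = min(candidates, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen,
                                              not r.static,
                                              ATTACHMENT_PREFERENCE[r.kind],
                                              r.as_path_len))
        return best.attachment


def build_segmented_tgw() -> TransitGateway:
    """Prod and dev VPCs sit in separate route tables; only the on-prem table sees both."""
    tgw = TransitGateway()
    for name in ("prod", "dev", "on-prem"):
        tgw.add_table(name)
    tgw.associate("vpc-prod", "prod")
    tgw.associate("vpc-dev", "dev")
    tgw.associate("dxgw-1", "on-prem")   # Direct Connect gateway attachment (transit VIF)
    tgw.associate("vpn-1", "on-prem")    # Site-to-Site VPN attachment, the backup path
    # The on-prem prefix is learned over BGP from both DX and VPN into both VPC tables.
    for table in ("prod", "dev"):
        tgw.add_route(table, Route("192.168.0.0/16", "dxgw-1", "direct-connect-gateway", as_path_len=1))
        tgw.add_route(table, Route("192.168.0.0/16", "vpn-1", "vpn", as_path_len=1))
    # On-prem can reach both VPCs, but neither VPC table carries a route to the other.
    tgw.add_route("on-prem", Route("10.1.0.0/16", "vpc-prod", "vpc", static=True))
    tgw.add_route("on-prem", Route("10.2.0.0/16", "vpc-dev", "vpc", static=True))
    return tgw


if __name__ == "__main__":
    tgw = build_segmented_tgw()
    print(tgw.lookup("vpc-dev", "10.1.5.5"))       # None: dev is isolated from prod
    print(tgw.lookup("vpc-prod", "192.168.1.10"))  # dxgw-1: DX preferred while it is up
    tgw.withdraw("dxgw-1")
    print(tgw.lookup("vpc-prod", "192.168.1.10"))  # vpn-1: automatic failover to the VPN
```

The point to notice is that isolation comes from the absence of a route in the table the source attachment is associated with, not from any firewall; if someone later adds a propagation of the dev VPC into the prod table, the boundary silently disappears, which is why TGW route table changes deserve the same review as security group changes.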

3. How do we ensure global users get the absolute fastest performance?

When managing global traffic, you must differentiate between Route 53 and Global Accelerator.

Route 53 is like a smart GPS system that directs users to the closest, healthiest location using routing policies, such as sending everyone in Europe to the European servers. Latency-based routing answers with the Region that responds fastest for the resolver's location; geolocation routing answers based on where the user physically is (for example, users in Germany go to the Frankfurt Region). It operates at the DNS layer, so it only influences which IP address a client resolves; once resolved, the traffic itself still travels over the public internet, and cached answers (TTL) delay how quickly clients notice a change.

Global Accelerator (GA) operates at the network layer (layer 4, TCP/UDP) and may be compared to a fast-pass lane. It gives you two static anycast IP addresses; instead of relying on Route 53, the GPS, to find the fastest public road, GA brings user traffic onto the AWS global network at the nearest edge location and carries it to a healthy endpoint from there, which gives more consistent performance and fast failover without waiting for DNS caches to expire. It is used for latency-sensitive applications like video, voice or gaming.

4. How do we catch cyber threats and manage compliance from one place?

A centralized security strategy integrates multiple specialized tools for detection, assessment, and governance, managed ideally from a dedicated security account.

Amazon GuardDuty is a detection-only service. It continuously analyzes CloudTrail management events, VPC Flow Logs and DNS logs (plus optional sources such as S3 data events and EKS audit logs) for suspicious behaviour, such as a compromised instance being used for cryptocurrency mining or talking to known malicious hosts. It is like a silent watchman: it raises findings but blocks nothing, so any automated response has to be built separately (for example, an EventBridge rule that triggers a Lambda function).

Amazon Macie is like a data auditor that specializes in scanning your S3 buckets to discover and classify sensitive data, such as credit card numbers, passport numbers or other PII, and alerts you so you can protect it.

Amazon Inspector (v2) is like a building inspector. It performs continuous vulnerability assessment of EC2 instances, container images in ECR and Lambda functions, checking for known software vulnerabilities (CVEs) and assessing how easily each resource can be reached from the network.

AWS Security Hub is the central dashboard that collects and aggregates the findings from GuardDuty, Macie, Inspector and other sources, and scores your environment against standards such as the AWS Foundational Security Best Practices, the CIS AWS Foundations Benchmark and PCI DSS.

AWS Config is the rulebook and historian. It records the inventory and configuration history of your AWS resources and evaluates them against Config rules, which can be bundled into Conformance Packs, to ensure continuous compliance (for example, verifying that all databases are encrypted).

Overall, some of the big takeaways on how to create a hybrid network and implement a security command center include:

1. Choose Direct Connect for dedicated bandwidth.

2. Use TGW for high-scale network segmentation

3. Use Global Accelerator when latency is absolutely critical.

4. For security, use GuardDuty for detection, Security Hub for aggregation, Macie for sensitive data protection, and AWS Config for governance and compliance tracking via Conformance Packs.

See you tomorrow!

Day 2: AWS Solutions Architect Professional Prep — Governance and Compliance in Complex Organizations

Creating a highly secure, well-managed community of accounts is an important part of building and scaling a successful digital infrastructure. To ensure compliance across dozens or even hundreds of separate “departments” or accounts requires establishing automated guardrails, non-stop inspections, and rock-solid centralized logging.

These were my big questions on the topic:

1. How do organizations establish mandatory organizational boundaries and continuously monitor compliance across multiple accounts?

2. What are the key architectural components used to centralize auditing and aggregate security findings across an AWS organization?

3. What are the best practices for managing cross-account access and why are they preferred?

4. How do multi-account strategies address compliance documentation, data residency, and the shared security responsibilities?

1. How do organizations establish mandatory organizational boundaries and continuously monitor compliance across multiple accounts?

Organizations use Service Control Policies to set mandatory boundaries and AWS Config to continuously monitor compliance.

SCPs act as the company rule book whose rules apply universally. They define the maximum permissions any principal in a member account can have, and they stop non-compliant actions before they can happen. Two caveats: SCPs have no effect on the management account, and they do not restrict service-linked roles.

For example, an SCP can deny S3 PutObject requests that do not specify server-side encryption, deny making RDS snapshots public, or restrict which EC2 instance types may be launched.

A key idea is that they never grant permissions; they only restrict them.

AWS Config is a continuous compliance monitor. Since manual checks are impossible at scale, Config provides automated, non-stop inspection, evaluating every resource against the compliance rules you choose. For example, the managed rule encrypted-volumes checks that every EBS volume attached to an instance is encrypted, and s3-bucket-public-write-prohibited checks that public write access is blocked on S3 buckets.

AWS Config tracks changes by taking point-in-time snapshots called Configuration Items or CIs to track exactly how resources change over time.

The Config Aggregator allows a central compliance team to view the compliance status of every single account across the entire organization in one place.
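Managed rules cover the common cases, but it helps to see what a rule actually does with a Configuration Item. The block below is an added example of mine (not AWS code and not from these notes) that implements the same check as encrypted-volumes in the shape of a custom, Lambda-backed Config rule, and it also serves the Day 3 section on Config above. The invocation events are constructed to mimic what Config sends on a configuration change; the volume and instance ids are placeholders, and the put_evaluations() call that a deployed rule would make is left to the caller so that the code runs offline.

```python
import json

# Added example (not AWS code): the evaluation logic of a custom AWS Config rule,
# in the shape a Lambda-backed rule uses. Configuration items here are constructed
# samples; the put_evaluations() call is left to the caller so the code runs offline.

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"


def evaluate_volume(item: dict) -> str:
    """Same check as the managed rule encrypted-volumes: attached EBS volumes must be encrypted."""
    if item.get("resourceType") != "AWS::EC2::Volume":
        return NOT_APPLICABLE
    config = item.get("configuration") or {}
    attached = any(a.get("state") == "attached" for a in config.get("attachments", []))
    if not attached:
        return NOT_APPLICABLE  # unattached volumes are outside the rule's scope
    return COMPLIANT if config.get("encrypted") is True else NON_COMPLIANT


def build_evaluation(event: dict) -> dict:
    """Parse a Config rule invocation and return the evaluation record for put_evaluations()."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    compliance = evaluate_volume(item)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if compliance == NON_COMPLIANT:
        evaluation["Annotation"] = "Attached EBS volume is not encrypted"
    return evaluation


def lambda_handler(event: dict, context: object) -> dict:
    """Entry point of the rule. A deployed rule would report the result with
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])."""
    return build_evaluation(event)


def sample_event(volume_id: str, encrypted: bool, attached: bool) -> dict:
    """Constructed invocation event mimicking what Config sends on a configuration change."""
    item = {
        "resourceType": "AWS::EC2::Volume",
        "resourceId": volume_id,
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {
            "encrypted": encrypted,
            "attachments": [{"state": "attached", "instanceId": "i-0example"}] if attached else [],
        },
    }
    return {
        "invokingEvent": json.dumps({"configurationItem": item,
                                     "messageType": "ConfigurationItemChangeNotification"}),
        "resultToken": "constructed-result-token",
    }


if __name__ == "__main__":
    for vol, enc, att in (("vol-plain", False, True), ("vol-enc", True, True), ("vol-spare", False, False)):
        print(vol, lambda_handler(sample_event(vol, enc, att), None)["ComplianceType"])
```

Note the NOT_APPLICABLE branch: a rule that reports NON_COMPLIANT for resources it was never meant to judge produces noise that teams learn to ignore, which is worse than having no rule.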

2. What are the key architectural components used to centralize auditing and aggregate security findings across an AWS organization?

CloudTrail is the main tool for centralized auditing and Security Hub is the main tool for managing security reporting.

If an incident occurs, or when auditors come calling, you need definitive proof of every action taken. CloudTrail records the API calls made in your accounts (management events by default; data events such as S3 object access can be enabled). It logs who performed the action, which API was called, when, from where, and whether the call succeeded or failed. CloudTrail is the security camera and detailed visitor log of your digital environment.

The best practice is an organization trail that delivers every account's logs to a dedicated log archive account. That account is kept separate so that a compromise of a workload account cannot touch its own history; make the destination bucket tamper-evident by enabling CloudTrail log file validation, denying deletes to everyone but the logging pipeline, and, where retention rules demand it, using S3 Object Lock.

Security Hub gathers security insights across an organization. It takes findings from AWS services (GuardDuty, Inspector, Macie, Config, IAM Access Analyzer and others) and from partner products, normalizes them into a standard format called the AWS Security Finding Format (ASFF), and presents them in a single view in the Security Hub administrator account (ideally a delegated administrator account rather than the management account), which gives managers a clear overall security score for the entire organization. We might call it the Executive Security Briefing Dashboard.
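To make the normalization step concrete, here is an added example of mine (not AWS code and not from these notes) that converts findings from two sources into ASFF-shaped records, validates the fields ASFF requires, deduplicates re-sent findings by Id, and counts findings per account and severity the way the aggregated view would; it also illustrates the Security Hub paragraph in the Day 3 notes. The severity scaling (GuardDuty's 0.1 to 8.9 scale times ten, CVSS times ten) follows how Security Hub normalizes those products, the field names are the ASFF ones, and every finding, account id, instance id, image id and CVE id is a constructed placeholder.

```python
from collections import Counter

# Added example (not AWS code): normalise findings from two detection sources into
# the AWS Security Finding Format (ASFF) shape Security Hub ingests, then summarise
# them per account the way an aggregated dashboard would. All findings below are
# constructed samples; account IDs, instance/image IDs and the CVE id are placeholders.

# ASFF Severity.Normalized runs 0-100; these are the lower bounds of each label.
SEVERITY_FLOORS = (("CRITICAL", 90), ("HIGH", 70), ("MEDIUM", 40), ("LOW", 1), ("INFORMATIONAL", 0))
REQUIRED_FIELDS = ("SchemaVersion", "Id", "ProductArn", "GeneratorId", "AwsAccountId", "Types",
                   "CreatedAt", "UpdatedAt", "Severity", "Title", "Description", "Resources")


def severity_label(normalized: int) -> str:
    if not 0 <= normalized <= 100:
        raise ValueError(f"normalized severity out of range: {normalized}")
    return next(label for label, floor in SEVERITY_FLOORS if normalized >= floor)


def to_asff(source: str, finding_id: str, account: str, region: str, normalized: int,
            title: str, types: list, resource_type: str, resource_id: str, seen_at: str) -> dict:
    """One ASFF finding; the ARN layouts follow the aws/<product> convention Security Hub uses."""
    return {
        "SchemaVersion": "2018-10-08",
        "Id": f"arn:aws:{source}:{region}:{account}:finding/{finding_id}",
        "ProductArn": f"arn:aws:securityhub:{region}::product/aws/{source}",
        "GeneratorId": source,
        "AwsAccountId": account,
        "Types": types,
        "CreatedAt": seen_at,
        "UpdatedAt": seen_at,
        "Severity": {"Label": severity_label(normalized), "Normalized": normalized},
        "Title": title,
        "Description": f"Constructed sample finding from {source}",
        "Resources": [{"Type": resource_type, "Id": resource_id, "Region": region}],
    }


def from_guardduty(raw: dict) -> dict:
    """GuardDuty severity is 0.1-8.9; Security Hub normalises it by multiplying by 10."""
    return to_asff("guardduty", raw["id"], raw["accountId"], raw["region"],
                   int(round(raw["severity"] * 10)), raw["title"], [raw["type"]],
                   "AwsEc2Instance", raw["instanceId"], raw["updatedAt"])


def from_inspector(raw: dict) -> dict:
    """Inspector package findings carry a CVSS base score (0-10); scale it to 0-100."""
    return to_asff("inspector", raw["id"], raw["accountId"], raw["region"],
                   int(round(raw["cvssScore"] * 10)), f"{raw['cve']} in {raw['package']}",
                   ["Software and Configuration Checks/Vulnerabilities/CVE"],
                   "AwsEcrContainerImage", raw["imageId"], raw["updatedAt"])


def validate(finding: dict) -> None:
    missing = [k for k in REQUIRED_FIELDS if k not in finding]
    if missing:
        raise ValueError(f"{finding.get('Id')} lacks required ASFF fields {missing}")


def summarize(findings: list) -> dict:
    """Keep the newest copy of each finding Id, then count findings per (account, severity label)."""
    latest = {}
    for f in findings:
        validate(f)
        if f["Id"] not in latest or f["UpdatedAt"] > latest[f["Id"]]["UpdatedAt"]:
            latest[f["Id"]] = f
    return dict(Counter((f["AwsAccountId"], f["Severity"]["Label"]) for f in latest.values()))


def demo_summary() -> dict:
    """Constructed inputs: the first GuardDuty finding is delivered twice, once updated."""
    guardduty = [
        {"id": "gd-0001", "accountId": "111111111111", "region": "eu-west-1", "severity": 8.0,
         "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "instanceId": "i-0example1",
         "title": "EC2 instance is querying a cryptocurrency mining domain",
         "updatedAt": "2024-01-01T10:00:00Z"},
        {"id": "gd-0001", "accountId": "111111111111", "region": "eu-west-1", "severity": 8.0,
         "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "instanceId": "i-0example1",
         "title": "EC2 instance is querying a cryptocurrency mining domain",
         "updatedAt": "2024-01-01T11:00:00Z"},
        {"id": "gd-0002", "accountId": "222222222222", "region": "eu-west-1", "severity": 2.0,
         "type": "Recon:EC2/PortProbeUnprotectedPort", "instanceId": "i-0example2",
         "title": "Unprotected port on EC2 instance is being probed",
         "updatedAt": "2024-01-01T10:30:00Z"},
    ]
    inspector = [
        {"id": "insp-0001", "accountId": "111111111111", "region": "eu-west-1", "cvssScore": 9.8,
         "cve": "CVE-0000-0000", "package": "example-lib", "imageId": "sha256:0example",
         "updatedAt": "2024-01-01T09:00:00Z"},  # placeholder CVE id, not a real advisory
    ]
    return summarize([from_guardduty(g) for g in guardduty] + [from_inspector(i) for i in inspector])


if __name__ == "__main__":
    for (account, label), count in sorted(demo_summary().items()):
        print(account, label, count)
```

Two details matter operationally: the dashboard count is by finding Id after deduplication, so a noisy detector re-emitting the same finding does not inflate the numbers, and a record that lacks a required field is rejected rather than silently dropped, so a broken integration shows up as an error instead of a quiet gap in coverage.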

3. What are the best practices for managing cross-account access and why are they preferred?

The use of temporary credentials is preferred over long-term secrets: borrow permission, don't hold permanent keys.

Best practice 1: IAM Roles Over IAM Users.

Roles provide temporary credentials (short-lived tokens) that expire after between 15 minutes and 12 hours, depending on the role's maximum session duration, and after one hour when roles are chained. Security risk is reduced because there are no permanent access keys to manage, rotate or leak. Roles also leave a clear audit trail in CloudTrail of who assumed which role and when. For highly sensitive operations, the role's trust policy can require Multi-Factor Authentication using the aws:MultiFactorAuthPresent condition key.

Best practice 2: Resource-Based Policies

Resource-based policies are attached to the resource itself and state which principals, including ones in other accounts, may use it. They are commonly used for cross-account access to S3 buckets, Lambda functions, SQS queues and KMS keys. Unlike a role, the caller keeps its own identity, so for cross-account access both the resource policy and the caller's own IAM policy must allow the action.

4. How do multi-account strategies address compliance documentation, data residency, and the shared security responsibilities?

Data residency (or data sovereignty) is the concept that regulations often mandate where data must physically reside. Common drivers include GDPR's restrictions on moving personal data outside the EU and China's Cybersecurity Law. They may force you to choose S3 bucket Regions purely on sovereignty grounds (an S3 Regional Strategy) and, when in-country or in-bloc copies are required, to pair that with Same-Region Replication (SRR) or Cross-Region Replication (CRR) to another compliant Region.

AWS Artifact is the source for compliance documentation. It provides reports covering key frameworks such as SOC reports, PCI DSS, ISO Certifications, and HIPAA guidance. They prove that AWS is compliant with its responsibilities and are needed for audits.

The Shared Responsibility Model splits security between AWS and the customer, much like a landlord/tenant partnership: AWS is responsible for security OF the cloud and the customer for security IN the cloud.

AWS’s Role (Security OF the Cloud): the foundation, including physical security of the data centers, the network infrastructure, and patching the host operating systems and hypervisors.

Customer’s Role (Security IN the Cloud): everything the customer manages, which includes patching their own guest operating systems and applications, application security, managing who has access (IAM), network controls such as security groups, and making sure data is encrypted. The dividing line moves with the service: for a managed service like RDS, AWS patches the database host, while the customer still owns access control and encryption settings.

Overall, some of the big takeaways on how to build a compliant, secure, and scalable structure ready for any regulatory challenge are:

1. Utilize SCPs as guardrails that restrict permissions.

2. Use the Config Aggregator for centralized compliance monitoring

3. Use the CloudTrail Organization Trail for centralized auditing.

4. Always prioritize IAM roles when designing cross-account access.

See you tomorrow!

Day 1: AWS Solutions Architect Professional Prep — Multi-Account Strategy & Governance

Today marks the start of my journey toward earning the AWS Solutions Architect Professional certification.

Each day, I’ll share study notes and real-world insights from my preparation — explained in simple, practical terms.

My goal isn’t just to pass the exam but to deepen my understanding of cloud architecture so I can design smarter, more secure, and cost-efficient systems on AWS.

Topic 1: Multi-Account Strategy & Governance

Today’s first topic is Multi-Account strategy and governance. These were my big questions on the topic:

  • Why do organizations use multiple AWS accounts?
  • What are the core capabilities of AWS Organizations?
  • How do Service Control Policies differ from IAM policies?
  • How does Control Tower help organizations scale?
  • How can tagging improve cost visibility and control?

Why do Organizations Use Multiple AWS Accounts?

Having one account is like putting everything in one big room. Creating multiple accounts is like setting up a bunch of separate, locked rooms for specific purposes instead of putting everything important into one big room.

There are 3 primary factors that may move an organization to adopt a multi-account strategy: security, billing, and compliance.

Security: Creating separate accounts ensures blast radius containment. For example, a financial services company might keep their trading systems in a separate account from their customer-facing web applications to ensure that a vulnerability in the web app cannot access trading data.

Billing : Each account acts as its own cash register. This prevents one team from using up all the supplies (resource quotas) so the other teams don’t run out.

Compliance: Sometimes, laws require an organization to keep certain things completely separate. For example, there might be laws regarding Data Sovereignty (keeping customer data in specific countries) or Separation of Duties (auditors requiring different roles to handle different workloads). To demonstrate compliance, a healthcare company might keep patient data regulated by laws like HIPAA in one completely dedicated account, separate from their general company email systems.

What are the core capabilities of AWS Organizations?

AWS Organizations acts as the central nervous system for managing all the separate accounts. Its core capabilities include:

Organizational Units (OUs): Think of OUs as folders within your directory. Similar accounts are grouped  into these folders (e.g., we might have a “Security” folder, or a “North America” folder). Any rule that is set on a folder (OU) automatically applies to every account inside it.

Consolidated Billing: This provides a single bill for all accounts, and benefits like volume discounts, Reserved Instance sharing, and Savings Plans are shared across the organization

Account Management: Accounts can be created programmatically and managed centrally, including being closed or suspended.

How do Service Control Policies differ from IAM policies?

SCPs are the most powerful security tool in Organizations. They are essential “guardrails”.

If SCPs are like Speed Limits, then IAM Policies are like a Driver’s License.

Service Control Policies set the maximum speed limit on the highway, as it were, by defining the outer boundary of what is allowed in an account or OU. They can be attached at the root, OU or account level and are inherited down the tree. Even when written as an allow list, an SCP never grants anything on its own: a principal still needs an IAM policy that allows the action, and the SCP only decides whether that allowance can take effect. SCPs can enforce governance by preventing accounts from leaving the organization or by restricting Regions for data residency, denying access to every Region except the approved ones. Remember that they do not apply to the management account.

On the other hand, IAM policies GRANT permissions to users, groups or roles, but only within the boundary the SCPs allow. We might compare them to a driver’s license: the license lets you drive (perform actions), but it is useless if the action you want to take (speeding) is already forbidden by the speed limit (the SCP).
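The speed-limit rule is easy to state and easy to get wrong, so here is an added example of mine (not AWS code and not from these notes) that simulates how an SCP and an IAM identity policy combine for a request; it also illustrates the SCP section of the Day 2 notes and the MFA-on-sensitive-actions point there. It is deliberately simplified: resource policies, permission boundaries, session policies, NotAction, Resource matching and most condition operators are left out, and the two policy documents and the region list are constructed samples. What it does show is the three outcomes that matter: an explicit SCP deny beats an IAM allow, an SCP allow grants nothing without an IAM allow, and the management account is not subject to SCPs at all.

```python
from fnmatch import fnmatchcase

# Added example (not AWS code): a deliberately simplified simulation of how an SCP
# and an IAM identity policy combine. Real IAM evaluation also weighs resource
# policies, permission boundaries and session policies, and supports NotAction,
# many more condition operators and Resource matching; all of that is left out.


def _matches(patterns, value: str) -> bool:
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatchcase(value, p) for p in patterns)


def _condition_holds(statement: dict, context: dict) -> bool:
    """Support just the operators the sample policies need."""
    for operator, pairs in statement.get("Condition", {}).items():
        if operator not in ("StringEquals", "StringNotEquals", "Bool"):
            raise ValueError(f"unsupported condition operator {operator}")
        for key, expected in pairs.items():
            expected = [expected] if isinstance(expected, str) else list(expected)
            actual = context.get(key)  # a missing key makes Bool/StringEquals fail, as in IAM
            if operator == "StringEquals" and actual not in expected:
                return False
            if operator == "StringNotEquals" and actual in expected:
                return False
            if operator == "Bool" and str(actual).lower() != str(expected[0]).lower():
                return False
    return True


def evaluate_policy(policy: dict, action: str, context: dict) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one policy document."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt.get("Action", []), action) or not _condition_holds(stmt, context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit deny anywhere is final
        decision = "Allow"
    return decision


def is_authorized(action: str, identity_policy: dict, scp: dict, context: dict,
                  in_management_account: bool = False) -> bool:
    """SCP first (it is a boundary), then the identity policy must grant the action."""
    if not in_management_account and evaluate_policy(scp, action, context) != "Allow":
        return False   # SCPs never grant; they only cap what IAM may grant
    return evaluate_policy(identity_policy, action, context) == "Allow"


# Constructed sample SCP: full access, minus EC2/RDS outside two approved Regions,
# minus leaving the organization.
REGION_GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FullAWSAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "DenyOutsideApprovedRegions", "Effect": "Deny", "Action": ["ec2:*", "rds:*"],
         "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}}},
        {"Sid": "DenyLeavingOrganization", "Effect": "Deny",
         "Action": "organizations:LeaveOrganization", "Resource": "*"},
    ],
}

# Constructed, over-broad developer policy: it hands out organizations:* and gates
# a sensitive IAM action on MFA being present in the session.
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:Describe*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "organizations:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:DeleteRole", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}


if __name__ == "__main__":
    eu, us = {"aws:RequestedRegion": "eu-west-1"}, {"aws:RequestedRegion": "us-east-1"}
    print(is_authorized("ec2:RunInstances", DEVELOPER_POLICY, REGION_GUARDRAIL_SCP, eu))  # True
    print(is_authorized("ec2:RunInstances", DEVELOPER_POLICY, REGION_GUARDRAIL_SCP, us))  # False: SCP deny wins
    print(is_authorized("s3:GetObject", DEVELOPER_POLICY, REGION_GUARDRAIL_SCP, eu))      # False: IAM never granted it
    print(is_authorized("organizations:LeaveOrganization", DEVELOPER_POLICY,
                        REGION_GUARDRAIL_SCP, eu))                                        # False: SCP deny wins
    print(is_authorized("organizations:LeaveOrganization", DEVELOPER_POLICY,
                        REGION_GUARDRAIL_SCP, eu, in_management_account=True))            # True: no SCP applies
```

The last two calls are the reason the management account should hold almost nothing and have almost no users: an over-broad IAM policy that an SCP keeps in check everywhere else is fully live there.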

How does AWS Control Tower help organizations scale?

Using Control Tower is like buying a pre-built model home instead of custom building one from scratch.

Control Tower can set up foundational OUs and configure key accounts, including a centralized logging account and an audit account. The foundational multi-account environment it sets up based on AWS best practices is called a Landing Zone.

It includes the Account Factory, which is a self-service machine that lets teams quickly request a new account that is instantly built with all the standard organizational rules and settings already baked in.

It applies preventive controls (SCPs that block non-compliant actions), detective controls (Config rules that flag non-compliance after the fact) and proactive controls (CloudFormation hooks that reject non-compliant templates before deployment).

In a multi-account environment, there are dedicated accounts to oversee everything else.

Centralized Logging Account: All CloudTrail logs from every account are sent here for immutability and compliance. Even if a source account is compromised, the logs remain intact in this dedicated, secure location

Centralized Security Account: This account gives the security team central visibility and better threat correlation across accounts. It is the delegated administrator for services like Security Hub (for findings) and GuardDuty (for threat detection), so there is one place to see all warnings and threats across the entire organization.

How can tagging improve cost visibility and control?

To track costs, a robust financial management strategy relies on Cost Allocation Tags.

Every resource (like a server or storage bucket) must be labeled with mandatory tags such as CostCenter (which department pays), Environment (Prod/Dev) and Owner (who is responsible).

Organizations can use Tag Policies via AWS Organizations to enforce consistent tagging and define allowed values.

Cost Allocation Reports break down costs by any combination of these tags, enabling detailed chargeback to business units and accurate tracking of cost trends.

End of Day 1 Topic 1!

I’ll be sharing daily study notes here on Tech Zone with Nana and weekly reflections on my main page — follow along!