| name | aws-security-architecture |
| description | AWS Control Tower, Well-Architected Framework, VPC security, GuardDuty, CloudTrail, high availability, and resilience per Hack23 Secure Development Policy |
| license | MIT |
AWS Security Architecture Skill
Context
This skill applies when:
- Designing AWS cloud architecture
- Implementing AWS Control Tower objectives
- Following AWS Well-Architected Framework
- Configuring VPC endpoints and private connectivity
- Setting up AWS GuardDuty, Security Hub, CloudTrail
- Implementing high availability and disaster recovery
- Conducting chaos engineering with AWS FIS
This skill enforces Hack23 Secure Development Policy AWS sections for AWS-native security services.
Rules
1. AWS Control Tower Objectives (Policy Section 🎯)
- CO.1: Establish identity and access management (IAM)
- CO.2: Establish network security (VPC, security groups)
- CO.3: Establish data protection (encryption, backups)
- CO.4: Establish detective controls (CloudTrail, GuardDuty)
- CO.5-15: Operational excellence, cost optimization, performance
2. AWS Well-Architected Framework (Policy Section 🏛️)
- Security Pillar: Identity, detective controls, infrastructure protection, data protection, incident response
- Reliability Pillar: Foundations, workload architecture, change management, failure management
- Operational Excellence: Organization, prepare, operate, evolve
- Performance Efficiency: Selection, review, monitoring, tradeoffs
- Cost Optimization: Practice Cloud Financial Management, expenditure awareness
- Sustainability: Region selection, user behavior patterns, software patterns, data patterns, hardware patterns
3. Network Security (Policy Section 🌐)
- Zero Trust Architecture: Never trust, always verify
- VPC Endpoints: Private connectivity for AWS services
- Security Groups: Least privilege network access
- NACLs: Network layer protection
- VPC Flow Logs: Network traffic monitoring
4. Security Monitoring (Policy Section 🔍)
- AWS GuardDuty: Threat detection and continuous monitoring
- AWS Security Hub: Centralized security findings
- AWS CloudTrail: API activity logging and auditing
- AWS Config: Configuration change tracking
- Amazon CloudWatch: Metrics and log aggregation
Examples
✅ Good Pattern: AWS Control Tower Objectives Implementation
const lambdaExecutionPolicy = {
Version: '2012-10-17',
Statement: [
{
Sid: 'LoggingPermissions',
Effect: 'Allow',
Action: [
'logs:CreateLogGroup',
'logs:CreateLogStream',
'logs:PutLogEvents'
],
Resource: 'arn:aws:logs:*:*:log-group:/aws/lambda/european-parliament-mcp-*'
},
{
Sid: 'SecretsManagerAccess',
Effect: 'Allow',
Action: [
'secretsmanager:GetSecretValue'
],
Resource: 'arn:aws:secretsmanager:*:*:secret:ep-api-credentials-*'
},
{
Sid: 'DynamoDBReadWrite',
Effect: 'Allow',
Action: [
'dynamodb:GetItem',
'dynamodb:PutItem',
'dynamodb:Query',
'dynamodb:UpdateItem'
],
Resource: 'arn:aws:dynamodb:*:*:table/ep-cache'
}
]
};
const apiSecurityGroup = {
ingress: [
{
description: 'HTTPS from ALB',
from_port: 443,
to_port: 443,
protocol: 'tcp',
security_groups: ['sg-alb-12345']
}
],
egress: [
{
description: 'HTTPS to European Parliament API',
from_port: 443,
to_port: 443,
protocol: 'tcp',
cidr_blocks: ['0.0.0.0/0']
}
]
};
const s3BucketEncryption = {
bucket: 'ep-mcp-data',
rule: {
apply_server_side_encryption_by_default: {
sse_algorithm: 'aws:kms',
kms_master_key_id: 'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012'
}
}
};
const dynamoDBEncryption = {
table_name: 'ep-cache',
server_side_encryption: {
enabled: true,
kms_key_id: 'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012'
}
};
const cloudTrailConfig = {
name: 'ep-mcp-trail',
s3_bucket_name: 'ep-mcp-cloudtrail-logs',
enable_logging: true,
include_global_service_events: true,
is_multi_region_trail: true,
enable_log_file_validation: true,
event_selectors: [
{
read_write_type: 'All',
include_management_events: true
}
]
};
const guardDutyConfig = {
enable: true,
finding_publishing_frequency: 'FIFTEEN_MINUTES',
datasources: {
s3_logs: { enable: true },
kubernetes: { audit_logs: { enable: true } },
malware_protection: { scan_ec2_instance_with_findings: { ebs_volumes: { enable: true } } }
}
};
Evidence: CIA AWS Architecture
✅ Good Pattern: VPC Endpoints for Private Connectivity
const dynamoDBEndpoint = {
vpc_id: 'vpc-12345678',
service_name: 'com.amazonaws.us-east-1.dynamodb',
vpc_endpoint_type: 'Gateway',
route_table_ids: ['rtb-12345678', 'rtb-87654321']
};
const secretsManagerEndpoint = {
vpc_id: 'vpc-12345678',
service_name: 'com.amazonaws.us-east-1.secretsmanager',
vpc_endpoint_type: 'Interface',
subnet_ids: ['subnet-12345678', 'subnet-87654321'],
security_group_ids: ['sg-12345678'],
private_dns_enabled: true
};
const s3Endpoint = {
vpc_id: 'vpc-12345678',
service_name: 'com.amazonaws.us-east-1.s3',
vpc_endpoint_type: 'Gateway',
route_table_ids: ['rtb-12345678', 'rtb-87654321'],
policy: JSON.stringify({
Version: '2012-10-17',
Statement: [
{
Effect: 'Allow',
Principal: '*',
Action: ['s3:GetObject', 's3:PutObject'],
Resource: 'arn:aws:s3:::ep-mcp-data/*'
}
]
})
};
Policy Reference: Secure Development Policy Section 🔌
✅ Good Pattern: High Availability Architecture
graph TB
subgraph "Region: us-east-1"
subgraph "AZ-1a"
ALB1[Application Load Balancer]
Lambda1a[Lambda Function]
DDB1a[DynamoDB<br/>Auto-Replicated]
end
subgraph "AZ-1b"
Lambda1b[Lambda Function]
DDB1b[DynamoDB<br/>Auto-Replicated]
end
subgraph "AZ-1c"
Lambda1c[Lambda Function]
DDB1c[DynamoDB<br/>Auto-Replicated]
end
end
User[Users] --> R53[Route 53<br/>Health Checks]
R53 --> ALB1
ALB1 --> Lambda1a
ALB1 --> Lambda1b
ALB1 --> Lambda1c
Lambda1a --> DDB1a
Lambda1b --> DDB1b
Lambda1c --> DDB1c
style ALB1 fill:#ff9900
style Lambda1a fill:#ff9900
style Lambda1b fill:#ff9900
style Lambda1c fill:#ff9900
style DDB1a fill:#527fff
style DDB1b fill:#527fff
style DDB1c fill:#527fff
RTO/RPO:
- RTO (Recovery Time Objective): 5 minutes
- RPO (Recovery Point Objective): 0 (real-time replication)
Evidence: Black Trigram HA Architecture
✅ Good Pattern: AWS Resilience Hub Assessment
const resilienceAssessment = {
applicationName: 'european-parliament-mcp-server',
resiliencyPolicy: {
tier: 'MissionCritical',
rto: 300,
rpo: 0,
},
assessmentSchedule: 'Daily',
recommendations: [
'Enable multi-AZ deployment',
'Configure DynamoDB global tables for cross-region',
'Implement automated failover with Route 53',
'Add chaos engineering tests with AWS FIS'
]
};
const fisExperiment = {
description: 'Test Lambda function resilience to AZ failure',
actions: {
'stop-az-instances': {
actionId: 'aws:ec2:stop-instances',
parameters: {
availabilityZoneIdentifier: 'us-east-1a',
duration: 'PT5M'
},
targets: {
instances: 'lambda-execution-environment'
}
}
},
stopConditions: [
{
source: 'aws:cloudwatch:alarm',
value: 'arn:aws:cloudwatch:us-east-1:123456789012:alarm:HighErrorRate'
}
],
roleArn: 'arn:aws:iam::123456789012:role/FISExperimentRole'
};
Policy Reference: Secure Development Policy Section ⚡
✅ Good Pattern: Data Protection & Backup Strategy
const backupPlan = {
plan_name: 'ep-mcp-backup-plan',
rules: [
{
rule_name: 'daily-backup',
target_vault_name: 'ep-mcp-backup-vault',
schedule: 'cron(0 2 * * ? *)',
lifecycle: {
delete_after: 90,
move_to_cold_storage_after: 30
},
recovery_point_tags: {
Environment: 'production',
Application: 'european-parliament-mcp-server'
}
}
],
selections: [
{
name: 'dynamodb-backup-selection',
resources: ['arn:aws:dynamodb:*:*:table/ep-cache']
},
{
name: 's3-backup-selection',
resources: ['arn:aws:s3:::ep-mcp-data']
}
]
};
const dynamoDBBackup = {
table_name: 'ep-cache',
point_in_time_recovery: {
enabled: true
}
};
Anti-Patterns
❌ Bad: Public S3 Bucket
const badS3Bucket = {
bucket: 'ep-data',
acl: 'public-read'
};
❌ Bad: Overly Permissive IAM Policy
const badIAMPolicy = {
Effect: 'Allow',
Action: '*',
Resource: '*'
};
Evidence Portfolio
Reference Implementations
-
Citizen Intelligence Agency (CIA)
-
Black Trigram Game
-
CIA Compliance Manager
Policy Documents
ISMS Compliance
This skill enforces:
- SD-AWS-001: AWS Control Tower objectives
- SD-AWS-002: Well-Architected Framework alignment
- SD-AWS-003: VPC security and private connectivity
- SD-AWS-004: Security monitoring with GuardDuty/Security Hub
- SD-AWS-005: High availability and resilience
Policy Reference: Hack23 Secure Development Policy AWS Sections