Cloud Security Architecture Blueprint

February 13, 2026 | Security Cloud

Six-layer security model for SMBs.

Cloud Security Architecture: A Six-Layer Model

Cloud security isn't a single product — it's an architecture. This blueprint defines six security layers that, when combined, provide comprehensive protection for SMB cloud workloads. Each layer addresses different threat vectors and compliance requirements.

The Six Layers

  1. Identity and Access Management — Who can do what
  2. Network Security — Where traffic can flow
  3. Data Protection — Encryption at rest and in transit
  4. Application Security — Secure code and runtime protection
  5. Detection and Response — Monitoring and incident handling
  6. Governance and Compliance — Policies, auditing, and reporting

Layer 1: Identity and Access Management

  • SSO with MFA — AWS SSO with mandatory MFA for all human users
  • Least privilege IAM — Use permission boundaries and SCPs to limit blast radius
  • No long-lived credentials — Use IAM roles and OIDC federation instead of access keys
  • Service accounts — Dedicated IAM roles per service with minimal permissions

Layer 2: Network Security

  • VPC isolation — Separate VPCs per environment with no cross-environment routing by default
  • Security Groups — Least-privilege inbound rules; reference other Security Groups by ID rather than by CIDR, so rules follow the workload instead of the address range
  • Private subnets — All application and data workloads in private subnets
  • VPC endpoints — Access AWS services without internet exposure

Layer 3: Data Protection

  • Encryption at rest — KMS-managed keys for EBS, S3, RDS, and all storage services
  • Encryption in transit — TLS 1.2+ for all external connections, mTLS for internal services
  • Key rotation — Automatic annual rotation for KMS keys
  • Data classification — Tag resources by data sensitivity (public, internal, confidential, restricted)

Layer 4: Application Security

  • Container scanning — Trivy in CI/CD pipelines, ECR scan on push
  • WAF — AWS WAF on CloudFront and ALB with managed rules
  • Secrets management — AWS Secrets Manager with automatic rotation
  • Dependency scanning — Dependabot or Snyk for vulnerability detection in libraries

Layer 5: Detection and Response

  • CloudTrail — Enabled in all regions with S3 storage and CloudWatch alerts
  • GuardDuty — Threat detection for account compromise, crypto mining, and network anomalies
  • VPC Flow Logs — Traffic analysis and anomaly detection
  • Incident response plan — Documented procedures with regular tabletop exercises

Layer 6: Governance and Compliance

  • AWS Config — Continuous compliance monitoring with conformance packs
  • Service Control Policies — Prevent dangerous actions at the organization level
  • Tagging enforcement — Require cost allocation and security tags on all resources
  • Regular audits — Quarterly security reviews and penetration testing
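Three of the items above (Layer 1's ban on long-lived credentials, Layer 5's always-on CloudTrail and GuardDuty, and Layer 6's organization-level Service Control Policies) can be enforced by a single SCP. The policy below is a constructed example added here, not part of the blueprint or any client engagement, and the region list is a placeholder; the evaluator is a deliberately simplified model (assumption: only Action/NotAction and StringNotEquals are handled, Resource is treated as "*") that lets you check which statement would block a given API call before the SCP is attached to a real OU.

```python
import fnmatch

# Constructed Service Control Policy (not from the page) covering three blueprint items:
# Layer 1 no long-lived credentials, Layer 5 keep detection on, Layer 6 org-level guardrails.
# Approved regions are a placeholder. An SCP only removes permissions; IAM still grants them.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Layer 1: humans get roles via SSO, so nobody mints IAM user access keys
            "Sid": "DenyLongLivedCredentials", "Effect": "Deny", "Resource": "*",
            "Action": ["iam:CreateAccessKey", "iam:CreateUser", "iam:CreateLoginProfile"],
        },
        {   # Layer 5: CloudTrail, GuardDuty and Config cannot be switched off from a member account
            "Sid": "ProtectDetection", "Effect": "Deny", "Resource": "*",
            "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail",
                       "guardduty:DeleteDetector", "guardduty:UpdateDetector",
                       "config:StopConfigurationRecorder"],
        },
        {   # Layer 6: block everything outside the approved regions except global services
            "Sid": "DenyUnapprovedRegions", "Effect": "Deny", "Resource": "*",
            "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*"],
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}},
        },
    ],
}

def _matches(patterns, action):
    """IAM action patterns use * and ? wildcards and match case-insensitively."""
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in pats)

def _condition_holds(cond, ctx):
    """Simplified: only StringNotEquals. As in IAM, a missing key makes a negated operator true."""
    for key, values in cond.get("StringNotEquals", {}).items():
        allowed = values if isinstance(values, list) else [values]
        if ctx.get(key) in allowed:
            return False
    return True

def scp_denies(policy, action, ctx):
    """Return the Sid of the first Deny statement that blocks `action` under request
    context `ctx`, or None. Simplified evaluator (assumption): Resource is treated as "*"."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        hit = _matches(stmt["Action"], action) if "Action" in stmt else not _matches(stmt["NotAction"], action)
        if hit and _condition_holds(stmt.get("Condition", {}), ctx):
            return stmt["Sid"]
    return None
```

Run a handful of calls through `scp_denies` before deployment: a call that is wrongly blocked (for example `sts:AssumeRole` in an unapproved region, which must stay allowed so SSO still works) is far cheaper to find here than after the SCP locks an account out.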

Implementation Priority for SMBs

Phase    Timeline   Focus
Phase 1  Week 1-2   IAM hardening, MFA, CloudTrail, GuardDuty
Phase 2  Week 3-4   Network segmentation, encryption, WAF
Phase 3  Month 2    Container security, secrets management
Phase 4  Month 3    Compliance automation, incident response

Eazy SaaS Tip: We implement this six-layer model for every client engagement, starting with IAM and detection. The first two phases (4 weeks) typically address 80% of security gaps. We then iterate on application security and compliance in subsequent phases.