Introduction
In today’s cybersecurity landscape, traditional security models based on perimeter defenses are no longer sufficient. With the rapid shift to cloud environments, Zero Trust architecture (ZTA) has become essential. The Zero Trust model assumes that no one, whether inside or outside the network, should be trusted by default. Every request for access—whether from a user, device, or application—must be continuously authenticated, authorized, and validated before granting access.
For my portfolio website, EdwinMolina.me, hosted on AWS, I adopted a Zero Trust approach to ensure that every request is properly vetted and that access to critical resources is tightly controlled. This blog post will walk through how I implemented Zero Trust security using AWS services, AWS Organizations, and a multi-account architecture to enhance security, manage resources efficiently, and enforce strict policies.
What is Zero Trust?
Zero Trust is a security model that operates on the principle of "never trust, always verify." Key principles include:
- Verify explicitly: Every access request, regardless of origin, is verified based on multiple factors such as identity, device health, and behavior.
- Least privilege access: Users and devices are only granted the minimum level of access necessary to perform their tasks.
- Assume breach: Assume that a breach could happen at any time and design systems to limit the impact of potential security events.
Implementing Zero Trust on AWS
To implement Zero Trust on AWS, I focused on several key elements: strong identity and access management, network segmentation, encryption, continuous monitoring, and the strategic use of AWS services and multi-account structures. Here’s how I achieved this:
1. Enforcing Strong Identity Management with AWS IAM
AWS Identity and Access Management (IAM) is critical for implementing Zero Trust. I applied the Principle of Least Privilege by granting only the necessary permissions to each user, role, and service.
- Role-Based Access Control (RBAC): Permissions are attached to IAM roles scoped to a job (a deploy role, a read-only audit role), and users assume those roles to obtain short-lived credentials rather than holding broad permissions or long-lived access keys directly.
- Multi-Factor Authentication (MFA): Required MFA for all users, above all for administrative principals and the root user of every account. A requirement is only real if policy enforces it, so the deny is expressed with the aws:MultiFactorAuthPresent condition instead of being left to each user to switch on.
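To make the two bullets above concrete, here is an added example (not the site's own policy files) of a least-privilege deploy policy, the standard deny-unless-MFA policy, and a small linter that flags wildcard grants. The bucket ARN, distribution ARN and Sids are placeholders; aws:MultiFactorAuthPresent and the BoolIfExists operator are real IAM condition syntax.

```python
import json

# Added example (not the site's own policy files). Bucket and distribution ARNs are placeholders.
SITE_BUCKET = "arn:aws:s3:::example-site-assets"
DISTRIBUTION = "arn:aws:cloudfront::123456789012:distribution/EXAMPLEID"

# Least-privilege policy for a CI deploy role: only the calls a static-site deploy makes,
# each scoped to the site's own bucket or distribution.
DEPLOY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListSiteBucket", "Effect": "Allow",
         "Action": "s3:ListBucket", "Resource": SITE_BUCKET},
        {"Sid": "WriteSiteObjects", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:DeleteObject"], "Resource": f"{SITE_BUCKET}/*"},
        {"Sid": "InvalidateCache", "Effect": "Allow",
         "Action": "cloudfront:CreateInvalidation", "Resource": DISTRIBUTION},
    ],
}

# Policy for human IAM users: everything except MFA enrolment is denied until the session
# carries MFA. aws:MultiFactorAuthPresent is the real IAM condition key; BoolIfExists
# (rather than Bool) makes the Deny apply even when the key is absent from the request,
# which is the case for requests signed with long-lived access keys.
REQUIRE_MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllWithoutMFA", "Effect": "Deny",
        "NotAction": ["iam:ChangePassword", "iam:GetUser",
                      "iam:ListMFADevices", "iam:ListVirtualMFADevices",
                      "iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                      "iam:ResyncMFADevice", "sts:GetSessionToken"],
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}

# The kind of policy that appears when a deploy is wired up in a hurry; kept as the "before".
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DoAnything", "Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def least_privilege_findings(policy):
    """Return findings for Allow statements that grant wildcard actions, whole-service
    actions (service:*) or wildcard resources. Some actions only accept Resource "*"
    (s3:ListAllMyBuckets, for example), so each finding is a review item, not a verdict."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        for action in _as_list(st.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action!r}")
        for resource in _as_list(st.get("Resource", [])):
            if resource == "*":
                findings.append(f"{sid}: wildcard resource")
    return findings


def denies_without_mfa(policy):
    """True if the policy contains a Deny that fires when aws:MultiFactorAuthPresent is false."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Deny":
            continue
        cond = st.get("Condition", {})
        for op in ("Bool", "BoolIfExists"):
            if str(cond.get(op, {}).get("aws:MultiFactorAuthPresent", "")).lower() == "false":
                return True
    return False


if __name__ == "__main__":
    for name, pol in (("deploy", DEPLOY_POLICY), ("broad", OVERLY_BROAD_POLICY)):
        print(name, least_privilege_findings(pol) or "no findings")
    print("MFA enforced:", denies_without_mfa(REQUIRE_MFA_POLICY))
    print(json.dumps(DEPLOY_POLICY, indent=2))
```

The linter is deliberately dumb: it only looks at the shape of Allow statements, so it catches the `"Action": "*"` style of policy that creeps in during setup without needing any AWS access. Run it over `json.load()` of every customer-managed policy before it is attached.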
2. Network Segmentation with Amazon VPC
Network segmentation is a fundamental Zero Trust principle. I used Amazon VPC (Virtual Private Cloud) to isolate critical workloads into separate subnets.
- Private and Public Subnets: Placed sensitive resources in private subnets and public-facing services in public subnets.
- Security Groups and Network ACLs: Security groups (stateful, attached to each instance or network interface) allow only the ports a tier needs, with the source expressed as another security group rather than a CIDR wherever possible; network ACLs (stateless, applied per subnet) add a coarser second layer between subnets.
- VPN and Direct Connect: A site-to-site VPN provides an encrypted (IPsec) path from on-premises environments. Direct Connect is a private link, not an encrypted one: traffic over it is only protected if an IPsec VPN is run across it or MACsec is enabled on the connection.
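The segmentation described in this section is only as good as the rules actually present on the groups, so here is an added example (not the site's own tooling) that audits ingress rules for the two mistakes that undo it: admin or all-port access from a public range, and "all traffic from the VPC CIDR" where a source security group should be named. The input is constructed in the shape `describe_security_groups()` returns; group IDs and CIDRs are placeholders.

```python
import ipaddress

# Added example with constructed input in the shape boto3's ec2.describe_security_groups()
# returns under "SecurityGroups". Group IDs and CIDRs are placeholders; only IPv4 is modelled.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_PORTS = {22, 3389, 3306, 5432}  # ssh, rdp, mysql, postgres: never from the internet

SECURITY_GROUPS = [
    {"GroupId": "sg-0a1web", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        # left over from a debugging session: SSH open to the world
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0b2app", "GroupName": "app-tier", "IpPermissions": [
        # the segmentation we want: the source is the web tier's group, not a CIDR
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0a1web"}]},
    ]},
    {"GroupId": "sg-0c3db", "GroupName": "db-tier", "IpPermissions": [
        # "all traffic from the VPC" makes the private subnet boundary meaningless
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
    ]},
]


def _is_public(cidr):
    """0.0.0.0/0 or any range outside RFC 1918 space counts as public."""
    return not any(cidr.subnet_of(private) for private in RFC1918)


def _port_range(rule):
    if rule["IpProtocol"] == "-1":
        return "all ports"
    lo, hi = rule["FromPort"], rule["ToPort"]
    return str(lo) if lo == hi else f"{lo}-{hi}"


def _exposes_admin_port(rule):
    if rule["IpProtocol"] == "-1":
        return True
    return any(rule["FromPort"] <= p <= rule["ToPort"] for p in ADMIN_PORTS)


def audit_ingress(groups):
    """Return (GroupId, ports, reason) for ingress rules that break segmentation:
    admin or all ports reachable from a public CIDR, or a rule that opens every
    protocol to a CIDR instead of naming a source security group."""
    findings = []
    for sg in groups:
        for rule in sg["IpPermissions"]:
            ports = _port_range(rule)
            for ip_range in rule.get("IpRanges", []):
                cidr = ipaddress.ip_network(ip_range["CidrIp"])
                if _is_public(cidr) and _exposes_admin_port(rule):
                    findings.append((sg["GroupId"], ports,
                                     f"admin/all ports reachable from public CIDR {cidr}"))
                elif rule["IpProtocol"] == "-1":
                    findings.append((sg["GroupId"], ports,
                                     f"all protocols from {cidr}; restrict to a source security group"))
    return findings


if __name__ == "__main__":
    for group_id, ports, reason in audit_ingress(SECURITY_GROUPS):
        print(f"{group_id} [{ports}]: {reason}")
```

Against a live account, pass `boto3.client("ec2").describe_security_groups()["SecurityGroups"]` in place of the constructed list. Note that 443 from 0.0.0.0/0 on the web tier is not flagged: that is the one port that is meant to be public.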
3. Centralized Management with AWS Organizations and Multi-Account Architecture
I implemented a multi-account AWS environment using AWS Organizations to enhance security and operational efficiency. Here’s the breakdown of the accounts I used:
| Account Type | Purpose |
|---|---|
| Management (formerly "master") | Root of the AWS Organization: consolidated billing, organizational units, and organization-wide access control through service control policies. |
| Log Archive | Dedicated account for storing centralized logs (CloudTrail, VPC Flow Logs) where workload accounts can write but not alter them. |
| Audit | Security auditing, compliance, and monitoring. |
| Security | Centralizes security services such as GuardDuty, Security Hub, and AWS WAF. |
| Shared Services | Hosts shared services such as DNS (Route 53) and Directory Services. |
| Development/Production | Separate accounts for development, staging, and production environments. |
| Cost and Billing | Centralizes cost tracking and financial reporting. |
This structure ensures isolation, security, and efficient resource management.
4. Web Application Protection with AWS WAF and CloudFront
To safeguard my platform, I used AWS Web Application Firewall (WAF) and Amazon CloudFront to protect against common web threats.
- AWS WAF: Attached a web ACL with custom rules that drop malicious request patterns and filter abusive traffic before it reaches the origin, so application-layer attacks are stopped at the edge.
- Amazon CloudFront: Placed in front of the origin as the only public entry point, with the WAF web ACL attached to the distribution so rules are evaluated at the edge. The origin itself has to refuse anything that did not come through CloudFront (origin access control for an S3 origin; for a server origin, a shared secret header plus the CloudFront origin-facing prefix list in its security group), otherwise the WAF can be bypassed by addressing the origin directly.
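The origin-side half of the CloudFront bullet is easy to forget, so here is an added example (not the site's code) of the check a server origin performs: CloudFront is assumed to be configured to add a custom origin header, called X-Origin-Verify here, carrying a shared secret, and the origin rejects requests that lack it or that arrive with a Host header other than the site's. The header name, the host and the secret are placeholders.

```python
import hmac
import os

# Added example, not the site's code. Assumes CloudFront adds a custom origin header
# (name chosen here: X-Origin-Verify) whose value is a secret the origin also knows.
# Host and secret are placeholders; in practice the secret comes from the environment
# or a secrets manager, never from source.
EXPECTED_HOST = "www.example.com"
ORIGIN_SECRET = os.environ.get("ORIGIN_SECRET", "replace-me-with-a-long-random-value")

# Constructed requests: one that came through CloudFront, one aimed straight at the origin IP.
VIA_CLOUDFRONT = {"host": "www.example.com", "x-origin-verify": ORIGIN_SECRET,
                  "user-agent": "Amazon CloudFront"}
DIRECT_TO_ORIGIN = {"host": "203.0.113.10", "user-agent": "curl/8.0"}


def request_allowed(headers, secret=None):
    """Decide whether a request reached the origin through CloudFront.

    headers: dict of lower-cased header names -> values.
    Two checks: the shared-secret header matches (constant-time compare, so a
    byte-by-byte timing probe cannot recover it), and the Host header is the site's
    own, so a direct hit on the origin IP with an arbitrary Host fails too.
    Returns (allowed, reason)."""
    secret = ORIGIN_SECRET if secret is None else secret
    presented = headers.get("x-origin-verify", "")
    if not hmac.compare_digest(presented.encode(), secret.encode()):
        return False, "missing or wrong X-Origin-Verify header"
    host = headers.get("host", "").split(":")[0].lower()
    if host != EXPECTED_HOST:
        return False, f"unexpected Host {host!r}"
    return True, "ok"


if __name__ == "__main__":
    for label, req in (("via CloudFront", VIA_CLOUDFRONT), ("direct", DIRECT_TO_ORIGIN)):
        print(label, request_allowed(req))
```

Wire `request_allowed` in as the first middleware of the origin application and return 403 on a False result. The header check complements, rather than replaces, a security group rule that limits the origin's inbound 443 to the AWS-managed prefix list `com.amazonaws.global.cloudfront.origin-facing`: the prefix list stops random hosts on the internet, the header stops other CloudFront customers' distributions from being pointed at your origin.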
5. Enforcing Encryption for Data Protection
All data, whether in transit or at rest, is encrypted to protect against unauthorized access.
- TLS: Certificates are issued and renewed by AWS Certificate Manager (ACM); a certificate used by CloudFront has to live in us-east-1, and the distribution's viewer protocol policy redirects HTTP to HTTPS so plaintext requests never reach the site.
- Encryption at Rest: Configured S3, RDS, and EBS to encrypt data with AWS Key Management Service (KMS) keys, whose key policies add a second authorization check on every decrypt.
- End-to-End Encryption: Encryption is kept on at every hop, not only the public one: TLS from the viewer to CloudFront and again from CloudFront to the origin, and KMS at rest, so data is never in plaintext on a network path or a disk.
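Two of the controls above, the organization-wide guardrails from the multi-account section and the "no plaintext, no unencrypted uploads" rule for the asset bucket, are both just IAM-style policy documents, so here is one added example (not the site's own policies) that writes both and runs them through a deliberately small evaluator answering a single question: does this policy explicitly deny the request? The account, region and bucket choices are placeholders; the policy syntax, condition keys and the two-statement encryption pattern are real.

```python
import fnmatch

# Added example, not the site's own policies. Regions, bucket name and Sids are placeholders.
# Both documents are real IAM policy syntax; the evaluator is a small model that only
# answers "is this request explicitly denied?" (Allow statements are out of scope).

# SCP for the workload OUs: nobody in a member account can switch off the audit trail or
# operate outside the approved regions. Global services are exempted via NotAction.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ProtectLogging", "Effect": "Deny", "Resource": "*",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail",
                    "guardduty:DeleteDetector", "guardduty:UpdateDetector"]},
        {"Sid": "DenyOutsideApprovedRegions", "Effect": "Deny", "Resource": "*",
         "NotAction": ["iam:*", "sts:*", "organizations:*", "cloudfront:*",
                       "route53:*", "wafv2:*", "support:*"],
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "us-west-2"]}}},
    ],
}

# Bucket policy for the site's asset bucket: no plaintext transport, no unencrypted uploads.
# AWS's published pattern uses two statements for the encryption header (wrong value, and
# header absent) so the outcome does not depend on how a missing key is treated.
BUCKET = "arn:aws:s3:::example-site-assets"
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": [BUCKET, f"{BUCKET}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyWrongEncryptionHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{BUCKET}/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyMissingEncryptionHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{BUCKET}/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(patterns, value, fold_case=False):
    # IAM wildcards are '*' and '?'. Action names match case-insensitively, ARNs do not.
    if fold_case:
        value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower() if fold_case else p) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    # Four operators modelled. A missing key never satisfies StringNotEquals in this model,
    # which is exactly why the bucket policy carries a separate Null statement.
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            actual, expected = ctx.get(key), _as_list(expected)
            if op == "StringEquals":
                ok = actual is not None and actual in expected
            elif op == "StringNotEquals":
                ok = actual is not None and actual not in expected
            elif op == "Bool":
                ok = actual is not None and str(actual).lower() == str(expected[0]).lower()
            elif op == "Null":
                ok = (actual is None) == (str(expected[0]).lower() == "true")
            else:
                raise ValueError(f"operator {op} not modelled")
            if not ok:
                return False
    return True


def explicit_deny(policy, action, resource, ctx):
    """Return the Sid of the first Deny statement matching (action, resource, ctx), else None.
    ctx holds the request context keys (aws:RequestedRegion, aws:SecureTransport, ...)."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Deny":
            continue
        if "Action" in st:
            hit = _matches(st["Action"], action, fold_case=True)
        else:
            hit = not _matches(st["NotAction"], action, fold_case=True)
        if not hit or not _matches(st.get("Resource", "*"), resource):
            continue
        if "Condition" in st and not _condition_holds(st["Condition"], ctx):
            continue
        return st.get("Sid", "<unnamed>")
    return None


if __name__ == "__main__":
    print(explicit_deny(SCP, "ec2:RunInstances", "*", {"aws:RequestedRegion": "eu-west-1"}))
    print(explicit_deny(BUCKET_POLICY, "s3:PutObject", f"{BUCKET}/index.html",
                        {"aws:SecureTransport": "true"}))
```

Before attaching a policy like the SCP to an OU, run the calls your own deploy makes through `explicit_deny` to see what it would block; an SCP that denies the management account's own tooling is a classic way to lock yourself out. The evaluator is a model for reasoning, not a substitute for the IAM policy simulator.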
6. Auditing and Monitoring with AWS CloudTrail and GuardDuty
Continuous monitoring is a cornerstone of Zero Trust. I used the following AWS services for real-time monitoring and auditing:
- AWS CloudTrail: Records management-plane API calls in every account (data events such as S3 object reads have to be enabled separately) and delivers them to the Log Archive account, where the workload accounts cannot alter or delete them.
- Amazon GuardDuty: Continuously monitored for threats by analyzing CloudTrail logs, VPC Flow Logs, and DNS logs.
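Logging is only monitoring once something reads the log and decides, so here is an added example (not the site's own detection) of four rules run over constructed CloudTrail records: root account use, console login without MFA, tampering with CloudTrail or GuardDuty, and an access key created for a different user. The field names (eventName, userIdentity.type, additionalEventData.MFAUsed) are the real CloudTrail ones; the timestamps, user names and IPs are made up.

```python
# Added example: detection logic over constructed CloudTrail records (real field names,
# made-up values). A real pipeline would read these from the Log Archive bucket or an
# EventBridge rule; nothing here calls AWS.
EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "edwin"},
     "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"},
     "sourceIPAddress": "203.0.113.44"},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"type": "Root"},
     "requestParameters": {"name": "org-trail"}, "sourceIPAddress": "203.0.113.44"},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"},
     "requestParameters": {"userName": "edwin"}, "sourceIPAddress": "203.0.113.44"},
    {"eventTime": "2024-05-01T10:08:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"},
     "requestParameters": {"bucketName": "example-site-assets", "key": "index.html"},
     "sourceIPAddress": "198.51.100.9"},
]

# Calls that blind the very controls this section relies on.
TAMPER_EVENTS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"},
    "guardduty.amazonaws.com": {"DeleteDetector", "UpdateDetector", "DeleteMembers"},
}


def _is_root(ev):
    return ev.get("userIdentity", {}).get("type") == "Root"


def _login_without_mfa(ev):
    return (ev["eventName"] == "ConsoleLogin"
            and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def _tampering(ev):
    return ev["eventName"] in TAMPER_EVENTS.get(ev["eventSource"], ())


def _key_for_other_user(ev):
    # CreateAccessKey with no userName targets the caller; a different name is escalation.
    target = ev.get("requestParameters", {}).get("userName")
    return ev["eventName"] == "CreateAccessKey" and target not in (None, ev["userIdentity"].get("userName"))


RULES = [
    ("root-account-used", _is_root),
    ("console-login-without-mfa", _login_without_mfa),
    ("logging-or-detection-tampered", _tampering),
    ("access-key-created-for-other-user", _key_for_other_user),
]


def detect(events):
    """Return (rule, eventTime, eventName, sourceIPAddress) for every rule each event trips."""
    alerts = []
    for ev in events:
        for name, predicate in RULES:
            if predicate(ev):
                alerts.append((name, ev["eventTime"], ev["eventName"], ev.get("sourceIPAddress", "?")))
    return alerts


def group_by_source_ip(alerts):
    """Collapse alerts per source IP so one session of abuse reads as one incident."""
    by_ip = {}
    for rule, when, event, ip in alerts:
        by_ip.setdefault(ip, []).append((when, event, rule))
    return by_ip


if __name__ == "__main__":
    for ip, items in group_by_source_ip(detect(EVENTS)).items():
        print(ip)
        for when, event, rule in items:
            print(f"  {when} {event:<16} {rule}")
```

Grouping by source IP is what turns five alerts into one story: a root login without MFA, the trail switched off a minute later, and a new access key minted for another user, all from the same address. The tampering rule is also the reason the SCP in the multi-account section denies StopLogging in member accounts: the alert should never have the chance to fire there.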
Conclusion
Securing modern cloud environments requires a proactive approach, and Zero Trust has been at the core of my security strategy for EdwinMolina.me. By leveraging AWS IAM, VPC segmentation, AWS WAF, GuardDuty, and AWS Organizations with a multi-account structure, I have successfully implemented a scalable, secure, and resilient cloud architecture.
Using AWS Organizations, I structured multiple accounts to enhance security, improve resource isolation, and enforce strict policies across development, production, security, and audit environments. This approach ensures better access control, centralized logging, and security governance, preventing unauthorized access and limiting the blast radius of potential threats.
This project demonstrates my ability to design and implement robust security controls, apply industry best practices such as Zero Trust and least privilege access, and leverage AWS security services to mitigate risks in real time. As I continue expanding my expertise, I look forward to bringing my security-first mindset to a team where I can contribute to protecting critical assets, detecting threats, and enhancing cloud security.