Whether you are migrating existing workloads or creating something new in AWS, it can be tempting to bring your current security solutions with you. In this hands-on workshop, we help you identify which cloud-native solutions can mitigate the same risks while providing scalability, reliability, and cost optimization at a low operational burden. During this workshop, you will learn how to use cloud native controls like CloudTrail, Security Groups, GuardDuty and many more, to secure your cloud architecture.

  • Level: Intermediate
  • Duration: 1 hour
  • Prerequisites: AWS Account, Admin IAM User
  • CSF Functions: Prevent, Detect
  • CAF Components: Preventative, Detective for Logging and Monitoring and Infrastructure Security
  • AWS Services: Amazon CloudWatch, Amazon GuardDuty, AWS CloudTrail, AWS Config, Security Groups, Network ACLs


For this workshop, you will be securing an architecture that was a "refactored" migration from a traditional three tier on premise architecture.

The network has two internet facing VPCs - one VPC for the Web Application and one sandbox for the developers called the Proof of Concept VPC. Additionally, there is a Services VPC that allows administrators to manage the network.



Presentation Deck

Workshop Presentation Deck


This workshop has been tested in us-east-1, us-east-2, and us-west-1

First you'll want to Set up your environment for this lab by running CloudFormation.

Then you will perform multiple steps that will guide you through different security tasks. These steps will have you diving deep into two of the Core Epics of the Cloud Adoption Framework, namely "Logging and Monitoring" and "Infrastructure Security":

  1. Enable granular logging
  2. Improve granular control of communication
  3. Improve granular network-based controls
  4. Evaluate detailed logging capabilities
  5. Evaluate network-based protections
  6. Minimize admin access risk

If you complete all six steps with time to spare, there is Extra Credit available.

Finally, make sure to Clean up your environment to ensure you don't have any continuing charges.

Many of the steps in this lab are written in general steps. This is intentional - we want you to learn the AWS interface, so we will not always specify each necessary click to accomplish a task. We've written more of a guide than a tutorial. Please don’t hesitate to ask questions.