DeepDefence
Blog - Zero trust security model
AWS data perimeter
  • What is zero trust

  • Trust nobody, even if the component is within the same network. Every user and every system component has to identify itself before it can communicate with other components in the system (for example, to access data or invoke an API).

  • Why is it required

  • A zero trust approach greatly reduces the attack surface, because it removes unneeded pathways to your data.

  • How to set up zero trust in AWS

    • 1. Identity and Access Management (IAM)
      • Use IAM roles instead of long-lived credentials (no access keys in code).
      • Enable IAM Access Analyzer to identify unused permissions.
      • Enforce MFA for all users.
      • Use attribute-based access control (ABAC) for granular permissions.
    • 2. Single Sign-On with IAM Identity Center
      • Integrate with AWS IAM Identity Center (successor to AWS SSO) for centralized authentication.
      • Use SAML or OIDC federation with your employee identity provider.
      • Require MFA for all privileged access.
      • Use attribute-based access control (ABAC) for granular permissions.
    • 3. Network Segmentation (No Implicit Trust)
      • Use VPCs, subnets, and security groups to isolate workloads.
      • Deploy AWS PrivateLink or VPC endpoints to access AWS services privately.
      • Minimize or eliminate public access to workloads.
      • Use network access control lists (NACLs) and security groups to enforce segmentation.
    • 4. Continuous Monitoring & Logging
      • Enable CloudTrail for full audit logging.
      • Use Amazon GuardDuty for threat detection.
      • Monitor logs using Amazon CloudWatch Logs and AWS Security Hub.
      • Set up alerts for unusual activity using AWS Config and CloudWatch Alarms.
    • 5. Device and Workload Verification
      • Use Amazon Inspector to scan for vulnerabilities.
      • Use Systems Manager for secure management of EC2 instances.
      • Tag workloads and enforce policies using service control policies (SCPs) in AWS Organizations.
    • 6. Data Protection
      • Encrypt data at rest using KMS and in transit using TLS.
      • Use Macie to discover and protect PII data in S3.
      • Enable bucket policies and S3 Block Public Access.
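
As an added example (not part of the original post), the S3 side of a data perimeter in Python: a bucket policy whose explicit Deny statements combine the VPC endpoint, TLS and bucket-policy items above (only TLS, only callers from our organization, only via our VPC endpoint), plus a small checker that reports which of those guardrails a given policy lacks. The bucket name, organization id and VPC endpoint id are constructed placeholders.

```python
# Constructed placeholder values (not from any real account).
BUCKET = "example-data-bucket"
ORG_ID = "o-exampleorgid"
VPCE_ID = "vpce-0123456789abcdef0"

def perimeter_bucket_policy(bucket, org_id, vpce_id):
    """Explicit Deny statements draw the perimeter: TLS only, callers from our
    organization only, and only via our VPC endpoint. Production policies add
    carve-outs (e.g. aws:PrincipalIsAWSService) for AWS service principals."""
    arns = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]

    def deny(sid, condition):
        return {"Sid": sid, "Effect": "Deny", "Principal": "*",
                "Action": "s3:*", "Resource": arns, "Condition": condition}

    return {"Version": "2012-10-17", "Statement": [
        deny("DenyInsecureTransport", {"Bool": {"aws:SecureTransport": "false"}}),
        deny("DenyOutsideOrg", {"StringNotEquals": {"aws:PrincipalOrgID": org_id}}),
        deny("DenyOutsideVpce", {"StringNotEquals": {"aws:SourceVpce": vpce_id}}),
    ]}

# Guardrail name -> (condition operator, condition key, required value or None)
GUARDRAILS = {
    "tls_only": ("Bool", "aws:SecureTransport", "false"),
    "org_only": ("StringNotEquals", "aws:PrincipalOrgID", None),
    "vpce_only": ("StringNotEquals", "aws:SourceVpce", None),
}

def missing_guardrails(policy):
    """Return the guardrails the policy lacks. Only an explicit Deny carrying the
    matching condition counts; an Allow statement never satisfies a guardrail."""
    found = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        for op, keys in stmt.get("Condition", {}).items():
            for key, value in keys.items():
                for name, (want_op, want_key, want_value) in GUARDRAILS.items():
                    if (op, key) == (want_op, want_key) and \
                            (want_value is None or str(value).lower() == want_value):
                        found.add(name)
    return sorted(set(GUARDRAILS) - found)

# Weak setting for comparison: public read, no Deny statements at all.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}
```

Running `missing_guardrails` over the weak policy lists all three guardrails as missing, while the hardened policy returns an empty list; the same check can be pointed at exported bucket policies during a review.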

If you need help with a zero trust approach and its setup for your software solution, DeepDefence can help you. Drop us a message now! We offer a free security assessment to new customers.