AWS cloud, ~30 mins

Why defense in depth matters in AWS - See It in Action

Why defense in depth matters
📖 Scenario: You are working as a cloud engineer for a small company. Your manager wants you to set up a simple AWS environment that shows how multiple layers of security protect the company's data and services. This is called defense in depth. Think of it like locking your house with a door lock, window locks, and an alarm system. Each layer adds more safety.
🎯 Goal: Build a basic AWS setup with multiple security layers: a Virtual Private Cloud (VPC), a security group, and an IAM role. This will demonstrate how defense in depth works by protecting resources at different levels.
📋 What You'll Learn
Create a VPC with a specific CIDR block
Create a security group that allows only SSH access from a trusted IP
Create an IAM role with a policy that allows read-only access to S3
💡 Why This Matters
🌍 Real World
Companies use defense in depth to protect their cloud environments by adding multiple security layers. This reduces the chance of unauthorized access or data leaks.
💼 Career
Cloud engineers and security specialists must understand how to configure layered security in AWS to build safe and compliant infrastructures.
1
Create a VPC
Create a variable called vpc_cidr and set it to the string "10.0.0.0/16". Then create a VPC resource named my_vpc using the vpc_cidr as its CIDR block.
Hint: Start by defining the CIDR block as a string variable. Then use it in the VPC resource properties.
2
Create a Security Group
Create a variable called trusted_ip and set it to the string "203.0.113.0/24". Then create a security group resource named ssh_sg that belongs to my_vpc and allows inbound SSH (port 22) access only from trusted_ip.
Hint: Define the trusted IP as a string variable. Then create the security group with inbound rules referencing that IP.
3
Create an IAM Role
Create a variable called read_only_policy that contains the AWS managed policy ARN for Amazon S3 read-only access: "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess". Then create an IAM role resource named s3_read_role that attaches this policy.
Hint: Use the AWS managed policy ARN for S3 read-only access. Attach it to the IAM role's managed policies.
4
Combine all resources into a CloudFormation template
Create a dictionary called cloudformation_template with a key Resources that includes my_vpc, ssh_sg, and s3_read_role as its entries.
Hint: Put all your resources inside a dictionary under the key "Resources" with clear names.
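The four steps above, worked through end to end as an added Python example (not part of the original exercise): it builds the template as plain dictionaries using the exercise's variable names, then adds an audit function that flags changes which would weaken one of the three layers. The role's trust policy (EC2 only), the group description, and the audit function are assumptions of this example, not requirements stated by the exercise.

```python
vpc_cidr = "10.0.0.0/16"  # layer 1: network boundary (CIDR from the exercise)
my_vpc = {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": vpc_cidr}}

trusted_ip = "203.0.113.0/24"  # layer 2: host firewall, SSH only from this range
ssh_sg = {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {
        "GroupDescription": "SSH from trusted range only",
        "VpcId": {"Ref": "my_vpc"},
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": trusted_ip}
        ],
    },
}

read_only_policy = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"  # layer 3: identity
s3_read_role = {
    "Type": "AWS::IAM::Role",
    "Properties": {
        # Trust policy is an assumption of this example: only EC2 instances may assume the role.
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Principal": {"Service": "ec2.amazonaws.com"}}],
        },
        "ManagedPolicyArns": [read_only_policy],
    },
}

cloudformation_template = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {"my_vpc": my_vpc, "ssh_sg": ssh_sg, "s3_read_role": s3_read_role},
}

def audit_template(template):
    """Return findings that would weaken a layer: open ingress, non-SSH ports, broad IAM."""
    findings = []
    for name, res in template["Resources"].items():
        props = res.get("Properties", {})
        if res["Type"] == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0":
                    findings.append(f"{name}: ingress open to the whole internet")
                if (rule.get("FromPort"), rule.get("ToPort")) != (22, 22):
                    findings.append(f"{name}: ingress allows ports other than 22")
        elif res["Type"] == "AWS::IAM::Role":
            for arn in props.get("ManagedPolicyArns", []):
                if arn.endswith(("FullAccess", "AdministratorAccess")):
                    findings.append(f"{name}: broad managed policy {arn}")
    return findings
```

Running `audit_template(cloudformation_template)` on the template as built returns no findings; loosening the ingress CIDR or swapping in a FullAccess policy produces one finding per weakened layer.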