* * *

#### Design Overview

To provide comprehensive network and application security, \[Customer\] will deploy at a minimum the following tools and services:

1. Security Groups will be used as virtual firewalls to control network access to AWS resources.
2. Network Access Lists will be used to explicitly block malicious traffic.
3. AWS GuardDuty will be used as an out-of-band network-layer threat detection mechanism.
4. AWS WAF will be used as an in-line application protection layer.
5. AWS Shield Advanced will provide additional DoS/DDoS protection.

**Diagram 1: Logical multi-layer protection architecture**

[Untitled Diagram](/.attachments/DK-Security/Untitled Diagram.drawio)

**Attachments:**