Defense in Depth

Architecture

Implement layered security with multiple security group tiers:

  • Edge tier allowing public internet traffic
  • Application tier allowing only edge tier traffic
  • Data tier allowing only application tier traffic
  • Management tier with restricted admin access

When to Use

  • High-security environments
  • Applications processing sensitive data
  • Compliance-driven architectures (PCI-DSS, HIPAA)
  • Enterprise applications with strict security requirements

Implementation Pattern

# Edge tier - Public facing
# Note: edge_sg and app_sg reference each other's security_group_id. This
# plans cleanly only if the module creates rules as separate resources; a
# module that inlines rules in aws_security_group makes Terraform report a
# dependency cycle.
module "edge_sg" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/security-group/aws"
  version = "1.2.0"

  name   = "edge-tier"
  vpc_id = module.vpc.vpc_id

  ingress_rules = [
    {
      from_port   = 443
      to_port     = 443
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
      description = "HTTPS from internet"
    }
  ]

  egress_rules = [
    {
      from_port       = 8080
      to_port         = 8080
      protocol        = "tcp"
      security_groups = [module.app_sg.security_group_id]
      description     = "Forward to application tier"
    }
  ]
}

# Application tier - Internal only
module "app_sg" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/security-group/aws"
  version = "1.2.0"

  name   = "application-tier"
  vpc_id = module.vpc.vpc_id

  ingress_rules = [
    {
      from_port       = 8080
      to_port         = 8080
      protocol        = "tcp"
      security_groups = [module.edge_sg.security_group_id]
      description     = "Traffic from edge tier only"
    }
  ]

  egress_rules = [
    {
      from_port       = 5432
      to_port         = 5432
      protocol        = "tcp"
      security_groups = [module.data_sg.security_group_id]
      description     = "Database access"
    },
    {
      from_port       = 6379
      to_port         = 6379
      protocol        = "tcp"
      security_groups = [module.cache_sg.security_group_id]
      description     = "Cache access"
    }
  ]
}

# Data tier - Most restricted
module "data_sg" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/security-group/aws"
  version = "1.2.0"

  name   = "data-tier"
  vpc_id = module.vpc.vpc_id

  ingress_rules = [
    {
      from_port       = 5432
      to_port         = 5432
      protocol        = "tcp"
      security_groups = [module.app_sg.security_group_id]
      description     = "PostgreSQL from application tier only"
    }
  ]

  egress_rules = []
}

# Cache tier - Referenced by app_sg above; defined here so that reference
# resolves (mirrors the data tier: cache port only, from the application tier only)
module "cache_sg" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/security-group/aws"
  version = "1.2.0"

  name   = "cache-tier"
  vpc_id = module.vpc.vpc_id

  ingress_rules = [
    {
      from_port       = 6379
      to_port         = 6379
      protocol        = "tcp"
      security_groups = [module.app_sg.security_group_id]
      description     = "Cache (6379) from application tier only"
    }
  ]

  egress_rules = []
}

# Management tier - Admin access
module "mgmt_sg" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/security-group/aws"
  version = "1.2.0"

  name   = "management-tier"
  vpc_id = module.vpc.vpc_id

  ingress_rules = [
    {
      from_port       = 22
      to_port         = 22
      protocol        = "tcp"
      prefix_list_ids = [data.aws_ec2_managed_prefix_list.bastion.id]
      description     = "SSH from bastion only"
    }
  ]

  egress_rules = [
    {
      from_port   = 0
      to_port     = 0
      protocol    = "-1"
      cidr_blocks = [module.vpc.vpc_cidr_block]
      description = "Management traffic within VPC"
    }
  ]
}
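
A check that the rules above actually keep their layering, as an added example rather than code from this page or the module: the groups are modelled as constructed Python dicts mirroring the HCL (a real run would build them from `terraform show -json` output, and port ranges are simplified to a single port), and the check flags CIDR ingress outside the edge tier, ingress from any tier other than the one directly above, egress to a group that is not defined, and egress with no matching ingress on the peer group. The management tier sits outside the edge-app-data chain and is not modelled.

```python
from typing import Dict, List

# Tier order: traffic may only flow from one tier to the next.
TIER_ORDER = ["edge", "app", "data"]

# Constructed model of the page's groups; a real check would build this
# from `terraform show -json`. Rules are simplified to a single port.
GROUPS = {
    "edge": {"ingress": [{"port": 443, "proto": "tcp", "cidr": "0.0.0.0/0"}],
             "egress": [{"port": 8080, "proto": "tcp", "sg": "app"}]},
    "app": {"ingress": [{"port": 8080, "proto": "tcp", "sg": "edge"}],
            "egress": [{"port": 5432, "proto": "tcp", "sg": "data"},
                       {"port": 6379, "proto": "tcp", "sg": "cache"}]},
    "data": {"ingress": [{"port": 5432, "proto": "tcp", "sg": "app"}],
             "egress": []},
}


def check_tiers(groups: Dict[str, dict], order: List[str] = TIER_ORDER) -> List[str]:
    """Return findings that violate the layering; an empty list means clean."""
    findings = []
    for i, name in enumerate(order):
        prev = order[i - 1] if i > 0 else None
        for r in groups[name]["ingress"]:
            # Only the edge tier may accept CIDR (public) sources.
            if "cidr" in r and i > 0:
                findings.append(f"{name}: CIDR ingress {r['cidr']} not allowed")
            # Internal tiers accept traffic from the tier directly above only.
            if "sg" in r and r["sg"] != prev:
                findings.append(f"{name}: ingress from {r['sg']}, expected {prev}")
        for r in groups[name]["egress"]:
            tgt = r.get("sg")
            if tgt is None:
                continue
            if tgt not in groups:
                findings.append(f"{name}: egress to undefined group {tgt}")
                continue
            # SGs are stateful, but the peer still needs a matching ingress rule
            # or this egress can never carry traffic.
            if not any(p.get("sg") == name and p["port"] == r["port"]
                       and p["proto"] == r["proto"] for p in groups[tgt]["ingress"]):
                findings.append(f"{name}: egress to {tgt}:{r['port']} has no matching ingress")
    # The innermost tier initiates nothing.
    if groups[order[-1]]["egress"]:
        findings.append(f"{order[-1]}: innermost tier must have no egress rules")
    return findings
```

Run against the model as written, the check reports the app tier's egress to the undefined cache group, which is exactly the kind of dangling reference that a plan would otherwise surface only as an error.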

Benefits

  • Attackers must compromise multiple layers to reach data
  • Each tier enforces the principle of least privilege
  • Clear separation of concerns for security policies