Secure Architecture & Engineering – a look at shared core security principles at AWS and Azure
AWS and Azure both push a similar playbook when it comes to security. The big ideas? Build defenses in layers, lock down identities, protect data like it’s gold, and keep improving through automation and visibility. In short, it’s not a one‑time setup — it’s a living system that keeps adapting as threats evolve.
Here is a quick overview of the principles shared by both platforms:
Foundational Security Principles
Both AWS and Azure advocate for several core principles, often rooted in their respective Well-Architected Frameworks and reference architectures:
1. Defense-in-Depth / Security at All Layers
This principle mandates deploying multiple layers of security to ensure that if one defense mechanism is breached, others remain intact.
AWS: Recommends applying security at all layers, including the edge of the network, Virtual Private Cloud (VPC), load balancing, instance and compute services, operating system, application configuration, and code. Defense-in-depth is an important design consideration for selecting security controls, helping to inject controls at different layers of the AWS Organizations structure to minimize impact.
Azure: Defines Defense in Depth as deploying multiple layers of security. A layered security architecture is supported through tools like App Service Environments deployed into an Azure Virtual Network.
2. Strong Identity Foundation and Least Privilege
Controlling who has access to resources (Identity and Access Management or IAM) is a central element in securing environments.
AWS: Emphasizes implementing a strong identity foundation, which includes enforcing the principle of least privilege, centralizing identity management, and enforcing separation of duties. This also involves aiming to eliminate reliance on long-term static credentials.
Azure: Defines IAM as controlling who has access to what, acting as a gatekeeper. It stresses granting least privilege access to minimize potential exposure. Azure also recommends using identity as the primary access control, shifting the security focus from a network-centric approach to an identity-centric perimeter security approach.
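The least-privilege and "no long-term static credentials" points above are easiest to enforce when policies are checked as code before deployment. The following is an added example, not code from the article or from AWS: a small linter over constructed IAM JSON policy documents that flags wildcard actions, service-wide wildcards and privilege-sensitive actions granted on every resource. The policy documents and the sensitive-action list are constructed for illustration.

```python
"""Added example, not from the article or from AWS: a controls-as-code check that flags
IAM policy statements violating least privilege before they are deployed. The policy
documents are constructed samples in IAM's JSON policy format; the sensitive-action list
is illustrative, not exhaustive."""
import fnmatch
import json

# Constructed: an over-broad policy (three distinct problems) and a properly scoped one.
BROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
]})
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
]})

# Actions that can be used to widen one's own access; risky whenever Resource is '*'.
SENSITIVE_ACTIONS = ("iam:PassRole", "iam:CreateAccessKey", "iam:Attach*Policy", "sts:AssumeRole")

def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]

def find_violations(policy_json):
    """Return (statement index, reason) pairs for Allow statements that are too broad.
    Deny statements are skipped: they only ever narrow access."""
    findings = []
    for idx, stmt in enumerate(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        wildcard_resource = "*" in _as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append((idx, "Action '*' grants every API call"))
        for action in actions:
            if action.endswith(":*") and wildcard_resource:
                findings.append((idx, f"service-wide wildcard {action} on Resource '*'"))
            elif wildcard_resource and any(fnmatch.fnmatchcase(action, p) for p in SENSITIVE_ACTIONS):
                findings.append((idx, f"privilege-sensitive {action} on Resource '*'"))
    return findings

if __name__ == "__main__":
    for name, doc in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, find_violations(doc) or "no findings")
```

Run in a CI step against templates in version control, a non-empty result fails the pipeline, which is the "controls as code" idea the automation section describes.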
3. Data Protection and Encryption
Data must be safeguarded regardless of its state.
AWS: Requires protecting data in transit and at rest. This involves classifying data into sensitivity levels and using mechanisms like encryption, tokenization, and access control where appropriate.
Azure: States that encryption safeguards data both at rest and in transit. Tools like Azure Disk Encryption (ADE) and Azure Storage Service Encryption (SSE) address encryption at rest, while Transport Layer Security (TLS) protects data in transit.
4. Continuous Monitoring and Traceability
Visibility into activities is critical for governance, auditing, and threat detection.
AWS: Recommends enabling traceability by monitoring, generating alerts, and auditing actions and changes in real time, integrating log collection with systems that automatically investigate and take action. Central logging of all actions performed across the organization is key, such as using an AWS CloudTrail organization trail.
Azure: Requires continuous monitoring to detect and respond to threats in real time. Automated monitoring and logging provide continuous insights, reinforcing the security ecosystem. Tools like Microsoft Sentinel collect and analyze logs to provide instantaneous insights.
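To make the traceability point concrete, here is an added example (not code from the article, AWS or Microsoft) of detection rules evaluated over a few constructed CloudTrail-style records of the kind an organization trail would deliver to a central logging account. Field names follow CloudTrail's record format; the account ids, user names and events are made up, and the rule list is illustrative.

```python
"""Added example, not from the article or from AWS: detection rules run over a few
constructed CloudTrail-style records to show the kind of alerting an organization
trail enables. Field names follow CloudTrail's record format; all values are made up."""
import json

# Constructed log file in CloudTrail's {"Records": [...]} envelope (fake account ids).
RAW_LOG = json.dumps({"Records": [
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "recipientAccountId": "111111111111"},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"}, "recipientAccountId": "222222222222"},
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/App/i-0abc"},
     "recipientAccountId": "111111111111"},
    {"eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"userName": "bob"}, "recipientAccountId": "333333333333"},
]})

# Rules tie back to the article's points: the trail itself must keep running, root use
# should be exceptional, console access should use MFA, long-term static keys are discouraged.
RULES = [
    ("trail-tampering", lambda e: e["eventSource"] == "cloudtrail.amazonaws.com"
        and e["eventName"] in ("StopLogging", "DeleteTrail", "UpdateTrail")),
    ("root-activity", lambda e: e["userIdentity"].get("type") == "Root"),
    ("console-login-without-mfa", lambda e: e["eventName"] == "ConsoleLogin"
        and e.get("additionalEventData", {}).get("MFAUsed") == "No"),
    ("static-key-created", lambda e: e["eventName"] == "CreateAccessKey"),
]

def parse_trail_records(raw_json):
    """Unwrap the Records envelope CloudTrail uses for delivered log files."""
    return json.loads(raw_json)["Records"]

def evaluate(events):
    """Return {account_id: [(rule_name, eventName), ...]} grouped per member account,
    which is how a central security account would route alerts in a multi-account setup."""
    alerts = {}
    for event in events:
        for name, matches in RULES:
            if matches(event):
                alerts.setdefault(event["recipientAccountId"], []).append((name, event["eventName"]))
    return alerts

if __name__ == "__main__":
    for account, hits in evaluate(parse_trail_records(RAW_LOG)).items():
        print(account, hits)
```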
Evolving Architectural Principles (Advanced/Strategic)
These principles represent modern security models, often incorporating continuous refinement, automation, and advanced trust frameworks.
1. Zero Trust Architecture (ZTA)
This model fundamentally alters how trust is granted within an environment.
Azure: Recommends adopting a Zero-Trust Architecture. ZTA assumes users are untrusted by default, requiring continuous authentication for each access attempt or privileged activity. Every request must be authenticated and validated.
AWS: The concept of Zero Trust Access is listed as part of the "Optimized" security maturity phase, indicating it is an advanced architectural goal.
2. Automation of Security Practices
Leveraging code and automation to ensure consistency and speed.
AWS: Stresses the need to automate security best practices. This includes defining and managing controls as code in version-controlled templates to improve the ability to scale securely and cost-effectively. AWS SRA code examples demonstrate automating implementation using Infrastructure as Code (IaC).
Azure: Encourages customers to embrace automation. Automating tasks decreases the chance of human error that can create risk. Operational excellence, one of the Azure Well-Architected Framework pillars, encourages the adoption of practices like automation to streamline workflows and reduce inconsistencies.
3. Preparation for Security Events and Resilience
Building systems that inherently handle threats and preparing explicit response plans.
AWS: Recommends actively preparing for security events by having incident management and investigation policies, running incident response simulations, and using automation tools to increase speed for detection, investigation, and recovery.
Azure: Advises customers to design for resilience, which requires approaches like defense-in-depth and least privilege to work together. A robust cloud security architecture is compared to an adaptive immune system—constantly analyzing, adjusting, and defending. This also involves updating incident response processes for the cloud.
4. Centralized Governance and Accountability
Implementing controls across the entire organization structure and establishing clear ownership.
AWS: Advocates for using AWS Organizations and an appropriate multi-account strategy as foundational elements for security architecture, providing boundaries for separation of duties and defense-in-depth. It promotes centralized monitoring, management, and governance across the organization, often achieved through features like delegated administration.
Azure: Recommends implementing policies, permissions, and tags across all subscriptions through careful implementation of the root management group to ensure consistency across the enterprise. It is important to designate clear ownership of assets and security responsibilities to ensure accountability.
Same same, but different.
Both AWS and Azure treat security like building a strong, well‑protected house. First, you lay the foundation with identity controls and least privilege. Then you put up solid walls with defense‑in‑depth. And finally, you make sure everything inside and outside is locked down with data encryption.
The newer principles — things like Zero Trust and heavy automation — are like smart home upgrades. They’re always watching, auditing every move, and instantly fixing or adapting when something suspicious pops up.
Tags: security, ACL, AWS, access control, Auditing, Automation of Security Practices, Azure, Centralized Governance and Accountability, Cloud Security Strategy, Continuous Monitoring and Traceability, Data Encryption, Data Protection, Data Protection and Encryption, Defense-in-Depth, DevSecOps, IAM, IaC, Identity & Access Management, Identity-Centric Perimeter Security, Incident Response Simulations, Infrastructure as Code, Least Privilege, SecDevOps, SecOps, Security at All Layers, Strong Identity Foundation, Untrusted by Default, ZTA, Zero Trust Architecture, at rest, in transit, Network Security, Preparation, secure engineering, security architecture, security events, traceability, 2023