What are AWS security architecture best practices?

Why Interviewers Ask This

This is a differentiating question used for senior and lead roles. Interviewers want to see if you can explain not just what happens, but why — and what the trade-offs are in different approaches.

Answer

AWS security architecture follows defense-in-depth principles, layered as:

1. Account-level security: AWS Organizations with SCPs; separate accounts for dev/staging/prod; management account for billing only; AWS Control Tower for multi-account governance; AWS Security Hub (aggregates security findings from GuardDuty, Inspector, Macie, Config).

2. Identity: IAM Identity Center (AWS SSO) for centralized human access; no IAM users where possible — use roles; MFA on root and privileged accounts; access key rotation; CloudTrail audit; IAM Access Analyzer (identifies public/external access).

3. Infrastructure: VPC with private subnets; security groups (least privilege); NACLs (explicit deny); no public EC2 — use SSM Session Manager; NAT Gateway for outbound; WAF (OWASP rules) in front of ALB/CloudFront; AWS Shield Standard (always on) + Shield Advanced (DDoS specialized response); Network Firewall (stateful, DNS filtering, IDS/IPS).

4. Data: encryption at rest (KMS for EBS, S3 SSE-KMS, RDS); encryption in transit (TLS everywhere, ACM certificates); S3 Block Public Access (account-level); Macie (ML-based sensitive data discovery); Secrets Manager for credentials.

5. Detection: GuardDuty (threat detection — ML on CloudTrail, VPC Flow Logs, DNS logs — finds crypto mining, compromised instances, credential theft); Security Hub (standards — CIS Benchmark, AWS Foundational Security Best Practices); Inspector (vulnerability scanning for EC2 and ECR images); CloudWatch Alarms + EventBridge for security events; VPC Flow Logs.

6. Incident Response: automated remediation via Lambda + EventBridge (isolate a compromised instance: remove it from the ASG, revoke its security groups, snapshot its volumes for forensics); runbooks in Systems Manager; SOAR with third-party tools.
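The incident-response step in point 6, worked through as an added example (not part of the original answer): a Python Lambda handler that receives a GuardDuty finding from EventBridge and contains the affected instance in the order the answer lists. The environment variable name ISOLATION_SG_ID, the fake EC2 and Auto Scaling clients, the sample event and every ID in it are constructed for the offline demo; the boto3 call names and the GuardDuty event fields are the real ones.

```python
import os
from dataclasses import dataclass
from typing import List, Optional

SEVERITY_THRESHOLD = 7.0  # GuardDuty "High" band starts at 7.0 (scale runs 0.1 to 8.9)

@dataclass
class Finding:
    finding_id: str
    finding_type: str
    severity: float
    instance_id: Optional[str]  # None when the finding is not about an EC2 instance

def parse_guardduty_event(event: dict) -> Finding:
    """Pull the fields we act on out of an EventBridge 'GuardDuty Finding' event."""
    detail = event["detail"]
    resource = detail.get("resource", {})
    instance_id = None
    if resource.get("resourceType") == "Instance":
        instance_id = resource.get("instanceDetails", {}).get("instanceId")
    return Finding(detail["id"], detail["type"], float(detail["severity"]), instance_id)

def should_contain(finding: Finding) -> bool:
    """Auto-contain only High findings against instances; lower bands go to a human."""
    return finding.instance_id is not None and finding.severity >= SEVERITY_THRESHOLD

def isolate_instance(finding: Finding, ec2, autoscaling, isolation_sg_id: str) -> List[str]:
    """Contain one instance; returns the forensic snapshot IDs. Clients are boto3-style."""
    inst = ec2.describe_instances(InstanceIds=[finding.instance_id])["Reservations"][0]["Instances"][0]
    tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
    asg_name = tags.get("aws:autoscaling:groupName")
    if asg_name:
        # Detach first: once isolated the instance fails health checks and the ASG would
        # otherwise terminate it, destroying the evidence we are about to capture.
        autoscaling.detach_instances(InstanceIds=[finding.instance_id], AutoScalingGroupName=asg_name,
                                     ShouldDecrementDesiredCapacity=False)  # ASG launches a clean replacement
    # Swapping the whole group set for an isolation SG with no rules is the "revoke" step.
    ec2.modify_instance_attribute(InstanceId=finding.instance_id, Groups=[isolation_sg_id])
    snapshot_ids = []
    for mapping in inst.get("BlockDeviceMappings", []):
        resp = ec2.create_snapshot(
            VolumeId=mapping["Ebs"]["VolumeId"],
            Description=f"forensics for GuardDuty finding {finding.finding_id}",
            TagSpecifications=[{"ResourceType": "snapshot",
                                "Tags": [{"Key": "GuardDutyFinding", "Value": finding.finding_id}]}])
        snapshot_ids.append(resp["SnapshotId"])
    ec2.create_tags(Resources=[finding.instance_id], Tags=[{"Key": "Quarantine", "Value": finding.finding_type}])
    return snapshot_ids

def lambda_handler(event, context):
    """Lambda entry point; ISOLATION_SG_ID is an assumed environment variable name."""
    import boto3  # imported here so the offline demo below runs without boto3 installed
    finding = parse_guardduty_event(event)
    if not should_contain(finding):
        return {"contained": False, "finding": finding.finding_id}
    snaps = isolate_instance(finding, boto3.client("ec2"), boto3.client("autoscaling"),
                             os.environ["ISOLATION_SG_ID"])
    return {"contained": True, "finding": finding.finding_id, "snapshots": snaps}

class FakeEC2:
    """Constructed stand-in for boto3's EC2 client so the flow can be exercised offline."""
    def __init__(self):
        self.calls = []
    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [{
            "InstanceId": InstanceIds[0],
            "Tags": [{"Key": "aws:autoscaling:groupName", "Value": "web-asg"}],
            "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0aaa"}}, {"Ebs": {"VolumeId": "vol-0bbb"}}]}]}]}
    def modify_instance_attribute(self, InstanceId, Groups):
        self.calls.append(("modify_instance_attribute", tuple(Groups)))
    def create_snapshot(self, VolumeId, Description, TagSpecifications):
        self.calls.append(("create_snapshot", VolumeId))
        return {"SnapshotId": "snap-" + VolumeId[len("vol-"):]}
    def create_tags(self, Resources, Tags):
        self.calls.append(("create_tags", Tags[0]["Value"]))

class FakeAutoScaling:
    """Constructed stand-in for boto3's Auto Scaling client."""
    def __init__(self):
        self.calls = []
    def detach_instances(self, InstanceIds, AutoScalingGroupName, ShouldDecrementDesiredCapacity):
        self.calls.append(("detach_instances", AutoScalingGroupName))

SAMPLE_EVENT = {  # constructed event in the shape EventBridge delivers for GuardDuty findings
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"id": "EXAMPLE-FINDING-ID",  # placeholder, not a real finding id
               "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 8.0,
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}}}

def demo(event=SAMPLE_EVENT):
    """Run the decision against the fakes; returns (contained, snapshot_ids, ordered calls)."""
    finding = parse_guardduty_event(event)
    ec2, asg = FakeEC2(), FakeAutoScaling()
    if not should_contain(finding):
        return False, [], []
    snaps = isolate_instance(finding, ec2, asg, "sg-isolation-placeholder")
    return True, snaps, asg.calls + ec2.calls
```

Two design points worth raising in an interview: the ASG detach happens before the network isolation, because an isolated instance fails its health checks and an ASG that still owns it would terminate it (and the evidence) before the snapshots complete; and the severity gate means only the High band is contained automatically, with everything below routed to an analyst, which keeps a noisy Medium finding from taking a production host offline.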

Pro Tip

Demonstrate both theoretical understanding and practical experience. Say what it is, then give an example of how you actually used it in an AWS / Cloud Computing codebase.