
Zero-Trust Network Architecture

The traditional castle-and-moat security model, trusting everything inside the VPC and blocking everything outside, fails catastrophically when an attacker gains initial access to any internal resource. Zero-trust architecture eliminates implicit trust by requiring authentication and authorization for every request, regardless of network location. In this challenge, you will design a zero-trust network architecture on AWS that secures a microservices application with multiple teams and varying sensitivity levels.

The network layer uses a VPC with private subnets only; there are no public subnets at all. All inbound traffic enters through AWS PrivateLink endpoints or API Gateway with mutual TLS (mTLS). Service-to-service communication uses AWS App Mesh (Envoy proxy) with mTLS between all services, with certificates managed by AWS Certificate Manager Private CA and rotated automatically.

Each service runs with a unique IAM role scoped to exactly the AWS resources it needs: no shared roles, no wildcard permissions. The authorization layer implements attribute-based access control (ABAC) using IAM policy conditions that check resource tags, request context, and service identity. Network micro-segmentation uses security groups as identity-based firewalls: each service has its own security group, and its rules explicitly allow only the specific services that need to communicate with it, with flow logs capturing every denied connection for anomaly detection.

Secrets never appear in environment variables or config files; all secrets live in Secrets Manager with automatic rotation, and services retrieve them at runtime via the Secrets Manager API with IAM-enforced access.

The logging and monitoring layer uses VPC Flow Logs, CloudTrail, and GuardDuty to detect anomalous behavior patterns: unusual API calls, network scanning, or credential usage from unexpected locations. AWS Config rules continuously validate that all resources comply with zero-trust policies, automatically remediating drift. This challenge teaches zero-trust architecture principles, network micro-segmentation, and the AWS services that enable identity-based security at scale.
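As an added example (not code from the challenge page, nor AWS-provided code), the following Python shows what the per-service ABAC authorization described above looks like in practice: it builds the IAM policy document a single service's role would carry, granting Secrets Manager reads only where the secret's `team` tag matches the calling principal's `team` tag, and then runs a deliberately simplified local evaluator over constructed request contexts to show which requests pass and which are refused. The tag key `team`, the service name `payments-api`, the secret ARN and the request contexts are all constructed for illustration; the evaluator approximates IAM's condition handling (StringEquals only, no explicit-deny precedence) and is not a substitute for the IAM policy simulator.

```python
"""ABAC policy for one service role plus a simplified local evaluator.

Added illustration for the zero-trust challenge description; the tag key,
service name, ARNs and request contexts are constructed, and the evaluator
is an approximation of IAM (StringEquals conditions and '*' wildcards only).
"""
import json
from fnmatch import fnmatchcase
from typing import Dict, Optional

TEAM_TAG = "team"  # assumption: every principal and every resource carries a `team` tag


def abac_policy(service_name: str) -> dict:
    """Policy document for the unique role of `service_name`.

    The Resource is a wildcard, but the Condition ties access to the
    principal's own tag: a role can only read secrets tagged with the same
    team, so no cross-team read is possible even without per-secret ARNs.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": f"{service_name.replace('-', '')}ReadOwnTeamSecrets",
                "Effect": "Allow",
                "Action": ["secretsmanager:GetSecretValue"],
                "Resource": "arn:aws:secretsmanager:*:*:secret:*",
                "Condition": {
                    "StringEquals": {
                        f"aws:ResourceTag/{TEAM_TAG}": f"${{aws:PrincipalTag/{TEAM_TAG}}}"
                    }
                },
            }
        ],
    }


def _resolve(value: str, ctx: Dict[str, str]) -> Optional[str]:
    """Expand a ${aws:...} policy variable from the request context.

    A variable whose key is absent from the context resolves to None,
    which makes the condition fail closed (as IAM does for a missing key).
    """
    if value.startswith("${") and value.endswith("}"):
        return ctx.get(value[2:-1])
    return value


def is_allowed(policy: dict, action: str, resource: str, ctx: Dict[str, str]) -> bool:
    """True if some Allow statement matches the action, resource and conditions.

    Simplification: StringEquals conditions only; a missing condition key
    on either side evaluates to not-equal, i.e. the request is refused.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        if not fnmatchcase(resource, stmt["Resource"]):
            continue
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        if all(
            ctx.get(key) is not None and ctx.get(key) == _resolve(expected, ctx)
            for key, expected in conds.items()
        ):
            return True
    return False


def demo() -> Dict[str, bool]:
    """Evaluate four constructed requests against the payments-api role policy."""
    policy = abac_policy("payments-api")
    secret = "arn:aws:secretsmanager:us-east-1:123456789012:secret:payments/db-AbCdEf"  # constructed
    read = "secretsmanager:GetSecretValue"
    own = {f"aws:PrincipalTag/{TEAM_TAG}": "payments", f"aws:ResourceTag/{TEAM_TAG}": "payments"}
    return {
        "same_team": is_allowed(policy, read, secret, own),
        "other_team": is_allowed(policy, read, secret,
                                 {**own, f"aws:ResourceTag/{TEAM_TAG}": "billing"}),
        "untagged_resource": is_allowed(policy, read, secret,
                                        {f"aws:PrincipalTag/{TEAM_TAG}": "payments"}),
        "wrong_action": is_allowed(policy, "secretsmanager:PutSecretValue", secret, own),
    }


if __name__ == "__main__":
    print(json.dumps(abac_policy("payments-api"), indent=2))
    for case, allowed in demo().items():
        print(f"{case:18s} -> {'ALLOW' if allowed else 'DENY'}")
```

The untagged-resource case is the one worth noticing: with StringEquals a missing `aws:ResourceTag/team` key fails the condition, so a secret someone forgot to tag is unreadable rather than readable by everyone. That is the fail-closed behaviour the Config rules in the description should be checking for as well (every secret carries the tag, and no role policy uses the `...IfExists` variants that would flip this default).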

AWS Services You'll Use

VPC, PrivateLink, App Mesh, ACM Private CA, IAM, Secrets Manager, GuardDuty, CloudTrail, Config, WAF

Challenge Details

Path: Security & Resilience
Difficulty: Advanced
Duration: 70 min
Plan: Pro

Architecture Patterns You'll Learn

zero-trust, mTLS, micro-segmentation, ABAC, defense-in-depth, automatic remediation

Why This Challenge?

Unlike whiteboard exercises or multiple-choice quizzes, this challenge requires you to design a real architecture with actual AWS services, evaluate trade-offs, and defend your decisions. Our automated validators check your design against production-grade criteria. Complete it and it shows up in your verified portfolio with your architecture diagram and design rationale.

Ready to design this for real?

Get the full scenario, design your architecture using real AWS services, and validate against production-grade criteria. Your completed challenge shows up in your verified portfolio.
