1.1 Project Overview

Overview of Project ☁️

Scenario

SecureCart is a fast-growing e-commerce platform that initially launched with a focus on speed rather than security. As a result, its infrastructure left key resources (EC2, S3, and RDS) exposed directly to the public internet. With over 10,000 customers, SecureCart now faces significant risks, including unauthorized access, data breaches, and compliance issues. A secure cloud redesign is urgently needed.

Your Role

In this project, you’ll act as a cloud security-focused Solutions Architect. Your mission is to take a vulnerable cloud environment and transform it into a secure, production-ready architecture using AWS-native tools and best practices.

We’ll begin by deploying the insecure baseline, exposing common mistakes. Then, you’ll rebuild the entire setup step by step, following security-first design principles aligned with the AWS Well-Architected Framework.

What You'll Learn

You’ll gain hands-on experience in:

  • Designing secure network architectures using VPC
  • Isolating services with private/public subnets
  • Locking down access with security groups and IAM
  • Securing data using encryption at rest and in transit
  • Safely exposing apps using ALB and WAF


Steps to be performed 👩‍💻

We'll go through the following steps in the next few lessons.

  1. Deploy insecure public architecture to understand vulnerabilities
  2. Create custom VPC with public and private subnets
  3. Deploy EC2 in private subnet with ALB and Bastion Host
  4. Launch RDS database and S3 with private connectivity and restricted access
  5. Add AWS WAF to protect against web-based attacks


Services Used 🛠

  • Amazon VPC – Isolate application layers and control traffic using private/public subnets
  • Amazon EC2 – Host the application backend, migrated to private subnets
  • Amazon RDS – Secure relational database with encryption and private access
  • Amazon S3 – Object storage configured with private access only
  • AWS CloudFront – Secure content delivery with HTTPS enforcement
  • AWS IAM – Role-based access control with least-privilege enforcement
  • Application Load Balancer (ALB) – Public endpoint forwarding to private app
  • AWS WAF – Adds basic protection against common Layer 7 threats


Estimated Time & Cost ⚙️

  • This project is estimated to take about 3 to 4 hours
  • Cost: ~$1–3 (Free if within Free Tier and cleaned up)


➡️ Diagram

This is the architectural diagram for the project

➡️ Final Result

By the end of this project, you've transformed SecureCart from a vulnerable, internet-exposed app into a production-grade, secure cloud environment.

You didn’t just patch security issues; you designed a secure foundation from the ground up.

Here’s what you achieved:

  • Isolated backend resources (EC2 and RDS) in private subnets with no direct internet access
  • Exposed only the ALB to the public, minimizing attack surface while maintaining app availability
  • Restricted access with Security Groups and IAM, enforcing the principle of least privilege
  • Enabled encryption for data at rest (RDS, S3) and in transit (via HTTPS)
  • Added AWS WAF to filter out common web exploits like SQL injection and admin page exposure
