Security Architecture Diagram Generator

Quick Start: Define trust boundaries → Place identity/encryption/firewall icons → Connect with access flows → Group into security zones → Wrap in

```plantuml

fence.

⚠️ IMPORTANT: Always use
```plantuml
or
```puml
code fence. NEVER use
```text
— it will NOT render as a diagram.

Critical Rules

Every diagram starts with
```
@startuml
```
and ends with
```
@enduml
```
Use
```
left to right direction
```
for access flows (User → AuthN → AuthZ → Resource)
Use
```
mxgraph.aws4.*
```
stencil syntax for security service icons
Default colors are applied automatically — you do NOT need to specify
```
fillColor
```
or
```
strokeColor
```
Use
```
rectangle "Trust Boundary" { ... }
```
for security zones
Directed flows use
```
-->
```
, audit/async flows use
```
..>
```
(dashed)

Full stencil reference: See stencils/README.md for 9500+ available icons.

Mxgraph Stencil Syntax

mxgraph.aws4.<icon> "Label" as <alias>

Identity & Access Stencils

Category	Stencils	Purpose
IAM	`identity_and_access_management` , `identity_access_management_iam_roles_anywhere`	Identity policies & roles
SSO/Directory	`cognito` , `ad_connector` , `directory_service` , `cloud_directory`	User authentication & federation
STS	`sts` , `sts_alternate`	Temporary security credentials
Organizations	`organizations` , `organizations_account` , `organizations_organizational_unit`	Multi-account governance

Encryption & Secrets Stencils

Category	Stencils	Purpose
KMS	`key_management_service` , `key_management_service_external_key_store`	Key management & encryption
Secrets	`secrets_manager`	Secrets rotation & storage
Certificates	`certificate_manager` , `private_certificate_authority`	TLS certificate lifecycle
HSM	`cloudhsm`	Hardware security module
Encryption	`encrypted_data`	Encrypted data at rest

Network Security Stencils

Category	Stencils	Purpose
Firewall	`network_firewall` , `network_firewall_endpoints` , `firewall_manager`	Network traffic filtering
WAF	`generic_firewall`	Web application firewall
Shield	`shield` , `shield_shield_advanced` , `shield2`	DDoS protection
Security Group	`security_group` , `group_security_group`	Instance-level firewall

Threat Detection & Compliance Stencils

Category	Stencils	Purpose
Detection	`guardduty` , `detective` , `inspector`	Threat detection & investigation
Data Protection	`macie`	Sensitive data discovery
Compliance	`security_hub` , `security_hub_finding` , `audit_manager` , `config`	Compliance posture & audit
Logging	`cloudtrail` , `cloudtrail_cloudtrail_lake` , `security_lake`	Audit trail & log aggregation
Governance	`control_tower` , `organizations`	Multi-account governance
Incident	`security_incident_response`	Incident management

Connection Types

Syntax	Meaning	Use Case
`A --> B`	Solid arrow	Auth flow / access request
`A ..> B`	Dashed arrow	Audit event / async detection
`A -- B`	Solid line	Trust relationship
`A --> B : "label"`	Labeled connection	Describe protocol or credential

Quick Example

plantuml

@startuml
left to right direction
mxgraph.aws4.users "Users" as users
mxgraph.aws4.cognito "Cognito" as auth
mxgraph.aws4.identity_and_access_management "IAM" as iam

rectangle "Protected Resources" {
  mxgraph.aws4.s3 "Data (S3)" as s3
  mxgraph.aws4.encrypted_data "Encrypted" as enc
}

users --> auth : "login"
auth --> iam : "token"
iam --> s3
s3 --> enc
@enduml

Security Architecture Types

Type	Purpose	Key Stencils	Example
IAM & AuthN	Identity and authentication	`cognito` , `identity_and_access_management` , `sts`	iam-authn.md
Encryption Pipeline	Data encryption at rest/in-transit	`key_management_service` , `certificate_manager` , `secrets_manager`	encryption-pipeline.md
Network Security	Perimeter defense & firewalls	`network_firewall` , `shield` , `security_group`	network-security.md
Threat Detection	Automated threat response	`guardduty` , `detective` , `security_hub`	threat-detection.md
Compliance Audit	Governance & audit trail	`config` , `audit_manager` , `cloudtrail` , `security_lake`	compliance-audit.md
Zero Trust	Zero-trust access model	`cognito` , `identity_and_access_management` , `network_firewall`	zero-trust.md
Data Protection	Sensitive data classification	`macie` , `encrypted_data` , `key_management_service`	data-protection.md
Multi-account Gov	Organization-wide security	`organizations` , `control_tower` , `security_hub`	multi-account-governance.md

security

NPX Install

Tags

SKILL.md Content