security

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Security Architecture Diagram Generator

安全架构图生成器

Quick Start: Define trust boundaries → Place identity/encryption/firewall icons → Connect with access flows → Group into security zones → Wrap in

```plantuml

fence.

⚠️ IMPORTANT: Always use
```plantuml
or
```puml
code fence. NEVER use
```text
— it will NOT render as a diagram.

快速入门： 定义信任边界 → 放置身份/加密/防火墙图标 → 连接访问流 → 分组为安全区域 → 用

```plantuml

代码围栏包裹。

⚠️ 重要提示： 请始终使用
```plantuml
或
```puml
代码围栏。切勿使用
```text
— 它不会被渲染为图表。

Critical Rules

核心规则

Every diagram starts with
```
@startuml
```
and ends with
```
@enduml
```
Use
```
left to right direction
```
for access flows (User → AuthN → AuthZ → Resource)
Use
```
mxgraph.aws4.*
```
stencil syntax for security service icons
Default colors are applied automatically — you do NOT need to specify
```
fillColor
```
or
```
strokeColor
```
Use
```
rectangle "Trust Boundary" { ... }
```
for security zones
Directed flows use
```
-->
```
, audit/async flows use
```
..>
```
(dashed)

Full stencil reference: See stencils/README.md for 9500+ available icons.

所有图表以
```
@startuml
```
开头，以
```
@enduml
```
结尾
访问流使用
```
left to right direction
```
（从左到右方向）（用户 → 身份验证 → 授权 → 资源）
安全服务图标使用
```
mxgraph.aws4.*
```
模板语法
默认颜色会自动应用 — 你无需指定
```
fillColor
```
或
```
strokeColor
```
安全区域使用
```
rectangle "Trust Boundary" { ... }
```
定义
定向流使用
```
-->
```
, 审计/异步流使用
```
..>
```
（虚线）

完整模板参考： 查看stencils/README.md获取9500+可用图标。

Mxgraph Stencil Syntax

Mxgraph模板语法

mxgraph.aws4.<icon> "Label" as <alias>

mxgraph.aws4.<icon> "Label" as <alias>

Identity & Access Stencils

身份与访问模板

Category	Stencils	Purpose
IAM	`identity_and_access_management` , `identity_access_management_iam_roles_anywhere`	Identity policies & roles
SSO/Directory	`cognito` , `ad_connector` , `directory_service` , `cloud_directory`	User authentication & federation
STS	`sts` , `sts_alternate`	Temporary security credentials
Organizations	`organizations` , `organizations_account` , `organizations_organizational_unit`	Multi-account governance

类别	模板	用途
IAM	`identity_and_access_management` , `identity_access_management_iam_roles_anywhere`	身份策略与角色
SSO/目录服务	`cognito` , `ad_connector` , `directory_service` , `cloud_directory`	用户身份验证与联邦
STS	`sts` , `sts_alternate`	临时安全凭证
Organizations	`organizations` , `organizations_account` , `organizations_organizational_unit`	多账号治理

Encryption & Secrets Stencils

加密与密钥模板

Category	Stencils	Purpose
KMS	`key_management_service` , `key_management_service_external_key_store`	Key management & encryption
Secrets	`secrets_manager`	Secrets rotation & storage
Certificates	`certificate_manager` , `private_certificate_authority`	TLS certificate lifecycle
HSM	`cloudhsm`	Hardware security module
Encryption	`encrypted_data`	Encrypted data at rest

类别	模板	用途
KMS	`key_management_service` , `key_management_service_external_key_store`	密钥管理与加密
密钥管理	`secrets_manager`	密钥轮换与存储
证书	`certificate_manager` , `private_certificate_authority`	TLS证书生命周期管理
HSM	`cloudhsm`	硬件安全模块
加密	`encrypted_data`	静态加密数据

Network Security Stencils

网络安全模板

Category	Stencils	Purpose
Firewall	`network_firewall` , `network_firewall_endpoints` , `firewall_manager`	Network traffic filtering
WAF	`generic_firewall`	Web application firewall
Shield	`shield` , `shield_shield_advanced` , `shield2`	DDoS protection
Security Group	`security_group` , `group_security_group`	Instance-level firewall

类别	模板	用途
防火墙	`network_firewall` , `network_firewall_endpoints` , `firewall_manager`	网络流量过滤
WAF	`generic_firewall`	Web应用防火墙
Shield	`shield` , `shield_shield_advanced` , `shield2`	DDoS防护
安全组	`security_group` , `group_security_group`	实例级防火墙

Threat Detection & Compliance Stencils

威胁检测与合规模板

Category	Stencils	Purpose
Detection	`guardduty` , `detective` , `inspector`	Threat detection & investigation
Data Protection	`macie`	Sensitive data discovery
Compliance	`security_hub` , `security_hub_finding` , `audit_manager` , `config`	Compliance posture & audit
Logging	`cloudtrail` , `cloudtrail_cloudtrail_lake` , `security_lake`	Audit trail & log aggregation
Governance	`control_tower` , `organizations`	Multi-account governance
Incident	`security_incident_response`	Incident management

类别	模板	用途
检测	`guardduty` , `detective` , `inspector`	威胁检测与调查
数据保护	`macie`	敏感数据发现
合规	`security_hub` , `security_hub_finding` , `audit_manager` , `config`	合规态势与审计
日志	`cloudtrail` , `cloudtrail_cloudtrail_lake` , `security_lake`	审计追踪与日志聚合
治理	`control_tower` , `organizations`	多账号治理
事件	`security_incident_response`	事件管理

Connection Types

连接类型

Syntax	Meaning	Use Case
`A --> B`	Solid arrow	Auth flow / access request
`A ..> B`	Dashed arrow	Audit event / async detection
`A -- B`	Solid line	Trust relationship
`A --> B : "label"`	Labeled connection	Describe protocol or credential

语法	含义	使用场景
`A --> B`	实线箭头	认证流 / 访问请求
`A ..> B`	虚线箭头	审计事件 / 异步检测
`A -- B`	实线	信任关系
`A --> B : "label"`	带标签连接	描述协议或凭证

Quick Example

快速示例

plantuml

@startuml
left to right direction
mxgraph.aws4.users "Users" as users
mxgraph.aws4.cognito "Cognito" as auth
mxgraph.aws4.identity_and_access_management "IAM" as iam

rectangle "Protected Resources" {
  mxgraph.aws4.s3 "Data (S3)" as s3
  mxgraph.aws4.encrypted_data "Encrypted" as enc
}

users --> auth : "login"
auth --> iam : "token"
iam --> s3
s3 --> enc
@enduml

plantuml

@startuml
left to right direction
mxgraph.aws4.users "Users" as users
mxgraph.aws4.cognito "Cognito" as auth
mxgraph.aws4.identity_and_access_management "IAM" as iam

rectangle "Protected Resources" {
  mxgraph.aws4.s3 "Data (S3)" as s3
  mxgraph.aws4.encrypted_data "Encrypted" as enc
}

users --> auth : "login"
auth --> iam : "token"
iam --> s3
s3 --> enc
@enduml

Security Architecture Types

安全架构类型

Type	Purpose	Key Stencils	Example
IAM & AuthN	Identity and authentication	`cognito` , `identity_and_access_management` , `sts`	iam-authn.md
Encryption Pipeline	Data encryption at rest/in-transit	`key_management_service` , `certificate_manager` , `secrets_manager`	encryption-pipeline.md
Network Security	Perimeter defense & firewalls	`network_firewall` , `shield` , `security_group`	network-security.md
Threat Detection	Automated threat response	`guardduty` , `detective` , `security_hub`	threat-detection.md
Compliance Audit	Governance & audit trail	`config` , `audit_manager` , `cloudtrail` , `security_lake`	compliance-audit.md
Zero Trust	Zero-trust access model	`cognito` , `identity_and_access_management` , `network_firewall`	zero-trust.md
Data Protection	Sensitive data classification	`macie` , `encrypted_data` , `key_management_service`	data-protection.md
Multi-account Gov	Organization-wide security	`organizations` , `control_tower` , `security_hub`	multi-account-governance.md

类型	用途	核心模板	示例
IAM与身份认证	身份与身份验证	`cognito` , `identity_and_access_management` , `sts`	iam-authn.md
加密管道	静态/传输中数据加密	`key_management_service` , `certificate_manager` , `secrets_manager`	encryption-pipeline.md
网络安全	边界防御与防火墙	`network_firewall` , `shield` , `security_group`	network-security.md
威胁检测	自动化威胁响应	`guardduty` , `detective` , `security_hub`	threat-detection.md
合规审计	治理与审计追踪	`config` , `audit_manager` , `cloudtrail` , `security_lake`	compliance-audit.md
零信任	零信任访问模型	`cognito` , `identity_and_access_management` , `network_firewall`	zero-trust.md
数据保护	敏感数据分类	`macie` , `encrypted_data` , `key_management_service`	data-protection.md
多账号治理	组织级安全	`organizations` , `control_tower` , `security_hub`	multi-account-governance.md