# Security Architecture Diagram Generator

**Quick Start:** Define trust boundaries → Place identity/encryption/firewall icons → Connect with access flows → Group into security zones → Wrap in a `plantuml` fence.

⚠️ **IMPORTANT:** Always use a `plantuml` or `puml` code fence. NEVER use `text` — it will NOT render as a diagram.
## Critical Rules

- Every diagram starts with `@startuml` and ends with `@enduml`
- Use `left to right direction` for access flows (User → AuthN → AuthZ → Resource)
- Use `mxgraph.aws4.*` stencil syntax for security service icons
- Default colors are applied automatically — you do NOT need to specify `fillColor` or `strokeColor`
- Use `rectangle "Trust Boundary" { ... }` for security zones
- Directed flows use `-->`, audit/async flows use `..>` (dashed)

**Full stencil reference:** See `stencils/README.md` for 9500+ available icons.
## Mxgraph Stencil Syntax

Each icon is declared as a stencil name, a quoted display label, and an alias used in connections (the placeholders in angle brackets are filled in by you):

```plantuml
mxgraph.aws4.<stencil_name> "Label" as <alias>
```
### Identity & Access Stencils

| Category | Stencils | Purpose |
|---|---|---|
| IAM | `identity_and_access_management`, `identity_access_management_iam_roles_anywhere` | Identity policies & roles |
| SSO/Directory | `cognito`, `ad_connector`, `directory_service`, `cloud_directory` | User authentication & federation |
| STS | `sts`, `sts_alternate` | Temporary security credentials |
| Organizations | `organizations`, `organizations_account`, `organizations_organizational_unit` | Multi-account governance |
### Encryption & Secrets Stencils

| Category | Stencils | Purpose |
|---|---|---|
| KMS | `key_management_service`, `key_management_service_external_key_store` | Key management & encryption |
| Secrets | `secrets_manager` | Secrets rotation & storage |
| Certificates | `certificate_manager`, `private_certificate_authority` | TLS certificate lifecycle |
| HSM | `cloudhsm` | Hardware security module |
| Encryption | `encrypted_data` | Encrypted data at rest |
### Network Security Stencils

| Category | Stencils | Purpose |
|---|---|---|
| Firewall | `network_firewall`, `network_firewall_endpoints`, `firewall_manager` | Network traffic filtering |
| WAF | `generic_firewall` | Web application firewall |
| Shield | `shield`, `shield_shield_advanced`, `shield2` | DDoS protection |
| Security Group | `security_group`, `group_security_group` | Instance-level firewall |
### Threat Detection & Compliance Stencils

| Category | Stencils | Purpose |
|---|---|---|
| Detection | `guardduty`, `detective`, `inspector` | Threat detection & investigation |
| Data Protection | `macie` | Sensitive data discovery |
| Compliance | `security_hub`, `security_hub_finding`, `audit_manager`, `config` | Compliance posture & audit |
| Logging | `cloudtrail`, `cloudtrail_cloudtrail_lake`, `security_lake` | Audit trail & log aggregation |
| Governance | `control_tower`, `organizations` | Multi-account governance |
| Incident | `security_incident_response` | Incident management |
## Connection Types

| Syntax | Meaning | Use Case |
|---|---|---|
| `A --> B` | Solid arrow | Auth flow / access request |
| `A ..> B` | Dashed arrow | Audit event / async detection |
| `A -- B` | Solid line | Trust relationship |
| `A --> B : "label"` | Labeled connection | Describe protocol or credential |
## Quick Example

```plantuml
@startuml
left to right direction
mxgraph.aws4.users "Users" as users
mxgraph.aws4.cognito "Cognito" as auth
mxgraph.aws4.identity_and_access_management "IAM" as iam
rectangle "Protected Resources" {
  mxgraph.aws4.s3 "Data (S3)" as s3
  mxgraph.aws4.encrypted_data "Encrypted" as enc
}
users --> auth : "login"
auth --> iam : "token"
iam --> s3
s3 --> enc
@enduml
```
## Security Architecture Types

| Type | Purpose | Key Stencils | Example |
|---|---|---|---|
| IAM & AuthN | Identity and authentication | `cognito`, `identity_and_access_management`, `sts` | `iam-authn.md` |
| Encryption Pipeline | Data encryption at rest/in-transit | `key_management_service`, `certificate_manager`, `secrets_manager` | `encryption-pipeline.md` |
| Network Security | Perimeter defense & firewalls | `network_firewall`, `shield`, `security_group` | `network-security.md` |
| Threat Detection | Automated threat response | `guardduty`, `detective`, `security_hub` | `threat-detection.md` |
| Compliance Audit | Governance & audit trail | `config`, `audit_manager`, `cloudtrail`, `security_lake` | `compliance-audit.md` |
| Zero Trust | Zero-trust access model | `cognito`, `identity_and_access_management`, `network_firewall` | `zero-trust.md` |
| Data Protection | Sensitive data classification | `macie`, `encrypted_data`, `key_management_service` | `data-protection.md` |
| Multi-account Gov | Organization-wide security | `organizations`, `control_tower`, `security_hub` | `multi-account-governance.md` |
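The following is an added example, not one of the bundled example files above: a Zero Trust style diagram that combines several trust boundaries, labeled access flows (`-->`), a trust relationship (`--`) and dashed audit/detection flows (`..>`) using the stencil names from the tables above. Zone names, labels and aliases are chosen here for illustration.

```plantuml
@startuml
left to right direction

mxgraph.aws4.users "Remote Users" as users

rectangle "Identity Plane" {
  mxgraph.aws4.cognito "Cognito (AuthN)" as authn
  mxgraph.aws4.sts "STS (short-lived creds)" as sts
  mxgraph.aws4.identity_and_access_management "IAM (AuthZ)" as authz
}

rectangle "Network Perimeter" {
  mxgraph.aws4.shield "Shield" as shield
  mxgraph.aws4.network_firewall "Network Firewall" as fw
}

rectangle "Protected Workload" {
  mxgraph.aws4.security_group "Security Group" as sg
  mxgraph.aws4.s3 "Data (S3)" as data
  mxgraph.aws4.key_management_service "KMS" as kms
}

rectangle "Detection & Audit" {
  mxgraph.aws4.cloudtrail "CloudTrail" as trail
  mxgraph.aws4.guardduty "GuardDuty" as gd
  mxgraph.aws4.security_hub "Security Hub" as hub
}

' Access path: identity is established before any network hop is crossed
users --> authn : "login (MFA)"
authn --> sts : "identity token"
sts --> authz : "temporary credentials"
authz --> shield : "signed request"
shield --> fw
fw --> sg
sg --> data : "GetObject (TLS)"

' Trust relationship: data at rest depends on KMS keys
data -- kms : "envelope encryption"

' Audit and detection flows are asynchronous, so they are dashed
authz ..> trail : "API call logged"
data ..> trail : "data event"
trail ..> gd : "findings"
gd ..> hub : "aggregated posture"
@enduml
```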