Duolingo English Test leverages an isolated AWS account architecture with CloudFront, AWS WAF, and multi-AZ deployment across us-east-1a and us-east-1b to deliver secure, scalable test delivery. Test takers connect through CloudFront and AWS WAF bot/cheat detection rules, routing to ECS/EKS test delivery engines in public subnets, while Fargate proctoring streams, SageMaker anomaly detection, and DynamoDB session state operate in private subnets with cross-AZ replication. S3 secure test storage, KMS encryption, CloudWatch monitoring, and CloudTrail audit logs enforce defense-in-depth security and compliance. This architecture demonstrates how to isolate a high-stakes testing workload using AWS Organizations IAM, network segmentation, and managed services to prevent cheating while maintaining availability. Fork and customize this diagram on Diagrams.so to adapt the pattern for your own secure assessment or certification platform.