AWS Well‐Architected Security Pillar¶
Info
Shows how you can implement a strong security posture in the cloud, defining and implementing security best practices to protect systems and information, while also generating business value for your organization.
Design Principles¶
| Principle | Description |
|---|---|
| Implement a Strong Identity Foundation | Use the least privilege principle by creating segregation of duties (SoD), using the proper IAM roles and permissions, defining the appropriate authorization for each resource that will interact with the AWS Cloud, and limiting and centralizing privileged accesses and eliminating long‐term credentials when possible |
| Enable Traceability | Enable audit logs by centralizing log collection, ingestion, protection, and enrichment, and by creating alerts that should be monitored by one or several teams that will respond to each kind of alert, based on required runbooks and playbooks |
| Apply Security at All Layers | Defense‐in‐depth is a must; you cannot use just one layer of protection but must implement network security, OS security, load balancer security, application security, and so on. You must implement security best practices in all AWS Cloud services and components that will be a part of your application |
| Automate Security Best Practices | Automation is a key function in cloud security. The best way to deploy an agile and secure environment is to leverage automation, implement security as code, and transform your paper security policies into real and coded security controls. As you create infrastructure as code and insert embedded security controls to achieve automated security, you can scale your cloud environments while maintaining the same level of protection |
| Protect Data in Transit and at Rest | You must understand your data in order to protect sensitive information in both data exchange and storage, using encryption, tokenization, and masking resources to achieve it. You should also create and enforce access control policies to limit access to sensitive data wherever it is |
| Keep People Away from Data | You must create mechanisms and tools to reduce or eliminate manual and human access to production data, thus reducing operation risks related to human mistakes when handling sensitive data |
| Prepare for Security Events | You must define an incident response management practice, running incident simulations, creating tools, using automation, and running playbooks to improve the security incident capabilities |
Best Practices Areas¶
- Identity and access management
- Detective controls
- Infrastructure protection
- Data protection
- Incident response