I stumbled upon AWS well-architected. This Security Pillar shows how you can implement a strong cloud security posture by defining and implementing security best practices to protect systems and information while driving business value for your organization.
The security pillar has seven design principles:
- Implement a strong identification foundation
- Enable Traceability
- Apply Security at all layers
- Automate Security best practices
- Protect data in transit and at rest
- Keep people away from data
- Prepare for security events
1. Implement a strong identification foundation
If you want to maintain safety data, this is a critical point. Follow the principle of least privilege and enforce separation of duties with the necessary authorization for each interaction with your AWS resources or users. Centralize Identity Management and eliminate static credentials.
2. Enable Traceability
Your ability to find security issues increases when you have a tracking system with the ability to identify logs by centralizing their collection. With a real-time system, you gain the ability to trigger alerts or audit actions relevant to each scenario or environment. Plus, integrate log collection and metrics with systems to automatically investigate and take action.
3. Apply Security at all layers
You cannot use just one layer of protection instead you should plan and implement multi-security controls. Every layer, workload level, and application should be secure. Just because it’s an internal system doesn’t mean it’s secure.
4. Automate Security best practices
Automation lessens the likelihood of human error and improves your ability to securely scale more rapidly and cost-effectively. Automated security sweeps can be set to run at regular intervals, and will automatically alert the correct team member when there is a problem.
5. Protect data in transit and at rest
Your data should always be secure, even when it’s within your systems. Use a classification system that all team members understand, to determine what level of security your data needs.
Based on its classification, data should be secured using encryption, tokenization, or access control. If you’ve automated your security best practices, your security system can sort the data itself.
6. Keep people away from data
In addition to the principle of least privilege, you should also use tools that help to lower the need for human access to data. Human error can cause security breaches or loss of data.
7. Prepare for security events
Prepare your systems and teams for future security incidents. Create incident management and investigation policies that are in line with your organization’s best practices.
The only really effective way to be prepared for a complicated situation is to keep training all team members on your response policy through exercises so that they are prepared for when the real thing happens.
The five best practice
After we have explored a little bit of it, these seven design principles should be applied to the five best practice areas for cloud security.
- Identify and Access Management
- Detective Controls
- Infrastructure Protection
- Data Protection
- Incident Response
AWS Well-Architected Tool
Since November 2018, you can run automated assessments in your AWS environments using this tool with no associated costs, and is available to all AWS users.
