The AWS Well-Architected Framework, particularly its Security Pillar, outlines key principles for securing AWS environments. It serves as a comprehensive guide to establish strong security on AWS.
Start with this article for foundational knowledge and refer to the References section for further details of the framework.
Security responsibilities are divided under the Shared Responsibility Model in the AWS Well-Architected Framework. AWS is responsible for the security 'of the Cloud' including its infrastructure and AWS services' software. Customers are responsible for security 'in the Cloud' which involves their data, applications, and AWS service configurations.
This article and the Well-Architected Framework focus on security in the cloud. Best practices are grouped into seven areas, but this concise version omits descriptions of these categories for brevity.
We've distilled AWS security best practices to their core essentials, labeling the area each belongs to and including the official AWS code for easier referencing after updates.
Separate workloads using accounts
Security foundations - AWS account management and separation
Code: SEC01-BP01
To enhance cloud infrastructure security, implement a multi-account strategy for isolating environments like production, development, and test. This separation provides strong boundaries for security, billing, and access, reducing the impact scope of accidental access and centralizing governance.
Utilize AWS Organizations and AWS Control Tower to manage account hierarchies and apply consistent security controls.
Design an effective organizational unit (OU) structure, create a secure landing zone, establish guardrails, and control access to new AWS Regions.
Also, consider using AWS CloudFormation StackSets for efficient resource deployment across accounts and regions. This approach mitigates high risks and streamlines compliance and auditing processes.
Secure account root user and properties
Security foundations - AWS account management and separation
Code: SEC01-BP02
To secure the root user in an AWS account, it's crucial to deactivate programmatic access, establish strict controls, and limit its routine use, thereby reducing the risk of credential exposure and cloud environment compromise.
Secure the root user by setting up accurate contact information, removing access keys, using strong password and multi-factor authentication (MFA).
Organize AWS accounts into hierarchical structures using AWS Organizations and AWS Control Tower for added security. Implement preventative and detective controls, including alerts for root credential usage and regular password rotations.
Identify and validate control objectives
Security foundations - Operating your workloads securely
Code: SEC01-BP03
Determine and validate the control objectives and controls necessary for your workload based on compliance needs and threats identified in your threat model, ensuring ongoing effectiveness in risk mitigation.
For implementation, identify your compliance requirements and utilize AWS resources, such as AWS Compliance and AWS Artifact, to aid in compliance efforts.
Keep up-to-date with security threats
Security foundations - Operating your workloads securely
Code: SEC01-BP04
Maintain your workload's security by using AWS managed services (such as Amazon RDS) that notify you of suspicious behavior in your accounts.
Stay current with AWS and industry security updates including Common Vulnerabilities and Exposures (CVE) List and AWS Security Bulletins.
Consider using the AWS Shield Advanced service, which offers near real-time insights from workloads that are accessible over the internet.
Keep up-to-date with security recommendations
Security foundations - Operating your workloads securely
Code: SEC01-BP05
Keep your workload's security up-to-date by following AWS and industry security recommendations, as neglecting this carries a high risk.
Regularly consult AWS Security Bulletins, subscribe to AWS updates like AWS security blog, and AWS service documentation.
Stay informed with industry news relevant to your technology, such as the Common Vulnerabilities and Exposures (CVE) List.
Automate testing and validation of security controls in pipelines
Security foundations - Operating your workloads securely
Code: SEC01-BP06
Establish and continuously validate secure baselines and templates for security mechanisms in your build processes and pipelines using automation tools. This includes scanning for vulnerabilities in machine images and infrastructure-as-code templates.
AWS CloudFormation Guard aids in ensuring CloudFormation template safety. Incorporating quality control early in the build process reduces security misconfigurations in production.
Design CI/CD pipelines to test for security issues, keeping security tooling updated to counter evolving threats.
Use AWS Config for tracking workload configuration changes, aiding in compliance, change management, and investigations. This includes tracking planned, unplanned, and unexpected changes across various elements like infrastructure and code repositories. Not establishing this practice poses a medium risk.
For implementation, automate configuration management with tools like AWS Systems Manager, AWS CloudFormation, and set up a CI/CD pipeline on AWS.
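As an added example (not AWS CloudFormation Guard and not code from the framework), here is a small pre-deployment check in Python that a pipeline stage could run over a parsed CloudFormation template; the sample template, the properties checked and the list of admin ports are constructed for illustration.

```python
"""Pre-deployment checks over a CloudFormation template (SEC01-BP06).

Added example, not AWS CloudFormation Guard: the template arrives as a plain
dict (the result of parsing the JSON or YAML file) and the pipeline fails the
build if any finding is returned. The template below is constructed.
"""

# Constructed sample: one compliant bucket, one bucket with neither default
# encryption nor a public access block, and a security group open to the world
# on SSH.
SAMPLE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "LogsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                    {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": True, "BlockPublicPolicy": True,
                    "IgnorePublicAcls": True, "RestrictPublicBuckets": True},
            },
        },
        "ScratchBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "AdminSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "admin access",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"},
                ],
            },
        },
    },
}

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}          # SSH and RDP; assumed list, extend as needed
PAB_FLAGS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")


def check_bucket(logical_id, props):
    findings = []
    if "BucketEncryption" not in props:
        findings.append((logical_id, "S3 bucket has no default encryption"))
    pab = props.get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(flag) is True for flag in PAB_FLAGS):
        findings.append((logical_id, "S3 bucket does not block all public access"))
    return findings


def check_security_group(logical_id, props):
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr not in PUBLIC_CIDRS:
            continue                      # only world-reachable rules matter here
        if str(rule.get("IpProtocol")) == "-1":
            findings.append((logical_id, f"security group allows all traffic from {cidr}"))
            continue
        low, high = int(rule.get("FromPort", -1)), int(rule.get("ToPort", -1))
        if any(low <= port <= high for port in ADMIN_PORTS):
            findings.append((logical_id, f"security group allows an admin port from {cidr}"))
    return findings


CHECKS = {
    "AWS::S3::Bucket": check_bucket,
    "AWS::EC2::SecurityGroup": check_security_group,
}


def lint_template(template):
    """Return [(logical_id, message), ...]; an empty list means the template passes."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        check = CHECKS.get(resource.get("Type"))
        if check is not None:
            findings.extend(check(logical_id, resource.get("Properties", {})))
    return findings


if __name__ == "__main__":
    problems = lint_template(SAMPLE_TEMPLATE)
    for logical_id, message in problems:
        print(f"FAIL {logical_id}: {message}")
    raise SystemExit(1 if problems else 0)
```

The non-zero exit status is what makes the pipeline stage fail, so a resource that slips through the checks above still needs a corresponding rule before it is trusted.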
Identify threats and prioritize mitigations using a threat model
Security foundations - Operating your workloads securely
Code: SEC01-BP07
Perform threat modeling to identify, prioritize, and continually update potential threats and their mitigations for your workload, which is critical for adapting security controls. High risk is associated with not establishing this practice. To implement, first understand and align with your compliance requirements.
Use frameworks like OWASP for threat identification and AWS resources for compliance support. Early threat modeling in the workload lifecycle is crucial, and it should evolve with workload changes.
Utilize tools like the Threat Composer for efficient threat modeling, generating readable and actionable threat models, and for insights on quality and coverage improvements. This systematic approach is essential for maintaining a secure and compliant workload environment.
Evaluate and implement new security services and features regularly
Security foundations - Operating your workloads securely
Code: SEC01-BP08
Regularly assess and integrate new AWS security services and features, as well as those from AWS Partners, to enhance your workload's security.
For implementation, schedule reviews for compliance, new AWS features, and industry news.
Establish processes for evaluating and onboarding new AWS services, ensuring they meet your workload's functionality and compliance needs. Test new features in a non-production environment and implement automated defense mechanisms, like remediation through AWS Config Rules, to maintain security.
Use strong sign-in mechanisms
Identity and access management - Identity management
Code: SEC02-BP01
To mitigate the risks associated with sign-in credentials, especially when they are weak or compromised, it's essential to implement strong sign-in mechanisms. This includes enforcing multi-factor authentication (MFA) and robust password policies for AWS Identity and Access Management (IAM) users, the AWS account root user, AWS IAM Identity Center, and third-party identity providers.
High risk is associated with not using strong sign-in methods. Common missteps include not enforcing strong passwords, sharing credentials among users, and lacking controls for unusual sign-ins.
Use a centralized identity provider with federation for secure sign-ins and enforce a comprehensive sign-in policy, including MFA, password complexity, and individual user credentials.
In AWS IAM Identity Center and Amazon Cognito user pools, configure password policies and MFA settings. In IAM, set a password policy and create policies to enforce MFA sign-ins.
Use temporary credentials
Identity and access management - Identity management
Code: SEC02-BP02
To mitigate the risks of compromised credentials, it's essential to use temporary credentials over long-term ones for both human and machine identities in AWS.
High risk is involved with long-term credentials, as they can be inadvertently exposed or misused, like being uploaded to public Git repositories or embedded in mobile apps.
Implement temporary credentials for all AWS API and CLI requests, using federation or IAM roles, and minimize the use of IAM users.
For human identities, rely on a centralized identity provider with federation, and for machine identities, use roles for EC2, Lambda execution roles, or AWS IoT Core credential provider.
In scenarios where temporary credentials aren't feasible, regularly audit and rotate long-term credentials and manage them securely with AWS Secrets Manager.
Store and use secrets securely
Identity and access management - Identity management
Code: SEC02-BP03
Automate secure management of application credentials to mitigate risks like exposure or theft.
Focus on identifying necessary secrets, transitioning to short-term credentials, secure storage and rotation of long-term ones, auditing access, and monitoring to ensure secrets aren't embedded in source code.
Avoid common pitfalls like not rotating credentials or storing them unencrypted in code. Using AWS Secrets Manager is recommended for managing and rotating credentials securely, with capabilities like encryption, auditing, and fine-grained access control.
For implementation, identify and replace embedded credentials using tools like Amazon CodeGuru, integrate AWS Secrets Manager for third-party secret retrieval, and periodically review and monitor for unauthorized access or changes, minimizing human credential exposure.
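As an added example of the "secrets aren't embedded in source code" check (not Amazon CodeGuru or any AWS tool), the Python scanner below flags AWS long-term access key IDs and secret keys in source text so a pipeline can fail before they reach a repository; the sample source and its credential values are constructed placeholders.

```python
"""Scan source text for embedded AWS credentials (SEC02-BP03).

Added example, not an AWS tool: a small regex scanner that flags long-term
access key IDs and secret access keys committed to source. The sample source
is constructed and its credential values are non-functional placeholders.
"""
import re

# Long-term access key IDs begin with "AKIA" followed by 16 upper-case
# alphanumerics; temporary (STS) key IDs begin with "ASIA" and are flagged too,
# since neither belongs in source control.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Secret access keys are 40 characters of base64-like text. Only flag one when
# an assignment to a secret-looking name precedes it, to limit false positives.
SECRET_KEY = re.compile(
    r"(?i)(?:aws_?secret_?access_?key|secret_?key)\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")

SAMPLE_SOURCE = """\
import boto3
# constructed sample values; not real credentials
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
session = boto3.Session(aws_access_key_id=AWS_ACCESS_KEY_ID,
                        aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
BUCKET = "analytics-ingest"
"""


def scan_source(text):
    """Return [(line_number, kind, redacted_prefix), ...] for each credential-looking token."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in ACCESS_KEY_ID.finditer(line):
            findings.append((lineno, "access_key_id", match.group(0)[:8] + "..."))
        for match in SECRET_KEY.finditer(line):
            findings.append((lineno, "secret_access_key", match.group(1)[:4] + "..."))
    return findings


if __name__ == "__main__":
    for lineno, kind, prefix in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind} ({prefix})")
```

Findings are reported with a redacted prefix only, so the scanner's own output never copies the secret into build logs.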
Rely on a centralized identity provider
Identity and access management - Identity management
Code: SEC02-BP04
For workforce identities like employees and contractors, use a centralized identity provider to manage access across multiple systems and applications. This enables centralized management of users, authentication policies, and authorization, allowing single sign-on and integration with HR systems for automatic updates.
Avoid pitfalls like separate user accounts for each application and manual identity lifecycle management. A centralized identity provider ensures encrypted, audited access, and automated updates in line with personnel changes, reducing risks.
For AWS access, federate workforce users using either direct federation to each AWS account or through AWS IAM Identity Center for multiple accounts. Similarly, for application users, employ Amazon Cognito for centralized identity management, integrating it with your custom applications for secure authentication and access control.
This practice not only streamlines identity management but also enhances security and compliance.
Audit and rotate credentials periodically
Identity and access management - Identity management
Code: SEC02-BP05
Regularly audit and rotate credentials to minimize risks associated with long-term credential usage, especially in situations where temporary credentials are not viable. Implementing a policy of frequent credential rotation and auditing ensures compliance and reduces the likelihood of unauthorized access.
Common mistakes include neglecting to audit credential use, relying unnecessarily on long-term credentials, and failing to rotate them. For implementation, use tools like AWS Config Rules and AWS Security Hub to monitor credential use and enforce multi-factor authentication.
Rotate long-term IAM access keys periodically and review IAM permissions to adhere to the least privilege principle.
Automate IAM resource creation and updates with AWS CloudFormation or IAM Identity Center, and consider using IAM Roles Anywhere for machine identities to avoid long-term credential storage.
Leverage user groups and attributes
Identity and access management - Identity management
Code: SEC02-BP06
As your user base expands, organize them into groups with similar security requirements for scalable management. Utilize user attributes like department or location for access control, updating these attributes as needed. Manage access by altering group memberships or attributes instead of individual user policies, simplifying changes in access needs.
AWS IAM Identity Center can be used to manage these user groups and attributes, supporting attributes either entered manually or synchronized using systems like SCIM.
Define access requirements
Identity and access management - Permissions management
Code: SEC03-BP01
Clearly define access requirements for each component of your workload, ensuring only the right administrators, end-users, or components have access.
Avoid common errors like hardcoding secrets or granting excessive custom permissions. High risk arises if this isn't established. Use federated access or a centralized identity provider for regular AWS account access, integrating it with your employee access lifecycle.
For non-human identities, use IAM roles based on the least privilege principle and utilize AWS services like Secrets Manager and Systems Manager Parameter Store for secure secret management.
Prefer short-term over long-term credentials and rotate them regularly. For programmatic access, use temporary credentials where possible and monitor the usage of long-term credentials to ensure timely rotation and removal.
Grant least privilege access
Identity and access management - Permissions management
Code: SEC03-BP02
Grant access to workload components based on specific needs, using groups and identity attributes for scalable permission management.
Avoid common errors like embedding secrets in applications or granting overly permissive or unrotated credentials. High risk is involved if least privilege access is not practiced. Utilize AWS IAM for creating least privilege policies, basing them on user roles and functions, and review AWS CloudTrail logs for tailoring permissions.
Regularly remove unnecessary permissions and limit user access to production environments. Use permissions boundaries, resource tags, and service control policies (SCPs) in AWS Organizations for fine-grained control. Implement user lifecycle policies to manage permissions throughout a user’s tenure, and conduct regular reviews to prevent permission creep.
Establish a job role matrix for visualizing and segregating permissions in your organization.
Establish emergency access process
Identity and access management - Permissions management
Code: SEC03-BP03
Develop a process for emergency access to your workloads in case of issues with your centralized identity provider. This involves designing procedures for various failure modes, like centralized identity provider failure or configuration issues, ensuring administrators can access cloud resources through alternative methods for emergency resolution.
Key elements include:
- Defining and documenting potential failure modes and emergency situations
- Documenting steps to confirm an emergency and emergency access procedures for each scenario
- Keeping processes well-documented and ensuring they are only used during actual emergencies
- Regularly testing and updating these processes to maintain efficiency and accuracy
Avoid pitfalls such as untested emergency processes or reliance on the same systems for both normal and emergency access. The benefits of a well-planned emergency access process include faster resolution times and heightened monitoring for misuse.
For implementation, consider pre-creating necessary resources, including emergency AWS accounts with pre-configured IAM roles, and integrating these processes with incident management plans.
Monitor and audit emergency access to detect unauthorized use and ensure the process is initiated only by authorized personnel.
Reduce permissions continuously
Identity and access management - Permissions management
Code: SEC03-BP04
Streamline your team's access by regularly removing unnecessary permissions and continuously reviewing to maintain least privilege access for both human and machine identities.
Aim for policies that adhere to the least privilege principle, adjusting them as roles and responsibilities evolve to minimize risks associated with exposed or unauthorized credential access. Avoid common errors like default administrator permissions or overly permissive policies, even ones that stop short of full administrator rights.
Use AWS tools like IAM Access Analyzer for identifying unused users, roles, and permissions, and for generating fine-grained policies based on actual service interactions. Implement a usage policy for IAM users and roles based on last accessed data, and consider logging data events in AWS CloudTrail to understand specific access needs to resources like Amazon S3 objects or DynamoDB table items.
Define permission guardrails for your organization
Identity and access management - Permissions management
Code: SEC03-BP05
Implement common controls to restrict access across your organization, like limiting access to certain AWS Regions or safeguarding key resources, such as IAM roles for security teams.
Avoid missteps like running workloads in the Organizational administrator account or mixing production and non-production workloads in the same account.
Use AWS Organizations to manage accounts, implementing service control policies (SCPs) to enforce organization-wide controls on service actions and resources.
Allow exceptions for specific roles if needed. Refrain from using the management account for running workloads; use it instead for governance and deploying security guardrails.
Utilize a multi-account strategy for flexibility in applying guardrails, and clearly define the purpose of each account or organizational unit (OU), tailoring controls to match their specific functions. Services like AWS Control Tower can help manage these controls centrally.
Manage access based on lifecycle
Identity and access management - Permissions management
Code: SEC03-BP06
Integrate access controls with user and application lifecycles and with your centralized federation provider, using AWS Resource Access Manager for secure resource sharing across accounts, so that access stays aligned with organizational changes.
Revoke a user's permissions upon their departure from the organization or when they transition to different roles.
Analyze public and cross-account access
Identity and access management - Permissions management
Code: SEC03-BP07
Regularly monitor your AWS resources to control public and cross-account access, ensuring they are shared only with authorized entities. Utilize tools like AWS Identity and Access Management Access Analyzer and AWS Config for continuous review and management of resource policies, particularly for public access.
Implement a rigorous process for approving public and cross-account resource sharing, and deploy AWS Organizations and services like AWS Control Tower and AWS Security Hub to enforce security policies and identify exposed resources. These measures are crucial to minimize risks and maintain control over resource access in your AWS environment.
Share resources securely within your organization
Identity and access management - Permissions management
Code: SEC03-BP08
As the number of your workloads grows, securely share resources across development, testing, and production environments to reduce operational overhead and ensure consistency.
Establish access controls and continuous monitoring to govern shared resources, using AWS services like Security Hub, GuardDuty, and AWS Backup for centralized management.
Implement service control policies (SCPs) for internal sharing, and use identity-based and network controls for external sharing, ensuring shared resources are accessible only to trusted entities.
Utilize AWS Resource Access Manager for efficient resource sharing, and integrate AWS Organizations for centralized account management and data perimeter establishment, maintaining a secure and scalable environment.
Share resources securely with a third party
Identity and access management - Permissions management
Code: SEC03-BP09
Securely sharing resources with third parties in your cloud environment requires careful permission management, focusing on least privilege access and temporary credentials.
Establish just-in-time access with unique identifiers (like UUIDs) for external IDs in IAM trust policies, ensuring third-party access is auditable and not overly permissive.
Avoid long-term IAM credentials; instead, use IAM cross-account roles and IAM Roles Anywhere for external access.
Regularly monitor and update these permissions, and have a process for immediate revocation if necessary.
Emphasize automated, auditable setup mechanisms and be prepared for changes in third-party services or your own account structure, keeping the access scope and risk of unintended access minimized.
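As an added example serving both SEC03-BP07 (cross-account access review) and SEC03-BP09 (third-party access with an external ID), the Python below audits role trust policies for principals outside the organization and reports whether the sts:ExternalId condition is present; it is not IAM Access Analyzer, and OWN_ACCOUNTS and every policy shown are constructed.

```python
"""Audit IAM role trust policies for risky cross-account access (SEC03-BP07 and SEC03-BP09).

Added example, not IAM Access Analyzer: it reads trust policy documents as
dicts and flags statements that let anyone assume the role, or that let an
account outside the organization assume it, noting whether the sts:ExternalId
condition this practice calls for is present. OWN_ACCOUNTS and every policy
below are constructed.
"""
import re

OWN_ACCOUNTS = {"111122223333", "444455556666"}   # assumed: the organization's own accounts
ARN_ACCOUNT = re.compile(r"^arn:aws:iam::(\d{12}):")


def as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_accounts(principal):
    """Yield the account id ('*' for anyone, '?' if unparsable) of each AWS principal."""
    if principal == "*":
        yield "*"
        return
    for raw in as_list(principal.get("AWS", [])):
        if raw == "*":
            yield "*"
        elif re.fullmatch(r"\d{12}", raw):
            yield raw
        else:
            match = ARN_ACCOUNT.match(raw)
            yield match.group(1) if match else "?"


def has_external_id(statement):
    condition = statement.get("Condition", {})
    return any("sts:ExternalId" in condition.get(op, {}) for op in ("StringEquals", "StringLike"))


def audit_trust_policy(role_name, policy, own_accounts=OWN_ACCOUNTS):
    """Return [(role_name, message), ...]; an empty list means no cross-account exposure."""
    findings = []
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in as_list(statement.get("Action", [])):
            continue
        for account in principal_accounts(statement.get("Principal", {})):
            if account == "*":
                findings.append((role_name, "anyone can assume this role (Principal *)"))
            elif account not in own_accounts:
                message = f"third-party account {account} can assume this role"
                if not has_external_id(statement):
                    message += " without an ExternalId condition"
                findings.append((role_name, message))
    return findings


def _trust(principal, condition=None):
    """Build a constructed trust policy with one AssumeRole statement."""
    statement = {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": principal}
    if condition:
        statement["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [statement]}


# Constructed sample policies; 123456789012 stands in for a vendor's account.
INTERNAL_ROLE = _trust({"AWS": "arn:aws:iam::444455556666:root"})
SERVICE_ROLE = _trust({"Service": "lambda.amazonaws.com"})
VENDOR_ROLE = _trust({"AWS": "arn:aws:iam::123456789012:role/VendorScanner"},
                     {"StringEquals": {"sts:ExternalId": "c1a5b7e0-4d2f-4a6b-9c3e-1f2a3b4c5d6e"}})
LEGACY_ROLE = _trust({"AWS": "123456789012"})
OPEN_ROLE = _trust({"AWS": "*"})

if __name__ == "__main__":
    for name, policy in [("internal", INTERNAL_ROLE), ("lambda", SERVICE_ROLE),
                         ("vendor", VENDOR_ROLE), ("legacy", LEGACY_ROLE), ("open", OPEN_ROLE)]:
        for _, message in audit_trust_policy(name, policy) or [(name, "ok")]:
            print(f"{name}: {message}")
```

Every third-party principal is reported even when the external ID is present, so the list doubles as the inventory that the approval process for cross-account sharing should review.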
Configure service and application logging
Detection
Code: SEC04-BP01
Maintain security event logs from services and applications for auditing, investigations, and operational use, adhering to governance, risk, and compliance standards. Ensure reliable, timely retrieval of these logs, centralizing them for effectiveness.
Avoid common pitfalls like premature deletion, unrestricted access, and manual log management. Benefits include facilitating root cause analyses and meeting compliance needs.
For effective implementation, select relevant log sources, use AWS CloudTrail for API call tracking, enable VPC Flow Logs for network traffic, and consider Amazon Security Lake for centralized log storage.
Manage log storage and retention smartly, using Amazon S3 or CloudWatch, and align log retention with security and compliance requirements.
Utilize querying tools like CloudWatch Logs Insights or Amazon Athena for log analysis.
Set up alerts using AWS services like Config, GuardDuty, and Security Hub to monitor for security events and compliance.
Analyze logs, findings, and metrics centrally
Detection
Code: SEC04-BP02
Security operations teams must go beyond just collecting logs and manually analyzing data; integrating security events into automated workflow systems like ticketing or SIEM systems is essential for timely event management.
Amazon GuardDuty and AWS Security Hub enhance this process by aggregating, deduplicating, and analyzing log data, which can then be routed effectively for appropriate action and remediation, especially in complex architectures where subtle, unauthorized changes might occur.
Automate response to events
Detection
Code: SEC04-BP03
Automating the investigation and remediation of events in AWS minimizes human error and effort, enhancing your capability to handle incidents at scale.
Tools like Amazon EventBridge and GuardDuty facilitate this by integrating event detection into automated workflows, while AWS Config Rules and Conformance Packs manage compliance and change detection. Regularly tuning these tools through reviews ensures continuous improvement.
Implementing GuardDuty for threat detection and developing automated investigation processes can significantly save time and reduce risks.
Implement actionable security events
Detection
Code: SEC04-BP04
Develop and implement a system where alerts, complete with actionable information, are sent to your team, accompanied by a specific runbook or playbook for each type of incident detected by mechanisms like Amazon GuardDuty.
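As an added example serving SEC04-BP03 (automated response) and SEC04-BP04 (actionable events with a runbook per finding type), the Python below is a Lambda-style handler that takes a GuardDuty finding as EventBridge delivers it and returns the ticket an automated workflow would open. It is not AWS-provided code; the runbook table, the sample events and the paging rule are constructed, and the severity bands are assumed to match GuardDuty's documented ranges.

```python
"""Route a GuardDuty finding delivered via EventBridge to a runbook (SEC04-BP03 and SEC04-BP04).

Added example of a Lambda-style handler, not AWS-provided code: it reads the
fields EventBridge places in a "GuardDuty Finding" event, maps the finding type
to a runbook, and returns the ticket an automated workflow would open. The
RUNBOOKS table, the sample events and the paging rule are constructed; the
severity bands (Low < 4, Medium < 7, High < 9, Critical >= 9) are assumed to
match GuardDuty's documented ranges.
"""
import json

# Constructed mapping from finding-type prefix to runbook. Anything unmatched
# goes to a manual triage runbook so that no finding is silently dropped.
RUNBOOKS = {
    "UnauthorizedAccess:EC2/SSHBruteForce": "RB-EC2-ISOLATE-AND-REVIEW",
    "CryptoCurrency:EC2/": "RB-EC2-ISOLATE-AND-REVIEW",
    "UnauthorizedAccess:IAMUser/": "RB-IAM-REVOKE-SESSIONS",
    "Recon:IAMUser/": "RB-IAM-REVIEW-ONLY",
}
DEFAULT_RUNBOOK = "RB-TRIAGE-MANUAL"


def severity_label(severity):
    if severity >= 9:
        return "CRITICAL"
    if severity >= 7:
        return "HIGH"
    if severity >= 4:
        return "MEDIUM"
    return "LOW"


def pick_runbook(finding_type):
    for prefix, runbook in RUNBOOKS.items():
        if finding_type.startswith(prefix):
            return runbook
    return DEFAULT_RUNBOOK


def affected_resource(resource):
    """Short identifier of the resource a finding concerns."""
    kind = resource.get("resourceType")
    if kind == "Instance":
        return resource["instanceDetails"]["instanceId"]
    if kind == "AccessKey":
        details = resource["accessKeyDetails"]
        return f"{details.get('userType')}/{details.get('userName')}"
    return kind or "unknown"


def handler(event, context=None):
    """Lambda entry point for an EventBridge rule on source aws.guardduty."""
    if event.get("detail-type") != "GuardDuty Finding":
        return {"action": "ignore"}
    finding = event["detail"]
    label = severity_label(float(finding.get("severity", 0)))
    where = affected_resource(finding.get("resource", {}))
    return {
        "action": "open_ticket",
        "page_oncall": label in ("HIGH", "CRITICAL"),   # constructed paging rule
        "runbook": pick_runbook(finding["type"]),
        "finding_id": finding["id"],
        "summary": f"[{label}] {finding['type']} on {where} in {finding['accountId']}/{finding['region']}",
        "first_seen": finding["service"]["eventFirstSeen"],
        "count": finding["service"]["count"],
    }


def _event(finding_type, severity, resource):
    """Wrap a constructed finding in the envelope EventBridge delivers."""
    return {
        "version": "0", "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
        "account": "111122223333", "region": "us-east-1",
        "detail": {
            "schemaVersion": "2.0", "accountId": "111122223333", "region": "us-east-1",
            "id": "example-finding-id", "type": finding_type, "severity": severity,
            "resource": resource,
            "service": {"serviceName": "guardduty", "eventFirstSeen": "2024-06-01T10:00:00Z",
                        "eventLastSeen": "2024-06-01T10:05:00Z", "count": 3},
        },
    }


SAMPLE_SSH_EVENT = _event(
    "UnauthorizedAccess:EC2/SSHBruteForce", 2.0,
    {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0abc123def456789a"}})
SAMPLE_EXFIL_EVENT = _event(
    "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS", 8.0,
    {"resourceType": "AccessKey",
     "accessKeyDetails": {"userType": "AssumedRole", "userName": "app-instance-role"}})

if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_SSH_EVENT), indent=2))
    print(json.dumps(handler(SAMPLE_EXFIL_EVENT), indent=2))
```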
Create network layers
Infrastructure protection - Protecting networks
Code: SEC05-BP01
To enhance network security, group components with similar sensitivity into distinct network layers, reducing the risk of unauthorized access. For instance, databases without internet requirements should be placed in subnets isolated from the internet, with access restricted to only necessary resources, like a business logic or web server.
A layered network approach, which includes securing the network edge and internal paths, limits the potential impact of unauthorized access and makes it harder for intruders to access additional resources.
Implementing tools like AWS Transit Gateway, Reachability Analyzer, and AWS Firewall Manager further strengthens network security by managing traffic flow and identifying unintended network access, while services like AWS WAF and Amazon CloudFront provide added protection for web applications and APIs.
Control traffic at all layers
Infrastructure protection - Protecting networks
Code: SEC05-BP02
When designing your network topology, assess each component's connectivity needs, such as internet access or VPC connections.
Use a Virtual Private Cloud (VPC) to define a private network in an AWS Region, employing multiple layers of traffic control like security groups, Network ACLs, and route tables.
Utilize subnets within Availability Zones for detailed traffic management and leverage security groups for firewall-like protection outside the operating system layer. For services requiring internet access for API calls, use VPC endpoints and AWS PrivateLink to ensure secure, internet-free connectivity.
To manage outbound internet traffic securely, use AWS managed NAT gateways or web proxies. Implementing these measures along with edge services like Amazon CloudFront and AWS WAF provides robust protection against external threats.
Automate network protection
Infrastructure protection - Protecting networks
Code: SEC05-BP03
Implement automated protection mechanisms in your network, utilizing threat intelligence and anomaly detection for a self-defending system. Use tools like AWS WAF Security Automations to automatically block malicious traffic, and deploy AWS CloudFormation for setting up AWS WAF rules against common web-based attacks.
Additionally, consider AWS Partner solutions that integrate with and complement AWS services, enhancing your overall security architecture across cloud and on-premises environments.
Implement inspection and protection
Infrastructure protection - Protecting networks
Code: SEC05-BP04
Inspect and filter network traffic at every layer using tools like VPC Network Access Analyzer for identifying unintended access, and AWS WAF for protecting HTTP-based transactions.
Centralize management of firewall rules with AWS Firewall Manager, and enhance workload protection using AWS Network Firewall, GuardDuty for threat detection, VPC Flow Logs for traffic analysis, and VPC traffic mirroring for detailed inspection and monitoring of network activity.
Perform vulnerability management
Infrastructure protection - Protecting compute
Code: SEC06-BP01
Regularly scan and patch for vulnerabilities in your AWS environment, including EC2 instances, ECS containers, and EKS workloads, and maintain a vulnerability management program for security.
Utilize AWS services like Amazon Inspector for continuous scans, Systems Manager for patch management, and Security Hub for centralized security alerts. Automate resource creation and updates with AWS CloudFormation, and ensure code security with tools like Amazon CodeGuru and open-source options for static analysis.
Prioritize patching and address software issues proactively, especially during the development and deployment stages.
Reduce attack surface
Infrastructure protection - Protecting compute
Code: SEC06-BP02
Minimize the risk of unintended access by hardening operating systems and reducing unused components and libraries across your AWS environment.
Utilize tools like EC2 Image Builder for building and maintaining secure AMIs, automated patching, and enforcing security policies.
Apply third-party static code analysis tools and Amazon CodeGuru for identifying security issues and vulnerabilities in your code, including outdated libraries.
Regularly use Amazon Inspector for configuration assessments and CVE checks, and incorporate methods like fuzzing to test application-level security.
Ensure containerized resources and AWS Lambda functions adhere to security best practices to reduce attack surface.
Implement managed services
Infrastructure protection - Protecting compute
Code: SEC06-BP03
Utilize managed AWS services like Amazon RDS, AWS Lambda, and Amazon ECS to minimize security maintenance tasks and focus more on application-level security. These services automate administrative tasks such as database setup, patching, and backups (in the case of Amazon RDS), and server management (in AWS Lambda and Amazon ECS), reducing the burden of infrastructure security under the shared responsibility model.
Automate compute protection
Infrastructure protection - Protecting compute
Code: SEC06-BP04
Automate protective mechanisms for your compute resources, such as vulnerability management, attack surface reduction, and resource management, to enhance security and minimize human error.
Use tools like AWS Systems Manager for configuration management and automated patching of Amazon EC2 instances, and implement intrusion detection and prevention systems.
Leverage AWS Partner solutions to integrate and complement existing AWS services for a holistic security approach across both cloud and on-premises environments.
Enable people to perform actions at a distance
Infrastructure protection - Protecting compute
Code: SEC06-BP05
Minimize human error and manual management risks by deploying and managing Amazon EC2 instances through automated workflows and infrastructure-as-code, rather than interactive access or bastion hosts.
Utilize tools like AWS Systems Manager for automated maintenance and deployment tasks, and AWS CloudFormation for infrastructure automation, instead of direct console access.
This approach reduces the reliance on direct SSH or RDP access to instances, enhancing overall security.
Validate software integrity
Infrastructure protection - Protecting compute
Code: SEC06-BP06
To ensure software integrity and source trustworthiness, implement validation mechanisms like code signing. This process confirms the author of the code and ensures it remains unaltered since its creation.
AWS Signer assists in managing the code-signing lifecycle, including handling certificates and keys. Additionally, verifying downloaded software checksums against the checksums published by the provider can further confirm the software's integrity.
The practice of code signing, supported by checksum verification, significantly enhances software security and trust.
Identify the data within your workload
Data protection - Data classification
Code: SEC07-BP01
To effectively manage data security, it’s crucial to understand the nature, storage, and ownership of your workload’s data, as well as its compliance obligations.
Implement data classification to manage sensitive data locations and access, reducing risks and ensuring proper handling.
Utilize AWS services like Amazon Macie for automated data discovery and classification, and incorporate tagging for resource management.
Regularly review and adapt your data management strategies to align with evolving data types, legal requirements, and business processes.
Define data protection controls
Data protection - Data classification
Code: SEC07-BP02
Implement protection measures for data based on its classification level.
Utilize the following AWS tools to enforce data classification and encryption policies:
- resource tags
- separate AWS accounts
- IAM policies
- AWS Organizations SCPs
- AWS Key Management Service (KMS)
- AWS CloudHSM
For highly sensitive data, apply stringent controls and restrict access through tag-based access control and carefully managed AWS KMS keys.
Ensure proper tag permissions management to maintain robust authorization control. Familiarize yourself with AWS documentation on security controls and compliance resources to effectively safeguard your data.
Automate identification and classification
Data protection - Data classification
Code: SEC07-BP03
Automate data identification and classification to ensure appropriate controls and reduce human error.
Utilize tools like Amazon Macie, which leverages machine learning to automatically discover, classify, and protect sensitive data in AWS, recognizing elements like PII and intellectual property. This provides visibility through dashboards and alerts on data access and movement.
Additionally, use Amazon S3 Inventory to audit and report on the replication and encryption status of objects.
Define data lifecycle management
Data protection - Data classification
Code: SEC07-BP04
Develop a lifecycle strategy for data based on its sensitivity and legal or organizational requirements, considering factors like retention duration, destruction processes, and access management.
Strive for a balance between usability and security across different access levels, employing a defense-in-depth approach to limit direct human interaction with data.
For instance, utilize strong user authentication for applications and delegate necessary permissions to these applications rather than individual users.
Ensure trusted network paths and controlled access to decryption keys, and use tools like dashboards and automated reports for indirect data access, rather than direct exposure.
Implement secure key management
Data protection - Protecting data at rest
Code: SEC08-BP01
Implement secure key management for your workload using AWS Key Management Service (AWS KMS) for durable, secure storage of keys. This involves creating a scalable, automated key management system that enforces least privilege access, monitors key usage, and automates key rotation without human access to key material.
Ensure tight control over key access through key policies and IAM policies, and monitor key usage, especially key destruction events, via AWS CloudTrail.
Choose between AWS managed and customer managed keys based on your requirements, and use envelope encryption when your applications call AWS KMS directly.
Regularly review AWS KMS integrations with your services and enable IAM Access Analyzer and Security Hub for policy oversight and notifications.
Enforce encryption at rest
Data protection - Protecting data at rest
Code: SEC08-BP02
Enforce encryption for all data at rest to protect sensitive information and maintain data confidentiality, using AWS Key Management Service (AWS KMS) for integration and management. Set default encryption in services like Amazon S3 and Amazon EBS, and tailor AWS KMS keys to data classifications to avoid overly permissive access.
Utilize customer managed keys (CMKs) for sensitive data requiring detailed access management, and employ AWS Config Rules for automatic encryption checks.
For client-side encryption, consider AWS CloudHSM for managing cryptographic keys and the AWS Encryption SDK for envelope encryption.
Regularly review and configure encryption settings across all AWS services used in your workload.
Automate data at rest protection
Data protection - Protecting data at rest
Code: SEC08-BP03
Automate the enforcement and verification of data at rest encryption across your AWS environment using tools like AWS Config Rules and AWS Security Hub to ensure all storage resources, including EBS volumes and Amazon S3 buckets, are encrypted.
Utilize AWS KMS for seamless integration with AWS services, setting default encryption on resources like Amazon S3 buckets and Amazon EC2, to mitigate the risk of unauthorized data access and maintain constant compliance.
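The tag-based controls of SEC07-BP02, the customer managed key requirement of SEC08-BP02 and the automated checks of SEC08-BP03 come together in a custom AWS Config rule. The following is an added example, not code from the article or from AWS: it has the shape of a custom Config rule evaluator, takes configuration items constructed here in the layout AWS Config reports for EBS volumes and S3 buckets, and returns COMPLIANT or NON_COMPLIANT evaluations. The tag key, the classification levels, the key ARNs and the resource names are assumptions.

```python
from typing import Dict, List, Optional, Tuple

CLASSIFICATION_TAG = "DataClassification"        # assumed tag key
# Assumed policy: these levels must use one of the approved customer managed
# KMS keys, not SSE-S3 or the AWS managed default key.
STRICT_LEVELS = {"Confidential", "Restricted"}
APPROVED_CMK_ARNS = {   # constructed placeholder ARN
    "arn:aws:kms:eu-west-1:111122223333:key/00000000-0000-4000-8000-000000000001",
}


def _encryption_of(item: Dict) -> Tuple[Optional[bool], Optional[str]]:
    """Return (encrypted, kms_key_arn); encrypted is None for unsupported types."""
    cfg = item.get("configuration", {})
    if item["resourceType"] == "AWS::EC2::Volume":
        return bool(cfg.get("encrypted")), cfg.get("kmsKeyId")
    if item["resourceType"] == "AWS::S3::Bucket":
        # Bucket default encryption is reported under supplementaryConfiguration.
        rules = (item.get("supplementaryConfiguration", {})
                 .get("ServerSideEncryptionConfiguration", {})
                 .get("rules", []))
        if not rules:
            return False, None
        sse = rules[0].get("applyServerSideEncryptionByDefault", {})
        return bool(sse.get("sseAlgorithm")), sse.get("kmsMasterKeyID")
    return None, None


def evaluate_item(item: Dict) -> Dict[str, str]:
    """Evaluate one configuration item the way a custom Config rule Lambda would."""
    result = {"resourceType": item["resourceType"], "resourceId": item["resourceId"]}
    encrypted, key_arn = _encryption_of(item)
    if encrypted is None:
        return {**result, "complianceType": "NOT_APPLICABLE", "annotation": ""}
    level = item.get("tags", {}).get(CLASSIFICATION_TAG)
    problems: List[str] = []
    if level is None:
        problems.append(f"missing {CLASSIFICATION_TAG} tag")
    if not encrypted:
        problems.append("not encrypted at rest")
    elif level in STRICT_LEVELS and key_arn not in APPROVED_CMK_ARNS:
        problems.append(f"{level} data requires an approved customer managed KMS key")
    # A deployed rule would hand these evaluations to config.put_evaluations().
    return {**result, "complianceType": "NON_COMPLIANT" if problems else "COMPLIANT",
            "annotation": "; ".join(problems)}


def evaluate_all(items: List[Dict]) -> List[Dict[str, str]]:
    return [evaluate_item(item) for item in items]


# Constructed configuration items in the layout AWS Config delivers.
SAMPLE_ITEMS = [
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0aaa",
     "tags": {CLASSIFICATION_TAG: "Restricted"},
     "configuration": {"encrypted": True, "kmsKeyId": next(iter(APPROVED_CMK_ARNS))}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "internal-reports",
     "tags": {CLASSIFICATION_TAG: "Internal"}, "configuration": {}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "customer-pii",
     "tags": {CLASSIFICATION_TAG: "Restricted"}, "configuration": {},
     "supplementaryConfiguration": {"ServerSideEncryptionConfiguration": {"rules": [
         {"applyServerSideEncryptionByDefault": {"sseAlgorithm": "AES256"}}]}}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0bbb",
     "configuration": {"encrypted": True,
                       "kmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/PLACEHOLDER-AWS-MANAGED"}},
]

if __name__ == "__main__":
    for ev in evaluate_all(SAMPLE_ITEMS):
        print(ev["complianceType"], ev["resourceId"], ev["annotation"])
```

The bucket tagged Restricted fails even though it is encrypted, because SSE-S3 does not give the per-key access control the classification demands.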
Enforce access control
Data protection - Protecting data at rest
Code: SEC08-BP04
Implement strict access control for data at rest by applying isolation, versioning, and the principle of least privilege, and avoid public data access.
Regularly audit and adjust permissions, using tools like AWS CloudTrail and Amazon S3 access logs, to ensure only authorized users have access.
Utilize Amazon S3 Glacier Vault Lock and Object Lock for immutable data storage, segregate data by classification levels across AWS accounts managed by AWS Organizations, and review AWS Key Management Service (AWS KMS) policies and S3 bucket permissions.
Additionally, leverage Amazon S3 versioning and object lock, audit shared resources with AWS Resource Access Manager, and regularly review Amazon EBS and AMI sharing permissions to maintain data integrity and confidentiality.
Use mechanisms to keep people away from data
Data protection - Protecting data at rest
Code: SEC08-BP05
Limit direct user access to sensitive data and systems by using management workflows and tools, like AWS Systems Manager Automation, for tasks such as managing Amazon EC2 instances. Store automation documents securely, ensuring peer review and thorough testing.
Provide business users with dashboards, like Amazon QuickSight, for data interaction instead of direct database access. For environments not utilizing CI/CD pipelines, establish controlled break-glass access mechanisms.
Automate configuration management using tools like AWS Systems Manager and AWS CloudFormation, and avoid reliance on bastion hosts or direct EC2 instance access.
Implement secure key and certificate management
Data protection - Protecting data in transit
Code: SEC09-BP01
Implement secure key and certificate management using Transport Layer Security (TLS) certificates to secure network communications and authenticate identities.
Utilize AWS Certificate Manager and AWS Private Certificate Authority for automated certificate provisioning, deployment, renewal, and management, ensuring private key material remains undisclosed. This approach simplifies certificate management, enhances encryption of data in transit, and improves security and auditability.
Avoid manual certificate processes, inattentive CA hierarchy design, and the use of self-signed certificates for public resources.
AWS services like IoT Core also support specialized PKI certificate management for IoT devices.
For private CA hierarchies, create separate AWS accounts for each CA level, with root CAs issuing certificates to intermediate CAs, which in turn issue to end users or devices.
Enable CloudTrail logs for tracking access and establish an S3 bucket for storing Certificate Revocation Lists (CRLs).
Enforce encryption in transit
Data protection - Protecting data in transit
Code: SEC09-BP02
Enforce encryption in transit for all data, complying with organizational policies and regulatory standards, using secure TLS protocols and cipher suites to ensure data confidentiality across untrusted networks.
Encrypt all network traffic, both to the internet and within your AWS environment, using tools like HTTPS endpoints in AWS services, IPsec VPNs, and AWS Direct Connect.
Avoid outdated SSL/TLS versions and cipher suites, unencrypted HTTP traffic, and self-signed certificates. Implement regular monitoring and updating of X.509 certificates.
Utilize AWS services like security groups, Amazon CloudFront, Application Load Balancers, and AWS Certificate Manager to manage and enforce secure protocols, ensuring encryption aligns with the latest standards and best practices.
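On the client side of a workload the same baseline (no outdated TLS versions or cipher suites, certificates watched for expiry) can be enforced in code. The following is an added example, not code from the article or from AWS, using only the Python standard library: a hardened ssl.SSLContext, a check that no non-forward-secret TLS 1.2 suite is left enabled, and an expiry check over the dictionary that ssl.SSLSocket.getpeercert() returns. The sample certificate dictionary, the demo clock and the 30-day renewal window are constructed.

```python
import ssl
from datetime import datetime, timezone
from typing import List, Optional

RENEWAL_WINDOW_DAYS = 30   # assumed operational threshold for renewal alerts


def hardened_client_context() -> ssl.SSLContext:
    """Build a client context that refuses outdated protocol versions and weak suites."""
    ctx = ssl.create_default_context()            # CA verification and hostname checking on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # rejects SSLv3, TLS 1.0 and TLS 1.1
    ctx.options |= ssl.OP_NO_COMPRESSION          # TLS-level compression is never needed
    # TLS 1.2: forward-secret AEAD suites only. TLS 1.3 suites are AEAD-only
    # by design and are configured by OpenSSL separately from this list.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    return ctx


def non_forward_secret_ciphers(ctx: ssl.SSLContext) -> List[str]:
    """Enabled TLS 1.2 suite names without ephemeral key exchange (should be empty)."""
    return [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] == "TLSv1.2" and "ECDHE" not in c["name"] and "DHE" not in c["name"]]


def days_until_expiry(peercert: dict, now: Optional[datetime] = None) -> int:
    """Whole days left on a certificate, from the 'notAfter' field of getpeercert()."""
    not_after = ssl.cert_time_to_seconds(peercert["notAfter"])
    now = now or datetime.now(timezone.utc)
    return int((not_after - now.timestamp()) // 86400)


def certificate_status(peercert: dict, now: Optional[datetime] = None) -> str:
    """OK, RENEW_SOON or EXPIRED; RENEW_SOON is what the renewal monitoring should alert on."""
    days = days_until_expiry(peercert, now)
    if days < 0:
        return "EXPIRED"
    return "RENEW_SOON" if days <= RENEWAL_WINDOW_DAYS else "OK"


# Constructed stand-in for the dictionary ssl.SSLSocket.getpeercert() returns.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "api.internal.example"),),),
    "notBefore": "Dec 15 12:00:00 2023 GMT",
    "notAfter": "Mar 15 12:00:00 2024 GMT",
}
NOW = datetime(2024, 2, 15, 12, 0, tzinfo=timezone.utc)   # constructed clock for the demo

if __name__ == "__main__":
    ctx = hardened_client_context()
    print("minimum TLS:", ctx.minimum_version.name, "weak suites:", non_forward_secret_ciphers(ctx))
    print(certificate_status(SAMPLE_PEERCERT, NOW), days_until_expiry(SAMPLE_PEERCERT, NOW), "days left")
```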
Automate detection of unintended data access
Data protection - Protecting data in transit
Code: SEC09-BP03
Utilize tools like Amazon GuardDuty, Amazon VPC Flow Logs, and Amazon S3 Access Analyzer to automate the detection of suspicious activities and unauthorized data movements. GuardDuty can identify unusual S3 read activities, while VPC Flow Logs, integrated with Amazon EventBridge, monitor network traffic for unauthorized connections.
Amazon Macie, a managed data security service, employs machine learning to protect sensitive data in AWS, helping to prevent data exfiltration and ensuring data is only accessible to authorized entities. Implementing these tools is essential for maintaining data security and privacy in AWS environments.
Authenticate network communications
Data protection - Protecting data in transit
Code: SEC09-BP04
For secure network communications, use authenticated protocols like TLS or IPsec to ensure the identity of all transmissions. This includes both east-west traffic (among services within a workload) and north-south traffic (between the workload and external consumers).
Implement services like Amazon VPC Lattice and Amazon API Gateway for SigV4-based authentication in east-west traffic. Utilize AWS Private Certificate Authority for issuing X.509 certificates for mutual TLS authentication.
Additionally, consider OAuth 2.0 and OpenID Connect for service-to-service traffic, with AWS services like API Gateway supporting JWT authorizers.
Continuously monitor network traffic for unauthorized access or anomalies using tools like VPC flow logs and VPC Lattice access logs. This multi-layered approach enhances the security of data in transit, validating the identity of communicating parties and guarding against unauthorized access.
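The SigV4-based authentication mentioned above for east-west traffic works by having the caller sign a canonical form of each request with a key derived from its secret, and the receiving service recompute that signature. The following is an added example, not code from the article or from AWS: a standard-library implementation of the SigV4 computation for one HTTP request together with the service-side check (timestamp within a replay window, constant-time comparison, only the headers listed in SignedHeaders recomputed). The credentials, host, region, service name and timestamps are constructed placeholders, not real keys.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Derive the per-day, per-region, per-service key; the long-term secret never signs directly."""
    key = _hmac(("AWS4" + secret).encode(), date)
    for scope_part in (region, service, "aws4_request"):
        key = _hmac(key, scope_part)
    return key

def canonical_request(method, path, query, headers, payload):
    """Canonical form of the request (headers must include host and x-amz-date)."""
    canon_query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                           for k, v in sorted(query.items()))
    lower = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    signed = ";".join(sorted(lower))
    canon_headers = "".join(f"{k}:{lower[k]}\n" for k in sorted(lower))
    return "\n".join([method, quote(path, safe="/-_.~"), canon_query, canon_headers,
                      signed, hashlib.sha256(payload).hexdigest()]), signed

def sign(access_key, secret, region, service, method, path, query, headers, payload):
    """Client side: the Authorization header value for one request."""
    amz_date = {k.lower(): v for k, v in headers.items()}["x-amz-date"]
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    creq, signed = canonical_request(method, path, query, headers, payload)
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope,
                                hashlib.sha256(creq.encode()).hexdigest()])
    sig = hmac.new(signing_key(secret, amz_date[:8], region, service),
                   string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"{ALGORITHM} Credential={access_key}/{scope}, SignedHeaders={signed}, Signature={sig}"

def verify(authorization, secrets, region, service, method, path, query, headers,
           payload, now, max_skew_seconds=900):
    """Service side: reject stale requests, then recompute the signature and compare."""
    if not authorization.startswith(ALGORITHM + " "):
        return False
    try:
        fields = dict(p.strip().split("=", 1)
                      for p in authorization[len(ALGORITHM) + 1:].split(","))
        access_key = fields["Credential"].split("/")[0]
        signed = fields["SignedHeaders"].split(";")
        lower = {k.lower(): v for k, v in headers.items()}
        sent_at = datetime.strptime(lower["x-amz-date"], "%Y%m%dT%H%M%SZ")
    except (KeyError, ValueError):
        return False
    if abs((now - sent_at.replace(tzinfo=timezone.utc)).total_seconds()) > max_skew_seconds:
        return False                                  # outside the replay window
    secret = secrets.get(access_key)                  # look up by access key id
    if secret is None:
        return False
    expected = sign(access_key, secret, region, service, method, path, query,
                    {k: v for k, v in lower.items() if k in signed}, payload)
    return hmac.compare_digest(expected, authorization)  # constant-time comparison

# Constructed placeholders: not real AWS credentials, host or service.
CREDENTIALS = {"AKIAEXAMPLEPLACEHOLDER": "EXAMPLE-SECRET-KEY-PLACEHOLDER-0000"}
REGION, SERVICE = "eu-west-1", "orders"
REQUEST = dict(method="GET", path="/orders", query={"status": "open"},
               headers={"host": "orders.internal.example", "x-amz-date": "20240115T120000Z"},
               payload=b"")
RECEIVED_AT = datetime(2024, 1, 15, 12, 4, tzinfo=timezone.utc)   # service clock

if __name__ == "__main__":
    auth = sign("AKIAEXAMPLEPLACEHOLDER", CREDENTIALS["AKIAEXAMPLEPLACEHOLDER"],
                REGION, SERVICE, **REQUEST)
    print(auth)
    print("accepted:", verify(auth, CREDENTIALS, REGION, SERVICE, **REQUEST, now=RECEIVED_AT))
```

Any change to the signed parts of the request (method, path, query, signed headers or body hash) or a timestamp outside the window makes the service reject it.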
Identify key personnel and external resources
Incident response - Preparation
Code: SEC10-BP01
Establish a robust incident response strategy by identifying key internal and external personnel, resources, and legal entities essential for handling incidents. This includes coordination with legal counsel, leadership, business stakeholders, AWS Support Services, and others. Ensure your team and specialized security teams are well-versed with the services used and have practical training.
Consider involving external AWS security partners for additional expertise and perspectives on potential risks and threats. Maintaining an updated contact list of internal personnel and external partners is crucial for efficient response and recovery.
Develop incident management plans
Incident response - Preparation
Code: SEC10-BP02
Create a comprehensive incident response plan to serve as the foundation for your organization's incident response strategy and program. This plan should include clear processes for responding to security events, regularly updated and tested.
Key elements of the plan include:
- defining roles and responsibilities
- establishing a communication plan with backup methods
- outlining incident response phases and actions
- setting severity and prioritization definitions
Tailor the plan to fit your organization's unique needs and ensure that it aligns with your business outcomes and compliance requirements.
Regularly involve key personnel, including internal teams and external partners, in training and practice sessions to enhance preparedness for actual incidents.
Prepare forensic capabilities
Incident response - Preparation
Code: SEC10-BP03
Develop forensic capabilities in your AWS environment to effectively investigate security events. This involves setting up your AWS account structure for forensics, with a security and a forensics organizational unit (OU).
The security OU should include accounts for log archival and centralized security tools.
The forensics OU can have a single account for multiple regions or separate accounts for each operational region.
Ensure backups and snapshots of key systems and databases are set up for recovery and forensic analysis.
Automate forensic processes to quickly and accurately gather evidence during security incidents, reducing manual errors and time delays. Utilize AWS resources and modify them as needed to fit your specific environment and requirements.
Develop and test security incident response playbooks
Incident response - Preparation
Code: SEC10-BP04
Developing and testing incident response playbooks is essential for effective security management. These playbooks provide structured, step-by-step guidance for responding to various security incidents, reducing the likelihood of human error.
Playbooks should cover anticipated incidents like DoS attacks, ransomware, and credential compromises, as well as responses to specific security alerts like GuardDuty findings.
Each playbook should include an overview, prerequisites, communication and escalation protocols, detailed response steps for each incident response phase (detection, analysis, containment, eradication, recovery), and expected outcomes.
This structured approach ensures a swift and organized response to potential security incidents.
Pre-provision access
Incident response - Preparation
Code: SEC10-BP05
Ensure incident responders have pre-provisioned AWS access for efficient investigation and recovery, avoiding root account use and ad-hoc IAM permission changes.
Use temporary credentials and just-in-time privilege elevation for secure, operational control. Set up dedicated accounts with minimal necessary privileges and strong password policies, enforced by multi-factor authentication.
Regularly audit and revoke additional access post-incident. Utilize AWS Systems Manager Session Manager for secure, audited administrative access, and manage incident response IAM accounts consistently, ensuring their integration with organizational processes.
Pre-deploy tools
Incident response - Preparation
Code: SEC10-BP06
Ensure security teams have pre-deployed tools for efficient incident response, minimizing investigation and recovery time.
Automate identity management, network security, data protection, and monitoring with AWS APIs and tools, reducing manual interventions and alert fatigue. Integrate systems like Amazon GuardDuty, AWS CloudTrail Insights, and CloudWatch for anomaly detection.
Develop a tagging strategy for AWS resources to provide context and enable automation.
Use AWS services for logging, analysis, alert generation, and response support. Regularly review and update tools and strategies to align with evolving security needs and incident response tactics.
Run simulations
Incident response - Preparation
Code: SEC10-BP07
Regularly running simulations (game days) is crucial for assessing and enhancing incident response capabilities in a changing threat landscape. Simulations, mimicking real-world cyber threats, help organizations test and refine their response strategies. Key benefits include verifying readiness, improving tools and workflows, and refining communication and escalation methods.
There are three main types of simulations: tabletop exercises focusing on roles and communication, purple team exercises enhancing collaboration between defenders and simulated attackers, and red team exercises for a realistic defense test.
Regular simulation cycles, varying in complexity, are recommended to continuously improve incident response capabilities and identify areas for improvement.
Establish a framework for learning from incidents
Incident response - Post-incident activity
Code: SEC10-BP08
Implementing a lessons learned framework and root cause analysis is crucial for enhancing incident response capabilities and preventing future incidents. This approach allows you to learn from each incident, avoiding repetition of the same mistakes and misconfigurations, thereby improving security and reducing time lost to preventable issues.
The framework should focus on system and process improvements rather than individual blame. Key aspects include determining when and how lessons learned sessions are held, involving the right people, identifying improvement areas, and ensuring effective implementation and tracking of improvements. Ask targeted questions about the incident, what worked and didn't, and potential improvements in people, processes, and technology.
This approach is not exhaustive but serves as a starting point to continuously improve security posture and should be a standard part of the incident response process.
Train for application security
Application security
Code: SEC11-BP01
Train your builders in secure development practices, starting with threat modeling, to enhance software quality and security. This approach minimizes security issues detected only at the review stage, enabling faster software or feature deployment.
Secure development encompasses both the software creation and the supporting tools of the SDLC. Key outcomes include early awareness of security requirements in the development cycle, quicker identification and fixing of security issues, and improved software quality.
Providing comprehensive training, clear guidelines for security reviews, and self-service information helps builders make informed security decisions.
Use courses on threat modeling, AWS Training and Certification, and practical exercises like game days or bug bashes to reinforce learning. Regularly update and adapt training based on feedback to continually improve the security skills of your development teams.
Automate testing throughout the development and release lifecycle
Application security
Code: SEC11-BP02
Automate security testing throughout your development and release lifecycle to consistently identify potential software issues early. Automated testing, including regression and security unit tests, allows for prompt detection and correction of issues like authentication flaws.
Test automation should cover both functional and non-functional aspects, utilizing methodologies like static application security testing (SAST) for source code analysis and dynamic analysis security testing (DAST) for running applications. Integrate these tests into your CI/CD pipelines, complemented by tools like Amazon CodeWhisperer and CodeGuru Reviewer.
Regular application reviews with the security team and feedback integration into the release readiness review are crucial. Ensure automated test findings are tracked and remediation guidance is provided to improve code quality. Analyze findings regularly for further automation opportunities, training, or campaigns.
Perform regular penetration testing
Application security
Code: SEC11-BP03
Regularly conduct penetration testing on your software to uncover potential issues not detected by automated tests or manual reviews. Penetration tests aim to reveal vulnerabilities, such as unprotected data exposure or unintended permission grants.
Schedule these tests as part of your software development lifecycle (SDLC), ensuring findings are addressed before release. Use the results to enhance automation and provide feedback to developers, improving overall software security.
Avoid common pitfalls like testing only for known security issues or ignoring third-party dependencies. Proper penetration testing boosts confidence in software security, enhances software quality through identified patterns, and creates a feedback loop for earlier detection and improvement in the development cycle.
Implement a structured approach to penetration testing, integrate it at an optimal stage in the development cycle, provide builder training on handling findings, utilize tools for efficiency, and analyze results to inform future testing and training.
Manual code reviews
Application security
Code: SEC11-BP04
Incorporate manual code reviews into your software development process to ensure code quality and facilitate team upskilling. This step, conducted before deployment, involves reviewers other than the code author and can be complemented by automated tools. Key benefits include improved code quality, consistent development practices, fewer issues in later stages, and enhanced team knowledge.
Avoid pitfalls like skipping reviews, self-review, neglecting automation, or not training reviewers in security.
Implement code review as an essential part of your development flow, using tools like Amazon CodeGuru Reviewer to manage the process.
Ensure a review approval is required before code advances, and use the reviews to identify areas where automation can detect issues more efficiently.
Centralize services for packages and dependencies
Application security
Code: SEC11-BP05
Centralize the sourcing of software packages and dependencies for your development teams to enhance security and control. This strategy enables the pre-validation of packages, thus reducing the risk of incorporating problematic software.
Key benefits include a clearer understanding of package usage, the ability to promptly inform teams about necessary updates, and minimized risk of incorporating insecure packages.
Avoid pitfalls like indiscriminately using internet-sourced packages or failing to pre-test packages. Use AWS CodeArtifact or similar solutions to create an accessible, centralized repository, ensuring it integrates into your AWS account setup. Implement automated testing for new packages, track usage metrics, and establish an efficient system for updating and requesting new packages. Regularly scan repository packages to identify and address vulnerabilities.
Deploy software programmatically
Application security
Code: SEC11-BP06
Opt for programmatic software deployments to minimize human error and ensure consistent, reliable deployments.
This method enhances confidence in the release process, reduces the risk of deployment failures, and allows for faster release cycles with automatic rollback for unexpected deployment issues. Ensure your software functions uniformly across different environments by externalizing configuration data, following twelve-factor application principles.
Cryptographically signing your software packages further ensures integrity from testing to deployment. Key actions include building robust CI/CD pipelines using tools like AWS CodeBuild and AWS CodePipeline, separating environments as per AWS best practices, eliminating persistent human access to production environments, and adopting blue/green deployment models with canary testing.
Utilize AWS Signer or AWS Key Management Service (AWS KMS) for package signing and verification.
Regularly assess security properties of the pipelines
Application security
Code: SEC11-BP07
Incorporate the Well-Architected Security Pillar principles into your CI/CD pipelines, focusing on permission separation and regular security assessments. Ensure that builders cannot modify the pipeline's tests, and keep deployment permissions minimal so that a pipeline cannot deploy to the wrong environment.
Avoid long-term credentials, configure pipelines to emit their state so that the integrity of the build environment can be validated, and regularly review pipeline permissions.
Benefits include heightened software integrity and the ability to halt deployments during suspicious activities. Use managed CI/CD services with IAM roles to reduce credential leakage risks.
Start with AWS's Deployment Pipelines Reference Architecture, use AWS IAM Access Analyzer for least privilege policies, and integrate monitoring and alerting with services like Amazon EventBridge for timely anomaly detection.
Build a program that embeds security ownership in workload teams
Application security
Code: SEC11-BP08
Develop a program that encourages builder teams to take ownership of security decisions in their software development, with security teams validating these decisions later. This approach can be achieved by either training builders in security or having security professionals work closely with builder teams.
Starting with a focus on application security training and threat modeling, this initiative should be piloted with a few teams first, ensuring leadership support.
Key benefits include faster security reviews, fewer security issues at later stages, better software quality, identification of systemic improvement areas, and enhanced perception of the security function. Track metrics like participant numbers, review duration, and feedback to refine the program.
Choose a program name like Guardians, Champions, or Advocates, and decide on the operational model—training builders or integrating security experts within teams.