The security pillar describes how to take advantage of AWS products, services and best practices to protect systems and assure the availability, integrity and confidentiality of data.
Design Principles
- Implement a strong identity foundation: enforce least privilege and separation of duties
- Enable traceability: Monitor, alert, and audit actions and changes
- Apply security at all layers: a defence-in-depth approach with multiple security controls
- Automate security best practices: implement security controls as code in version-controlled templates
- Protect data in transit and at rest: classify your data and use encryption, tokenization, and access controls
- Keep people away from data: reduce or eliminate direct access
- Prepare for security events: create an incident management and investigation policy and processes, and run incident response simulations
Best Practices
- Identify and prioritize risks using a threat model:
- Identify and validate control objectives:
- Keep up to date with security threats:
- Keep up to date with security recommendations:
- Evaluate and implement new security services and features regularly:
- Automate testing and validation of security controls in pipelines:
Services
- AWS Identity & Access Management (IAM)
- AWS Artifact
- AWS Audit Manager
- Amazon Cognito
- Amazon Detective
- AWS Directory Service
- AWS Firewall Manager
- Amazon Cloud Directory
- Amazon GuardDuty
- Amazon Inspector
- Amazon Macie
- AWS Network Firewall
- AWS Resource Access Manager (AWS RAM)
- AWS Resource Groups
- AWS Secrets Manager
- AWS Security Hub
- AWS Shield
- AWS Single Sign-On
- Tag Editor
- AWS WAF
- AWS Cryptographic Services Overview
- AWS PKI Services Overview
- AWS CloudHSM
- AWS Key Management Service (AWS KMS)
- AWS Crypto Tools
- AWS Certificate Manager
- AWS Certificate Manager Private Certificate Authority
- AWS Signer