SEC 1: How do you securely operate your workload?

To operate your workload securely, you must apply overarching best practices to every area of security. Take requirements and processes that you have defined in operational excellence at an organizational and workload level, and apply them to all areas. Staying up to date with AWS and industry recommendations and threat intelligence helps you evolve your threat model and control objectives. Automating security processes, testing, and validation allow you to scale your security operations.

Resources

Security Best Practices the Well-Architected Way
Managing Multi-Account AWS Environments Using AWS Organizations
Enable AWS adoption at scale with automation and governance
AWS Security Hub: Manage Security Alerts and Automate Compliance
Using AWS Control Tower to Govern Multi-Account AWS Environments
IAM Best Practices
Getting started with AWS Organizations
AWS Control Tower
Security Bulletins
AWS Security Audit Guidelines
How to use service control policies to set permission guardrails across accounts in your AWS Organization

Best Practices:

• Separate workloads using accounts: Organize workloads in separate accounts and group accounts based on function or a common set of controls rather than mirroring your company’s reporting structure. Start with security and infrastructure in mind to enable your organization to set common guardrails as your workloads grow.

• Secure AWS account: Secure access to your accounts, for example by enabling MFA and restrict use of the root user, and configure account contacts.

• Identify and validate control objectives: Based on your compliance requirements and risks identified from your threat model, derive and validate the control objectives and controls that you need to apply to your workload. Ongoing validation of control objectives and controls help you measure the effectiveness of risk mitigation.

• Keep up to date with security threats: Recognize attack vectors by staying up to date with the latest security threats to help you define and implement appropriate controls.

• Keep up to date with security recommendations: Stay up to date with both AWS and industry security recommendations to evolve the security posture of your workload.

• Automate testing and validation of security controls in pipelines: Establish secure baselines and templates for security mechanisms that are tested and validated as part of your build, pipelines, and processes. Use tools and automation to test and validate all security controls continuously. For example, scan items such as machine images and infrastructure as code templates for security vulnerabilities, irregularities, and drift from an established baseline at each stage.

• Identify and prioritize risks using a threat model: Use a threat model to identify and maintain an up-to-date register of potential threats. Prioritize your threats and adapt your security controls to prevent, detect, and respond. Revisit and maintain this in the context of the evolving security landscape.

• Evaluate and implement new security services and features regularly: AWS and APN Partners constantly release new features and services that allow you to evolve the security posture of your workload.

Improvement Plan

Separate workloads using accounts

Use AWS Organizations: Use AWS Organizations to centrally enforce policy-based management for multiple AWS accounts.
Getting started with AWS Organizations
How to use service control policies to set permission guardrails across accounts in your AWS Organization

Consider AWS Control Tower: AWS Control Tower provides an easy way to set up and govern a new, secure, multi-account AWS environment based on best practices.
AWS Control Tower

Secure AWS account

Use AWS Organizations: Use AWS Organizations to centrally enforce policy-based management for multiple AWS accounts.
Getting started with AWS Organizations
How to use service control policies to set permission guardrails across accounts in your AWS Organization

Limit use of the AWS root user: Only use the root user to perform tasks that specifically require it.
AWS Tasks That Require AWS Account Root User Credentials

Enable MFA for the root user: Enable MFA on the AWS account root user, if AWS Organizations is not managing root users for you.
Lab: AWS account and root user
Root user

Periodically change the root user password: Changing the root user password reduces the risk that a saved password can be used. Especially important if you are not using AWS Organizations and anyone has physical access.
Changing the AWS account root user password

Enable notification when the AWS account root user is used: Being notified automatically reduces risk.
How to receive notifications when your AWS account's root access keys are used

Restrict access to newly added Regions.: For new AWS Regions, IAM resources, such as users and roles, will only be propagated to the Regions that you enable.
Setting permissions to enable accounts for upcoming AWS Regions

Consider CloudFormation StackSets: CloudFormation StackSets can be used to deploy resources including IAM policies, roles, and groups into different AWS accounts and Regions from an approved template.
Use CloudFormation StackSets

Identify and validate control objectives

Identify compliance requirements: Discover the organizational, legal, and compliance requirements that your workload must comply with.

Identify AWS compliance resources: Identify resources that AWS has available to assist you with compliance.
https://aws.amazon.com/compliance/
https://aws.amazon.com/artifact/

Keep up to date with security threats

Subscribe to threat intelligence sources: Regularly review threat intelligence information from multiple sources that are relevant to the technologies used in your workload.
Common Vulnerabilities and Exposures List

Consider AWS Shield Advanced service: It provides near real-time visibility into intelligence sources, if your workload is internet accessible.
AWS Shield

Keep up to date with security recommendations

Follow AWS updates: Subscribe or regularly check for new recommendations, tips and tricks.
AWS Well-Architected Labs
AWS security blog
AWS service documentation

Subscribe to industry news: Regularly review news feeds from multiple sources that are relevant to the technologies that are used in your workload.
Example: Common Vulnerabilities and Exposures List

Automate testing and validation of security controls in pipelines

Automate configuration management: Enforce and validate secure configurations automatically by using a configuration management service or tool.
AWS Systems Manager
AWS CloudFormation
Set Up a CI/CD Pipeline on AWS

Identify and prioritize risks using a threat model

Create a threat model: A threat model can help you identify and address potential security threats.
NIST: Guide to Data-Centric System Threat Modeling

Evaluate and implement new security services and features regularly

Plan regular reviews: Create a calendar of review activities that includes compliance requirements, evaluation of new AWS security features and services, and staying up to date with industry news.

Discover AWS services and features: Discover the security features that are available for the services that you are using, and review new features as they are released.
AWS security blog
AWS security bulletins
AWS service documentation

Define AWS service on-boarding process: Define processes for on-boarding of new AWS services. Include how you evaluate new AWS services for functionality, and the compliance requirements for your workload.

Test new services and features: Test new services and features as they are released in a non-production environment that closely replicates your production one.

Implement other defense mechanisms: Implement automated mechanisms to defend your workload, explore the options available.
Remediating non-compliant AWS resources by AWS Config Rules