This content is outdated. This version of the Well-Architected Framework is now found at: https://docs.aws.amazon.com/en_us/wellarchitected/2022-03-31/framework/security.html

SEC 1: How do you securely operate your workload?

To operate your workload securely, you must apply overarching best practices to every area of security. Take the requirements and processes that you have defined in operational excellence at an organizational and workload level, and apply them to all areas. Staying up to date with AWS and industry recommendations and threat intelligence helps you evolve your threat model and control objectives. Automating security processes, testing, and validation allows you to scale your security operations.

Resources

Security Best Practices the Well-Architected Way
Managing Multi-Account AWS Environments Using AWS Organizations
Enable AWS adoption at scale with automation and governance
AWS Security Hub: Manage Security Alerts and Automate Compliance
Using AWS Control Tower to Govern Multi-Account AWS Environments
IAM Best Practices
Getting started with AWS Organizations
AWS Control Tower
Security Bulletins
AWS Security Audit Guidelines
How to use service control policies to set permission guardrails across accounts in your AWS Organization

Best Practices:

  • Separate workloads using accounts
  • Secure AWS account
  • Identify and validate control objectives
  • Keep up to date with security threats
  • Keep up to date with security recommendations
  • Automate testing and validation of security controls in pipelines
  • Identify and prioritize risks using a threat model
  • Evaluate and implement new security services and features regularly

Improvement Plan

Separate workloads using accounts

  • Use AWS Organizations: Use AWS Organizations to centrally enforce policy-based management for multiple AWS accounts.
    Getting started with AWS Organizations
    How to use service control policies to set permission guardrails across accounts in your AWS Organization
  • Consider AWS Control Tower: AWS Control Tower provides an easy way to set up and govern a new, secure, multi-account AWS environment based on best practices.
    AWS Control Tower
Secure AWS account

  • Use AWS Organizations: Use AWS Organizations to centrally enforce policy-based management for multiple AWS accounts.
    Getting started with AWS Organizations
    How to use service control policies to set permission guardrails across accounts in your AWS Organization
  • Limit use of the AWS root user: Only use the root user to perform tasks that specifically require it.
    AWS Tasks That Require AWS Account Root User Credentials
  • Enable MFA for the root user: Enable MFA on the AWS account root user, if AWS Organizations is not managing root users for you.
    Lab: AWS account and root user
    Root user
  • Periodically change the root user password: Changing the root user password reduces the risk that a saved password can be used. This is especially important if you are not using AWS Organizations and anyone has physical access.
    Changing the AWS account root user password
  • Enable notification when the AWS account root user is used: Being notified automatically reduces risk.
    How to receive notifications when your AWS account's root access keys are used
  • Restrict access to newly added Regions: For new AWS Regions, IAM resources, such as users and roles, are only propagated to the Regions that you enable.
    Setting permissions to enable accounts for upcoming AWS Regions
  • Consider CloudFormation StackSets: CloudFormation StackSets can be used to deploy resources including IAM policies, roles, and groups into different AWS accounts and Regions from an approved template.
    Use CloudFormation StackSets
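The service control policy guardrail referenced under "Use AWS Organizations" and the Region restriction item above are easiest to reason about with a concrete policy. The following is an added example, not code from the Well-Architected page or from AWS: a constructed SCP that denies regional API calls outside an allow-list of Regions via the `aws:RequestedRegion` condition key, plus a small evaluator that models only the policy semantics this guardrail uses (Effect=Deny, Action/NotAction wildcards, StringNotEquals). The allowed Regions and the global-service exemptions are illustrative assumptions, not AWS's complete list.

```python
import fnmatch
import json

# Constructed values (assumptions for this example, not an AWS reference list).
ALLOWED_REGIONS = ["eu-west-1", "eu-central-1"]
# Global services report aws:RequestedRegion as us-east-1, so they must be
# exempted or the guardrail would break IAM, STS and Organizations itself.
GLOBAL_SERVICE_EXEMPTIONS = ["iam:*", "organizations:*", "sts:*", "support:*",
                             "cloudfront:*", "route53:*", "ec2:DescribeRegions"]

REGION_GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyOutsideApprovedRegions",
        "Effect": "Deny",
        "NotAction": GLOBAL_SERVICE_EXEMPTIONS,
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}
        },
    }],
}


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action matching is case-insensitive and supports '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scp_denies(scp: dict, action: str, requested_region: str) -> bool:
    """True if a Deny statement in the SCP blocks this (action, Region) pair.

    SCPs never grant access: when no statement denies, the decision is left
    to the IAM policies inside the member account.
    """
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt:
            applies = any(_action_matches(p, action) for p in stmt["Action"])
        else:  # NotAction: statement applies to everything NOT listed
            applies = not any(_action_matches(p, action) for p in stmt["NotAction"])
        if not applies:
            continue
        allowed = stmt.get("Condition", {}).get("StringNotEquals", {}) \
                      .get("aws:RequestedRegion", [])
        if allowed and requested_region in allowed:
            continue  # condition not satisfied, so the Deny does not fire
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(REGION_GUARDRAIL_SCP, indent=2))
    print(scp_denies(REGION_GUARDRAIL_SCP, "ec2:RunInstances", "us-east-1"))
```

Attach a policy like this to an organizational unit rather than to the management account, and test it in a sandbox OU first, since a Deny SCP applies to every principal in the affected accounts including administrators.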
Identify and validate control objectives

  • Identify compliance requirements: Discover the organizational, legal, and compliance requirements that your workload must comply with.
  • Identify AWS compliance resources: Identify resources that AWS has available to assist you with compliance.
    https://aws.amazon.com/compliance/
    https://aws.amazon.com/artifact/
Keep up to date with security threats

  • Subscribe to threat intelligence sources: Regularly review threat intelligence information from multiple sources that are relevant to the technologies used in your workload.
    Common Vulnerabilities and Exposures List
  • Consider AWS Shield Advanced: If your workload is internet accessible, AWS Shield Advanced provides near real-time visibility into threat intelligence sources.
    AWS Shield
Keep up to date with security recommendations

  • Follow AWS updates: Subscribe or regularly check for new recommendations, tips and tricks.
    AWS Well-Architected Labs
    AWS security blog
    AWS service documentation
  • Subscribe to industry news: Regularly review news feeds from multiple sources that are relevant to the technologies that are used in your workload.
    Example: Common Vulnerabilities and Exposures List
Automate testing and validation of security controls in pipelines

  • Automate configuration management: Enforce and validate secure configurations automatically by using a configuration management service or tool.
    AWS Systems Manager
    AWS CloudFormation
    Set Up a CI/CD Pipeline on AWS
Identify and prioritize risks using a threat model

  • Create a threat model: A threat model can help you identify and address potential security threats.
    NIST: Guide to Data-Centric System Threat Modeling
Evaluate and implement new security services and features regularly

  • Plan regular reviews: Create a calendar of review activities that includes compliance requirements, evaluation of new AWS security features and services, and staying up to date with industry news.
  • Discover AWS services and features: Discover the security features that are available for the services that you are using, and review new features as they are released.
    AWS security blog
    AWS security bulletins
    AWS service documentation
  • Define AWS service on-boarding process: Define processes for on-boarding of new AWS services. Include how you evaluate new AWS services for functionality, and the compliance requirements for your workload.
  • Test new services and features: Test new services and features as they are released in a non-production environment that closely replicates your production one.
  • Implement other defense mechanisms: Implement automated mechanisms to defend your workload, and explore the options available.
    Remediating non-compliant AWS resources by AWS Config Rules
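The "Enable notification when the AWS account root user is used" item under Secure AWS account and the "Implement other defense mechanisms" item above both come down to automated detection over CloudTrail. The following is an added example, not code from the Well-Architected page or from AWS: an EventBridge-style selection for root-user sign-ins and API calls, the same selection as a Python function, and an alert builder run over constructed CloudTrail records (the account ID, addresses and event names are made up for the example).

```python
# Constructed CloudTrail records, shaped as EventBridge delivers them: the
# CloudTrail record sits under "detail". Not real log data.
SAMPLE_EVENTS = [
    {"detail-type": "AWS Console Sign In via CloudTrail",
     "detail": {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
                "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
                "sourceIPAddress": "203.0.113.10"}},
    {"detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventName": "CreateUser", "eventType": "AwsApiCall",
                "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
                "sourceIPAddress": "203.0.113.11"}},
    {"detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventName": "CreateAccessKey", "eventType": "AwsApiCall",
                "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
                "sourceIPAddress": "203.0.113.12"}},
    {"detail-type": "AWS Service Event via CloudTrail",
     "detail": {"eventName": "RotateSecret", "eventType": "AwsServiceEvent",
                "userIdentity": {"type": "Root", "invokedBy": "secretsmanager.amazonaws.com"}}},
]

# Event pattern for an EventBridge rule that forwards root activity to an SNS
# topic. Each value is a list of acceptable matches. Illustrative assumption:
# only sign-ins and API calls are selected, not service-generated events.
ROOT_ACTIVITY_PATTERN = {
    "detail-type": ["AWS Console Sign In via CloudTrail", "AWS API Call via CloudTrail"],
    "detail": {"userIdentity": {"type": ["Root"]}},
}


def is_root_user_activity(event: dict) -> bool:
    """True for direct use of root credentials; False for IAM principals and
    for records an AWS service emitted on the account's behalf (invokedBy)."""
    if event.get("detail-type") not in ROOT_ACTIVITY_PATTERN["detail-type"]:
        return False
    identity = event.get("detail", {}).get("userIdentity", {})
    return identity.get("type") == "Root" and "invokedBy" not in identity


def root_activity_alerts(events: list) -> list:
    """One alert line per root-user event, ready to hand to a notification target."""
    alerts = []
    for ev in events:
        if is_root_user_activity(ev):
            d = ev["detail"]
            alerts.append(f"ROOT USER ACTIVITY: {d['eventName']} "
                          f"from {d.get('sourceIPAddress', 'unknown')}")
    return alerts


if __name__ == "__main__":
    for line in root_activity_alerts(SAMPLE_EVENTS):
        print(line)
```

Because the notification exists to catch use of credentials that should almost never be exercised, any alert it produces that does not correspond to a scheduled root task is worth treating as an incident rather than noise.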