This content is outdated. This version of the Well-Architected Framework is now found at: https://docs.aws.amazon.com/en_us/wellarchitected/2022-03-31/framework/security.html

SEC 6: How do you protect your compute resources?

Compute resources in your workload require multiple layers of defense to help protect from external and internal threats. Compute resources include EC2 instances, containers, AWS Lambda functions, database services, IoT devices, and more.

Resources

Securing Serverless and Container Services
Running high-security workloads on Amazon EKS
Security best practices for the Amazon EC2 instance metadata service
AWS Systems Manager
Replacing a Bastion Host with Amazon EC2 Systems Manager
Security Overview of AWS Lambda
Lab: Automated Deployment of Web Application Firewall

Best Practices:

Improvement Plan

Perform vulnerability management

  • Configure Amazon Inspector: Amazon Inspector tests the network accessibility of your Amazon EC2 instances and the security state of the applications that run on those instances. Amazon Inspector assesses applications for exposure, vulnerabilities, and deviations from best practices.
    What is Amazon Inspector?
  • Scan source code: Scan libraries and dependencies for vulnerabilities.
    Amazon CodeGuru
    OWASP: Source Code Analysis Tools

Reduce attack surface

  • Harden operating system: Configure operating systems to meet best practices.
    Securing Amazon Linux
    Securing Microsoft Windows Server
  • Harden containerized resources: Configure containerized resources to meet security best practices.
  • AWS Lambda best practices: Implement the AWS Lambda best practices.
    AWS Lambda best practices

Implement managed services

  • Explore available services: Explore, test, and implement services that manage resources, such as Amazon RDS, AWS Lambda, and Amazon ECS.
    AWS Home

Automate compute protection

  • Automate configuration management: Enforce and validate secure configurations automatically by using a configuration management service or tool.
    AWS Systems Manager
    AWS CloudFormation
    Lab: Automated deployment of VPC
    Lab: Automated deployment of EC2 web application
  • Automate patching of EC2 instances: AWS Systems Manager Patch Manager automates the process of patching managed instances with both security-related and other types of updates. You can use Patch Manager to apply patches for both operating systems and applications.
    AWS Systems Manager Patch Manager
    Centralized multi-account and multi-region patching with AWS Systems Manager Automation
  • Implement intrusion detection and prevention: Implement an intrusion detection and prevention tool to monitor and stop malicious activity on instances.
  • Consider APN Partner solutions: APN Partners offer hundreds of industry-leading products that are equivalent to, identical to, or integrate with existing controls in your on-premises environments. These products complement the existing AWS services to enable you to deploy a comprehensive security architecture and a more seamless experience across your cloud and on-premises environments.
    Infrastructure security

Enable people to perform actions at a distance

  • Replace console access: Replace console access (SSH or RDP) to instances with AWS Systems Manager Run Command to automate management tasks.
    AWS Systems Manager Run Command
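Once console access has been replaced with Run Command, the matching control is to confirm that no security group still admits SSH or RDP from the internet. The check below is an added example (not AWS's code or part of the framework): it walks JSON in the shape of `aws ec2 describe-security-groups` output, and the group IDs and rules in the sample are constructed.

```python
import json

# Ports whose exposure signals console-style access that Run Command replaces.
CONSOLE_PORTS = {22: "SSH", 3389: "RDP"}
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}


def _public_sources(perm):
    """Public IPv4/IPv6 CIDRs referenced by one IpPermissions entry."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return sorted(c for c in cidrs if c in PUBLIC_CIDRS)


def _covers(perm, port):
    """True if the rule admits TCP traffic to `port` (incl. all-traffic rules)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" is the API's all-protocols/all-ports rule
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def find_exposed_console_access(groups):
    """Return (GroupId, service, port, public CIDR) for each exposure found."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            public = _public_sources(perm)
            for port, name in CONSOLE_PORTS.items():
                if public and _covers(perm, port):
                    findings.extend((sg["GroupId"], name, port, c) for c in public)
    return findings


# Constructed sample in describe-security-groups shape; not real account data.
SAMPLE = json.loads("""{"SecurityGroups": [
 {"GroupId": "sg-0aaa", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
   "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-0bbb", "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [],
   "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
 {"GroupId": "sg-0ccc", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389,
   "ToPort": 3389, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]}]}""")

if __name__ == "__main__":
    for gid, name, port, cidr in find_exposed_console_access(SAMPLE["SecurityGroups"]):
        print(f"{gid} allows {name} (tcp/{port}) from {cidr}")
```

Note that an all-traffic rule (`IpProtocol` of `-1`) exposes both ports even though no port numbers appear in it, and a rule scoped to a private range such as 10.0.0.0/8 is not reported.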

Validate software integrity

  • Investigate mechanisms: Code signing is one mechanism that can be used to validate software integrity.
    NIST: Security Considerations for Code Signing