Security
The job of the security pillar is to help you protect the assets, systems, and information you place in AWS. It also guides your risk assessments and the mitigation practices you build around them.
This pillar consists of the following important design principles:
Use strong identity practices in your architecture: AWS provides tools that make this straightforward. With AWS Identity and Access Management (IAM) you define users, groups, and roles and attach policies that grant only the permissions each identity needs for its task, which is how least privilege is put into practice; a person or workload then assumes the role that carries just those permissions instead of holding standing administrator rights. IAM also centralizes the identities that interact with AWS, and centralizing identities (and protecting them with multi-factor authentication rather than long-lived access keys) is another strong identity practice.
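As an added example that is not from the original page, here is a small Python check in the spirit of the principle above: it lints IAM policy documents for the patterns that defeat least privilege (wildcard actions, wildcard resources, Allow combined with NotAction, and permission-changing actions granted on any resource). The two policies, the bucket name example-app-data, and the list of sensitive actions are constructed assumptions for illustration.

```python
import json

# Constructed example policies (not from the original page). BROAD_POLICY is the
# "just make it work" style that often ends up attached to a user; SCOPED_POLICY
# is the least-privilege equivalent for a workload that only reads one bucket.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "sts:AssumeRole"],
         "Resource": "*"},
        {"Effect": "Allow", "NotAction": "organizations:*", "Resource": "*"},
    ],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-app-data/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-app-data"},
    ],
}

# Actions that let the holder change who can do what. Granting any of these on
# Resource "*" is a well-known privilege-escalation path, so they are flagged
# even though they are not wildcards. The list is illustrative, not exhaustive.
SENSITIVE_ACTIONS = {
    "iam:PassRole", "iam:CreatePolicyVersion", "iam:AttachUserPolicy",
    "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutRolePolicy",
    "iam:CreateAccessKey", "iam:UpdateAssumeRolePolicy", "sts:AssumeRole",
}


def _as_list(value):
    """Action and Resource may be a single string or a list in IAM JSON."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard(action):
    return action == "*" or action.endswith(":*")


def _is_read_only(action):
    """Cheap heuristic: Get*/List*/Describe* operations, many of which do not
    support resource-level permissions and legitimately need Resource "*"."""
    operation = action.split(":", 1)[1] if ":" in action else action
    return operation.startswith(("Get", "List", "Describe"))


def lint_policy(policy):
    """Return (statement_index, finding, detail) tuples for every Allow
    statement that is broader than least privilege."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        # Allow + NotAction grants everything except the listed actions.
        if "NotAction" in stmt:
            findings.append((idx, "allow-with-notaction", stmt["NotAction"]))

        for action in actions:
            if _is_wildcard(action):
                findings.append((idx, "wildcard-action", action))
            elif action in SENSITIVE_ACTIONS and "*" in resources:
                findings.append((idx, "sensitive-action-on-any-resource", action))

        # A NotAction statement has no Action list, so it is never read-only.
        read_only = bool(actions) and all(_is_read_only(a) for a in actions)
        if "*" in resources and not read_only:
            findings.append((idx, "wildcard-resource", "*"))
    return findings


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, json.dumps(lint_policy(policy), indent=2))
```

Run this against the policy documents you attach to roles before they are deployed; the scoped policy passes clean, while the broad one produces a finding for every shortcut. The read-only exception is deliberately a heuristic: the real source of truth is the service's own list of actions that support resource-level permissions.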
Ensure full traceability in all operations: Continuously monitor, alert on, and audit actions and changes in your environment as they occur. AWS provides the tools to accomplish this: AWS CloudTrail records the API calls and console sign-ins made against your account, and Amazon CloudWatch collects logs and metrics and raises alarms on them, so the two together give you monitoring, alerting, and an audit trail. As part of this design principle, build log and metric collection into your systems from the start so that investigation and response can be automated, and protect the trail itself, because an attacker who can stop logging can hide everything that follows.
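The following Python example is added here and is not code from the original page: it runs a few detection rules over CloudTrail records of the kind CloudTrail delivers to S3 or CloudWatch Logs, and groups the resulting alerts by source IP so that related events surface together. The records, the account ID 123456789012, the user names, and the IP addresses are constructed sample data; the field names follow the CloudTrail record format.

```python
from collections import defaultdict

# Constructed CloudTrail records (sample data, not real logs), trimmed to the
# fields the rules below inspect. Account, user names and IPs are made up.
ACCOUNT = "123456789012"
SAMPLE_RECORDS = [
    {   # root user signs in to the console without MFA
        "eventTime": "2024-05-01T10:02:11Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root", "arn": f"arn:aws:iam::{ACCOUNT}:root"},
        "sourceIPAddress": "203.0.113.10",
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # the trail is switched off
        "eventTime": "2024-05-01T10:05:40Z",
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
        "sourceIPAddress": "203.0.113.10",
    },
    {   # alice mints an access key for a different (service) user
        "eventTime": "2024-05-01T10:06:02Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"userName": "svc-backup"},
    },
    {   # an IAM user signing in with MFA: expected, no alert
        "eventTime": "2024-05-01T10:09:00Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": "bob",
                         "arn": f"arn:aws:iam::{ACCOUNT}:user/bob"},
        "sourceIPAddress": "198.51.100.4",
        "additionalEventData": {"MFAUsed": "Yes"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
]

TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def _root_activity(r):
    return r["userIdentity"].get("type") == "Root"


def _login_without_mfa(r):
    return (r["eventName"] == "ConsoleLogin"
            and r.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and r.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def _trail_tampering(r):
    return (r["eventSource"] == "cloudtrail.amazonaws.com"
            and r["eventName"] in TRAIL_TAMPERING)


def _key_for_other_user(r):
    if r["eventName"] != "CreateAccessKey":
        return False
    target = r.get("requestParameters", {}).get("userName")
    return target is not None and target != r["userIdentity"].get("userName")


# (rule name, severity, predicate); order determines alert order per record.
RULES = [
    ("root-account-activity", "high", _root_activity),
    ("console-login-without-mfa", "high", _login_without_mfa),
    ("cloudtrail-tampering", "critical", _trail_tampering),
    ("access-key-created-for-other-user", "medium", _key_for_other_user),
]


def detect(records):
    """Run every rule over every record; return one alert per match."""
    alerts = []
    for r in records:
        for name, severity, matches in RULES:
            if matches(r):
                alerts.append({"rule": name, "severity": severity,
                               "eventTime": r["eventTime"], "eventName": r["eventName"],
                               "actor": r["userIdentity"].get("arn"),
                               "sourceIP": r["sourceIPAddress"]})
    return alerts


def group_by_source_ip(alerts):
    """Correlate alerts by origin so a responder sees one chain, not four tickets."""
    grouped = defaultdict(list)
    for a in alerts:
        grouped[a["sourceIP"]].append(a["rule"])
    return dict(grouped)


if __name__ == "__main__":
    for ip, rules in group_by_source_ip(detect(SAMPLE_RECORDS)).items():
        print(ip, "->", ", ".join(rules))
```

In production this logic would live in CloudWatch Logs metric filters or EventBridge rules fed by the trail; the point here is what the rules look like and why correlating on a shared attribute such as source IP turns four alerts into one incident.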
Implement security in absolutely all layers of your architecture: To achieve this design principle, examine your AWS solution layer by layer and component by component from a security perspective, and apply controls at each layer (the edge network, the VPC, the load balancer, each instance and compute service, the operating system, the application, and the code) rather than relying on a single perimeter. This is what the industry calls a “defense in depth” solution.
Make a concerted effort to automate as many security best practices as possible: Don’t forget security when you are focusing on automation in your AWS solutions. Automation reduces human error and lets your security controls scale with the environment; controls defined as code can be version-controlled, reviewed, and applied consistently to every account.
Secure information at rest, in transit, and in use: In addition to following a defense-in-depth approach, classify your AWS data and resources into three categories, data at rest, data in transit, and data in use, and apply the controls appropriate to each: encryption at rest with managed keys, TLS for every connection, and tight access control on whatever processes the data. AWS integrates tooling for each category into the platform, and you can also lean on third-party solutions from AWS partners and customers in the AWS Marketplace.
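As an added example (not from the original page) for the data-in-transit and data-at-rest categories, the Python below builds an S3 bucket policy that denies any request not made over TLS and any upload that is not encrypted with SSE-KMS, and includes a small evaluator for the three condition operators the policy uses so you can see which statement would deny a given request. The bucket name and the request contexts are constructed assumptions; the evaluator models only the condition logic, not Principal or Resource matching.

```python
import json


def bucket_policy(bucket):
    """Bucket policy that refuses plaintext transport and non-KMS uploads."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # data in transit: every request must come over TLS
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny", "Principal": "*",
                "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # data at rest: uploads must ask for SSE-KMS specifically
                "Sid": "DenyWrongEncryption",
                "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": f"{arn}/*",
                "Condition": {"StringNotEquals":
                              {"s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {   # ...and uploads that send no encryption header at all
                "Sid": "DenyMissingEncryptionHeader",
                "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": f"{arn}/*",
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
        ],
    }


def _action_matches(pattern, action):
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def _condition_matches(condition, ctx):
    """Evaluate the three operators used above against a request context
    (a dict of condition key -> value). Every operator block must match."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in ctx
            if operator == "Bool":
                if not present or str(ctx[key]).lower() != expected:
                    return False
            elif operator == "Null":
                # Null "true" matches when the key is absent from the request
                if (expected == "true") != (not present):
                    return False
            elif operator == "StringNotEquals":
                # modelled as: key present and different; the separate Null
                # statement is what covers the missing-header case
                if not present or ctx[key] == expected:
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def denying_statement(policy, action, ctx):
    """Return the Sid of the first Deny statement that applies, or None.
    Principal and Resource are not modelled: every statement targets the bucket."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or not _action_matches(stmt["Action"], action):
            continue
        if _condition_matches(stmt.get("Condition", {}), ctx):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    policy = bucket_policy("example-app-data")
    print(json.dumps(policy, indent=2))
    # constructed request contexts, one per interesting case
    for action, ctx in [
        ("s3:PutObject", {"aws:SecureTransport": "false"}),
        ("s3:PutObject", {"aws:SecureTransport": "true",
                          "s3:x-amz-server-side-encryption": "AES256"}),
        ("s3:PutObject", {"aws:SecureTransport": "true"}),
        ("s3:PutObject", {"aws:SecureTransport": "true",
                          "s3:x-amz-server-side-encryption": "aws:kms"}),
    ]:
        print(action, ctx, "->", denying_statement(policy, action, ctx))
```

An explicit Deny wins over any Allow in IAM evaluation, so these statements hold even when an identity policy elsewhere grants s3:PutObject broadly. Enforcing aws:kms in the policy is stricter than relying on the bucket's default encryption setting, because it also rejects uploads that ask for a weaker option.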
As much as possible, keep people away from data: Use AWS tooling and automation to process data instead of letting people interact with it directly. This may sound harsh, but removing routine human access eliminates a whole class of security concerns (mishandling, exfiltration, and accidental modification) and improves accuracy and operational excellence as well.
Prepare as much as possible for the inevitable security events in your architecture and cloud: Are you and your teams ready for a major security incident in the cloud? How can you be sure? Establish incident management policies and procedures that match your organization’s needs, conduct incident response drills against realistic scenarios, and use automation to speed up detection, investigation, and recovery.