1. Training & Enablement

It is vital to build a security capability from a training and enablement perspective. AWS has a tailored learning path for security practitioners, starting with the free, online AWS Security Fundamentals training, culminating with a certification to attest technical expertise.

Security teams should do this and aim to be security certified for sure, but biggest gains are observed when *all* users of AWS spend the time to go through the free, online security fundamentals training.

  • Assign an owner for 'cloud security'
  • Assign a 'cloud security champion' in each development team
  • Mandate that all teams that use cloud to complete AWS Security Fundamentals Training
  • Cloud security team to obtain AWS Certified Security Speciality

2. Cloud Vendor Due-diligence

Security in the cloud is a shared responsibility. As a customer of a cloud service provider you should ensure the CSP has appropriate controls for the level of sensitivity and criticality of your data and systems. Security due-diligence is often mandated by regulatory programs, especially within the financial services industry.

  • Assess the security controls of your cloud vendor annually
  • Use AWS Artifact to download compliance reports to verify CSP control objectives

3. Cloud Security Policy

Although the CSP provides a number of security controls as part of the shared responsibility model, ultimately it is your responsibility as a consumer of these services to ensure your control objectives are understood and appropriately met. Before embarking on a cloud migration, you should fully understand your obligations, whether they are derived from internal policy/standards (existing data protection polices), regulatory programs (MAS TRM), or industry standards (PCI-DSS) and then define a cloud security policy that is capable to meet and exceed these requirements. You don't have to start from a blank slate, there are multiple industry standard control frameworks to help getting you going depending on your organization and industry, pick something that is right for you. Personally I see customers adopting the NIST CSF, a selection of NIST800-53 controls tailored appropriately, CIS benchmarks, ISO27001/2 or PCI-DSS. Pick something that works, break it down by the shared security model and communicate to the development teams what they need to do (many controls will be inherited from the cloud provider and many will be common controls provided at the platform level).

  • Understand your obligations & document your control objectives
  • Convert control objectives into platform specific control procedures
  • Use our minimum-security baseline to get started

4. Cloud Service Specific Assessment

Cloud service providers have hundreds of different services and capabilities, all with their own unique security profile and attack surface. While the minimum-security baseline is useful to establish platform level controls, it is important to validate each new service you plan to use within your organization to ensure it can meet your defined control objectives. For example, when AWS launches a new service, how do you ensure it meets control objectives around data protection, encryption in transit, encryption at rest, etc.? Assessing individual services against your control objectives will allow for greater innovation and agility while ensuring a high bar of security. For services that do not fully meet your control objectives then application layer mitigations may need to be created.

  • Maintain a whitelist of approved services that can be used in production
  • Create a process for development teams to request new services to be approved
  • Assess services against your control objectives (see step 3), the output should be a defined configuration and additional mitigations required by the application team.
  • Enforce the use of approved services in production via AWS Service Control Policies (SCPs) (see step 6/7)

5. Security Architecture Review

AWS has hundreds of services, and development teams will be using them in unique ways to innovate and transform your business. The Well-Architected framework has been developed to help you build secure, high-performing, resilient, and efficient infrastructure for their applications. Based on five pillars — operational excellence, security, reliability, performance efficiency, and cost optimization — the Framework provides a consistent approach for customers and partners to evaluate architectures, and implement designs that will scale over time. In addition to the Well-Architected framework, AWS has published service specific security documentation to help you meet your security & compliance objectives.

6. Establish Centralized Governance

As your organizations usage of cloud increases it is important to have appropriate governance around your accounts, resources, consumption and security guardrails. While there are many operating models for cloud usage, a common pattern is one of centralized governance and de-centralized development. This allows your organization to balance security and compliance requirements with the innovation and agility your organization needs and expects. AWS Organizations helps you to centrally manage billing; control access, compliance, and security; and share resources across your AWS accounts. Using AWS Organizations, you can automate account creation, create groups of accounts to reflect your business needs, and apply policies for these groups for governance. You can also simplify billing by setting up a single payment method for all of your AWS accounts.

  • Set up AWS Organizations
  • Enroll existing accounts into your AWS Organization structure
  • Create a process for development teams to request a new account that automatically gets added to the Organization with appropriate guardrails

7. Prevent Security Events

Preventing security events is a key tenet of a successful security program. Such events can either be accidental mis-configurations (employee opening an Amazon S3 bucket to the public) or a malicious user exploiting a vulnerability (using exposed IAM access keys to compromise your systems). Once you have defined your control objectives, minimum security baseline and per-service configurations you should be able to determine which of those controls can be prevented using policy. AWS Service Control Policies (SCPs) can be used at an organization level to limit specific API calls. AWS Identity & Access Management Policies can be used to limit permissions on a user/role level.

  • Use AWS Organizations Service Controls Policies (SCPs) to enforce preventative controls
  • Use AWS Identity & Access Management policies to enforce least privilege and segregation of duties

8. Detect Security Events

Detecting security events in a cloud environment is a major benefit of cloud security over traditional on-premise security programs. Everything is an API and can be called in real-time, allowing your security team to have 100% accurate inventory over your assets, resources, systems and data. This is extremely powerful from a security perspective as you can describe your entire configuration in real time to detect security mis-configurations. In addition to real-time detection, you have the ability to respond in real-time by writing automation and serverless functions that react to changes and self-heal your infrastructure and systems. Services likes AWS Config rules allow you to 'codify' your security control objectives and determine in real-time your state of compliance against desired controls. Point of time assessments, monthly or annually are a thing of the past. Move to a real-time security & compliance framework to detect and respond to security events faster than ever before, embrace "Compliance-as-Code". Involve your line two technology risk and line three audit teams in engineering efforts.

  • Enable the detect controls listed in the minimum-security baseline
  • Centralize logs from cloud native services and application stack in a secure repository

9. Security Operations & Incident Response

While preventing and detecting security events should be the backbone of your security program, it is critical to ensure that any alerts that are detected are triaged and acted upon appropriately. Once an event has been triaged and confirmed to be a security concern, you should have well documented & tested runbooks to ensure your incident response mechanisms are effective. AWS IAM allows you to delegate access to other accounts and users using IAM roles. These "cross account roles" are typically used by CISO teams for two reasons.. 1) A "read-only" security audit account, allowing the infosec team to run their automated compliance tooling, inspect asset inventories, dive in query your resources in real-time (to find vulnerable versions of software or mis-configurations in response to zero-day alerts). 2) A "break-glass" incident response account that is able to take remediation action to prevent or respond to an on-going incident. You are setup for a bad day if your security team has no access (automated preferably) to your accounts to snapshot instances, backup data, change network/security group rules to thwart an ongoing cyber attack.

  • Ensure alerts and metrics from detective tools are acted upon
  • Create a process to triage and verify security events
  • Create runbooks for common security events

10. Repeatable Secure Patterns

As your adoption has grown, you have noticed that time and time again, developers in different teams are building similar architecture patterns for workloads (micro-services, containers, three-tier) leading to some minor variance in consistency of security! It is time to start adopting AWS Service Catalog to "build once, deploy many". By "codifying" these common patterns in to repeatable consumables, your development teams can take a fully compliant and secure business application or design, from a catalog and immediately deploy to production. You have the peace and mind knowing that these "approved" patterns meet your CISO teams high bar, they are stored in version control so can be continuously audited and if you want to make an improvement, everyone benefits from that checked-in change going forward.

  • Use AWS Cloudformation to document secure patterns
  • Use AWS Service Catalog to provide secure patterns to teams across your organization