6. Pillar #2 - Security
BEST PRACTICES - Security
Describe Best Practices for Security
Apply Security At All Layers
1. Apply a defense in depth approach with multiple security controls. 2. Apply to all layers (for example, edge of network, VPC, load balancing, every instance and compute service, operating system, application, and code).
Automate Security Best Practices
1. Automated software-based security mechanisms improve your ability to securely scale more rapidly and cost-effectively. 2. Create secure architectures, including the implementation of controls that are defined and managed as code in version-controlled templates.
Protect Data In Transit And At Rest
1. Classify your data into sensitivity levels and use mechanisms, such as encryption, tokenization, and access control where appropriate.
SEC 4: How do you detect and investigate security events?
1. Configure service and application logging 2. Analyze logs, findings, and metrics centrally 3. Automate response to events 4. Implement actionable security events
SEC 5: How do you protect your network resources?
1. Create network layers 2. Control traffic at all layers 3. Automate network protection 4. Implement inspection and protection
SEC 1: How do you securely operate your workload?
1. Separate workloads using accounts 2. Secure AWS account 3. Identify and validate control objectives 4. Keep up to date with security threats 5. Keep up to date with security recommendations 6. Automate testing and validation of security controls in pipelines 7. Identify and prioritize risks using a threat model 8. Evaluate and implement new security services and features regularly
SEC 3: How do you manage permissions for people and machines?
1. Define access requirements 2. Grant least privilege access 3. Establish emergency access process 4. Reduce permissions continuously 5. Define permission guardrails for your organization 6. Manage access based on life cycle 7. Analyze public and cross account access 8. Share resources securely
DESIGN PRINCIPLES
1. Enable traceability 2. Apply security at all layers 3. Automate security best practices 4. Protect data in transit and at rest 5. Keep people away from data 6. Prepare for security events
SEC 10: How do you anticipate, respond to, and recover from incidents?
1. Identify key personnel and external resources 2. Develop incident management plans 3. Prepare forensic capabilities 4. Automate containment capability 5. Pre-provision access 6. Pre-deploy tools 7. Run game days
SEC 7: How do you classify your data?
1. Identify the data within your workload 2. Define data protection controls 3. Automate identification and classification 4. Define data lifecycle management
SEC 8: How do you protect your data at rest?
1. Implement secure encryption key management 2. Enforce encryption at rest 3. Automate data at rest protection 4. Enforce access control 5. Use mechanisms to keep people away from sensitive data
SEC 9: How do you protect your data in transit?
1. Implement secure key and certificate management 2. Enforce encryption in transit 3. Automate detection of unintended data access 4. Authenticate network communications
Enable Traceability
1. Monitor, alert, and audit actions and changes to your environment in real time. 2. Integrate log and metric collection with systems to automatically investigate and take action.
SEC 6: How do you protect your compute resources?
1. Perform vulnerability management 2. Reduce attack surface 3. Implement managed services 4. Automate compute protection 5. Enable people to perform actions at a distance 6. Validate software integrity
Prepare For Security Events
1. Prepare for an incident by having incident management and investigation policy and processes that align to your organizational requirements. 2. Run incident response simulations and use tools with automation to increase your speed for detection, investigation, and recovery.
Keep People Away From Data
1. Use mechanisms and tools to reduce or eliminate the need for direct access or manual processing of data. 2. This reduces the risk of mishandling or modification and human error when handling sensitive data.
SEC 2: How do you manage authentication for people and machines?
1. Use strong sign-in mechanisms 2. Use temporary credentials 3. Store and use secrets securely 4. Rely on a centralized identity provider 5. Audit and rotate credentials periodically 6. Leverage user groups and attributes
Overview - Security
Ability to protect data, systems, and assets to take advantage of cloud technologies to improve your security.
Data Protection
SEC 7: How do you classify your data? ANS 7: 1. Classification provides a way to categorize data, based on criticality and sensitivity in order to help you determine appropriate protection and retention controls. SEC 8: How do you protect your data at rest? ANS 8: 1. Protect your data at rest by implementing multiple controls, to reduce the risk of unauthorized access or mishandling. SEC 9: How do you protect your data in transit? ANS 9: 1. Protect your data in transit by implementing multiple controls to reduce the risk of unauthorized access or loss.
Incident Response
SEC 10: How do you anticipate, respond to, and recover from incidents? ANS 10: 1. Preparation is critical to timely and effective investigation, response to, and recovery from security incidents to help minimize disruption to your organization.
Security
SEC 1: How do you securely operate your workload? ANS 1: 1. To operate your workload securely, you must apply overarching best practices to every area of security. 2. Take requirements and processes that you have defined in operational excellence at an organizational and workload level, and apply them to all areas. 3. Staying up to date with recommendations from AWS, industry sources, and threat intelligence helps you evolve your threat model and control objectives. 4. Automating security processes, testing, and validation allow you to scale your security operations.
Identity and Access Management
SEC 2: How do you manage identities for people and machines? ANS 2: 1. There are two types of identities you need to manage when approaching operating secure AWS workloads. 2. Understanding the type of identity you need to manage and grant access helps you ensure the right identities have access to the right resources under the right conditions. Human Identities: a. Your administrators, developers, operators, and end users require an identity to access your AWS environments and applications. b. These are members of your organization, or external users with whom you collaborate, and who interact with your AWS resources via a web browser, client application, or interactive command-line tools. Machine Identities: a. Your service applications, operational tools, and workloads require an identity to make requests to AWS services, for example, to read data. b. These identities include machines running in your AWS environment such as Amazon EC2 instances or AWS Lambda functions. c. You may also manage machine identities for external parties who need access. d. Additionally, you may also have machines outside of AWS that need access to your AWS environment. SEC 3: How do you manage permissions for people and machines? ANS 3: 1. Manage permissions to control access to people and machine identities that require access to AWS and your workload. 2. Permissions control who can access what, and under what conditions.
Detection
SEC 4: How do you detect and investigate security events? ANS 4: 1. Capture and analyze events from logs and metrics to gain visibility. 2. Take action on security events and potential threats to help secure your workload.
Infrastructure Protection
SEC 5: How do you protect your network resources? ANS 5: 1. Any workload that has some form of network connectivity, whether it's the internet or a private network, requires multiple layers of defense to help protect from external and internal network-based threats. SEC 6: How do you protect your compute resources? ANS 6: 1. Compute resources in your workload require multiple layers of defense to help protect from external and internal threats. 2. Compute resources include EC2 instances, containers, AWS Lambda functions, database services, IoT devices, and more.
DEFINITION - BEST PRACTICES
There are six best practice areas for security in the cloud: 1. Security 2. Identity and Access Management 3. Detection 4. Infrastructure Protection 5. Data Protection 6. Incident Response
