Security
Questions
SEC01 (8 best practices)
- SEC01-BP01: Separate workloads using accounts
- SEC01-BP02: Secure account root user and properties
- SEC01-BP03: Identify and validate control objectives
- SEC01-BP04: Stay up to date with security threats and recommendations
- SEC01-BP05: Reduce security management scope
- SEC01-BP06: Automate deployment of standard security controls
- SEC01-BP07: Identify threats and prioritize mitigations using a threat model
- SEC01-BP08: Evaluate and implement new security services and features regularly
SEC02 (6 best practices)
- SEC02-BP01: Use strong sign-in mechanisms
- SEC02-BP02: Use temporary credentials
- SEC02-BP03: Store and use secrets securely
- SEC02-BP04: Rely on a centralized identity provider
- SEC02-BP05: Audit and rotate credentials periodically
- SEC02-BP06: Employ user groups and attributes
SEC03 (9 best practices)
- SEC03-BP01: Define access requirements
- SEC03-BP02: Grant least privilege access
- SEC03-BP03: Establish emergency access process
- SEC03-BP04: Reduce permissions continuously
- SEC03-BP05: Define permission guardrails for your organization
- SEC03-BP06: Manage access based on lifecycle
- SEC03-BP07: Analyze public and cross-account access
- SEC03-BP08: Share resources securely within your organization
- SEC03-BP09: Share resources securely with a third party
SEC10 (8 best practices)
- SEC10-BP01: Identify key personnel and external resources
- SEC10-BP02: Develop incident management plans
- SEC10-BP03: Prepare forensic capabilities
- SEC10-BP04: Develop and test security incident response playbooks
- SEC10-BP05: Pre-provision access
- SEC10-BP06: Pre-deploy tools
- SEC10-BP07: Run simulations
- SEC10-BP08: Establish a framework for learning from incidents
SEC11 (8 best practices)
- SEC11-BP01: Train for application security
- SEC11-BP02: Automate testing throughout the development and release lifecycle
- SEC11-BP03: Perform regular penetration testing
- SEC11-BP04: Conduct code reviews
- SEC11-BP05: Centralize services for packages and dependencies
- SEC11-BP06: Deploy software programmatically
- SEC11-BP07: Regularly assess security properties of the pipelines
- SEC11-BP08: Build a program that embeds security ownership in workload teams
The Security pillar includes the ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies.
AWS Services for Security
- AWS Identity and Access Management (IAM): Enables you to manage access to AWS services and resources securely.
- Amazon GuardDuty: Provides intelligent threat detection for your AWS accounts and workloads.
- AWS Security Hub: Gives you a comprehensive view of your security alerts and security posture across your AWS accounts.
- Amazon Inspector v2: Provides enhanced automated vulnerability management for EC2 instances, container images, and Lambda functions with improved scanning speed, broader coverage, and integration with software bill of materials (SBOM).
- AWS Security Lake: Automatically centralizes security data from AWS environments, SaaS providers, on-premises, and cloud sources into a purpose-built data lake stored in your account. Provides normalized security data in Open Cybersecurity Schema Framework (OCSF) format.
- AWS Config (Enhanced Capabilities): Provides enhanced configuration management and compliance monitoring with expanded rule coverage, advanced remediation capabilities, improved multi-account support, and enhanced organizational compliance features.
- AWS Key Management Service (KMS): Makes it easy for you to create and manage cryptographic keys and control their use.
- AWS Shield: Provides protection against DDoS attacks for applications running on AWS.
- Amazon Macie: Uses machine learning to automatically discover, classify, and protect sensitive data in AWS, providing data security and data privacy capabilities.
- AWS CloudTrail: Provides governance, compliance, operational auditing, and risk auditing of your AWS account with enhanced insights and advanced event selectors.
- AWS WAF: Helps protect your web applications or APIs against common web exploits and bots that may affect availability, compromise security, or consume excessive resources.