SEC01-BP06 - Automate deployment of standard security controls
Implementation guidance
Automating the deployment of security controls helps ensure consistent application of security standards across your AWS environment. This reduces human error, increases efficiency, and provides a reliable security baseline for all your workloads.
Key steps for implementing this best practice:
- Define standard security controls:
  - Identify the security controls required for your workloads
  - Document security control specifications and configurations
  - Establish security baselines for different types of resources
  - Define compliance requirements and security standards
- Implement infrastructure as code (IaC):
  - Use AWS CloudFormation or AWS CDK to define infrastructure
  - Include security controls in your IaC templates
  - Version control your IaC templates
  - Implement security guardrails in your templates
- Automate security testing and validation:
  - Implement pre-deployment security scanning for IaC templates
  - Use tools like cfn-nag or AWS CloudFormation Guard to validate templates
  - Scan machine images for vulnerabilities before deployment
  - Implement automated compliance validation
- Implement continuous compliance monitoring:
  - Use AWS Config to monitor resource configurations
  - Create AWS Config Rules to automatically evaluate compliance
  - Set up AWS Security Hub to aggregate security findings
  - Implement automated remediation for non-compliant resources
- Integrate security into CI/CD pipelines:
  - Add security testing stages to your CI/CD pipelines
  - Implement automated security gates that prevent deployment of non-compliant resources
  - Include vulnerability scanning in your build process
  - Automate security testing of application code
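As an added example (not code from this page or from AWS), the following stdlib-only script is the kind of pre-deployment security gate the testing and CI/CD steps above describe: it checks every AWS::S3::Bucket in a JSON-format CloudFormation template for the controls used in Example 1 below (default encryption, a complete public access block, versioning, access logging) and exits non-zero when any bucket falls short. The template is a constructed sample with one compliant and one non-compliant bucket; in a real pipeline the same checks would come from cfn-nag or CloudFormation Guard.

```python
import json
import sys

# Constructed sample template (JSON form of a CloudFormation template): GoodBucket carries
# every control from Example 1; BadBucket is missing most of them.
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "GoodBucket": {"Type": "AWS::S3::Bucket", "Properties": {
      "BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
      "PublicAccessBlockConfiguration": {"BlockPublicAcls": true, "BlockPublicPolicy": true,
                                         "IgnorePublicAcls": true, "RestrictPublicBuckets": true},
      "VersioningConfiguration": {"Status": "Enabled"},
      "LoggingConfiguration": {"DestinationBucketName": {"Ref": "LoggingBucket"}}}},
    "BadBucket": {"Type": "AWS::S3::Bucket", "Properties": {
      "PublicAccessBlockConfiguration": {"BlockPublicAcls": true, "BlockPublicPolicy": false,
                                         "IgnorePublicAcls": true, "RestrictPublicBuckets": true},
      "VersioningConfiguration": {"Status": "Suspended"}}}}}""")

PAB_FLAGS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")

def check_s3_bucket(props):
    """Return the list of missing controls for one AWS::S3::Bucket's Properties."""
    findings = []
    sse_rules = props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
    if not any("ServerSideEncryptionByDefault" in rule for rule in sse_rules):
        findings.append("no default server-side encryption")
    pab = props.get("PublicAccessBlockConfiguration", {})
    missing = [flag for flag in PAB_FLAGS if pab.get(flag) is not True]  # all four must be true
    if missing:
        findings.append("public access block incomplete: " + ", ".join(missing))
    if props.get("VersioningConfiguration", {}).get("Status") != "Enabled":
        findings.append("versioning not enabled")
    if not props.get("LoggingConfiguration", {}).get("DestinationBucketName"):
        findings.append("no access logging destination")
    return findings

def scan_template(template):
    """Map each non-compliant bucket's logical ID to its findings; an empty dict means pass."""
    buckets = {lid: r.get("Properties", {}) for lid, r in template.get("Resources", {}).items()
               if r.get("Type") == "AWS::S3::Bucket"}
    findings = {lid: check_s3_bucket(props) for lid, props in buckets.items()}
    return {lid: f for lid, f in findings.items() if f}

if __name__ == "__main__":
    report = scan_template(SAMPLE_TEMPLATE)
    print(json.dumps(report, indent=2))
    sys.exit(1 if report else 0)  # non-zero exit fails the pipeline stage before any deploy
```

Running it in a pre_build step, as in Example 3, stops the build on the first non-compliant template so the deploy step never executes.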
Implementation examples
Example 1: Automating security controls with AWS CloudFormation

Parameters:
  # The original template referenced LoggingBucket without declaring it; declare it as the
  # name of an existing bucket that accepts S3 server access logs
  LoggingBucket:
    Type: String
    Description: Name of an existing bucket that receives S3 server access logs

Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      # Bucket names must be lowercase, so keep the stack name lowercase as well
      BucketName: !Sub '${AWS::StackName}-secure-bucket'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'AES256'
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      VersioningConfiguration:
        Status: Enabled
      LoggingConfiguration:
        DestinationBucketName: !Ref LoggingBucket
        LogFilePrefix: 's3-access-logs/'

Example 2: Automating security validation with AWS Config Rules
Resources:
  S3BucketPublicReadProhibited:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-public-read-prohibited
      Description: Checks that your S3 buckets do not allow public read access
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket
  S3BucketServerSideEncryptionEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-server-side-encryption-enabled
      Description: Checks that your S3 buckets have server-side encryption enabled
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket

Example 3: Automating security scanning in CI/CD pipeline
version: 0.2
phases:
  install:
    runtime-versions:
      python: 3.9
    commands:
      - pip install cfn-lint
      # cfn-nag is a Ruby gem, not a pip package, so it is installed with gem
      - gem install cfn-nag
  pre_build:
    commands:
      - echo "Running CloudFormation template validation"
      - cfn-lint templates/*.yaml
      - echo "Running security scan on CloudFormation templates"
      # A failing scan exits non-zero, which fails the build before the deploy command runs
      - cfn_nag_scan --input-path templates/
  build:
    commands:
      - echo "Deploying CloudFormation stack"
      - aws cloudformation deploy --template-file templates/main.yaml --stack-name secure-stack --capabilities CAPABILITY_IAM

AWS services to consider
AWS CloudFormation
Provides a common language to model and provision AWS and third-party resources in your cloud environment. Enables you to define security controls as code and deploy them consistently.
AWS Config
Enables you to assess, audit, and evaluate the configurations of your AWS resources. Helps you maintain compliance with security standards and best practices through continuous monitoring and automated remediation.
Amazon Inspector
Automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Automatically assesses applications for exposure, vulnerabilities, and deviations from best practices.
AWS Security Hub
Provides a comprehensive view of your security state in AWS and helps you check your compliance with security standards and best practices. Aggregates, organizes, and prioritizes security alerts from multiple AWS services.
AWS CodePipeline
A fully managed continuous delivery service that helps you automate your release pipelines. Enables you to integrate security testing and validation into your deployment process.
AWS Systems Manager
Gives you visibility and control of your infrastructure on AWS. Helps you automate operational tasks, including the deployment and maintenance of security controls.
Benefits of automation
- Consistency: Security controls are applied consistently across all resources
- Reduced human error: Minimizes the risk of misconfiguration due to manual processes
- Scalability: Security controls scale with your infrastructure
- Auditability: Provides a clear record of security control implementation
- Efficiency: Reduces the time and effort required to implement security controls
- Rapid remediation: Enables quick response to security issues