The Five Pillars of the Well-Architected Framework
Creating a software system is a lot like constructing a building. If the foundation
 is not solid structural problems could undermine the integrity and function of
 the building. When architecting technology solutions, if you neglect the five
 pillars of security, reliability, performance efficiency, cost optimisation, and
 operational excellence it can become challenging to build a system that delivers
 on your expectations and requirements. When you incorporate these pillars into
 your architecture, it will help you produce stable and efficient systems. This will
 allow you to focus on the other aspects of design, such as functional
 requirements.
This section describes focuses on the AWS well architected security pillar:
Security Pillar
The Security pillar includes the ability to protect information, systems, and
 assets while delivering business value through risk assessments and mitigation
 strategies.
Design Principles
In the cloud, there are a number of principles that can help you strengthen your
 system security.
- Apply security at all layers: Rather than running security appliances
 (e.g., firewalls) only at the edge of your infrastructure, use firewalls and
 other security controls on all of your resources (e.g., every virtual
 server, load balancer, and network subnet).
- Enable traceability: Log and audit all actions and changes to your
 environment.
- Implement a principle of least privilege: Ensure that authorisation
 is appropriate for each interaction with your AWS resources and
 implement strong logical access controls directly on resources.
 Amazon Web Services – AWS Well-Architected Framework
- Focus on securing your system: With the AWS Shared Responsibility
 Model you can focus on securing your application, data, and operating
 systems, while AWS provides secure infrastructure and services.
- Automate security best practices: Software-based security
 mechanisms improve your ability to securely scale more rapidly and cost-effectively.
 Create and save a patched, hardened image of a virtual server,
 and then use that image automatically on each new server you launch.
 Create an entire trust zone architecture that is defined and managed in a
 template via revision control. Automate the response to both routine and
 anomalous security events.
Definition
There are five best practice areas for Security in the cloud:
- Identity and access management
- Detective controls
- Infrastructure protection
- Data protection
- Incident response
Before you architect any system, you need to put in place practices that
 influence security. You will want to control who can do what. In addition, you
 want to be able to identify security incidents, protect your systems and services,
 and maintain the confidentiality and integrity of data through data protection.
 You should have a well-defined and practiced process for responding to security
 incidents. These tools and techniques are important because they support
 objectives such as preventing financial loss or complying with regulatory
 obligations.
The AWS Shared Responsibility Model enables organisations that adopt the
 cloud to achieve their security and compliance goals. Because AWS physically
 secures the infrastructure that supports our cloud services, AWS customers can
 focus on using services to accomplish their goals. The AWS Cloud also provides
 greater access to security data and an automated approach to responding to
 security events.
Best Practices
Identity and Access Management
Identity and access management are key parts of an information security
 program, ensuring that only authorised and authenticated users are able to
 access your resources, and only in a manner that is intended. For example,
 you’ll define principals (users, groups, services, and roles that take action in
 your account), build out policies aligned with these principals, and implement
 strong credential management. These privilege-management elements form the
 core concepts of authentication and authorisation.
In AWS, privilege management is primarily supported by the AWS Identity and
 Access Management (IAM) service, which allows customers to control access to
 AWS services and resources for users. You can apply granular policies, which
 assign permissions to a user, group, role, or resource. You also have the ability
 to require strong password practices, such as complexity level, avoiding re-use,
 and using multi-factor authentication (MFA). You can use federation with your
 existing directory service. For workloads that require systems to have access to
 AWS, IAM enables secure access through instance profiles, identity federation,
 and temporary credentials.
The following questions focus on privilege management considerations for
 security (for a list of security question, answers, and best practices, see the
 Appendix).
SEC 1. How are you protecting access to and use of the AWS root account credentials?
 SEC 2. How are you defining roles and responsibilities of system users to control human access to the AWS Management Console and API?
 SEC 3. How are you limiting automated access to AWS resources? (e.g., applications, scripts, and/or third-party tools or services)
It is critical to keep root account credentials protected, and to this end AWS
 recommends attaching MFA to the root account and locking the credentials with
 the MFA in a physically secured location. The IAM service allows you to create
 and manage other non-root user permissions, as well as establish access levels
 to resources.
Detective Controls
You can use detective controls to identify a potential security incident. These
 controls are an essential part of governance frameworks, and can be used to
 support a quality process, a legal or compliance obligation, and for threat
 identification and response efforts. There are different types of detective
 controls. For example, conducting an inventory of assets and their detailed
 attributes promotes more effective decision making (and lifecycle controls) to
 help establish operational baselines. Or you can use internal auditing, an
 examination of controls related to information systems, to ensure that practices
 meet policies and requirements, and that you have set the correct automated
 alerting notifications based on defined conditions. These controls are important
 reactive factors that help organisations identify and understand the scope of
 anomalous activity.
In AWS you can implement detective controls by processing logs, events and
 monitoring that allows for auditing, automated analysis, and alarming. AWS
 CloudTrail logs, AWS API calls, and Amazon CloudWatch provide monitoring of
 metrics with alarming, and AWS Config provides configuration history. Service
 level logs are also available, for example you can use Amazon Simple Storage
 Service (S3) to log access requests. Finally Amazon Glacier provides a vault lock
 feature to preserve mission-critical data with compliance controls designed to
 support auditable long-term retention.
The following question focuses on detective controls considerations for security:
SEC 4. How are you capturing and analysing logs?
Log management is important to a well-architected design for reasons ranging
 from security/forensics to regulatory or legal requirements. It is critical that you
 analyse logs and respond to them, so that you can identify potential security
 incidents. AWS provides functionality that makes log management easier to
 implement by giving customers the ability to define a data-retention lifecycle, or
 define where data will be preserved, archived, and/or eventually deleted. This
 makes predictable and reliable data handling simpler and more cost effective.
Infrastructure Protection
Infrastructure protection includes control methodologies, such as defence in
 depth and multi-factor authentication, which are necessary to meet best
 practices and industry or regulatory obligations. Use of these methodologies is
 critical for successful ongoing operations in either the cloud or on-premises.
In AWS, you can implement stateful and stateless packet inspection, either by
 using AWS native technologies or by using partner products and services
 available through the AWS Marketplace. You can also use Amazon Virtual
 Private Cloud (VPC), to create a private, secured, and scalable environment in
 which you can define your topology—including gateways, routing tables, and
 public and/or private subnets.
The following questions focus on infrastructure protection considerations for
 security:
SEC 5. How are you enforcing network and host-level boundary protection?
 SEC 6. How are you leveraging AWS service level security features?
 SEC 7. How are you protecting the integrity of the operating systems on your Amazon EC2 instances?
Multiple layers of defence are advisable in any type of environment, and in the
 case of infrastructure protection, many of the concepts and methods are valid
 across cloud and on-premises models. Enforcing boundary protection,
 monitoring points of ingress and egress, and comprehensive logging,
 monitoring, and alerting are all essential to an effective information security
 plan.
As mentioned in the Design Principles section, AWS customers are able to
 tailor, or harden, the configuration of an EC2 instance, and persist this
 configuration to an immutable Amazon Machine Image (AMI). Then, whether
 triggered by Auto Scaling or launched manually, all new virtual servers
 (instances) launched with this AMI receive the hardened configuration.
Data Protection
Before architecting any system, foundational practices that influence security
 should be in place. For example, data classification provides a way to categorise
 organisational data based on levels of sensitivity and encryption protects data
 by rendering it unintelligible to unauthorised access. These tools and techniques
 are important because they support objectives such as preventing financial loss
 or complying with regulatory obligations.
In AWS, the following practices facilitate protection of data:
- AWS customers maintain full control over their data.
- AWS makes it easier for you to encrypt your data and manage keys, including regular key rotation, which can be easily automated natively by AWS or maintained by a customer.
- Detailed logging that contains important content, such as file access and changes, is available.
- AWS has designed storage systems for exceptional resiliency. As an example, Amazon Simple Storage Service (S3) is designed for 11 nines of durability. (For example, if you store 10,000 objects with Amazon S3, you can on average expect to incur a loss of a single object once every 10,000,000 years.)
- Versioning, which can be part of a larger data lifecycle management process, can protect against accidental overwrites, deletes, and similar harm.
- AWS never initiates the movement of data between regions. Content placed in a region will remain in that region unless the customer explicitly enable a feature or leverages a service that provides that functionality.
The following questions focus on considerations for data security:
SEC 8. How are you classifying your data?
 SEC 9. How are you encrypting and protecting your data at rest?
 SEC 10. How are you managing keys?
 SEC 11. How are you encrypting and protecting your data in transit?
AWS provides multiple means for encryption of data at rest and in transit. We
 build features into our products and services that make it easier to encrypt your
 data. For example, we have implemented Server Side Encryption (SSE)
 for Amazon S3 to make it easier for you to store your data in an encrypted form.
 You can also arrange for the entire HTTPS encryption and decryption process
 (generally known as SSL termination) to be handled by Elastic Load Balancing.
Incident Response
Even with extremely mature preventive and detective controls, organisations
 should still put processes in place to respond to and mitigate the potential
 impact of security incidents. The architecture of your workload will strongly
 affect the ability of your teams to operate effectively during an incident to
 isolate or contain systems and to restore operations to a known-good state.
 Putting in place the tools and access ahead of a security incident, then routinely
 practicing incident response will make sure the architecture is updated to
 accommodate timely investigation and recovery.
In AWS, the following practices facilitate effective incident response:
- Detailed logging is available that contains important content, such as file
 access and changes.
- Events can be automatically processed and trigger scripts that automate
 run books through the use of AWS APIs.
- You can pre-provision tooling and a “clean room” using AWS
 CloudFormation. This allows you to carry out forensics in a safe, isolated
 environment.
The following questions focus on considerations for incident response:
SEC 12. How do you ensure you have the appropriate incident response?
Ensure that you have a way to quickly grant access for your InfoSec team, and
 automate the isolation of instances as well at the capturing of data and state for
 forensics.
Key AWS Services
The AWS service that is essential to security is AWS Identity and Access
 Management (IAM), which allows you to securely control access to AWS
 services and resources for your users. The following services and features
 support the four areas of security:
Identity and access management: IAM enables you to securely control
 access to AWS services and resources. Multi-factor authentication (MFA), adds
 an extra layer of protection on top of your user name and password.
Detective controls: AWS CloudTrail records AWS API calls, AWS Config
 provides a detailed inventory of your AWS resources and configuration, and
 Amazon CloudWatch is a monitoring service for AWS resources.
Infrastructure protection: Amazon Virtual Private Cloud (VPC) lets you
 provision a private, isolated section of the AWS Cloud where you can launch
 AWS resources in a virtual network.
Data protection: Services such as Elastic Load Balancing, Amazon Elastic
 Block Store (EBS), Amazon Simple Storage Service (S3), and Amazon Relational
 Database Service (RDS) include encryption capabilities to protect your data in
 transit and at rest. AWS Key Management Service (KMS) makes it easier for
 customers to create and control keys used for encryption.
Incident response: IAM should be used to grant appropriate authorisation to
 incident response teams. Amazon CloudFormation can be used to create a
 trusted environment for conducting investigations.
 
 