The AWS Well Architected Framework (WAF) helps cloud architects build secure, high-performing, resilient, and efficient infrastructure for their applications and workloads. It has 5 pillars — operational excellence, security, reliability, performance efficiency, and cost optimization.
The security pillar outlines 7 design principles:
- Implement a strong identity foundation: Implement the principle of least privilege and enforce separation of duties with appropriate authorization for each interaction with your AWS resources. Centralize identity management and aim to eliminate reliance on long-term static credentials.
- Enable traceability: Monitor, alert, and audit actions and changes to your environment in real time. Integrate log and metric collection with systems to automatically investigate and take action.
- Apply security at all layers: Apply a defense in depth approach with multiple security controls. Apply to all layers (for example, edge of network, VPC, load balancing, every instance and compute service, operating system, application, and code).
- Automate security best practices: Automated software-based security mechanisms improve your ability to securely scale more rapidly and cost-effectively. Create secure architectures, including the implementation of controls that are defined and managed as code in version-controlled templates.
- Protect data in transit and at rest: Classify your data into sensitivity levels and use mechanisms, such as encryption, tokenization, and access control where appropriate.
- Keep people away from data: Use mechanisms and tools to reduce or eliminate the need for direct access or manual processing of data. This reduces the risk of mishandling or modification and human error when handling sensitive data.
- Prepare for security events: Prepare for an incident by having incident management and investigation policy and processes that align to your organizational requirements. Run incident response simulations and use tools with automation to increase your speed for detection, investigation, and recovery.
The above mentioned 7 principles should be applied to all 6 areas of security in the cloud:
- Identity and Access Management
- Infrastructure protection
- Data Protection
- Incident Response
Leveraging the design principles outlined in this blog post ensures a strong security posture. Future blog posts will outline details on each of the design principles and how they are applied to the areas of cloud security.