---
title: AWS Security Governance at Scale, V1.4.5
tags: Resources, Talk
description: Resources to support the Security Engineering on AWS course from AWS Training and Certification
---
# AWS Security Governance at Scale, V1.4.5

Instructor: Scott Jones
Email: scojoe@amazon.com
### :pushpin: Bookmark these links:
:::info
- [x] **Path to this page:**
https://bit.ly/scojoe-on-secgov
- [x] **Path to our classroom:**
https://us-east-1.student.classrooms.aws.training/class/vRJg1SHWaSSKe6xqBvBDzJ
- [x] **Polling page:**
https://pollev.com/awsboston
:::
---
### :books: Essential Resources
:::warning
- AWS Cloud Security: https://aws.amazon.com/security/
- AWS Security Documentation: https://docs.aws.amazon.com/security/
- AWS Security Resources: http://aws.amazon.com/security/security-resources/
- AWS Compliance Programs: https://aws.amazon.com/compliance/programs/
- AWS Security Blog: https://aws.amazon.com/blogs/security/
- AWS [Best Practices for Security, Identity, & Compliance](https://aws.amazon.com/architecture/security-identity-compliance/)
- What's new in [AWS Security, Identity, and Compliance](https://aws.amazon.com/new/?whats-new-content-all.sort-by=item.additionalFields.postDateTime&whats-new-content-all.sort-order=desc&awsf.whats-new-categories=marketing-marchitecture%23security-identity-and-compliance).
- AWS Cloud Security [Quickstarts]( https://aws.amazon.com/quickstart/?solutions-all.filter-tech-category=tech-category%23security-identity-compliance&awsf.filter-content-type=*all&awsf.filter-tech-category=tech-category%23security-identity-compliance)
- AWS Security-related [Workshops](https://workshops.aws/card/security)
:::
---
## AWS Security Checklists
These checklists provide recommendations that align with the Well-Architected Framework Security Pillar. Learn more at:
* [Security Pillar – AWS Well-Architected Framework](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html)
### Checklist 1: Identity and Access Management
1. **Secure your AWS account.** Use [*AWS Organizations*](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html#features) to manage your accounts, use the [*root user*](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html) only by exception with [*multi-factor authentication (MFA)*](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa) enabled, and configure [*account contacts*](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts.html).
2. **Rely on a centralized identity provider.** Centralize identities using either [*AWS IAM Identity Center (successor to AWS Single Sign-On)*](https://aws.amazon.com/single-sign-on/getting-started/) or a [*third-party provider*](https://aws.amazon.com/security/partner-solutions/) to avoid routinely creating IAM users or using long-term access keys. This approach makes it easier to manage multiple AWS accounts and federated applications.
3. **Use multiple AWS accounts to separate workloads and workload stages such as production and non-production.** Multiple AWS accounts let you separate data and resources and enable the use of [*Service Control Policies*](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_example-scps.html) to implement guardrails. [*AWS Control Tower*](https://aws.amazon.com/controltower/) can help you set up and govern a [*multi-account AWS environment*](https://aws.amazon.com/organizations/getting-started/best-practices/).
4. **Store and use secrets securely.** Where you cannot use temporary credentials, such as tokens from [*AWS Security Token Service*](https://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html), store secrets such as database passwords in [*AWS Secrets Manager*](https://aws.amazon.com/secrets-manager/), which handles encryption, rotation, and access control.
---
### Checklist 2: Detection
1. **Enable foundational services: AWS CloudTrail, Amazon GuardDuty, and AWS Security Hub.** For all your AWS accounts [*configure CloudTrail to log API activity*](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html), use [*GuardDuty for continuous monitoring*](https://aws.amazon.com/guardduty/), and use [*AWS Security Hub*](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) for a comprehensive view of your security posture.
2. **Configure service and application-level logging.** In addition to your application logs, activate logging at the service level, such as [*Amazon VPC Flow Logs*](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html) and [*Amazon S3, CloudTrail, and Elastic Load Balancer access logging*](https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html), to gain visibility into events. Configure logs to flow to a central account and protect them from manipulation or deletion.
3. **Configure monitoring and alerts, and investigate events.** Activate AWS Config to track the history of resources, and Config Managed Rules to automatically alert or remediate on undesired changes. For all your sources of logs and events, from [*AWS CloudTrail*](https://aws.amazon.com/cloudtrail/), to [*Amazon GuardDuty*](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html) and your application logs, configure alerts for high priority events and investigate.
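The following service control policy is an added example, not a policy from the AWS documentation or the course materials; it ties together the SCP guardrails from Checklist 1 and the "protect logs from manipulation or deletion" point above. Attached to an OU of member accounts, it denies changes to CloudTrail, GuardDuty and AWS Config except by an assumed central security role named `SecurityAdministrator`, prevents accounts from leaving the organization, and denies root user actions in member accounts (SCPs never apply to the management account, and the root statement should be detached from an OU temporarily for the rare root-only task).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProtectLoggingAndDetection",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors",
        "guardduty:DeleteDetector",
        "guardduty:UpdateDetector",
        "guardduty:DisassociateFromMasterAccount",
        "config:DeleteConfigurationRecorder",
        "config:StopConfigurationRecorder",
        "config:DeleteDeliveryChannel"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/SecurityAdministrator"
        }
      }
    },
    {
      "Sid": "DenyLeavingOrganization",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    },
    {
      "Sid": "DenyRootUserActions",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:root"
        }
      }
    }
  ]
}
```

Validate the policy against a sandbox OU before attaching it to production OUs, and confirm in CloudTrail that the denied calls show `AccessDenied` with the SCP named as the reason.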
---
### Checklist 3: Infrastructure Protection
1. **Patch your operating system, applications, and code.** Use [*AWS Systems Manager Patch Manager*](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-patch.html) to automate the patching of all systems and code for which you are responsible, including your OS, applications, and code dependencies.
2. **Implement distributed denial-of-service (DDoS) protection for your internet-facing resources.** Use [*Amazon CloudFront*](https://aws.amazon.com/cloudfront/), [*AWS WAF*](https://aws.amazon.com/waf/) and [*AWS Shield*](https://aws.amazon.com/shield/) to provide layer 7 and layer 3/layer 4 DDoS protection.
3. **Control access using VPC security groups and subnet layers.** Use [*security groups*](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) to control inbound and outbound traffic, and automatically apply rules for both security groups and WAFs using [*AWS Firewall Manager*](https://aws.amazon.com/firewall-manager/). Group different resources into different subnets to create routing layers; for example, database resources do not need a route to the internet.
---
### Checklist 4: Data Protection
1. **Protect data at rest.** Use [*AWS Key Management Service (KMS)*](https://aws.amazon.com/kms/) to protect data at rest across a wide range of AWS services and your applications. Enable default encryption for [*Amazon EBS volumes*](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default), and [*Amazon S3 buckets*](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html).
2. **Encrypt data in transit.** Enable encryption for all network traffic, including Transport Layer Security (TLS) for web-based network infrastructure you control using [*AWS Certificate Manager*](https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html) to manage and provision certificates.
3. **Use mechanisms to keep people away from data.** Keep all users away from directly accessing sensitive data and systems. For example, provide an [*Amazon QuickSight*](https://docs.aws.amazon.com/quicksight/latest/user/working-with-dashboards.html) dashboard to business users instead of direct access to a database, and perform actions at a distance using [*AWS Systems Manager automation*](https://aws.amazon.com/systems-manager/) documents and [*Run Command*](https://docs.aws.amazon.com/systems-manager/latest/userguide/execute-remote-commands.html).
---
### Checklist 5: Incident Response
1. **Ensure you have an incident response (IR) plan.** Begin your IR plan by building runbooks to respond to unexpected events in your workload. For details, see the [*AWS Security Incident Response Guide*](https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/welcome.html).
2. **Make sure that someone is notified to take action on critical findings.** Begin with [*GuardDuty findings*](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html). Turn on GuardDuty and ensure that someone with the ability to take action receives the notifications. Automatically creating trouble tickets is the best way to ensure that GuardDuty findings are integrated with your operational processes.
3. **Practice responding to events.** Simulate and practice incident response by running regular game days, incorporating the lessons learned into your incident management plans, and continuously improving them.
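As an added example (not from the course materials or AWS documentation), this CloudFormation template implements item 2 above: an EventBridge rule in the GuardDuty delegated administrator account matches findings of high severity (7.0 and above) and publishes them to an SNS topic that a person with the ability to act is subscribed to. The address `secops@example.com` is an assumed placeholder; the SNS target can be swapped for a ticketing integration such as the ServiceNow connector listed under Additional Resources.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Route high-severity GuardDuty findings to an on-call topic",
  "Resources": {
    "HighSeverityFindingsTopic": {
      "Type": "AWS::SNS::Topic",
      "Properties": {
        "Subscription": [
          { "Protocol": "email", "Endpoint": "secops@example.com" }
        ]
      }
    },
    "AllowEventBridgeToPublish": {
      "Type": "AWS::SNS::TopicPolicy",
      "Properties": {
        "Topics": [ { "Ref": "HighSeverityFindingsTopic" } ],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": { "Service": "events.amazonaws.com" },
              "Action": "sns:Publish",
              "Resource": { "Ref": "HighSeverityFindingsTopic" }
            }
          ]
        }
      }
    },
    "HighSeverityGuardDutyRule": {
      "Type": "AWS::Events::Rule",
      "Properties": {
        "Description": "GuardDuty findings with severity 7.0 or higher",
        "EventPattern": {
          "source": [ "aws.guardduty" ],
          "detail-type": [ "GuardDuty Finding" ],
          "detail": { "severity": [ { "numeric": [ ">=", 7 ] } ] }
        },
        "Targets": [
          { "Id": "NotifySecOps", "Arn": { "Ref": "HighSeverityFindingsTopic" } }
        ]
      }
    }
  }
}
```

Use GuardDuty's sample findings feature to generate a high-severity finding and confirm the notification arrives before relying on the rule during a game day.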
---
### AWS Services and Compliance
[*AWS services in Scope by Compliance Program*](https://aws.amazon.com/compliance/services-in-scope/) provides a list of AWS Services in Scope of AWS assurance programs. Unless specifically excluded, features of each of the services are considered in scope of the assurance programs and are reviewed and tested as part of the assessment.
---
### Additional Resources
- The AWS Control Tower controls library: https://docs.aws.amazon.com/controltower/latest/userguide/controls-reference.html
- AWS Service Catalog Hub and Spoke Model: How to Automate the Deployment and Management of Service Catalog to Many Accounts: https://aws.amazon.com/blogs/mt/aws-service-catalog-hub-and-spoke-model-how-to-automate-the-deployment-and-management-of-service-catalog-to-many-accounts/
- GoDaddy’s journey to the cloud and their Standard Cloud Platform: https://aws.amazon.com/blogs/mt/godaddys-journey-to-the-cloud-and-their-standard-cloud-platform/
- Enhancing configuration management at Verizon using AWS Systems Manager: https://aws.amazon.com/blogs/mt/enhancing-configuration-management-at-verizon-using-aws-systems-manager/
- AWS Quick Start: Connector with ServiceNow: https://aws.amazon.com/quickstart/connect/servicenow/
- Integrating with ServiceNow: https://docs.aws.amazon.com/systems-manager/latest/userguide/integrations-partners-servicenow.html
- Atlassian and AWS Integrations: https://www.atlassian.com/partnerships/aws/integrations