AWS security

An organization’s deployment pipelines should contain a range of embedded dynamic, static, and infrastructure compliance tools which provide feedback of an application's security posture. Amazon Inspector is a powerful tool to scan AWS workloads for vulnerabilities and produce a risk score that helps prioritize remediation.

Drive toward an evergreen approach to deployment and avoid the operational and security complexities of managing many image versions across the enterprise. AWS Step Functions can be used to build a robust process to redeploy immutable infrastructure and create that evergreen setup. This ensures resources are deployed with all the best security practices in place in a timely manner.

Develop data classification policies and apply the appropriate security controls. Implement strong authentication policies via AWS Identity Access Management (IAM) and network flow control policies with AWS Network Access Control Lists (ACLs). Enable AWS Key Management Service (KMS) for encryption of data at rest. In combination with AWS CloudTrail, an organization can restrict and log access to sensitive data.

Automate policy compliance and controls using policy as code (PAC). AWS Control Tower can assist with environment automation that employs best-practice blueprints for system configuration and security. Credera has expertise utilizing the AWS Well-Architected Tool with assessments and information gathered from AWS Config and AWS Audit Manager.

Reduce the impact of security incidents by establishing incident response plans and a framework for simulating incidents. Prepare AWS Accounts for incident response activities and write runbooks for common response tasks. Amazon Guard Duty is a threat detection service that monitors AWS workloads and user accounts. If a threat is detected, an automated remediation action can be executed. Detailed user activity tracking and API usage is available with AWS CloudTrail. AWS CloudWatch provides verbose logging and utilization metrics of applications and infrastructure.

Employ a zero-trust architecture where each resource has its own identity, which can be permissioned and assigned access to other resources (such as storage and APIs) using AWS Identity Access Management (IAM). This gives finer control of your security and enables it to be standardized much more easily. The IAM Access Analyzer helps achieve least privileged access goals. Amazon Guard Duty provides continuous security monitoring of events in AWS. Combined with other data sources this can highlight potential instances of malicious behavior.