Understanding Security Perspective within the AWS Cloud Adoption Framework
The AWS Cloud Adoption Framework is a set of key guidelines and information that organizes the challenging process of migration to the cloud. One of the crucial sections of the document is “Security” describing the comprehensive model for ensuring security in AWS infrastructure. We present an article that continues the series of posts on AWS CAF and also explains this key perspective.
The AWS Cloud Adoption Framework (CAF) is a set of guidelines aimed at simplifying and structuring the cloud adoption process with best practices and opportunities for maximum benefits. The document is divided into six areas, and today we will focus on the Security perspective describing the capabilities and advantages of the AWS Cloud in terms of maintaining security, integrity and availability.
The role of security in the world of cloud computing
Security plays a key role in Amazon Web Services and is the foundation that enables organizations to deploy new technologies, including Machine Learning or Artificial Intelligence. Cloud computing is based on data and resources stored and shared remotely, which raises additional challenges and requirements in this area. For this reason, security should be a consideration both at the very beginning of the cloud journey and every step of the way. AWS provides comprehensive and extensive solutions that allow as to create an environment built from the ground up with the highest level of security in mind.
A high level of security is realized through a special set of tools covering many areas of the Security topic, as well as services and best practices. The AWS CAF document describes the most important principles, the implementation of which in cloud environment guarantees a high level of security. It is also worth noting that AWS offers constant security updates and news, providing the latest technologies and tools so that organizations can effectively adapt to the changing landscape of threats.
Security perspective – the main principles
The AWS Cloud Adoption Framework covers best practices to achieve key business objectives when moving to the cloud. The Security perspective is split into several key principles to achieve and maintain a high level of security, as well as legal and regulatory compliance.
Governance and security assurance
Security management is the process of developing, maintaining and effectively communicating security-related roles, duties, responsibilities, policies, processes and procedures, through the RACI (Responsible, Accountable, Consulted, Informed) model and the GRC (Governance, Risk and Compliance) system. By clearly defining these principles, security can be achieved effectively and in an integrated approach, and will enable a better understanding of available resources and risks.
In the case of cloud computing, the primary operation should be to conduct relevant research and inventories to hollow out appropriate priorities, standards and policies. Moreover, regular risk assessments will help determine the possibility and impact of identified risks on the organization. In ensuring an adequate level of security, it is also crucial to achieve compliance with legal requirements and regulations, for example, GDPR (General Data Protection Regulation).
AWS provides a set of templates and documents that make it easy to implement appropriate mechanisms and security policies that meet both industry and regulatory needs.
Access management
Dynamic access management is the foundation for high security and limiting unauthorized access. AWS CAF includes descriptions of key concepts in the proper design of identity and access management architectures.
With AWS Identity and Access Management (IAM), we can create appropriate identities and grant users the necessary permissions to manage AWS resources. Effective identity and access administration helps confirm that the proper people and machines have access to the required resources for a given situation or need, which fits within the framework of the principle of lowest possible access. Importantly, AWS also uses multi-factor authentication (MFA) for greater identification and restriction of unauthorized access.
Vulnerability management
New vulnerabilities in the systems in use can emerge with upcoming updates and modifications, or are discovered later in the lifecycle of the software. Dynamic response to detected threats (CVEs), as well as in-house actions to identify them, are among the key activities to be maintained as part of a cloud infrastructure.
AWS CAF describes many important tools available in AWS Cloud Services. AWS Config allows for monitoring configuration status and inventory of resources. Amazon Inspector can be used for automated scanning of security vulnerabilities in EC2 instances, Amazon ECR (Amazon Elastic Container Registry) containers and AWS Lambda functions.
Infrastructure protection
Securing infrastructure against accidental and unauthorized access and potential threats contributes significantly to improving the level of security in the cloud environment. Using a multi-layer defense strategy based on IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems) under the Zero Trust model, we are able to implement a variety of mechanisms to secure data and systems.
Infrastructure protection in the AWS cloud can be based on a number of provided tools. The primary method is to use virtual private clouds (VPCs) with appropriate subnets and routing tables with associated IP address ranges (CIDRs). Appropriate network access control lists (NACLs) and Security Groups should also be implemented.
Within AWS Organizations, we can create a special shared services area, allowing centralized and unified security control across the environment and defining basic shared services. AWS Resource Access Manager (AWS RAM) allows us to share resources between accounts in a specified environment. The shared services architecture should also include an account or accounts that will be used to centrally deploy managed security services. This includes the ability to use administration consoles for services such as AWS Config, Amazon GuardDuty, Amazon Macie, IAM Identity Center and AWS Security Hub.
Data protection
During the journey to the cloud, data must be continuously classified based on its relevance and sensitivity. The goal is to continuously protect data from unauthorized access and potential threats. AWS CAF directs the creation of appropriate data lifecycle management policies, and notes that the protection of certain data may be tied to legal requirements.
Implementing appropriate data protection techniques can be done at several levels and through a number of options. One of the primary ones is data encryption both during transmission and during storage. AWS CAF also highlights the option to store sensitive data in multiple accounts, as well as the ability to use machine learning and artificial intelligence to automatically discover, classify and protect sensitive data. Also important is the use of an appropriate tagging system, which makes it much easier to categorize sprawling resources.
Application security
As part of providing multi-layered security, AWS CAF encourages vulnerability detection and remediation as early as the software development process. Proper vulnerability scanning can use automation and static code analysis tools to identify commonly known issues.
AWS provides a number of tools to facilitate software development with a focus on security. awslabs/git-secrets will help find static sensitive data, such as secret strings. Amazon CodeGuru is a service that will automatically perform a review of prepared source code. AWS Secret Manager is also an important service that allows us to securely store passwords and other identification and access data, while AWS CloudWatch will help monitor and detect misconfigurations of AWS resources.
Threat detection and incident response
In order to maintain a high level of security, the Amazon Cloud Adoption Framework highlights the necessity of identifying threats and responding appropriately to incidents. It also points to the need to define tactical, operational and strategic objectives, as well as to develop an overall methodology for monitoring threats in various sources, for example, network traffic, operating systems, applications, databases and end devices. Detecting threats and responding appropriately to incidents results in reducing potential damage.
AWS services offer a number of tools dedicated to detecting threats. Worth mentioning is AWS CloudTrail, a log collection service, as well as Amazon GuardDuty Findings that detects potential security vulnerabilities and other threats. Other AWS services also offer a lot of important information and logs, including Elastic Load Balancing, Amazon Route 53, Amazon S3 and VPC Flow Logs. To ensure proper incident management policies, AWS CAF encourages the creation of adequate plans, such as runbooks or playbooks, as well as ongoing security education and development.
Security perspective – what are the benefits?
Security is the essential building block of an organization’s modern infrastructure. The AWS Cloud Adoption Framework document is a set of best practices and guidelines, and their implementation brings real benefits. The AWS CAF helps to align cloud resources with specific security requirements, as well as to maintain it through continuous education, monitoring and appropriate incident response. AWS services offer a range of tools to enhance security at multiple layers.
From a Security perspective, Implementing the AWS Cloud Adoption Framework is supporting organizations in building and maintaining secure cloud environments that comply with industry best practices and regulatory requirements.
Security perspective – summary
Security is one of six perspectives covered in the AWS Cloud Adoption Framework document, but it’s hard not to position it as the foundation of any modern organization’s infrastructure and a key step in the digital transformation process. Maintaining a high level of security can ensure that data is protected, that customer privacy is protected, and that service continuity is maintained.
Although there is an option to move to the cloud without using the AWS Cloud Adoption Framework, it is not recommended. There is a significant risk that migrating to the cloud may fail and/or not deliver the maximum amount of benefits. For more information on how to effectively use the AWS CAF in a successful cloud migration, please contact our specialists at kontakt@lcloud.pl.