Security in the AWS Well-Architected Framework

yesterday, we took a look at the Operational Excellence pillar of the @awscloud Well-Architected Framework

today, my personal favourite, the Security Pillar

☁️ #cloud #devops

@marknca tweeted at 23-Nov-2021, 20:21

this thread is available unrolled at https://markn.ca/2021/security-in-the-aws-well-architected-framework/

…and yesterdays is up at https://markn.ca/2021/operational-excellence-in-the-aws-well-architected-framework/

☁️ #cloud #devops

@marknca tweeted at 23-Nov-2021, 20:21

one of the reasons I ❤️ the Well-Architected Framework so much is that it presents #security in CONTEXT

it’s not an isolated activity but one that must be considers next to the other four pillars. you need to find a balance here…the framework helps

☁️ #cloud #devops

@marknca tweeted at 23-Nov-2021, 20:21

there are formal definitions of the various types of security (cyber, information, physical, & operational) but I like the catch all:

To make sure that your systems work as intended and ONLY as intended

☁️ #cloud #devops

@marknca tweeted at 23-Nov-2021, 20:21

… it’s simple to understand in that context. all of these processes and controls we put in place are there to make sure that things work the way to expect and ONLY that way

that covers everything from attacks to mistakes. also, it’s more positive

☁️ #cloud #devops

@marknca tweeted at 23-Nov-2021, 20:21

…I cannot stand the conflict/FUD oriented view of security. yes there are malicious actors out there but security is so much more than that

besides, if you’re only ever trying to STOP things, you won’t see the other advantages, like building reslience

☁️ #cloud #devops

@marknca tweeted at 23-Nov-2021, 20:21

so, the Framework does use a formal definition (my rant aside). it states that security is, “the ability to protect data, systems, and assets to take advantage of cloud technologies.”

yawn

☁️ #cloud #devops

@marknca tweeted at 23-Nov-2021, 20:21

this pillar is broken down into five areas:

• identity & access
• detective controls
• infrastructure protection
• data protection
• incident response

☁️ #cloud #devops

@marknca tweeted at 23-Nov-2021, 20:21

in simple terms, those areas end up being:

• identity & access == who can do what, when?

• detective controls == is this normal?

• infrastructure protection == boundaries & chokepoints

☁️ #cloud #devops

@marknca tweeted at 23-Nov-2021, 20:21

…

• data protection == classification, management, & encryption

• incident response == +fan, time to contain & restore

☁️ #cloud #devops

@marknca tweeted at 23-Nov-2021, 20:21

like every pillar, this one has some key principles:

• identities have the least amount of privileges required
• know who did what, when
• security is a part of everything
• automate all tasks
• encrypt at rest & in transit
• prepare for the worst

☁️ #cloud #devops

@marknca tweeted at 23-Nov-2021, 20:21

you can read the whole Security pillar here: https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html

there’s a lot more in that document and in the references. but, like anything in the framework, Gamedays and practice will help you understand these concepts the best

/ ☁️ #cloud #devops

@marknca tweeted at 23-Nov-2021, 20:21

Start