Implementing security controls on AWS
Iqbal Umair, Gurpreet Kaur Cheema, Wasim Hossain, Joseph Nguyen, San Brar, and Lucia Vanta, Amazon Web Services (AWS)
December 2023
Security is critical to every company, and it is a key pillar in the AWS Well-Architected Framework. However, many do not know how to work through security considerations and create a holistic automated security testing and remediation strategy for their cloud environments. By using AWS services and tools, such as AWS Config, Amazon GuardDuty, and AWS CloudFormation, you can create a security testing strategy and build it into your AWS Cloud environments.
Security controls are the technical or administrative guardrails that help you meet your company's security policy and standards by preventing, detecting, or reducing a threat actor's ability to exploit a security vulnerability. They are designed to protect the confidentiality, integrity, and availability of resources and data. The following are examples of security controls:
- Implementing multi-factor authentication for users who need to sign in to an application
- Logging, monitoring, and querying actions so that account activity can be audited in real time
- Making sure that sensitive data is encrypted
- Making sure that logs are stored according to your company's retention policy
There are four types of security controls: preventative, proactive, detective, and responsive. This guide describes each type in more detail and focuses on how to implement and automate these controls in the AWS Cloud. This guide helps you implement security controls that are continuous and proactive.
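The following is an added example, not part of this guide or AWS's own code, showing what a detective control looks like when it is automated: an evaluator in the shape of an AWS Config custom rule, run offline over constructed configuration items for two of the controls listed above (sensitive data encrypted, logs retained per policy). The attribute paths it reads (ServerSideEncryptionConfiguration under supplementaryConfiguration for AWS::S3::Bucket, retentionInDays under configuration for AWS::Logs::LogGroup), the 365-day retention policy, and the sample resource names are assumptions for this illustration; verify the paths against the configuration items your own recorder produces before depending on them.

```python
"""Detective control in the shape of an AWS Config custom rule evaluation.

Constructed example for this guide, not AWS code. It evaluates configuration
items offline and returns records in the Evaluation shape that a Lambda-backed
custom rule would pass to config.put_evaluations(). The attribute paths below
and the retention policy of 365 days are assumptions.
"""
from typing import Any

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"

# Assumed company policy: CloudWatch log groups keep data for at least a year.
MIN_LOG_RETENTION_DAYS = 365


def check_bucket_encryption(item: dict[str, Any]) -> tuple[str, str]:
    """Control: sensitive data at rest is encrypted (S3 default encryption)."""
    # Assumed path: AWS Config records default encryption here for S3 buckets.
    sse = item.get("supplementaryConfiguration", {}).get(
        "ServerSideEncryptionConfiguration"
    )
    rules = (sse or {}).get("rules") or []
    algorithms = {
        rule.get("applyServerSideEncryptionByDefault", {}).get("sseAlgorithm")
        for rule in rules
    }
    if algorithms & {"AES256", "aws:kms"}:
        found = ", ".join(sorted(a for a in algorithms if a))
        return COMPLIANT, f"default encryption enabled ({found})"
    return NON_COMPLIANT, "no default server-side encryption configured"


def check_log_retention(item: dict[str, Any], minimum_days: int) -> tuple[str, str]:
    """Control: logs are retained according to the company retention policy."""
    # Assumed path: retentionInDays is absent when the log group never expires.
    retention = item.get("configuration", {}).get("retentionInDays")
    if retention is None:
        # "Never expire" is not an explicitly managed window, so flag it for review.
        return NON_COMPLIANT, "retention not set; policy requires an explicit period"
    if retention < minimum_days:
        return NON_COMPLIANT, f"retention is {retention} days; policy minimum is {minimum_days}"
    return COMPLIANT, f"retention is {retention} days"


def evaluate(item: dict[str, Any], minimum_days: int = MIN_LOG_RETENTION_DAYS) -> dict[str, Any]:
    """Map one configuration item to an Evaluation record."""
    resource_type = item.get("resourceType", "")
    if resource_type == "AWS::S3::Bucket":
        compliance, note = check_bucket_encryption(item)
    elif resource_type == "AWS::Logs::LogGroup":
        compliance, note = check_log_retention(item, minimum_days)
    else:
        compliance, note = NOT_APPLICABLE, f"no control defined for {resource_type}"
    return {
        "ComplianceResourceType": resource_type,
        "ComplianceResourceId": item.get("resourceId", ""),
        "ComplianceType": compliance,
        "Annotation": note[:256],  # put_evaluations limits Annotation to 256 chars
        "OrderingTimestamp": item.get("configurationItemCaptureTime", ""),
    }


def non_compliant_ids(items: list[dict[str, Any]]) -> list[str]:
    """Resource IDs that fail a control, in recorder order (feeds remediation)."""
    return [
        result["ComplianceResourceId"]
        for result in map(evaluate, items)
        if result["ComplianceType"] == NON_COMPLIANT
    ]


# Constructed configuration items standing in for recorder output.
SAMPLE_ITEMS = [
    {
        "resourceType": "AWS::S3::Bucket",
        "resourceId": "finance-exports",
        "configurationItemCaptureTime": "2023-12-01T10:00:00.000Z",
        "supplementaryConfiguration": {
            "ServerSideEncryptionConfiguration": {
                "rules": [{"applyServerSideEncryptionByDefault": {"sseAlgorithm": "aws:kms"}}]
            }
        },
    },
    {
        "resourceType": "AWS::S3::Bucket",
        "resourceId": "scratch-uploads",
        "configurationItemCaptureTime": "2023-12-01T10:00:00.000Z",
        "supplementaryConfiguration": {},
    },
    {
        "resourceType": "AWS::Logs::LogGroup",
        "resourceId": "/aws/lambda/payments",
        "configurationItemCaptureTime": "2023-12-01T10:00:00.000Z",
        "configuration": {"retentionInDays": 30},
    },
    {
        "resourceType": "AWS::EC2::Instance",
        "resourceId": "i-0123456789abcdef0",
        "configurationItemCaptureTime": "2023-12-01T10:00:00.000Z",
        "configuration": {},
    },
]

if __name__ == "__main__":
    for result in map(evaluate, SAMPLE_ITEMS):
        print(f"{result['ComplianceType']:<14} {result['ComplianceResourceType']} "
              f"{result['ComplianceResourceId']}: {result['Annotation']}")
```

In a deployed rule the same `evaluate` function would run inside the Lambda handler over the configuration item carried in the Config event, and the returned records would be sent with `put_evaluations`; keeping the control logic separate from the AWS calls, as here, is what makes it testable offline and reusable by a responsive (remediation) step that consumes `non_compliant_ids`.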
Intended audience
This guide is intended for architects and security engineers who are responsible for implementing security controls in the AWS Cloud. If your company has not defined a security policy, control objectives, or standards, as described in Security controls in the governance framework, we recommend that you complete these governance tasks before proceeding with this guide.