How do you securely operate your workload?

Security is one of the main areas to get right when looking to achieve business success in the cloud. To operate your workload securely, best practices have to be applied to every area of security. You’ll be one step closer to achieving this by staying up to date with industry recommendations and threat intelligence, so that you can continually improve your threat model and control objectives. One of your main goals when it comes to security should always be automation: automating security processes, testing, and validation will allow you to scale your security operations when needed. In this article, we’ll discuss a series of AWS-recommended best practices to securely operate your workload.


Separating workloads using accounts

Your workloads should be organized into separate accounts, with accounts grouped by function or by a common set of controls rather than mirroring your company’s reporting structure. To achieve this, keep security and infrastructure requirements in mind from the start. This will enable your organization to set common guardrails as your workloads grow. You can put this into practice by using AWS Organizations to enforce policy-based management across your multiple AWS accounts.
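As an added illustration of what a policy-based guardrail looks like (this is example code, not from the article or from AWS), the following Python holds a constructed service control policy that denies actions outside two approved regions and a minimal evaluator for the two condition operators that policy uses; the exempt role name and the account ID in the usage are placeholders.

```python
import fnmatch

# Constructed example SCP (not from the article or AWS): deny every action outside
# two approved regions, except global services (NotAction) and one exempt role.
REGION_GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"],
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "us-east-1"]},
            "ArnNotLike": {"aws:PrincipalARN": "arn:aws:iam::*:role/OrgAutomation"},
        },
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob_any(value, patterns):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _statement_covers(stmt, action):
    # "Action" lists what applies; "NotAction" applies to everything else. IAM action names are case-insensitive.
    action = action.lower()
    if "Action" in stmt:
        return _glob_any(action, [p.lower() for p in _as_list(stmt["Action"])])
    return not _glob_any(action, [p.lower() for p in _as_list(stmt["NotAction"])])

def _condition_holds(cond, ctx):
    # Only the two condition operators used by the sample SCP are modelled.
    for op, pairs in cond.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key, "")
            if op == "StringNotEquals" and actual in _as_list(wanted):
                return False
            if op == "ArnNotLike" and _glob_any(actual, wanted):
                return False
    return True

def scp_denies(scp, action, ctx):
    """True if any Deny statement in the SCP matches this request context."""
    return any(
        stmt["Effect"] == "Deny"
        and _statement_covers(stmt, action)
        and _condition_holds(stmt.get("Condition", {}), ctx)
        for stmt in scp["Statement"]
    )
```

The evaluator is deliberately partial: real SCP evaluation also involves the allow list inherited from parent OUs and many more condition operators, so treat it as a way to reason about a guardrail before attaching it, not as a policy simulator.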


Useful resources:

Getting started with AWS Organizations

How to use service control policies to set permission guardrails across accounts in your AWS Organization


Securing AWS accounts

The security of access to your accounts should not be underestimated. You can secure access to your AWS accounts by, for instance, enabling MFA, restricting the use of the root user, and configuring account contacts. AWS Organizations is a great tool to make sure you have control of AWS account management policies. In addition, you should limit the use of the AWS root user to tasks that specifically require it. Further secure the root user by periodically changing the root user password and enabling notifications for any time the root user is used. You should also consider using CloudFormation StackSets, which can deploy resources, including IAM policies, roles, and groups, into different AWS accounts from an approved template.
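To make the "notify whenever the root user is used" point concrete, here is an added example (not from the article or AWS) that classifies constructed CloudTrail records: it separates genuine root activity from service calls made on the account's behalf and raises severity when no MFA was involved. The EventBridge pattern is included to show how the same selection would be expressed for a notification rule; the account ID and IP addresses are made up.

```python
# Constructed CloudTrail records (not real logs), one per case the check must
# tell apart: a root console login without MFA, a root API call from an MFA
# session, an AWS service acting as the account, and an ordinary IAM user call.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "sourceIPAddress": "203.0.113.10", "additionalEventData": {"MFAUsed": "No"},
     "userIdentity": {"type": "Root", "accountId": "111122223333"}},
    {"eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "accountId": "111122223333",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "sourceIPAddress": "autoscaling.amazonaws.com",
     "userIdentity": {"type": "Root", "accountId": "111122223333",
                      "invokedBy": "autoscaling.amazonaws.com"}},
    {"eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111122223333"}},
]

# EventBridge event pattern selecting the same events, for forwarding to SNS.
ROOT_EVENT_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail", "AWS Console Sign In via CloudTrail"],
    "detail": {"userIdentity": {"type": ["Root"]}},
}

def is_root_activity(event):
    """Root user activity driven by a person or a key, not by an AWS service."""
    ident = event.get("userIdentity", {})
    return ident.get("type") == "Root" and "invokedBy" not in ident

def mfa_used(event):
    # Console sign-ins record MFA in additionalEventData; API calls made from a
    # session record it in the session context attributes.
    if event.get("eventName") == "ConsoleLogin":
        return event.get("additionalEventData", {}).get("MFAUsed") == "Yes"
    attrs = event.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"

def root_findings(events):
    """One finding per root-user event, escalated when no MFA was involved."""
    return [{
        "account": ev["userIdentity"].get("accountId"),
        "event": ev.get("eventName"),
        "ip": ev.get("sourceIPAddress"),
        "severity": "high" if mfa_used(ev) else "critical",
    } for ev in events if is_root_activity(ev)]
```

The EventBridge pattern alone also matches service-initiated events carrying invokedBy, so the invokedBy filter in is_root_activity is what keeps the notification from being noisy.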


Useful resources:

Getting started with AWS Organizations

How to use service control policies to set permission guardrails across accounts in your AWS Organization

Root user

How to receive notifications when your AWS account's root access keys are used

Use CloudFormation StackSets


Identifying and validating control objectives

You should always maintain an up-to-date model of your compliance requirements and identified risks. Compliance requirements might include organizational, legal, and other requirements associated with your workload. This model can serve as the base upon which you create and validate the control objectives and controls that you intend to apply to your workload. Control objectives and controls should be validated continuously, which will help you measure the effectiveness of your risk mitigation strategies.


Keeping up to date with security threats

Most of the battle when it comes to security is having enough knowledge to prepare for threats in advance and either prevent them or put measures in place to mitigate their impact. It’s key to remain up to date with the latest security threats, which will allow you to accurately recognize attack vectors and help you define and implement appropriate controls. One way to achieve this is by subscribing to threat intelligence resources relevant to the technologies used in your workload. AWS best practices also recommend the use of AWS Shield, an advanced service that provides close to real-time visibility into intelligence sources, if your workload is accessible from the internet.


Useful resources:

Common Vulnerabilities and Exposures List

AWS Shield


Keeping up to date with security recommendations

As mentioned before, knowledge helps more than you might imagine when it comes to security. By staying up to date with AWS and industry security recommendations, you will be in a better position to evolve the security model around your workload. AWS regularly publishes security updates with new recommendations, tips, and tricks.


Useful resources:

AWS security blog

AWS service documentation


Automating testing and validation of security controls in pipelines

As part of your build pipelines and procedures, you must establish secure baselines and templates against which security mechanisms can be tested and validated. You can maximize the results of your efforts by using tools and automation to validate all security controls continuously. One way to achieve this is, for example, to scan items such as machine images and infrastructure-as-code templates for security vulnerabilities and irregularities.
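As an added example of scanning an infrastructure-as-code template in a pipeline (example code, not from the article or from any AWS tool), the following Python checks a constructed CloudFormation template, supplied already parsed into a dict, for three defects a pipeline gate would block: an administrative port open to the world, a bucket without an explicit default-encryption setting, and an IAM policy allowing any action on any resource. Intrinsic functions such as Ref are left unresolved and fall back to conservative defaults.

```python
# Constructed CloudFormation template (JSON form, not from the article) with three
# defects a pipeline gate should block; the "Data" bucket is the compliant case.
TEMPLATE = {"Resources": {
    "AdminSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "admin", "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
    "Logs": {"Type": "AWS::S3::Bucket", "Properties": {"BucketName": "example-logs"}},
    "Data": {"Type": "AWS::S3::Bucket", "Properties": {"BucketEncryption": {
        "ServerSideEncryptionConfiguration": [{"ServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms"}}]}}},
    "GodRole": {"Type": "AWS::IAM::Role", "Properties": {"AssumeRolePolicyDocument": {},
        "Policies": [{"PolicyName": "all", "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}},
}}

ADMIN_PORTS = {22, 3389}
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _port(value, default):
    # Ports may be ints, numeric strings or intrinsic functions; the last stay unresolved.
    try:
        return int(value)
    except (TypeError, ValueError):
        return default

def scan_template(template):
    """Return (logical_id, issue) pairs for the three checks modelled here."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                cidr = rule.get("CidrIp", rule.get("CidrIpv6"))
                lo, hi = _port(rule.get("FromPort"), 0), _port(rule.get("ToPort"), 65535)
                if isinstance(cidr, str) and cidr in OPEN_CIDRS and any(lo <= p <= hi for p in ADMIN_PORTS):
                    findings.append((name, "admin port open to the world"))
        elif rtype == "AWS::S3::Bucket" and "BucketEncryption" not in props:
            findings.append((name, "no explicit default encryption"))
        elif rtype in ("AWS::IAM::Role", "AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            docs = [p["PolicyDocument"] for p in props.get("Policies", [])]
            docs += [props["PolicyDocument"]] if "PolicyDocument" in props else []
            for stmt in (s for d in docs for s in _as_list(d.get("Statement", []))):
                if (stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Action", []))
                        and "*" in _as_list(stmt.get("Resource", []))):
                    findings.append((name, "policy allows any action on any resource"))
    return findings
```

A non-empty findings list is what the pipeline step would turn into a failed build; the same three checks are among the rules that AWS Config can evaluate against deployed resources, which is why scanning the template first catches the problem earlier and cheaper.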


Useful resources:

AWS Systems Manager

AWS CloudFormation

Set Up a CI/CD Pipeline on AWS


Identifying and prioritizing risks using a threat model

The best way to identify and stay up to date with potential threats is to maintain a threat model that includes a register of all potential risks. This will allow you to prioritize threats and adapt your security controls to prevent, detect, and respond appropriately. Your threat model should be revisited regularly to keep it relevant in the context of an evolving security landscape.


Useful resources:

NIST: Guide to Data-Centric System Threat Modeling


Evaluating and implementing new security services and features regularly

It’s wonderful news that AWS and APN Partners are constantly releasing new features and services to help you evolve the security posture of your workload. You should take the necessary steps to make sure you’re taking full advantage of them. This can be done by planning regular reviews of compliance requirements, evaluating new AWS security features and services, and staying up to date with industry news.


Useful resources:

AWS security blog

AWS security bulletins

Remediating non-compliant AWS resources by AWS Config Rules