AWS on Well-Architected Security

With rising numbers of businesses turning to AWS, Amazon has published a series of resources on cybersecurity best practices. Amazon Well-Architected Labs are hands-on war games and practical code that you can use to teach yourself or your IT team self-defense for the modern business. If you have an AWS account, you can access them on this website or on Github. You can also use their Well-Architected Tool, which has been public since 2014, to review your system or a proposed upgrade at no charge to you. But before you dive into those resources, let’s have a look at what Amazon coders consider best practices for building and maintaining a well-architected security plan.

The Five Pillars

Amazon coders identify five pillars of good web architecture: operational excellence, security, reliability, performance efficiency, and cost optimization. Ideally, you should think about those elements in that order. First, focus on building a system that works, then, as a close second, make sure it’s hacker-proof. Only when those elements are in place should you worry about making your system more reliable, more efficient, and more budget-friendly.

Fixing a Bad System

So you’ve inherited an e-commerce system with bad security. Or you’ve tried to save money by building one yourself, or by hiring a cheap contractor. When you ran your system through the Well-Architected Tool, you saw more problems than you had the time or money to fix. How do you prioritize your problems to get into acceptable shape?

The issues you should look at first are the ones that have to do with identity and access management (IAM). Don’t use shared root credentials, and make sure it’s hard to impersonate an admin. Next, try to find an automated system that can fix as many of your other problems as possible. Your third move should be to turn on AWS’s detective services, like CloudTrail and GuardDuty, as low-cost ways of patching security flaws. Finally, get a plan in place for a security breach. This isn’t the plan a cybersecurity geek would recommend, but it’s a practical guide for business owners who just need to get their web systems in good enough shape.

Keeping People Away from Data

AWS bases its recommendation around a number of design principles, basic goals that it wants all its clients to follow. Most, like “Protect data in transit and at rest” and “Enable traceability” don’t come as a surprise to clients. However, one that tends to catch people off-guard is “Keep people away from data.” Surely the point of data is that it should be shared?

Not really, say security experts. In fact, people are data’s natural enemy. Unnecessary access to data causes it to get corrupted, unintentionally deleted, and accidentally shared. Security is easiest when data is on the virtual shelf.

Responding to Incidents

AWS recommends using their security service, GuardDuty, as a starting point for incident detection. It will detect problems like bitcoin mining that some similar services miss. If you use GuardDuty, which has a one-month free trial, be sure to turn on alerts so that you’re made aware of incidents in real time.

Once you’ve activated GuardDuty, build a security breach playbook for your organization. Make sure you have plans in place for all common issues, written down and accessible to your whole team. The plans should cover gathering relevant information, identifying the potential source of failure, isolating faults, and determining the root causes of issues. You can write these up in markdown language and store them in your source code, so you never forget to update them. If you have time, AWS recommends spending one day a month on “Game Days,” in which your team picks a common incident from your GuardDuty findings and has fun coming up with a playbook together. If you have a big team, you can divide up and make it into a competition with prizes.

Bear these best practices in mind as you and your team make your way through AWS’s tools. Building a well-architected framework doesn’t have to be expensive or time-consuming. It just has to work.

To learn more about building up the online side of your business in a safe and practical way, contact us.


You may also like

security pillar

What is the Security Pillar of AWS Well-Architected Framework

governance and automation

Enabling AWS Adoption at Scale with Governance and Automation

Security on AWS

Automate your security on AWS