## Design Principles

- **Implement a strong identity foundation**
- **Maintain traceability**
- **Apply security at all layers**
- **Automate security best practices**
- **Protect data in transit and at rest**
- **Keep people away from data**
- **Prepare for security events**

## Best Practice Areas

### Security Foundations

- Secure workload operation in AWS involves applying best practices, automating security, staying up to date, and segregating workloads by account.

### Identity and Access Management

- Human vs. machine identities, each with tailored access controls
- [[Principle of least privilege]]
- Temporary credentials
- Security best practices such as strong passwords and MFA

### Detection

- Use logging and monitoring tools such as [[CloudTrail]], [[CloudWatch]], [[Config]], and [[GuardDuty]] for security event detection, analysis, and response; they also aid compliance and threat identification.

### Infrastructure Protection

- Infrastructure protection in AWS relies on defense in depth and control methods, using [[NACL vs Security Groups Cheatsheet]] and packet inspection.
- AWS promotes layered defense for network and compute resources, with options to harden compute configurations against threats.

### Data Protection

- Foundational security practices such as data classification (by criticality and sensitivity)
- Encryption at rest and in transit: server-side encryption for S3, [[SSL termination]] for [[Elastic Load Balancing (ELB)]], encryption key management, detailed logging, resilient storage ([[Simple Storage Service (S3)]] with 99.999999999% durability), versioning for data integrity, strict regional data storage policies, etc.

### Incident Response

- Detailed logging
- Automated response tools
- [[CloudFormation]] for forensics in a "clean room"
- Rapidly investigate, respond to, and recover from security incidents with minimal operational disruption.
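The Identity and Access Management bullets above ask for least privilege, but the note does not show what checking it looks like. The following is an added example, not code from the AWS whitepaper this note summarizes: a small static linter for IAM policy documents that flags wildcard actions, unscoped resources, `NotAction`/`NotResource` grants, and sensitive actions granted without a `Condition`. The policy documents and the `SENSITIVE_ACTIONS` list are constructed for the example, and the heuristics are assumptions to tune per environment, not AWS's own rules.

```python
"""Static least-privilege check for IAM policy documents (added example).

The policies below are constructed samples; the checks are simple heuristics
a pipeline could run before a policy is attached to a role.
"""
import json
from fnmatch import fnmatch

# Actions that should not be granted to a workload role without a Condition.
# Constructed list for this example; extend it for your own environment.
SENSITIVE_ACTIONS = ("iam:*", "sts:AssumeRole", "s3:PutBucketPolicy", "kms:*")


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json: str) -> list[str]:
    """Return human-readable findings for a policy document; empty means clean."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        sid = stmt.get("Sid", f"Statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        has_condition = bool(stmt.get("Condition"))

        for action in actions:
            if action == "*":
                findings.append(f"{sid}: Action '*' grants every API call")
            elif action.endswith(":*"):
                findings.append(f"{sid}: Action '{action}' grants a whole service")
            elif any(fnmatch(action, pat) for pat in SENSITIVE_ACTIONS) and not has_condition:
                findings.append(f"{sid}: sensitive action '{action}' without a Condition")

        if "*" in resources:
            findings.append(f"{sid}: Resource '*' is not scoped to specific ARNs")

        if stmt.get("NotAction") or stmt.get("NotResource"):
            findings.append(f"{sid}: NotAction/NotResource allows everything except the listed items")
    return findings


# Constructed sample policies.
OVERLY_BROAD = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AdminLike", "Effect": "Allow", "Action": "*", "Resource": "*"}],
})

PASS_ROLE_WIDE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PassAnyRole", "Effect": "Allow",
                   "Action": "iam:PassRole", "Resource": "*"}],
})

SCOPED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadReports",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-reports-bucket",
                     "arn:aws:s3:::example-reports-bucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "true"}},
    }],
})

if __name__ == "__main__":
    for name, doc in (("OVERLY_BROAD", OVERLY_BROAD),
                      ("PASS_ROLE_WIDE", PASS_ROLE_WIDE),
                      ("SCOPED", SCOPED)):
        print(name, lint_policy(doc) or ["no findings"])
```

The `SCOPED` policy is the shape the least-privilege principle calls for: specific actions, specific ARNs, and a condition (here, requiring TLS) on top. Pair a check like this with temporary credentials from STS rather than long-lived access keys, as the section above recommends.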
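The Detection, Infrastructure Protection and Incident Response sections above all depend on reading CloudTrail records, so here is an added example (not code from the AWS whitepaper) of three detection rules run over a constructed CloudTrail log: root account activity, a console login that succeeded without MFA, and a security group ingress rule opened to `0.0.0.0/0` or `::/0`. The records are constructed samples with only the fields the rules read filled in; the account id, group id and IP addresses are placeholders.

```python
"""Detection rules over CloudTrail records (added example).

The log below is a constructed sample shaped like a CloudTrail log file
({"Records": [...]}), with only the fields these rules inspect filled in.
"""
import json

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def load_records(raw_json: str) -> list[dict]:
    """CloudTrail log files delivered to S3 wrap events in {"Records": [...]}."""
    return json.loads(raw_json).get("Records", [])


def rule_root_activity(ev):
    """Any API call made with the root account is worth an alert."""
    if ev.get("userIdentity", {}).get("type") == "Root":
        return f"root account used for {ev.get('eventName')} from {ev.get('sourceIPAddress')}"
    return None


def rule_console_login_no_mfa(ev):
    """Successful ConsoleLogin where additionalEventData.MFAUsed is not 'Yes'."""
    if (ev.get("eventName") == "ConsoleLogin"
            and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        user = ev.get("userIdentity", {}).get("userName", "<unknown>")
        return f"console login without MFA for {user}"
    return None


def rule_world_open_ingress(ev):
    """AuthorizeSecurityGroupIngress with an IPv4 or IPv6 range open to everyone."""
    if ev.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None
    params = ev.get("requestParameters", {})
    for perm in params.get("ipPermissions", {}).get("items", []):
        ranges = (perm.get("ipRanges", {}).get("items", [])
                  + perm.get("ipv6Ranges", {}).get("items", []))
        for rng in ranges:
            cidr = rng.get("cidrIp") or rng.get("cidrIpv6")
            if cidr in WORLD_CIDRS:
                return (f"{params.get('groupId')} opened "
                        f"{perm.get('ipProtocol')}/{perm.get('fromPort')} to {cidr}")
    return None


RULES = [rule_root_activity, rule_console_login_no_mfa, rule_world_open_ingress]


def evaluate(events: list[dict]) -> list[tuple[str, str]]:
    """Run every rule over every event; return (rule name, message) pairs."""
    alerts = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                alerts.append((rule.__name__, msg))
    return alerts


# Constructed sample log: placeholder account id, group id and addresses.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "Root"},
     "sourceIPAddress": "203.0.113.11"},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/deploy/ci"},
     "requestParameters": {
         "groupId": "sg-0123456789abcdef0",
         "ipPermissions": {"items": [{
             "ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
     "sourceIPAddress": "203.0.113.12"},
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "AssumedRole"},
     "sourceIPAddress": "10.0.1.5"},
]})

if __name__ == "__main__":
    for name, msg in evaluate(load_records(SAMPLE_LOG)):
        print(f"[{name}] {msg}")
```

In production these rules would run on CloudTrail events delivered through CloudWatch or an S3 trigger and feed the automated response tooling mentioned under Incident Response; the point of the example is the record shape each rule keys on (`userIdentity.type`, `additionalEventData.MFAUsed`, `requestParameters.ipPermissions`), which is what you need to know before writing a detection.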
### Application Security (AppSec)

- Incorporate application security by training teams, automating testing, understanding build infrastructures, and continuously validating security throughout the development and deployment lifecycle to prevent production issues.

The [[AWS Shared Responsibility Model]] helps organizations that adopt the cloud achieve their security and compliance goals.

## References

[Security Pillar Whitepaper](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html?ref=wellarchitected-wp)