AWS CAF (Cloud Adoption Framework) Security Perspective: Capabilities
1. Security Governance
Develop and communicate security roles, responsibilities, policies, processes and procedures.
Perform a risk assessment of your organization. It helps determine the likelihood and impact of identified risks and vulnerabilities.
2. Security Assurance
Continuously monitor, evaluate, manage and improve the effectiveness of your security and privacy programs.
Establish demonstrable security and privacy controls.
Obtain the cloud vendor's compliance certifications and attestations (#awsartifacts).
3. Identity and Access Management
Manage identities and permissions at scale.
- Rely on a centralized identity provider.
- Leverage user groups and attributes for fine-grained access at scale, and use temporary credentials.
- Use a strong sign-in mechanism (enable multi-factor authentication).
- Don't use the root user unless necessary.
- Apply the principle of least privilege and set permissions boundaries (for example with ABAC policies).
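The least-privilege item above is easiest to act on with a static check that runs before a policy is attached. The linter below is an added example written for this page (a hypothetical helper, not an AWS tool such as IAM Access Analyzer): it flags Allow statements with wildcard actions, an unconditioned `Resource: "*"`, `NotAction`, or IAM write actions on every resource, and is run over two constructed policies, one over-broad and one attribute-based (ABAC) policy that scopes EC2 start/stop to instances whose `project` tag matches the principal's.

```python
"""Least-privilege linter for IAM policy documents.

Hypothetical helper added for this page (not an AWS tool such as IAM Access Analyzer):
it flags Allow statements that grant broader access than the principle of least
privilege permits, and shows an ABAC policy that passes the checks.
"""
import json


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return human-readable findings for over-broad Allow statements."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # explicit Deny statements only narrow access
        sid = stmt.get("Sid", f"Statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        has_condition = bool(stmt.get("Condition"))

        if "NotAction" in stmt:
            findings.append(f"{sid}: NotAction allows every action except those listed")
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild:
            findings.append(f"{sid}: wildcard action(s) {wild}")
        if "*" in resources and not has_condition:
            findings.append(f"{sid}: Resource '*' with no Condition to scope it")
        # Write access to IAM itself on every resource lets a principal grant itself more.
        iam_writes = [a for a in actions
                      if a.startswith("iam:") and not a.startswith(("iam:Get", "iam:List"))]
        if iam_writes and "*" in resources:
            findings.append(f"{sid}: IAM write actions {iam_writes} on all resources "
                            "enable privilege escalation")
    return findings


def lint_policy_json(text):
    """Convenience wrapper for a policy document stored as JSON text."""
    return lint_policy(json.loads(text))


# Constructed sample: a typical "works on the first try" policy that is far too broad.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Sid": "IamWrite", "Effect": "Allow",
         "Action": ["iam:PassRole", "iam:CreateUser"], "Resource": "*"},
    ],
}

# Constructed sample: ABAC policy. The principal may start/stop only EC2 instances whose
# 'project' tag equals the 'project' tag on the principal, so one policy scales across teams.
ABAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ProjectScopedInstanceControl",
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances"],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringEquals": {"aws:ResourceTag/project": "${aws:PrincipalTag/project}"}
            },
        }
    ],
}

if __name__ == "__main__":
    for name, policy in (("BROAD_POLICY", BROAD_POLICY), ("ABAC_POLICY", ABAC_POLICY)):
        print(name, lint_policy(policy) or ["no findings"])
```

Running it reports four findings for the broad policy and none for the ABAC policy. A check like this belongs in the pipeline that deploys IAM policies, so a wildcard never reaches an account unreviewed.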
4. Threat Detection
Understand and identify potential security misconfigurations, threats or unexpected behaviors.
- Leverage deception technology (#honeypots) to gain an understanding of unauthorized users' behavior patterns.
- Mine relevant data sources, then process and analyze the data.
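"Mine relevant data sources" in AWS usually starts with CloudTrail. The block below is an added example (not an AWS service such as GuardDuty) that runs a few detection rules over constructed, trimmed-down CloudTrail-style records: root user activity and a console login without MFA (both tie back to the identity items above), API calls that switch off or alter the trail, and an aggregate rule for repeated failed console logins from one address. Field names follow the CloudTrail record format; the account id, user names and addresses are invented.

```python
"""Threat-detection rules over CloudTrail-style records.

Added example (not an AWS service such as GuardDuty): a handful of rules run over
constructed, trimmed-down CloudTrail events. Field names follow the CloudTrail record
format; the account id, names and IP addresses are invented.
"""
from collections import Counter

# Constructed sample events (only the fields the rules read).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T08:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T08:07:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
] + [
    # three failed console logins from one address within a few minutes
    {"eventTime": f"2024-05-01T08:1{n}:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Failure"}}
    for n in range(3)
]

# CloudTrail API calls that blind or narrow the audit trail; any of them deserves a look.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def _login_result(ev):
    """'Success' or 'Failure' for ConsoleLogin events, None for anything else."""
    return ev.get("responseElements", {}).get("ConsoleLogin")


def run_rules(events, failure_threshold=3):
    """Return one alert dict per rule hit: per-event rules first, then the aggregate rule."""
    alerts = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        who = ident.get("userName") or ident.get("arn", "unknown")
        if ident.get("type") == "Root":
            alerts.append({"rule": "root_activity", "severity": "high",
                           "who": who, "event": ev["eventName"], "time": ev["eventTime"]})
        if ev.get("eventName") == "ConsoleLogin" and _login_result(ev) == "Success" \
                and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            alerts.append({"rule": "console_login_without_mfa", "severity": "high",
                           "who": who, "event": "ConsoleLogin", "time": ev["eventTime"]})
        if ev.get("eventSource") == "cloudtrail.amazonaws.com" \
                and ev.get("eventName") in LOGGING_TAMPER:
            alerts.append({"rule": "logging_tampered", "severity": "high",
                           "who": who, "event": ev["eventName"], "time": ev["eventTime"]})

    # Aggregate rule: repeated failed console logins from the same source address.
    failures = Counter(ev.get("sourceIPAddress") for ev in events
                       if ev.get("eventName") == "ConsoleLogin" and _login_result(ev) == "Failure")
    for ip, count in failures.items():
        if count >= failure_threshold:
            alerts.append({"rule": "console_login_failures", "severity": "medium",
                           "who": ip, "count": count})
    return alerts


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

On the sample data this yields four alerts: two for the root login (root activity and no MFA), one for `StopLogging`, and one for the three failures from 203.0.113.9. In practice the same rules would read events from the trail's S3 bucket or CloudWatch Logs, and a trail-tampering alert should page someone rather than sit in a dashboard.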
5. Vulnerability Management
Continuously identify, classify, remediate and mitigate security vulnerabilities.
- Use red teaming and penetration testing to identify vulnerabilities in your system architecture.
6. Infrastructure protection
Validate that systems and services within your workloads are protected against unintended and unauthorized access and potential vulnerabilities.
- Use defense in depth to layer a series of defensive mechanisms.
- Apply zero trust to your systems and data in accordance with their value.
- Use Virtual Private Cloud (VPC) endpoints for private connections to cloud resources.
7. Data Protection
Maintain visibility and control over data, and how it is accessed and used.
- Classify your data based on criticality and sensitivity.
- Manage the data life cycle.
- Encrypt all data at rest and in transit (data in S3 storage is automatically encrypted).
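The encryption item here and the VPC endpoint item under Infrastructure Protection are both enforced on S3 the same way: an explicit Deny in the bucket policy. The following is an added example, not AWS code: a bucket policy that refuses non-TLS requests, uploads that do not request SSE-KMS, and any access that did not come through a named VPC endpoint, plus a small evaluator (only the Deny statements and the three condition operators used, nothing like IAM's full logic) that shows which statement stops which request. The bucket name and the endpoint id are placeholders.

```python
"""Bucket policy that enforces TLS, KMS encryption on upload, and access only through a
VPC endpoint, with a small evaluator to show which request each Deny statement stops.

Added example, not AWS code. The evaluator covers only the Deny statements and the three
condition operators used here; IAM's real evaluation logic is much larger. The bucket name
and the VPC endpoint id are placeholders.
"""
from fnmatch import fnmatchcase

BUCKET = "example-project-data"          # constructed bucket name
VPCE_ID = "vpce-0123456789EXAMPLE"       # placeholder endpoint id, not a real one

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # data in transit: refuse anything that did not arrive over TLS
            "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # data at rest: uploads must ask for SSE-KMS rather than rely on the bucket default
            "Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
        {   # private connectivity: only requests that came through our VPC endpoint
            "Sid": "DenyAccessOutsideVpcEndpoint", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE_ID}},
        },
    ],
}


def _as_list(value):
    """Policy elements may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _condition_matches(operator, key_values, request):
    """Evaluate one condition block ({key: expected}) against the request context."""
    for key, expected in key_values.items():
        expected = [str(v).lower() for v in _as_list(expected)]
        actual = request.get(key)
        actual = None if actual is None else str(actual).lower()
        if operator in ("Bool", "StringEquals"):
            # a missing key never satisfies a positive operator
            if actual is None or actual not in expected:
                return False
        elif operator == "StringNotEquals":
            # A negated operator also matches when the key is absent from the context,
            # which is why this Deny also stops requests that carry no endpoint id at all.
            if actual is not None and actual in expected:
                return False
        else:
            raise NotImplementedError(f"operator {operator} not modelled here")
    return True


def is_denied(policy, action, resource, request):
    """Return the Sid of the first explicit Deny that applies to the request, else None."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatchcase(action, pattern) for pattern in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, pattern) for pattern in _as_list(stmt["Resource"])):
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_matches(op, kv, request) for op, kv in conditions.items()):
            return stmt["Sid"]
    return None


# Constructed request contexts: the keys are the condition keys S3 populates per request.
OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/reports/q1.csv"
GOOD_REQUEST = {"aws:SecureTransport": "true", "aws:SourceVpce": VPCE_ID,
                "s3:x-amz-server-side-encryption": "aws:kms"}

if __name__ == "__main__":
    cases = [
        ("s3:PutObject", GOOD_REQUEST),
        ("s3:GetObject", {**GOOD_REQUEST, "aws:SecureTransport": "false"}),
        ("s3:PutObject", {"aws:SecureTransport": "true", "aws:SourceVpce": VPCE_ID}),
        ("s3:GetObject", {"aws:SecureTransport": "true"}),
    ]
    for action, ctx in cases:
        print(action, ctx, "->", is_denied(BUCKET_POLICY, action, OBJECT_ARN, ctx))
```

Because the endpoint statement denies every request that lacks the endpoint id, it also shuts out the console and anything outside the VPC, so roll a policy like this out on a test bucket first and keep an administrative path that does go through the endpoint.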
8. Application security
Detect and address security vulnerabilities during the software development process.
- Minimize human intervention by automating security-related tasks.
- Use static code analysis tools to identify common security issues.
9. Incident response
Reduce potential harm by consistently responding to security incidents quickly and effectively.
- Use runbooks and create a library of incident response mechanisms.
- Simulate security events and practice your incident response through tabletop exercises and game days.
- Conduct post-incident analysis to learn from security incidents.