The Five Pillars of the Well-Architected Framework
Creating a software system is a lot like constructing a building. If the foundation
is not solid structural problems could undermine the integrity and function of
the building. When architecting technology solutions, if you neglect the five
pillars of security, reliability, performance efficiency, cost optimisation, and
operational excellence it can become challenging to build a system that delivers
on your expectations and requirements. When you incorporate these pillars into
your architecture, it will help you produce stable and efficient systems. This will
allow you to focus on the other aspects of design, such as functional
requirements.
This section describes focuses on the AWS well architected security pillar:
Security Pillar
The Security pillar includes the ability to protect information, systems, and
assets while delivering business value through risk assessments and mitigation
strategies.
Design Principles
In the cloud, there are a number of principles that can help you strengthen your
system security.
- Apply security at all layers: Rather than running security appliances
(e.g., firewalls) only at the edge of your infrastructure, use firewalls and
other security controls on all of your resources (e.g., every virtual
server, load balancer, and network subnet). - Enable traceability: Log and audit all actions and changes to your
environment. - Implement a principle of least privilege: Ensure that authorisation
is appropriate for each interaction with your AWS resources and
implement strong logical access controls directly on resources.
Amazon Web Services – AWS Well-Architected Framework - Focus on securing your system: With the AWS Shared Responsibility
Model you can focus on securing your application, data, and operating
systems, while AWS provides secure infrastructure and services. - Automate security best practices: Software-based security
mechanisms improve your ability to securely scale more rapidly and cost-effectively.
Create and save a patched, hardened image of a virtual server,
and then use that image automatically on each new server you launch.
Create an entire trust zone architecture that is defined and managed in a
template via revision control. Automate the response to both routine and
anomalous security events.
Definition
There are five best practice areas for Security in the cloud:
- Identity and access management
- Detective controls
- Infrastructure protection
- Data protection
- Incident response
Before you architect any system, you need to put in place practices that
influence security. You will want to control who can do what. In addition, you
want to be able to identify security incidents, protect your systems and services,
and maintain the confidentiality and integrity of data through data protection.
You should have a well-defined and practiced process for responding to security
incidents. These tools and techniques are important because they support
objectives such as preventing financial loss or complying with regulatory
obligations.
The AWS Shared Responsibility Model enables organisations that adopt the
cloud to achieve their security and compliance goals. Because AWS physically
secures the infrastructure that supports our cloud services, AWS customers can
focus on using services to accomplish their goals. The AWS Cloud also provides
greater access to security data and an automated approach to responding to
security events.
Best Practices
Identity and Access Management
Identity and access management are key parts of an information security
program, ensuring that only authorised and authenticated users are able to
access your resources, and only in a manner that is intended. For example,
you’ll define principals (users, groups, services, and roles that take action in
your account), build out policies aligned with these principals, and implement
strong credential management. These privilege-management elements form the
core concepts of authentication and authorisation.
In AWS, privilege management is primarily supported by the AWS Identity and
Access Management (IAM) service, which allows customers to control access to
AWS services and resources for users. You can apply granular policies, which
assign permissions to a user, group, role, or resource. You also have the ability
to require strong password practices, such as complexity level, avoiding re-use,
and using multi-factor authentication (MFA). You can use federation with your
existing directory service. For workloads that require systems to have access to
AWS, IAM enables secure access through instance profiles, identity federation,
and temporary credentials.
The following questions focus on privilege management considerations for
security (for a list of security question, answers, and best practices, see the
Appendix).
SEC 1. How are you protecting access to and use of the AWS root account credentials?
SEC 2. How are you defining roles and responsibilities of system users to control human access to the AWS Management Console and API?
SEC 3. How are you limiting automated access to AWS resources? (e.g., applications, scripts, and/or third-party tools or services)
It is critical to keep root account credentials protected, and to this end AWS
recommends attaching MFA to the root account and locking the credentials with
the MFA in a physically secured location. The IAM service allows you to create
and manage other non-root user permissions, as well as establish access levels
to resources.
Detective Controls
You can use detective controls to identify a potential security incident. These
controls are an essential part of governance frameworks, and can be used to
support a quality process, a legal or compliance obligation, and for threat
identification and response efforts. There are different types of detective
controls. For example, conducting an inventory of assets and their detailed
attributes promotes more effective decision making (and lifecycle controls) to
help establish operational baselines. Or you can use internal auditing, an
examination of controls related to information systems, to ensure that practices
meet policies and requirements, and that you have set the correct automated
alerting notifications based on defined conditions. These controls are important
reactive factors that help organisations identify and understand the scope of
anomalous activity.
In AWS you can implement detective controls by processing logs, events and
monitoring that allows for auditing, automated analysis, and alarming. AWS
CloudTrail logs, AWS API calls, and Amazon CloudWatch provide monitoring of
metrics with alarming, and AWS Config provides configuration history. Service
level logs are also available, for example you can use Amazon Simple Storage
Service (S3) to log access requests. Finally Amazon Glacier provides a vault lock
feature to preserve mission-critical data with compliance controls designed to
support auditable long-term retention.
The following question focuses on detective controls considerations for security:
SEC 4. How are you capturing and analysing logs?
Log management is important to a well-architected design for reasons ranging
from security/forensics to regulatory or legal requirements. It is critical that you
analyse logs and respond to them, so that you can identify potential security
incidents. AWS provides functionality that makes log management easier to
implement by giving customers the ability to define a data-retention lifecycle, or
define where data will be preserved, archived, and/or eventually deleted. This
makes predictable and reliable data handling simpler and more cost effective.
Infrastructure Protection
Infrastructure protection includes control methodologies, such as defence in
depth and multi-factor authentication, which are necessary to meet best
practices and industry or regulatory obligations. Use of these methodologies is
critical for successful ongoing operations in either the cloud or on-premises.
In AWS, you can implement stateful and stateless packet inspection, either by
using AWS native technologies or by using partner products and services
available through the AWS Marketplace. You can also use Amazon Virtual
Private Cloud (VPC), to create a private, secured, and scalable environment in
which you can define your topology—including gateways, routing tables, and
public and/or private subnets.
The following questions focus on infrastructure protection considerations for
security:
SEC 5. How are you enforcing network and host-level boundary protection?
SEC 6. How are you leveraging AWS service level security features?
SEC 7. How are you protecting the integrity of the operating systems on your Amazon EC2 instances?
Multiple layers of defence are advisable in any type of environment, and in the
case of infrastructure protection, many of the concepts and methods are valid
across cloud and on-premises models. Enforcing boundary protection,
monitoring points of ingress and egress, and comprehensive logging,
monitoring, and alerting are all essential to an effective information security
plan.
As mentioned in the Design Principles section, AWS customers are able to
tailor, or harden, the configuration of an EC2 instance, and persist this
configuration to an immutable Amazon Machine Image (AMI). Then, whether
triggered by Auto Scaling or launched manually, all new virtual servers
(instances) launched with this AMI receive the hardened configuration.
Data Protection
Before architecting any system, foundational practices that influence security
should be in place. For example, data classification provides a way to categorise
organisational data based on levels of sensitivity and encryption protects data
by rendering it unintelligible to unauthorised access. These tools and techniques
are important because they support objectives such as preventing financial loss
or complying with regulatory obligations.
In AWS, the following practices facilitate protection of data:
- AWS customers maintain full control over their data.
- AWS makes it easier for you to encrypt your data and manage keys, including regular key rotation, which can be easily automated natively by AWS or maintained by a customer.
- Detailed logging that contains important content, such as file access and changes, is available.
- AWS has designed storage systems for exceptional resiliency. As an example, Amazon Simple Storage Service (S3) is designed for 11 nines of durability. (For example, if you store 10,000 objects with Amazon S3, you can on average expect to incur a loss of a single object once every 10,000,000 years.)
- Versioning, which can be part of a larger data lifecycle management process, can protect against accidental overwrites, deletes, and similar harm.
- AWS never initiates the movement of data between regions. Content placed in a region will remain in that region unless the customer explicitly enable a feature or leverages a service that provides that functionality.
The following questions focus on considerations for data security:
SEC 8. How are you classifying your data?
SEC 9. How are you encrypting and protecting your data at rest?
SEC 10. How are you managing keys?
SEC 11. How are you encrypting and protecting your data in transit?
AWS provides multiple means for encryption of data at rest and in transit. We
build features into our products and services that make it easier to encrypt your
data. For example, we have implemented Server Side Encryption (SSE)
for Amazon S3 to make it easier for you to store your data in an encrypted form.
You can also arrange for the entire HTTPS encryption and decryption process
(generally known as SSL termination) to be handled by Elastic Load Balancing.
Incident Response
Even with extremely mature preventive and detective controls, organisations
should still put processes in place to respond to and mitigate the potential
impact of security incidents. The architecture of your workload will strongly
affect the ability of your teams to operate effectively during an incident to
isolate or contain systems and to restore operations to a known-good state.
Putting in place the tools and access ahead of a security incident, then routinely
practicing incident response will make sure the architecture is updated to
accommodate timely investigation and recovery.
In AWS, the following practices facilitate effective incident response:
- Detailed logging is available that contains important content, such as file
access and changes. - Events can be automatically processed and trigger scripts that automate
run books through the use of AWS APIs. - You can pre-provision tooling and a “clean room” using AWS
CloudFormation. This allows you to carry out forensics in a safe, isolated
environment.
The following questions focus on considerations for incident response:
SEC 12. How do you ensure you have the appropriate incident response?
Ensure that you have a way to quickly grant access for your InfoSec team, and
automate the isolation of instances as well at the capturing of data and state for
forensics.
Key AWS Services
The AWS service that is essential to security is AWS Identity and Access
Management (IAM), which allows you to securely control access to AWS
services and resources for your users. The following services and features
support the four areas of security:
Identity and access management: IAM enables you to securely control
access to AWS services and resources. Multi-factor authentication (MFA), adds
an extra layer of protection on top of your user name and password.
Detective controls: AWS CloudTrail records AWS API calls, AWS Config
provides a detailed inventory of your AWS resources and configuration, and
Amazon CloudWatch is a monitoring service for AWS resources.
Infrastructure protection: Amazon Virtual Private Cloud (VPC) lets you
provision a private, isolated section of the AWS Cloud where you can launch
AWS resources in a virtual network.
Data protection: Services such as Elastic Load Balancing, Amazon Elastic
Block Store (EBS), Amazon Simple Storage Service (S3), and Amazon Relational
Database Service (RDS) include encryption capabilities to protect your data in
transit and at rest. AWS Key Management Service (KMS) makes it easier for
customers to create and control keys used for encryption.
Incident response: IAM should be used to grant appropriate authorisation to
incident response teams. Amazon CloudFormation can be used to create a
trusted environment for conducting investigations.