Securing your workloads
Controls and recommendations in this section help you secure the workloads you run in AWS while you are building them. They emphasize secure practices for managing application secrets and scoping access, minimizing the network paths to private resources, and using encryption to protect data in transit and at rest.
This section contains the following topics:
- WKLD.01 – Use IAM roles for compute environment permissions
- WKLD.02 – Restrict credential usage scope with resource-based policies permissions
- WKLD.03 – Use ephemeral secrets or a secrets-management service
- WKLD.04 – Prevent application secrets from being exposed
- WKLD.05 – Detect and remediate exposed secrets
- WKLD.06 – Use Systems Manager instead of SSH or RDP
- WKLD.07 – Log data events for S3 buckets with sensitive data
- WKLD.08 – Encrypt Amazon EBS volumes
- WKLD.09 – Encrypt Amazon RDS databases
- WKLD.10 – Deploy private resources into private subnets
- WKLD.11 – Restrict network access by using security groups
- WKLD.12 – Use VPC endpoints to access supported services
- WKLD.13 – Require HTTPS for all public web endpoints
- WKLD.14 – Use edge-protection services for public endpoints
- WKLD.15 – Define security controls in templates and deploy them by using CI/CD practices