SEC08-BP04 Enforce access control - AWS Well-Architected Framework (2022-03-31)

SEC08-BP04 Enforce access control

Enforce access control with least privileges and mechanisms, including backups, isolation, and versioning, to help protect your data at rest. Prevent operators from granting public access to your data.

Different controls including access (using least privilege), backups (see Reliability whitepaper), isolation, and versioning can all help protect your data at rest. Access to your data should be audited using detective mechanisms covered earlier in this paper including CloudTrail, and service level log, such as Amazon Simple Storage Service (Amazon S3) access logs. You should inventory what data is publicly accessible, and plan for how you can reduce the amount of data available over time. Amazon S3 Glacier Vault Lock and Amazon S3 Object Lock are capabilities providing mandatory access control—once a vault policy is locked with the compliance option, not even the root user can change it until the lock expires. The mechanism meets the Books and Records Management requirements of the SEC, CFTC, and FINRA. For more details, see this whitepaper.

Level of risk exposed if this best practice is not established: Low

Implementation guidance

Resources

Related documents:

Related videos: