SEC01-BP06 Automate deployment of standard security controls - AWS Well-Architected Framework

SEC01-BP06 Automate deployment of standard security controls

Apply modern DevOps practices as you develop and deploy security controls that are standard across your AWS environments.  Define standard security controls and configurations using Infrastructure as Code (IaC) templates, capture changes in a version control system, test changes as part of a CI/CD pipeline, and automate the deployment of changes to your AWS environments.

Desired outcome: IaC templates capture standardized security controls and are committed to a version control system.  CI/CD pipelines are in place that detect changes and automate testing and deployment to your AWS environments.  Guardrails are in place to detect and alert on misconfigurations in templates before proceeding to deployment.  Workloads are deployed into environments where standard controls are in place.  Teams have access to deploy approved service configurations through a self-service mechanism.  Secure backup and recovery strategies are in place for control configurations, scripts, and related data.

Common anti-patterns:

  • Making changes to your standard security controls manually, through a web console or command-line interface.

  • Relying on individual workload teams to manually implement the controls a central team defines.

  • Relying on a central security team to deploy workload-level controls at the request of a workload team.

  • Allowing the same individuals or teams to develop, test, and deploy security control automation scripts without proper separation of duties or checks and balances. 

Benefits of establishing this best practice: Using templates to define your standard security controls allows you to track and compare changes over time using a version control system.  Using automation to test and deploy changes creates standardization and predictability, increasing the chances of a successful deployment and reducing manual repetitive tasks.  Providing a self-serve mechanism for workload teams to deploy approved services and configurations reduces the risk of misconfiguration and misuse. This also helps them to incorporate controls earlier in the development process.

Level of risk exposed if this best practice is not established: Medium

Implementation guidance

When following the practices described in SEC01-BP01 Separate workloads using accounts, you will end up with multiple AWS accounts for different environments that you manage using AWS Organizations.  While each of these environments and workloads may need distinct security controls, you can standardize some security controls across your organization.  Examples include integrating centralized identity providers, defining networks and firewalls, and configuring standard locations for storing and analyzing logs.  In the same way you can use infrastructure as code (IaC) to apply the same rigor of application code development to infrastructure provisioning, you can use IaC to define and deploy your standard security controls as well.

Wherever possible, define your security controls in a declarative way, such as in AWS CloudFormation, and store them in a source control system.  Use DevOps practices to automate the deployment of your controls for more predictable releases, to test them automatically with tools like AWS CloudFormation Guard, and to detect drift between your deployed controls and your desired configuration.  You can use services such as AWS CodePipeline, AWS CodeBuild, and AWS CodeDeploy to construct a CI/CD pipeline.  Consider the guidance in Organizing Your AWS Environment Using Multiple Accounts to configure these services in their own accounts, separate from other deployment pipelines, so that a compromise of a workload pipeline does not give an attacker control over the pipeline that deploys your security controls.

You can also define templates to standardize how AWS accounts, services, and configurations are defined and deployed.  This technique allows a central security team to manage these definitions and provide them to workload teams through a self-service approach.  One way to achieve this is by using Service Catalog, where you can publish templates as products that workload teams can incorporate into their own pipeline deployments.  If you are using AWS Control Tower, some templates and controls are available as a starting point.  Control Tower also provides the Account Factory capability, allowing workload teams to create new AWS accounts using the standards you define.  This capability helps remove the dependency on a central team to approve and create new accounts when workload teams identify a need for them.  You may need these accounts to isolate different workload components based on reasons such as the function they serve, the sensitivity of the data being processed, or their behavior.

Implementation steps

  1. Determine how you will store and maintain your templates in a version control system.

  2. Create CI/CD pipelines to test and deploy your templates.  Define tests that check for misconfigurations and verify that templates adhere to your company standards, and fail the pipeline before the deploy stage when a test does not pass.

  3. Build a catalog of standardized templates for workload teams to deploy AWS accounts and services according to your requirements.

  4. Implement secure backup and recovery strategies for your control configurations, scripts, and related data.
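A minimal version of the pipeline test stage in step 2 above, and of the template checks that the implementation guidance attributes to AWS CloudFormation Guard, as an added example.  This is not AWS code and does not use Guard's rule language; it is a stand-alone Python guardrail that a CI job could run on a parsed JSON CloudFormation template before the deploy stage.  The three standards it enforces are assumed company standards chosen for illustration (encrypted, non-public S3 buckets; no SSH or RDP open to the internet; no wildcard IAM grants), and the two templates it checks are constructed inline.

```python
# Added example, not AWS code and not CloudFormation Guard syntax: a stand-alone
# pre-deployment guardrail for a JSON CloudFormation template, run by a CI stage
# on every commit. It enforces three assumed company standards (hypothetical):
#   1. every S3 bucket declares BucketEncryption and blocks all public access;
#   2. no security group opens SSH (22) or RDP (3389) to 0.0.0.0/0 or ::/0;
#   3. no IAM Allow statement grants Action "*" on Resource "*".
# Intrinsic functions (Ref, Fn::*) are not resolved: values are read as literals.
import json
import sys

ADMIN_PORTS = {22, 3389}
ANY_CIDR = {"0.0.0.0/0", "::/0"}
PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")


def _as_list(value):  # IAM and CloudFormation accept a scalar where a list is allowed
    return value if isinstance(value, list) else [value]


def check_s3_bucket(name, props):
    findings = []
    if "BucketEncryption" not in props:
        findings.append(f"{name}: S3 bucket has no BucketEncryption")
    pab = props.get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(k) is True for k in PAB_KEYS):
        findings.append(f"{name}: S3 bucket does not block all public access")
    return findings


def check_security_group(name, props):
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr not in ANY_CIDR:
            continue
        all_ports = str(rule.get("IpProtocol")) == "-1"  # -1 means every protocol and port
        lo, hi = (0, 65535) if all_ports else (int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535)))
        if any(lo <= p <= hi for p in ADMIN_PORTS):
            findings.append(f"{name}: ingress from {cidr} reaches an admin port in {lo}-{hi}")
    return findings


def _check_policy_document(name, doc):
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if (stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Action", []))
                and "*" in _as_list(stmt.get("Resource", []))):
            findings.append(f"{name}: IAM statement allows Action '*' on Resource '*'")
    return findings


def check_iam(name, props):
    # Policy/ManagedPolicy carry PolicyDocument; Role/User carry inline Policies.
    findings = _check_policy_document(name, props.get("PolicyDocument", {}))
    for inline in props.get("Policies", []):
        findings += _check_policy_document(name, inline.get("PolicyDocument", {}))
    return findings


CHECKS = {"AWS::S3::Bucket": check_s3_bucket, "AWS::EC2::SecurityGroup": check_security_group,
          "AWS::IAM::Policy": check_iam, "AWS::IAM::ManagedPolicy": check_iam,
          "AWS::IAM::Role": check_iam, "AWS::IAM::User": check_iam}


def lint_template(template):
    """Return human-readable findings for a parsed template; [] means compliant."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check:
            findings += check(name, res.get("Properties", {}))
    return findings


# Constructed sample templates (Python dicts standing in for JSON template bodies).
ROLE_TRUST = {"Version": "2012-10-17", "Statement": []}
NONCOMPLIANT = {"Resources": {
    "Logs": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "Bastion": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"GroupDescription": "ssh",
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "Deployer": {"Type": "AWS::IAM::Role", "Properties": {"AssumeRolePolicyDocument": ROLE_TRUST,
        "Policies": [{"PolicyName": "all", "PolicyDocument": {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}}}}
COMPLIANT = {"Resources": {
    "Logs": {"Type": "AWS::S3::Bucket", "Properties": {
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
        "PublicAccessBlockConfiguration": dict.fromkeys(PAB_KEYS, True)}},
    "Web": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"GroupDescription": "https",
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
    "Deployer": {"Type": "AWS::IAM::Role", "Properties": {"AssumeRolePolicyDocument": ROLE_TRUST,
        "Policies": [{"PolicyName": "read-logs", "PolicyDocument": {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                           "Resource": "arn:aws:s3:::example-logs/*"}]}}]}}}}

if __name__ == "__main__":  # pipeline gate: a non-zero exit stops the deploy stage
    findings = lint_template(json.load(open(sys.argv[1])) if len(sys.argv) > 1 else NONCOMPLIANT)
    print("\n".join(findings) or "compliant")
    sys.exit(1 if findings else 0)
```

Run as `python guardrail.py template.json` from the test stage; with no argument it lints the constructed noncompliant sample and exits 1.  Because the template is inspected before it reaches CloudFormation, a failing check stops the pipeline rather than producing a finding after deployment.  In a real pipeline the rules would live in CloudFormation Guard (or a similar policy-as-code tool) rather than in ad hoc Python, so that the rule set is itself versioned, reviewed, and tested like the templates it governs, and the same rules would run against the products a central team publishes through Service Catalog.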
