Secure workload operations - Applying Security Practices to a Network Workload on AWS for Communications Service Providers

This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.

Secure workload operations

Operating network workloads in the cloud involves the whole lifecycle of a workload, from design and build through run and ongoing improvement. This includes applying DevSecOps principles. To achieve this, a recommended mechanism is to gather the requirements and processes defined in the Operational Excellence Pillar of the Well-Architected Framework at an organizational and workload level, and apply them in all areas. The Operational Excellence Pillar discusses how an organization supports business objectives, runs workloads effectively, gains insight into their operations, and nearly continuously improves supporting processes and procedures to deliver business value.

Automation allows consistency and repeatability of processes. Customers should look to apply DevSecOps principles by aligning the security and development functions more closely: automating security processes, testing, and validating deployments help scale cloud operations. Adoption of AWS services can be supported across the development pipelines to apply security end-to-end across continuous integration/continuous deployment (CI/CD) pipelines, closed-loop workflows, and automated operations as the preferred methodology to deploy and manage the lifecycle of network workloads.

CSPs should also consider the following practices to support secure cloud operations:

  • Identify and prioritize threats and risks using a threat model — Threat modeling provides a systematic approach to aid in finding and addressing security issues early in the design process. Earlier is better, because mitigations have a lower cost compared to later in the lifecycle. Use a threat model to identify and maintain an up-to-date registry of potential threats.

  • Identify and validate control objectives — Based on your compliance requirements and the threats identified from the threat model, derive and validate the control objectives and controls to apply to the network workload. Ongoing validation of control objectives and controls helps measure the effectiveness of risk mitigation; this includes identifying your network workload’s compliance requirements and the AWS resources available to assist you with compliance. More on AWS compliance resources can be found here and AWS security and compliance reports here.

  • Keep up-to-date with security recommendations — Stay up-to-date with both AWS and industry security recommendations to evolve the security posture of the workload. AWS Security Bulletins contain important information about security and privacy notifications.

  • Evaluate and implement new security services and features regularly — Evaluate and implement security services and features from AWS and AWS Partners that evolve the security posture of your workload. The AWS Security Blog highlights new AWS services and features, implementation guides, and general security guidance. 

  • Automate testing and validation of security controls in pipelines — Establish secure baselines and templates for security mechanisms that are tested and validated as part of CI/CD pipelines and processes. Use tools and automation to test and validate security controls nearly continuously in a DevOps fashion.
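The following is an added example, not code from the whitepaper or from AWS, of the kind of automated control check that can run as a gate in a CI/CD pipeline. It evaluates a CloudFormation template (in JSON form) against a small security baseline: management ports must not be open to the internet, S3 buckets must declare encryption, and CloudTrail trails must be logging with log file validation enabled. The template, resource names and rules are constructed for illustration; the check returns its findings so the pipeline step can fail on a non-empty list.

```python
"""Pipeline gate: validate an IaC template against a small security baseline."""
import json
import sys
from typing import Any, Callable

# Ports that should never be reachable from the whole internet in a network workload.
MGMT_PORTS = {22, 3389}
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"

# Constructed sample template (JSON form of CloudFormation). Resource names and
# values are illustrative and are not taken from the whitepaper.
SAMPLE_TEMPLATE: dict[str, Any] = {
    "Resources": {
        "MgmtSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "management access",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": ANY_IPV4},
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"},
                ],
            },
        },
        "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {"BucketName": "example-log-bucket"}},
        "AuditTrail": {
            "Type": "AWS::CloudTrail::Trail",
            "Properties": {
                "IsLogging": True,
                "S3BucketName": "example-log-bucket",
                "EnableLogFileValidation": False,
            },
        },
    }
}


def _rule_covers_port(rule: dict[str, Any], port: int) -> bool:
    """True if an ingress rule allows the given port (or all traffic via protocol -1)."""
    if str(rule.get("IpProtocol")) == "-1":
        return True
    return int(rule.get("FromPort", -1)) <= port <= int(rule.get("ToPort", -1))


def check_security_group(name: str, props: dict[str, Any]) -> list[str]:
    """Flag ingress rules that expose a management port to 0.0.0.0/0 or ::/0."""
    issues = []
    for rule in props.get("SecurityGroupIngress", []):
        open_to_world = rule.get("CidrIp") == ANY_IPV4 or rule.get("CidrIpv6") == ANY_IPV6
        if open_to_world and any(_rule_covers_port(rule, p) for p in MGMT_PORTS):
            issues.append(f"{name}: management port open to the internet ({rule})")
    return issues


def check_s3_bucket(name: str, props: dict[str, Any]) -> list[str]:
    """Require an explicit BucketEncryption configuration."""
    if "BucketEncryption" not in props:
        return [f"{name}: bucket has no BucketEncryption configuration"]
    return []


def check_cloudtrail(name: str, props: dict[str, Any]) -> list[str]:
    """Require the trail to be logging and to have log file validation enabled."""
    issues = []
    if not props.get("IsLogging", True):
        issues.append(f"{name}: trail is not logging")
    if not props.get("EnableLogFileValidation", False):
        issues.append(f"{name}: log file validation is disabled")
    return issues


CHECKS: dict[str, Callable[[str, dict[str, Any]], list[str]]] = {
    "AWS::EC2::SecurityGroup": check_security_group,
    "AWS::S3::Bucket": check_s3_bucket,
    "AWS::CloudTrail::Trail": check_cloudtrail,
}


def evaluate_template(template: dict[str, Any]) -> list[str]:
    """Run every applicable check over the template's resources and collect findings."""
    findings: list[str] = []
    for name, res in template.get("Resources", {}).items():
        check = CHECKS.get(res.get("Type", ""))
        if check:
            findings.extend(check(name, res.get("Properties", {})))
    return findings


def main(argv: list[str]) -> int:
    """Load a template path from argv (or use the sample) and fail the step on findings."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            template = json.load(fh)
    else:
        template = SAMPLE_TEMPLATE
    findings = evaluate_template(template)
    for f in findings:
        print("FAIL", f)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the sample, the script reports three failures (an SSH rule open to the world, an unencrypted bucket and a trail without log file validation) and exits non-zero; the same baseline can be extended with further checks and pointed at the real templates produced by the build stage.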

  • Enable logging — Enable logging across components in conjunction with the Security Operations team to support the visibility strategy and monitoring. Consider adopting a centralized logging approach for analysis of, and insight into, security data by using Amazon Security Lake.

    • AWS CloudTrail — Provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.

    • Amazon CloudWatch — A monitoring and observability service that collects monitoring and operational data in the form of logs, metrics, and events.

    • Amazon Security Lake — Automatically centralizes security data from AWS and third-party sources into a data lake stored in your AWS account. Amazon Security Lake gives you an understanding of the security posture across your entire organization.
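As an added example (not code from the whitepaper or from AWS) of what the CloudTrail event history above enables once it is collected, the script below runs three defensive detection rules over CloudTrail records in the shape CloudTrail delivers to S3 (a JSON document with a "Records" list): changes that would reduce audit coverage (stopping, deleting or reconfiguring a trail), any activity by the root user, and failed console sign-ins. The records, account id, ARNs and addresses are constructed placeholders; `load_trail_file` assumes the gzip-compressed delivery format and is not exercised by the sample.

```python
"""Run a few detection rules over CloudTrail records from a delivered log file."""
import gzip
import json
from typing import Any, Callable, Optional

# Constructed CloudTrail records in the delivered-file shape ({"Records": [...]}).
# The account id 111122223333, ARNs, user names and IP addresses are placeholders.
SAMPLE_LOG: dict[str, Any] = {"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"type": "IAMUser", "userName": "ops-engineer",
                      "arn": "arn:aws:iam::111122223333:user/ops-engineer"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "ops-engineer",
                      "arn": "arn:aws:iam::111122223333:user/ops-engineer"}},
    {"eventTime": "2024-01-01T10:07:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-01T10:09:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "contractor",
                      "arn": "arn:aws:iam::111122223333:user/contractor"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication"},
    {"eventTime": "2024-01-01T10:12:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail", "sourceIPAddress": "10.0.2.8",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Deploy/session"}},
]}

# API calls that reduce or remove audit coverage; each should be a reviewed change.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def rule_trail_tampering(rec: dict[str, Any]) -> Optional[str]:
    if rec.get("eventSource") == "cloudtrail.amazonaws.com" and rec.get("eventName") in TRAIL_TAMPERING:
        return "trail_tampering"
    return None


def rule_root_activity(rec: dict[str, Any]) -> Optional[str]:
    if rec.get("userIdentity", {}).get("type") == "Root":
        return "root_activity"
    return None


def rule_failed_console_login(rec: dict[str, Any]) -> Optional[str]:
    if rec.get("eventName") == "ConsoleLogin" and \
            rec.get("responseElements", {}).get("ConsoleLogin") == "Failure":
        return "failed_console_login"
    return None


RULES: list[Callable[[dict[str, Any]], Optional[str]]] = [
    rule_trail_tampering, rule_root_activity, rule_failed_console_login,
]


def _actor(rec: dict[str, Any]) -> str:
    ident = rec.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or "unknown"


def analyze_records(records: list[dict[str, Any]]) -> list[dict[str, str]]:
    """Apply every rule to every record; one finding per (record, matching rule)."""
    findings = []
    for rec in records:
        for rule in RULES:
            hit = rule(rec)
            if hit:
                findings.append({
                    "rule": hit,
                    "eventTime": rec.get("eventTime", ""),
                    "eventName": rec.get("eventName", ""),
                    "actor": _actor(rec),
                    "sourceIPAddress": rec.get("sourceIPAddress", ""),
                })
    return findings


def load_trail_file(path: str) -> list[dict[str, Any]]:
    """Read a gzip-compressed CloudTrail delivery file and return its records."""
    with gzip.open(path, "rt") as fh:
        return json.load(fh)["Records"]


if __name__ == "__main__":
    for f in analyze_records(SAMPLE_LOG["Records"]):
        print(f"{f['eventTime']} {f['rule']:<22} {f['eventName']:<16} {f['actor']} from {f['sourceIPAddress']}")
```

On the sample the routine produces four findings (two trail changes, one root sign-in and one failed sign-in) while the routine DescribeInstances call is ignored; the same rule functions can be fed by an event stream rather than a file, which is where a centralized store such as Amazon Security Lake fits.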