Security Perspective: Risk and Compliance - An Overview of the AWS Cloud Adoption Framework - Version 2

Security Perspective: Risk and Compliance

Security at AWS is job zero. The Security Perspective helps you structure the selection and implementation of security controls that meet your organization’s needs. All AWS customers benefit from a data center and network architecture built to satisfy the requirements of the most security-sensitive organizations. AWS and its partners offer hundreds of services and features to help organizations meet their security objectives for visibility, auditability, control, and agility.

This perspective organizes the capabilities that will help drive the transformation of your organization’s security culture. Figure 6 illustrates the AWS CAF Security Perspective Core Capabilities.

Figure 6: AWS CAF Security Perspective Capabilities

AWS CAF Security Perspective Capability Descriptions

Identity and Access Management – This capability enables you to create multiple access control mechanisms and manage the permissions for each of them within your AWS account. Identities have no permissions by default: privileges must be granted explicitly before your user community can provision or orchestrate resources, which is what makes least-privilege grants practical.

Detective Control – AWS provides native logging, along with services that give near-real-time visibility into activity in your AWS environment. Correlating logs from AWS sources with other event sources, such as operating systems, applications, and databases, strengthens your security posture and surfaces activity that no single log shows on its own.

Consider integrating AWS logging features into centralized logging and monitoring solutions so that this correlation happens in one place and alerts can be raised in near real time.
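As an added example (not part of the original AWS document), the following Python script shows what "correlating AWS logs with other event sources" means in practice. It applies three simple rules to CloudTrail records (root account use, a console login without MFA, and API calls that weaken CloudTrail itself) and then cross-references the source IPs with an sshd auth log from a host. All log data is constructed for the example; the host name, trail name, IP addresses and account ID are made up, and the rule set and thresholds are the author's assumptions, not an AWS-defined standard.

```python
import json
import re
from collections import Counter

# Constructed sample CloudTrail records (made-up values; the field names follow
# the CloudTrail record format). One JSON record per line.
SAMPLE_CLOUDTRAIL = """\
{"eventTime": "2024-05-01T10:00:00Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}, "sourceIPAddress": "198.51.100.7", "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}}
{"eventTime": "2024-05-01T10:05:00Z", "eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "198.51.100.7", "requestParameters": {"name": "main-trail"}}
{"eventTime": "2024-05-01T10:06:00Z", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "203.0.113.9"}
"""

# Constructed sshd auth-log lines from a fictional host "web-1".
SAMPLE_AUTH_LOG = """\
May  1 09:58:01 web-1 sshd[2231]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
May  1 09:58:04 web-1 sshd[2231]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
May  1 09:58:09 web-1 sshd[2238]: Failed password for root from 198.51.100.7 port 51030 ssh2
May  1 10:01:00 web-1 sshd[2250]: Accepted publickey for deploy from 203.0.113.9 port 50110 ssh2
"""

# CloudTrail API calls that weaken logging itself (assumed watch-list for this example).
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

SSH_FAILED = re.compile(r"sshd\[\d+\]: Failed password for .* from (\d+\.\d+\.\d+\.\d+)")


def parse_cloudtrail(text):
    """One JSON record per line -> list of dicts (blank lines skipped)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def aws_findings(events):
    """Apply detection rules to CloudTrail records.
    Returns (rule_name, eventTime, sourceIPAddress) tuples in record order."""
    findings = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        ip = ev.get("sourceIPAddress")
        when = ev.get("eventTime")
        # Rule 1: any use of the root account is notable.
        if ident.get("type") == "Root":
            findings.append(("root_account_used", when, ip))
        # Rule 2: a successful console login where MFA was not used.
        if ev.get("eventName") == "ConsoleLogin":
            mfa = ev.get("additionalEventData", {}).get("MFAUsed")
            ok = ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
            if ok and mfa != "Yes":
                findings.append(("console_login_without_mfa", when, ip))
        # Rule 3: calls that stop, delete or reconfigure the trail.
        if ev.get("eventName") in TRAIL_TAMPERING:
            findings.append(("cloudtrail_tampering", when, ip))
    return findings


def failed_ssh_by_ip(auth_log_text):
    """Count failed sshd password attempts per source IP."""
    counts = Counter()
    for line in auth_log_text.splitlines():
        m = SSH_FAILED.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def correlate(events, auth_log_text, threshold=3):
    """Source IPs with at least `threshold` failed SSH logins on the host that
    also appear as the source of AWS API calls. Neither log alone shows this."""
    ssh_counts = failed_ssh_by_ip(auth_log_text)
    aws_ips = {ev.get("sourceIPAddress") for ev in events}
    return sorted(ip for ip, n in ssh_counts.items() if n >= threshold and ip in aws_ips)


if __name__ == "__main__":
    events = parse_cloudtrail(SAMPLE_CLOUDTRAIL)
    for finding in aws_findings(events):
        print("AWS finding:", finding)
    for ip in correlate(events, SAMPLE_AUTH_LOG):
        print("Source seen brute-forcing SSH and calling AWS APIs:", ip)
```

On the constructed data the script raises three AWS findings and correlates 198.51.100.7, which brute-forced SSH on the host a few minutes before a root console login without MFA and a StopLogging call from the same address. In a real deployment the same rules would run in a SIEM or a Lambda function over CloudTrail delivered to S3 or CloudWatch Logs, with the host logs shipped by an agent to the same place.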

Infrastructure Security – Your AWS environment can be defined and adjusted to evolve with your workload and business requirements. This capability lets you shape your AWS security controls in an agile fashion, automating how you build, deploy, and operate your security infrastructure rather than configuring it by hand.

As new security features become available in AWS, it is important that your organization’s IT Security teams update their skills and processes so that they can leverage these new features.

Data Protection – Covers the capability to maintain visibility and control over data, including how it is accessed and used across the organization.

Incident Response – Focuses on your organization’s capability to respond to, manage, reduce the harm of, and restore operations during and after a security incident. With AWS, you have services and independent software vendor (ISV) solutions available to help you automate incident response and recovery, and to take over portions of disaster recovery. As your cloud security matures and routine response steps are automated, the primary focus of the security team can shift from manual response toward forensics and root cause analysis.