In today’s digital landscape, AWS cloud security has become a critical concern for organizations of all sizes. As businesses increasingly rely on cloud infrastructure, the need for advanced security strategies to protect sensitive data and systems has never been more pressing. AWS cloud security encompasses a wide range of tools, practices, and policies designed to safeguard cloud-based assets from cyber threats, data breaches, and unauthorized access.
This article delves into top advanced security strategies for AWS cloud environments. It explores the shared responsibility model, strong identity and access management, data encryption methods, and network segmentation techniques. The piece also covers continuous monitoring, security automation, incident response planning, and compliance considerations. By implementing these strategies, organizations can enhance their AWS cloud security posture and better protect their valuable digital assets.
Understanding AWS Shared Responsibility Model
The AWS Shared Responsibility Model is a fundamental framework that outlines the distribution of security and compliance responsibilities between AWS and its customers. This model is crucial for organizations to understand as they navigate the complexities of cloud security.
Cloud vs. Customer Responsibilities
The Shared Responsibility Model delineates specific areas of responsibility for both AWS and its customers. AWS takes charge of securing the underlying infrastructure that supports all services offered in the AWS Cloud. This includes the hardware, software, networking, and facilities that run AWS Cloud services [1]. The cloud provider is responsible for the physical layer, which encompasses all hardware and infrastructure management, data backup, and disaster recovery [2].
On the other hand, customers assume responsibility for several key aspects:
- Guest operating system management, including updates and security patches
- Configuration of AWS-provided security group firewalls
- Data management and encryption
- Identity and Access Management (IAM)
- Application security and secure development practices
The extent of customer responsibility varies depending on the AWS services used. For instance, with abstracted services like Amazon S3 and DynamoDB, customers are responsible for managing their data, classifying assets, and applying appropriate permissions using IAM tools [1].
Importance in Security Strategy
Understanding and implementing the Shared Responsibility Model is crucial for maintaining a robust security posture in the AWS cloud. Here’s why it’s essential:
- Preventing Security Failures: Gartner estimates that through 2025, 99% of cloud security failures will be the customer’s fault [2]. By adhering to the Shared Responsibility Model, organizations can significantly reduce the risk of such failures.
- Compliance and Governance: The model helps organizations meet industry-specific certification requirements and maintain compliance with regulations such as GDPR, HIPAA, and PII [2].
- Operational Efficiency: By clearly defining responsibilities, the model helps organizations focus their security efforts on areas within their control, potentially reducing operational burden [3].
- Flexibility and Control: The nature of shared responsibility provides customers with the flexibility to deploy solutions that meet their specific security and compliance needs [3].
To effectively implement the Shared Responsibility Model, organizations should consider the following best practices:
- Thoroughly examine Service Level Agreements (SLAs) to understand the specific responsibilities for each AWS service used [2].
- Implement robust data classification and management practices, as data protection remains the customer’s responsibility regardless of the cloud service model [2].
- Prioritize IAM policy enforcement to maintain granular control over user access to cloud resources [2].
- Utilize appropriate security tools such as Data Loss Prevention (DLP) solutions, Data Security Posture Management (DSPM), and Data Detection & Response (DDR) to enhance overall security posture [2].
By embracing the Shared Responsibility Model and implementing these strategies, organizations can significantly enhance their AWS cloud security posture and better protect their valuable digital assets.
Implementing Strong Identity and Access Management
Implementing strong identity and access management (IAM) is crucial for maintaining a secure AWS cloud environment. AWS provides a comprehensive set of tools and best practices to help organizations manage user identities, control access to resources, and enforce the principle of least privilege.
AWS IAM Best Practices
To enhance security in AWS environments, organizations should adhere to several IAM best practices:
- Grant only the necessary permissions: It’s essential to provide users with the minimum level of access required to perform their tasks. This approach helps limit unintended access and facilitates tracking of resource access [4].
- Use IAM groups and attributes: Instead of defining permissions for individual users, utilize group and identity attributes to dynamically set permissions at scale. This method allows for more efficient management of access rights, especially when users change roles or leave projects [5].
- Implement permissions boundaries: Use managed policies to set maximum permissions that an identity-based policy can grant to an IAM entity. This feature ensures that entities can only perform actions allowed by both their identity-based policies and permissions boundaries [5].
- Employ attribute-based access control: Utilize resource tags to grant access based on criteria such as resource purpose, owner, or environment. This approach enables fine-grained resource access without the need for complex, custom policies for each job function [5].
- Regularly review and update permissions: Conduct periodic reviews of user permissions throughout their lifecycle to verify that access rights remain appropriately restrictive and to prevent permissions creep [5].
Multi-Factor Authentication
Multi-Factor Authentication (MFA) adds an extra layer of security to AWS accounts by requiring users to provide additional verification beyond their username and password. AWS supports various MFA options:
- Virtual MFA devices: These are software apps compliant with RFC 6238, a standards-based TOTP (time-based one-time password) algorithm. They generate six-digit authentication codes and can be installed on phones or other devices [6].
- Hardware MFA devices: These are physical tokens provided by third-party vendors, used exclusively with AWS accounts [7].
- FIDO security keys: These are hardware devices that support FIDO Alliance specifications [7].
Key points about MFA implementation:
- Users can register up to eight MFA devices of any combination of supported types [6] [7].
- For enhanced security, it’s recommended to enable multiple MFA devices for AWS account root users and IAM users [7].
- When using virtual MFA apps, enabling cloud backup or sync features can help prevent loss of access due to device loss or damage [6].
Least Privilege Principle
The principle of least privilege is a fundamental concept in AWS security, stating that identities should only be permitted to perform the minimum set of actions necessary to fulfill their specific tasks [5]. Implementing this principle helps balance usability, efficiency, and security while limiting the potential impact of security breaches.
To apply the least privilege principle effectively:
- Start with no permissions: By default, IAM users and roles have no permissions. Explicitly grant required permissions using IAM policies [5].
- Use specific actions and resources: When creating IAM policies, specify only the necessary service actions and resources. For example, if an EC2 instance needs to access an S3 bucket for configuration data, grant read access only to the specific bucket containing the relevant data [4].
- Implement conditions: Utilize condition elements in IAM policies to further restrict access based on attributes or tags. For instance, use the s3:ExistingObjectTag condition to allow GetObject requests only when object tags meet specific criteria [4].
- Employ service control policies: Use these policies to centrally control maximum available permissions for member accounts in your organization, including restrictions on root user permissions in member accounts [5].
- Restrict production access: Limit access to production environments to users with valid use cases, and revoke access promptly after task completion [5].
By implementing these advanced security strategies for identity and access management, organizations can significantly enhance their AWS cloud security posture and better protect their valuable digital assets.
Encrypting Data at Rest and in Transit
Encrypting data is a crucial aspect of maintaining a secure AWS cloud environment. It provides an additional layer of defense against unauthorized access and data breaches. There are two primary types of data encryption: data at rest and data in transit.
Data at rest refers to information that is stored and not actively moving through networks, such as data in databases, object storage, or archives. Data in transit, on the other hand, is information actively moving through a network, such as between network resources or to and from the cloud [8].
AWS Key Management Service
AWS Key Management Service (AWS KMS) is a fundamental tool for creating and managing cryptographic keys to protect data in AWS environments. It integrates seamlessly with numerous AWS services that support data encryption, making it a versatile solution for comprehensive data protection [9].
Key features of AWS KMS include:
- KMS Keys: These are the primary resources in AWS KMS, representing cryptographic keys. There are three types of KMS keys:
- Customer managed keys: Created and managed by users
- AWS managed keys: Created by AWS services on behalf of users
- AWS owned keys: Owned and managed by AWS for use across multiple accounts [9]
- Key Policies: Each KMS key has a single key policy that controls access to the key. These policies work in conjunction with IAM policies to provide granular control over key usage [9].
- Integration with AWS CloudTrail: This integration enables logging of KMS key usage for auditing, regulatory, and compliance purposes [9].
Best practices for using AWS KMS include:
- Adhering to the principle of least privilege when granting permissions
- Separating key administration and key usage roles
- Avoiding the use of “kms:*” in IAM or key policies
- Implementing service control policies (SCPs) to prevent unauthorized key deletion
- Logging AWS KMS API calls in CloudTrail for monitoring and auditing [9]
SSL/TLS Implementation
Secure Socket Layer (SSL) and Transport Layer Security (TLS) are cryptographic protocols used to encrypt data in transit. Implementing SSL/TLS is essential for protecting sensitive information as it moves between clients and servers or between different AWS services [10].
Key aspects of SSL/TLS implementation in AWS:
- Certificate Management: AWS Certificate Manager (ACM) simplifies the process of obtaining, deploying, and renewing SSL/TLS certificates. ACM provides free certificates verified by Amazon Trust Services (ATS) [11].
- Database Connections: AWS supports SSL/TLS connections for various database engines, including Db2, MariaDB, Microsoft SQL Server, MySQL, Oracle, and PostgreSQL. This encryption adds a layer of security for data moving between clients and database instances [10].
- Certificate Authority (CA): When setting up SSL/TLS connections, users can choose the CA that signs the DB server certificate. AWS provides CAs to sign DB server certificates for databases [10].
- Server Identity Verification: To enhance security, users can implement server identity verification by validating the server certificate installed on their database [10].
Best practices for SSL/TLS implementation:
- Use SSL/TLS for all sensitive data transfers, especially for compliance requirements like PCI-DSS, FedRAMP, and HIPAA [11].
- Regularly update and renew certificates to maintain security standards.
- Implement proper certificate validation to prevent man-in-the-middle attacks.
- Use ACM to automate certificate management tasks, reducing the risk of human error [11].
By implementing these encryption strategies for both data at rest and in transit, organizations can significantly enhance their AWS cloud security posture and better protect their valuable digital assets against potential threats and unauthorized access.
Network Security and Segmentation
VPC Design
Effective network security and segmentation in AWS begin with a well-designed Virtual Private Cloud (VPC). A VPC allows organizations to create isolated network environments within the AWS cloud, providing control over IP address ranges, subnets, and routing tables. To enhance security, it’s crucial to implement a hub-and-spoke model using AWS Transit Gateway. This centralized approach facilitates traffic inspection and filtering between VPCs, zones, and on-premises networks [12].
A key strategy in VPC design is to define security zones and inspect traffic between untrusted zones. Untrusted zones may include remote sites managed by third parties, vendor VPCs outside an organization’s control, or sandbox/dev VPCs with relaxed security rules [12]. By implementing this approach, organizations can reduce costs while maintaining robust security measures.
Security Groups and NACLs
AWS provides two primary tools for controlling network access within a VPC: security groups and network access control lists (NACLs). While both serve similar purposes, they operate at different levels and offer distinct functionalities [13].
Security groups act as virtual firewalls at the instance level, controlling inbound and outbound traffic. They allow organizations to specify which traffic is permitted or denied to AWS resources within the VPC. By default, all internet traffic to a security group is implicitly denied unless an allow rule is created [13].
NACLs, on the other hand, function at the subnet level, offering an additional layer of security. Unlike security groups, NACLs allow both allow and deny rules, making them useful for explicitly blocking certain types of traffic to an entire subnet [13]. This capability is particularly valuable when responding to DDoS attacks, as it enables the creation of custom rules to mitigate attacks based on source IPs or other signatures [13].
To illustrate the difference, consider a scenario with Amazon EC2 instances behind an Elastic Load Balancer. The instances themselves should have private IPs only and not be publicly accessible. Instead, access to the required target listener ports can be provided to the Elastic Load Balancer using a security group rule that allows access from 0.0.0.0/0, combined with a NACL on the target group subnet to permit only Elastic Load Balancing IP ranges to communicate with the instances [13].
AWS WAF Integration
To further enhance application security, organizations can integrate AWS Web Application Firewall (WAF) with their VPC architecture. AWS WAF is a web application firewall that monitors HTTP and HTTPS requests forwarded to protected web application resources [14].
AWS WAF offers several benefits, including:
- Protection against web attacks using customizable criteria
- Ability to allow, block, or count web requests based on specified rules
- Implementation of CAPTCHA and silent challenge controls to reduce bot traffic
- Real-time metrics and sampled web requests
- Automated administration using the AWS WAF API [14]
For Amazon Lightsail instances, AWS WAF can be integrated using VPC peering. This allows developers to deploy AWS WAF in front of their Lightsail instances, providing additional protection against attacks such as SQL injection, cross-site scripting (XSS), and distributed denial of service (DDoS) [15].
By implementing these advanced network security and segmentation strategies, organizations can significantly enhance their AWS cloud security posture and better protect their valuable digital assets against potential threats and unauthorized access.
Continuous Monitoring and Threat Detection
In the ever-evolving landscape of cloud security, continuous monitoring and threat detection play a crucial role in safeguarding AWS environments. Organizations can leverage various AWS services and third-party solutions to maintain a robust security posture and quickly identify potential threats.
AWS CloudTrail
AWS CloudTrail is a service that enables operational and risk auditing, governance, and compliance of AWS accounts. It records actions taken by users, roles, or AWS services as events, providing a comprehensive history of activity within an AWS environment [16]. CloudTrail is automatically enabled when an AWS account is created, allowing for immediate visibility into recent events through the CloudTrail console’s Event history feature [16].
To establish an ongoing record of activity, organizations can create trails. These trails can be configured for a single AWS Region or across all Regions, with log files delivered to a centralized Amazon S3 bucket [16]. This centralized approach facilitates efficient log management and analysis.
Key features and best practices for AWS CloudTrail include:
- Log file integrity validation to detect any modifications or deletions
- Encryption of log files for enhanced security
- Integration with CloudWatch Logs for real-time monitoring
- Centralization of logs from all AWS accounts and Regions
- Application of lifecycle policies to S3 buckets containing log files
To prevent unauthorized disabling of logging, organizations can apply a service control policy (SCP) in AWS Organizations that explicitly denies the StopLogging
and DeleteTrail
actions [16].
Amazon GuardDuty
Amazon GuardDuty is a managed threat detection service that analyzes various data sources to generate security findings for AWS accounts [17]. It monitors foundational data sources such as AWS CloudTrail event logs, VPC Flow Logs, and DNS logs, as well as additional features like Kubernetes audit logs and Lambda network activity logs when enabled [17].
GuardDuty findings provide detailed information about unique security issues, helping organizations investigate and respond to potential threats [17]. To maximize the value of GuardDuty, it’s recommended to configure settings for exporting findings to an S3 bucket, allowing for long-term storage beyond the default 90-day retention period [17].
Security Information and Event Management (SIEM)
SIEM solutions offer real-time monitoring of workloads, identification of security issues, and expedited root-cause analysis for AWS Control Tower environments [18]. Several SIEM options are available for integration with AWS services:
- Cribl LogStream: Enables efficient data routing, replay from Amazon S3, and volume reduction while maintaining compliance [18].
- Splunk: Provides automatic configuration and setup of AWS services, incorporating data from CloudTrail, AWS Config, and other sources using Kinesis Data Firehose and Splunk HTTP Event Collector [18].
- Sumo Logic: Offers a cloud-native machine data analytics platform that provides a unified view of AWS environments, facilitating quick issue resolution and improved system availability [18].
- Logz.io: Provides an AI-powered ELK-as-a-Service for unified monitoring, troubleshooting, and security in distributed cloud environments [18].
SIEM solutions significantly enhance an organization’s ability to detect and respond to security incidents. Studies have shown that AWS SIEM solutions generally outperform many competitors in terms of incident detection and response times, largely due to their optimized cloud infrastructure and machine learning-driven analytics [19]. This rapid response capability is crucial for modern enterprises, where even minimal downtime can result in substantial financial and reputational losses [19].
By implementing a combination of AWS native services like CloudTrail and GuardDuty, along with integrated SIEM solutions, organizations can establish a comprehensive continuous monitoring and threat detection strategy for their AWS cloud environments.
Automating Security Operations
AWS Systems Manager
AWS Systems Manager offers a range of tools to automate security operations in cloud environments. One of its key features is the ability to implement least privilege access, which is fundamental in reducing security risks and potential impacts from errors or malicious intent [20]. By granting only the permissions required to perform specific tasks, organizations can significantly enhance their security posture.
Another crucial aspect of Systems Manager is the use of SecureString parameters to encrypt and protect sensitive data. This feature, available in Parameter Store, allows for secure storage and reference of confidential information such as passwords or license keys [20]. The SecureString data type utilizes AWS Key Management Service (KMS) to encrypt parameter values, ensuring an additional layer of protection.
To further enhance security, Systems Manager enables the validation of user input for document parameters. This is achieved by defining allowedValues and allowedPattern in Systems Manager documents (SSM documents) [20]. These features help prevent unauthorized or incorrect inputs, thereby reducing the risk of security breaches or operational errors.
For organizations requiring enhanced network security, Systems Manager can be integrated with Amazon Virtual Private Cloud (VPC) and VPC endpoints [20]. This integration allows for private connections between VPCs and supported AWS services without the need for internet gateways or other public-facing infrastructure, significantly reducing the attack surface.
Infrastructure as Code for Security
Implementing infrastructure as code (IaC) is a fundamental principle in DevOps that can be applied to security operations. This approach treats infrastructure provisioning with the same rigor as application code development [21]. By defining all configurations in a declarative way and storing them in source control systems like AWS CodeCommit, organizations can ensure consistency, repeatability, and reliability in their security infrastructure.
AWS offers several services to define infrastructure as code, including:
- AWS CloudFormation
- AWS Serverless Application Model
- AWS Cloud Development Kit (CDK)
- AWS CDK for Kubernetes
- AWS CDK for Terraform
- AWS Cloud Control API [21]
These tools enable the creation, deployment, and maintenance of security infrastructure in a programmatic, descriptive, and declarative manner. This approach provides clarity and reliability in security operations, reducing the risk of human error and inconsistencies that can arise from manual processes or outdated runbooks [21].
When implementing IaC for security automation, it’s important to consider the interactions between automated processes and manually created resources. For instance, when using GuardDuty automated agent configuration, resources created by IaC tools may depend on VPC endpoints created by GuardDuty [22]. To maintain full control over resources configured by IaC tools, organizations should create necessary VPC endpoints and security groups before enabling GuardDuty automated agent configuration [22].
By leveraging these automation tools and practices, organizations can significantly enhance their security operations, ensuring consistency, scalability, and rapid response to potential threats in their AWS environments.
Incident Response and Recovery Planning
AWS-Specific Incident Response Procedures
Effective incident response in AWS environments requires a comprehensive understanding of cloud-specific challenges and opportunities. Organizations should focus on three key aspects: preparation, operations, and post-incident activity [23]. Preparation involves enabling detective controls, ensuring appropriate access to necessary tools and cloud services, and developing both manual and automated playbooks. Operations follow the NIST phases of incident response: detect, analyze, contain, eradicate, and recover. Post-incident activity involves learning from events and simulations to improve response efficacy and reduce risk [23].
When designing incident response strategies for AWS, organizations should consider several cloud-specific principles:
- Establish clear response objectives with stakeholders and leadership.
- Implement response patterns within the cloud environment.
- Preserve logs, resources, and evidence in a dedicated response account.
- Utilize redeployment mechanisms for quick remediation.
- Automate responses where possible, reserving human intervention for complex cases.
- Choose scalable solutions to match cloud computing capabilities.
- Continuously learn and improve processes through simulations and post-incident analysis [23].
It’s crucial to understand the three domains where security incidents may occur in AWS: service, infrastructure, and application. Each domain requires different knowledge, tools, and response processes [23].
Disaster Recovery Strategies
AWS offers four main disaster recovery (DR) strategies, each with varying levels of cost, complexity, and recovery times:
- Backup and restore: This strategy involves backing up systems and restoring them from backup during a disaster. It provides the lowest cost but the longest Recovery Time Objective (RTO) [24].
- Pilot light: Core services run in standby mode, with additional services triggered as needed during a disaster. This approach offers a medium cost and RTO [24].
- Warm standby: A full backup system runs in standby mode, with live data replicated from the production environment. This strategy provides a high cost but low RTO [24].
- Multi-site active/active: A full, secondary production system runs concurrently, ready to serve traffic when needed. This approach offers the highest cost but a near-zero RTO [24].
When implementing these strategies, organizations should consider the following principles:
- Create backups in the same Region as the source and replicate them to other Regions for enhanced availability [24].
- Leverage Infrastructure as Code (IaC) services like AWS CloudFormation for consistent deployment across Regions [24].
- Implement techniques to improve detection and recovery, such as serverless automation using Amazon EventBridge [24].
To ensure the effectiveness of DR strategies, organizations should regularly test their plans before initial implementation and on an ongoing basis [24]. By carefully selecting and implementing the appropriate DR strategy, businesses can significantly enhance their ability to recover from disasters and maintain continuity of operations in their AWS environments.
Compliance and Governance in AWS
AWS offers a comprehensive suite of tools and services to help organizations maintain compliance and governance in their cloud environments. These solutions enable businesses to meet regulatory requirements, implement best practices, and maintain a strong security posture.
AWS Config
AWS Config provides detailed visibility into the configuration of AWS resources, allowing organizations to track changes and assess their impact over time [25]. This service is crucial for maintaining compliance and governance by enabling fine-grained monitoring of resource configurations and detecting potential misconfigurations [25].
Key features of AWS Config include:
- Resource inventory tracking
- Configuration change notifications
- Evaluation of resource configurations against rules
- Historical configuration data access
Organizations can leverage AWS Config to demonstrate compliance by accessing historical configurations of their resources [25]. This capability is particularly valuable for auditing purposes and for troubleshooting issues by reverting to the last known good configuration of a problematic resource [25].
Compliance Frameworks Integration
AWS integrates with numerous compliance frameworks, allowing organizations to meet industry-specific and regulatory requirements. Third-party auditors assess the security and compliance of AWS services as part of multiple compliance programs, including SOC, PCI, FedRAMP, and HIPAA [26].
To support compliance efforts, AWS provides several resources:
- AWS Artifact: Offers on-demand access to AWS compliance reports [27].
- AWS Audit Manager: Enables continuous auditing of AWS usage [27].
- AWS Security Hub: Provides a unified security and compliance center [27].
These tools help organizations maintain compliance across various frameworks and standards. For example, the AWS Security Hub uses security controls to evaluate AWS resources and check compliance against industry standards and best practices [26].
Additionally, AWS offers guidance documents such as Security and Compliance Quick Start Guides and Architecting for HIPAA Security and Compliance on Amazon Web Services [26]. These resources assist organizations in deploying security-focused environments and creating HIPAA-eligible applications.
By leveraging these compliance and governance tools, organizations can effectively manage risks, meet regulatory requirements, and maintain a secure cloud environment in AWS.
Conclusion
Securing AWS cloud environments has become a top priority for organizations in today’s digital landscape. The strategies discussed in this article provide a comprehensive approach to enhance cloud security, covering aspects from identity management to disaster recovery. By implementing these advanced techniques, businesses can better protect their valuable digital assets and maintain a strong security posture in the face of evolving cyber threats.
To wrap up, the key to effective AWS cloud security lies in a multi-faceted approach that combines robust access controls, data encryption, network segmentation, and continuous monitoring. Organizations that adopt these strategies and leverage AWS’s security tools are better equipped to handle security incidents and comply with regulatory requirements. This proactive stance on security not only safeguards sensitive data but also builds trust with customers and stakeholders, ultimately contributing to long-term business success in the cloud era.
FAQs
1. What steps can I take to enhance security in my AWS cloud environment?
To improve AWS cloud security, adhere to the following best practices:
- Ensure CloudTrail’s security configurations are stringent.
- Implement IAM best practices.
- Regularly create backups.
- Follow recommended practices for using Amazon VPC.
- Employ network segmentation and security zoning.
- Enhance network security.
- Secure peripheral systems such as DNS.
2. What are the primary security vulnerabilities in cloud computing?
The top five security vulnerabilities in cloud computing are:
- Misconfigurations, which account for 80% of security issues due to improper setup of infrastructure, services, or applications.
- Theft of access credentials.
- Phishing attacks.
- API attacks.
- Shadow IT, which refers to IT systems used without explicit organizational approval.
3. What is considered the most critical aspect of security on AWS?
Cloud security is the utmost priority at AWS. AWS aims to protect its customers by utilizing data centers and network architectures designed to meet the stringent requirements of security-sensitive organizations.
4. How can I improve a user’s security on AWS?
To boost user security on AWS:
- Implement granular policies that assign specific permissions to users, groups, roles, or resources.
- Enforce strong password policies that include complexity requirements, discourage password reuse, and mandate multi-factor authentication (MFA).
- Consider federation with existing directory services to streamline user management and enhance security.
References
[1] – https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/shared-responsibility.html
[2] – https://cloudsecurityalliance.org/blog/2023/10/17/the-importance-of-the-shared-responsibility-model-for-your-data-security-strategy
[3] – https://docs.aws.amazon.com/whitepapers/latest/aws-risk-and-compliance/shared-responsibility-model.html
[4] – https://aws.amazon.com/blogs/security/techniques-for-writing-least-privilege-iam-policies/
[5] – https://docs.aws.amazon.com/wellarchitected/latest/framework/sec_permissions_least_privileges.html
[6] – https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html
[7] – https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html
[8] – https://docs.aws.amazon.com/prescriptive-guidance/latest/encryption-best-practices/welcome.html
[9] – https://docs.aws.amazon.com/prescriptive-guidance/latest/encryption-best-practices/kms.html
[10] – https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
[11] – https://aws.amazon.com/blogs/aws/new-aws-certificate-manager-deploy-ssltls-based-apps-on-aws/
[12] – https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/centralized-network-security-for-vpc-to-vpc-and-on-premises-to-vpc-traffic.html
[13] – https://docs.aws.amazon.com/whitepapers/latest/aws-best-practices-ddos-resiliency/security-groups-and-network-acls-bp5.html
[14] – https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html
[15] – https://aws.amazon.com/blogs/compute/integrating-aws-waf-with-your-amazon-lightsail-instance/
[16] – https://docs.aws.amazon.com/prescriptive-guidance/latest/logging-monitoring-for-application-owners/cloudtrail.html
[17] – https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html
[18] – https://aws.amazon.com/marketplace/solutions/control-tower/siem
[19] – https://aws.amazon.com/marketplace/solutions/security/siem
[20] – https://docs.aws.amazon.com/systems-manager/latest/userguide/security-best-practices.html
[21] – https://docs.aws.amazon.com/whitepapers/latest/introduction-devops-aws/infrastructure-as-code.html
[22] – https://docs.aws.amazon.com/guardduty/latest/ug/using-iac-with-gdu-automated-agents-runtime-monitoring.html
[23] – https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/introduction.html
[24] – https://cloudian.com/guides/disaster-recovery/disaster-recovery-on-aws-4-strategies-and-how-to-deploy-them/
[25] – https://docs.aws.amazon.com/config/latest/developerguide/WhatIsConfig.html
[26] – https://docs.aws.amazon.com/config/latest/developerguide/config-compliance.html
[27] – https://aws.amazon.com/compliance/