<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">

Life's like a box of chocolates 🍫 Your access shouldn't be. Register for our new webinar.

Search
Close icon
Search bar icon

AWS Well-Architected Framework Security Best Practices

StrongDM manages and audits access to infrastructure.
  • Role-based, attribute-based, & just-in-time access to infrastructure
  • Connect any person or service to any infrastructure, anywhere
  • Logging like you've never seen

The AWS Well-Architected Framework has been a staple for many years for AWS practitioners of all sorts, including cloud architects and platform engineers. It’s a blueprint for architectural and design best practices that will lay the foundation for resilience, operational efficiency, and security on the AWS Cloud. 

On the security side, while not expressly connected to, Well-Architected has many similar guiding principles as those found in CISA Secure by Design and NIST Zero Trust Architecture. In short: if you follow the design principles in Well-Architected, you’ll start out with a stronger secure foundation.

Word of caution, however, humans are humans, and attackers exploit that every second of every day, so it’s imperative to bake security into your cloud architecture. One glimpse into the world of the techniques and tactics used by attackers is found in the MITRE ATT&CK Framework. I even wrote about how you can protect your Kubernetes clusters from attack. Many of those defensive mitigations can be implemented proactively, so you’ll also maintain that strong secure foundation.

Well-Architected Design Principles

There are 7 design principles that Well-Architected enumerates:

  1. Implement a strong identity foundation
  2. Maintain traceability
  3. Apply security at all layers
  4. Automate security best practices
  5. Protect data in transit and at rest
  6. Keep people away from data
  7. Prepare for security events

It should be no surprise that the first, and most important, design principle is to Implement a strong identity foundation. Since the early days of AWS Cloud, identity has been the perimeter for access to AWS and customer-managed resources. 

Implement the principle of least privilege and enforce separation of duties with appropriate authorization for each interaction with your AWS resources. Centralize identity management, and aim to eliminate reliance on long-term static credentials.”

We’ll break down each of the recommendations for identity security, and how StrongDM fits in with AWS Well-Architected.

AWS Well-Architected Framework Security Best Practices

Implement the principle of least privilege

Least privilege is the principle that people and systems should have the minimal access required to do their job. On one hand, this makes complete sense, we’re granting access to the minimal amount of actions a user can perform on a minimal amount of resources, but we leave that access standing, 24x7x365. Instead of having standing access, let’s move to a Zero Standing Access and Zero Standing Privileges model that’s implemented with Just-in-Time and Dynamic Access workflows, where we can dramatically reduce the risk exposure. 

By only granting access to resources when someone needs it, when they need it, and for the duration they need, we can achieve a risk reduction by as much as 98.8%. Bonus points for that access being automatically revoked to ensure that we don’t have all of that standing access left behind.

moving-from-standing-to-jit-access

Enforce separation of duties with appropriate authorization for each interaction with your AWS resources

Separation of duties is the principle no user should be given enough access to negatively impact your environment. For example, a software engineer probably shouldn’t have access to internal financial data. When you have a truly dynamic and  automated access workflow model, separation of duty is a byproduct of the Zero Standing Privileges model

Furthermore, the authorization should be continuously checked to ensure that the user’s device being used for access remains relatively risk-free from malware during the session, their IP address hasn’t changed, or they haven’t been instantly teleported to another geolocation during their access window.

Centralized identity management

Managing identities and authenticating through a centralized identity management provider is the way to ensure that provisioning and deprovisioning of people is happening across many systems and services, including your cloud infrastructure. Ideally, if a user is deprovisioned, that should immediately revoke all access grants, and stop any active sessions because they would no longer be unauthorized. Multiple factors of authentication should also be implemented, including more modern methods such as passkeys and biometric tokens.

Aim to eliminate reliance on long-term static credentials

Static credentials have been a problem for cloud admins and architects since the beginning. API access keys and passwords should never be embedded in application configuration files or even worse, checked into code repositories. There have been too many middle-of-the-night security incidents that were ultimately caused by the unintentional storing of API keys in a public S3 bucket or Git repo.

It’s about Maturing your Security Access Strategy

secure-access-maturity-model-1

Achieving a truly mature, dynamic access model is a journey. Operationalizing all of the design principles in the AWS Well-Architected framework doesn't happen overnight, neither does maturing your access. Many of the principles in the above maturity model apply directly to the principles within the Well-Architected framework. 

As you progress through the maturity model, your access aperture will narrow. In the widest aperture, you are granting access at the AWS account level, then eventually you’ll be granting access to resources at both the control plane, such as configurations, and inside the data plane, such as databases and data objects.

context-narrows-the-aperture-for-access-and-decreases-risk

So how do we get to a place where we truly don’t have standing privileges? How can I dynamically grant access to an EKS cluster or RDS Postgres database in a just-in-time way? Is Zero Standing Privileges achievable?

baby-astronaut-staring-out-of-the-porthole

StrongDM is a Critical to Implementing Well-Architected

sdm-helps-with-aws-well-architected-framework

Our Solution Guide for AWS Well-Architected prescribes how you can apply StrongDM capabilities to many of the design principles and best practices found in the framework, not just Identity Security. 

We have product features that allow you to implement tag-based, dynamic access workflows that can be kicked off from Slack, for example. We allow you to grant access to RDS databases and EKS clusters, and have full visibility into the actions your users are taking on those resources, and in the case of SSH and RDP, full session recording. Our microsegmentation network architecture ensures the session from client to resource is fully encrypted and secure. 

So yes! You can achieve Zero Standing Access and Zero Standing Privileges not just on your AWS resources and accounts, but across many resource types, including the legacy stuff you’re still trying to figure out how to get over to the cloud.

Looking to implement Zero Standing Privileges? Book a StrongDM demo to see it in action.


About the Author

, DAM Evangelist, has had a long 30+ year career in systems engineering and architecture, but has spent the last 13+ years working on the Cloud, and specifically, Cloud Security. He's currently the DAM Evangelist at StrongDM, taking the message of Dynamic Access Management to the world. As a practitioner, he architected and created cloud automation, DevOps, and security and compliance solutions at Netflix and Adobe. He worked closely with customers at Evident.io, where he was telling the world about how cloud security should be done at conferences, meetups and customer sessions. Before coming to StrongDM, he lead an innovations and solutions team at Palo Alto Networks, working across many of the company's security products.

StrongDM logo
💙 this post?
Then get all that StrongDM goodness, right in your inbox.

You May Also Like

Vendor Access Management (VAM) Explained
Vendor Access Management (VAM) Explained
Vendor Access Management (VAM) is the systematic control and oversight of vendor access to an organization's systems, applications, and data. It involves processes such as onboarding and offboarding vendors, utilizing solutions for Just-in-Time access, ensuring security, and streamlining workflows to minimize operational inefficiencies.
What Is Fine-Grained Access Control? Challenges, Benefits & More
What Is Fine-Grained Access Control? Challenges, Benefits & More
Fine-grained access control systems determine a user’s access rights—to infrastructure, data, or resources, for example—once past initial authentication. Unlike coarse-grained access control (CGAC), which relies on a single factor, such as role, to grant access, FGAC relies on multiple factors. For example, it may consider policies (policy-based access control, or PBAC), attributes (attribute-based access control, or RBAC), or a user’s behavior in a certain context (behavior-based access control, or BBAC).
Implicit Trust vs. Explicit Trust in Access Management
Implicit Trust vs. Explicit Trust in Access Management
Trust is an essential cornerstone in access management. However, not all trust is created equal. When it comes to how you approach access, two types of trust stand out: implicit trust and explicit trust.
Joiners, Movers, and Leavers (JML) Process (How to Secure It)
Joiners, Movers, and Leavers (JML) Process (How to Secure It)
People come, and people go, and while digital identities should cease to exist after a departure, many times, this doesn’t happen. At any given time, organizations can have thousands of user identities to manage and track, so when processes aren’t automated, it’s easy for many identities to fall through the cracks. This phenomenon is called Identity Lifecycle Management, and when it comes to access and security, it’s worth the time to get it right.
Reduce Security Risk with StrongDM Device Trust
Reduce Security Risk with StrongDM Device Trust
We are thrilled to announce a new feature to our StrongDM® Dynamic Access Management (DAM) platform: Device Trust. This feature amplifies your organization's security posture by employing device posture data from endpoint security leaders CrowdStrike or SentinelOne.