<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">
Curious about how StrongDM works? 🤔 Learn more here!
Search
Close icon
Search bar icon

AWS Well-Architected Framework Security Best Practices

StrongDM manages and audits access to infrastructure.
  • Role-based, attribute-based, & just-in-time access to infrastructure
  • Connect any person or service to any infrastructure, anywhere
  • Logging like you've never seen

The AWS Well-Architected Framework has been a staple for many years for AWS practitioners of all sorts, including cloud architects and platform engineers. It’s a blueprint for architectural and design best practices that will lay the foundation for resilience, operational efficiency, and security on the AWS Cloud. 

On the security side, while not expressly connected to, Well-Architected has many similar guiding principles as those found in CISA Secure by Design and NIST Zero Trust Architecture. In short: if you follow the design principles in Well-Architected, you’ll start out with a stronger secure foundation.

Word of caution, however, humans are humans, and attackers exploit that every second of every day, so it’s imperative to bake security into your cloud architecture. One glimpse into the world of the techniques and tactics used by attackers is found in the MITRE ATT&CK Framework. I even wrote about how you can protect your Kubernetes clusters from attack. Many of those defensive mitigations can be implemented proactively, so you’ll also maintain that strong secure foundation.

Well-Architected Design Principles

There are 7 design principles that Well-Architected enumerates:

  1. Implement a strong identity foundation
  2. Maintain traceability
  3. Apply security at all layers
  4. Automate security best practices
  5. Protect data in transit and at rest
  6. Keep people away from data
  7. Prepare for security events

It should be no surprise that the first, and most important, design principle is to Implement a strong identity foundation. Since the early days of AWS Cloud, identity has been the perimeter for access to AWS and customer-managed resources. 

Implement the principle of least privilege and enforce separation of duties with appropriate authorization for each interaction with your AWS resources. Centralize identity management, and aim to eliminate reliance on long-term static credentials.”

We’ll break down each of the recommendations for identity security, and how StrongDM fits in with AWS Well-Architected.

AWS Well-Architected Framework Security Best Practices

Implement the principle of least privilege

Least privilege is the principle that people and systems should have the minimal access required to do their job. On one hand, this makes complete sense, we’re granting access to the minimal amount of actions a user can perform on a minimal amount of resources, but we leave that access standing, 24x7x365. Instead of having standing access, let’s move to a Zero Standing Access and Zero Standing Privileges model that’s implemented with Just-in-Time and Dynamic Access workflows, where we can dramatically reduce the risk exposure. 

By only granting access to resources when someone needs it, when they need it, and for the duration they need, we can achieve a risk reduction by as much as 98.8%. Bonus points for that access being automatically revoked to ensure that we don’t have all of that standing access left behind.

moving-from-standing-to-jit-access

Enforce separation of duties with appropriate authorization for each interaction with your AWS resources

Separation of duties is the principle no user should be given enough access to negatively impact your environment. For example, a software engineer probably shouldn’t have access to internal financial data. When you have a truly dynamic and  automated access workflow model, separation of duty is a byproduct of the Zero Standing Privileges model

Furthermore, the authorization should be continuously checked to ensure that the user’s device being used for access remains relatively risk-free from malware during the session, their IP address hasn’t changed, or they haven’t been instantly teleported to another geolocation during their access window.

Centralized identity management

Managing identities and authenticating through a centralized identity management provider is the way to ensure that provisioning and deprovisioning of people is happening across many systems and services, including your cloud infrastructure. Ideally, if a user is deprovisioned, that should immediately revoke all access grants, and stop any active sessions because they would no longer be unauthorized. Multiple factors of authentication should also be implemented, including more modern methods such as passkeys and biometric tokens.

Aim to eliminate reliance on long-term static credentials

Static credentials have been a problem for cloud admins and architects since the beginning. API access keys and passwords should never be embedded in application configuration files or even worse, checked into code repositories. There have been too many middle-of-the-night security incidents that were ultimately caused by the unintentional storing of API keys in a public S3 bucket or Git repo.

It’s about Maturing your Security Access Strategy

secure-access-maturity-model-1

Achieving a truly mature, dynamic access model is a journey. Operationalizing all of the design principles in the AWS Well-Architected framework doesn't happen overnight, neither does maturing your access. Many of the principles in the above maturity model apply directly to the principles within the Well-Architected framework. 

As you progress through the maturity model, your access aperture will narrow. In the widest aperture, you are granting access at the AWS account level, then eventually you’ll be granting access to resources at both the control plane, such as configurations, and inside the data plane, such as databases and data objects.

context-narrows-the-aperture-for-access-and-decreases-risk

So how do we get to a place where we truly don’t have standing privileges? How can I dynamically grant access to an EKS cluster or RDS Postgres database in a just-in-time way? Is Zero Standing Privileges achievable?

baby-astronaut-staring-out-of-the-porthole

StrongDM is a Critical to Implementing Well-Architected

sdm-helps-with-aws-well-architected-framework

Our Solution Guide for AWS Well-Architected prescribes how you can apply StrongDM capabilities to many of the design principles and best practices found in the framework, not just Identity Security. 

We have product features that allow you to implement tag-based, dynamic access workflows that can be kicked off from Slack, for example. We allow you to grant access to RDS databases and EKS clusters, and have full visibility into the actions your users are taking on those resources, and in the case of SSH and RDP, full session recording. Our microsegmentation network architecture ensures the session from client to resource is fully encrypted and secure. 

So yes! You can achieve Zero Standing Access and Zero Standing Privileges not just on your AWS resources and accounts, but across many resource types, including the legacy stuff you’re still trying to figure out how to get over to the cloud.

Looking to implement Zero Standing Privileges? Book a StrongDM demo to see it in action.


About the Author

, Technical Evangelist, has had a long 30+ year career in systems engineering and architecture, but has spent the last 13+ years working on the Cloud, and specifically, Cloud Security. He's currently the Technical Evangelist at StrongDM, taking the message of Zero Trust Privileged Access Management (PAM) to the world. As a practitioner, he architected and created cloud automation, DevOps, and security and compliance solutions at Netflix and Adobe. He worked closely with customers at Evident.io, where he was telling the world about how cloud security should be done at conferences, meetups and customer sessions. Before coming to StrongDM, he lead an innovations and solutions team at Palo Alto Networks, working across many of the company's security products.

StrongDM logo
💙 this post?
Then get all that StrongDM goodness, right in your inbox.

You May Also Like

Securing Network Devices with StrongDM's Zero Trust PAM Platform
Securing Network Devices with StrongDM's Zero Trust PAM Platform
Let’s talk about the unsung heroes of your on-premises infrastructure: network devices. These are the routers, switches, and firewalls that everyone forgets about…and takes for granted—until something breaks. And when one of those somethings breaks, it leads to some pretty bad stuff. If your network goes down, that’s bad, bad, bad for business. But if those devices lack the necessary security, well, that can leave you exposed in an incredibly dangerous way.
What Is Zero Trust for the Cloud? (And Why It's Important)
What Is Zero Trust for the Cloud? (And Why It's Important)
Zero Trust cloud security is a cybersecurity model that operates on the principle that no user, device, system, or action should be trusted by default — even if it's inside your organization’s own network. This approach minimizes the risk of breaches and other cyber threats by limiting access to sensitive information and resources based on user roles, device security posture, and contextual factors.
How to Prevent Password Sharing in Healthcare
How to Prevent Password Sharing in Healthcare (8 Ways)
Protecting sensitive patient data in healthcare isn't just a priority—it's a legal and ethical obligation. However, one of the most overlooked security gaps that healthcare organizations face is the practice of password sharing among employees. This seemingly harmless habit can quickly lead to unauthorized access and serious data breaches, putting both the organization and patients at risk. While often seen as a convenient shortcut, password sharing undermines the security of protected health information (PHI), potentially leading to HIPAA violations and data breaches. In this post, we'll explore eight effective ways to prevent password sharing in healthcare.
What Is Privileged Identity Management (PIM)? 7 Best Practices
What Is Privileged Identity Management (PIM)? 7 Best Practices
Privileged Identity Management (PIM) is a complex cybersecurity approach. But it’s the only proven method you can use to lock down access and protect your precious resources. It can help you keep cybercriminals out and ensure that even your trusted users can’t accidentally—or intentionally—jeopardize your system’s security.
What Is Zero Trust Data Protection?
What Is Zero Trust Data Protection?
Zero Trust Data Protection isn't just the best way to safeguard your data — given today's advanced threat landscape, it's the only way. Assuming inherent trust just because an access request is inside your network is just asking for a breach. By implementing the latest tactics in authentication, network segmentation, encryption, access controls, and continuous monitoring, ZT data security takes the opposite approach.