

# Security management
<a name="securityoperations"></a>

 Security plays a key role and is foundational to all functions of the M&G Guide. Security management is the process of setting up, measuring, and improving security processes and tools. The M&G Guide focuses on cloud-ready environments so that you are well prepared to host your workloads. We recommend following the security best practices described in the [Well-Architected Security Pillar](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html) whitepaper for each type of workload you run on AWS. You will find that the same principles for well-architected workloads apply for how you effectively secure and manage cloud-ready environments. Specifically, the security pillar includes a comprehensive view of the best practices for management and governance of security capabilities, some of which are highlighted later in this guide. Further information on cloud adoption best practices that align with the Security Pillar can also be found in [AWS CAF](https://aws.amazon.com/professional-services/CAF/). 

 To scale with AWS, it is important to continually address and refine your security capabilities alongside the rest of your management and governance functions. This includes the identification, management, and resolution of security issues and findings across all your environments. As your scale increases with AWS, it is essential to adapt your security management to the dynamic nature and ephemeral lifespan of cloud resources. This adaptation includes response mechanisms as well as ownership. In some cases, ownership of security might merge with existing accountability and responsibility models; in other cases, it will require new ones. 

 The M&G Guide recommends standard ways to address AWS security across the eight management and governance functions. For instance, in the [Controls](controls.md) section, we demonstrate the need for security controls to be included across your management and governance tooling. In this Security Management section, we outline security tools and functions that are equally important to operating and scaling efficiently. Each area of your cloud operations is responsible for implementing appropriate security controls. These should include capabilities to identify, protect, detect, respond, and recover from security issues and events. 

## Security architecture
<a name="sec-arch"></a>

 The [AWS Security Reference Architecture (AWS SRA)](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/welcome.html) is a holistic set of guidelines for deploying the full complement of AWS security services in a multi-account environment that is aligned to the [Well-Architected Security Pillar](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html). This overall architectural guidance complements detailed, service-specific recommendations, such as those found in the [AWS Security Documentation](https://docs.aws.amazon.com/security/). For example, AWS SRA recommends complementing the security architecture implemented in your environments with a specific OU and account for security tooling. Where services support this, delegate administration of security-related services to the security tooling account. The security tooling account will then serve as a central pane of glass to the member accounts, providing insights for extended detection and response (XDR) activities. Where required, also provide for engineering and builder teams to create specialized or localized security capabilities that are specific to their workloads. Note that this reference architecture can be extended to include AWS Partner solutions following the same patterns. 

## Automated findings and campaigns
<a name="sec-auto"></a>

 Following the prescriptive guidance in the [Controls](controls.md) section of this guide, after you have detective controls in place across your multi-account strategy, deviations from the controls should result in security findings. A *finding* is a specific deviation from a control associated with a specific AWS account, AWS Region, environment, or resource. For each detective mechanism you have, you should also have a clearly defined process in the form of a runbook or playbook to investigate. Tickets should be automatically created based on findings with information about the deviation, remediation guidance, and deadlines. Tickets are assigned to the resource, account, or environment owner. 

 A *campaign* is a way to aggregate issues around a particular control or set of controls and drive action towards remediation. Campaigns include the development of campaign metrics to measure progress. You can also use campaigns and tickets to drive action to have account owners put preventive controls in place. 

 Note that both campaigns and findings will need to be tuned along with your threat detection tools. This tuning will allow you to remove any noise created by false positives or negatives. In addition, any patterns that emerge from campaigns or findings will need to be translated into additional controls. 
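The finding-to-ticket and campaign flow described above, as an added example in Python that is not code from the M&G Guide: each finding still in the NEW state becomes a ticket carrying the deviation, the remediation guidance, a severity-based deadline and the account owner, and a campaign over a set of controls reports percent resolved, overdue count and mean time to remediate. The input records are constructed and only loosely follow the AWS Security Finding Format (ASFF) field names; `SLA_DAYS`, `ACCOUNT_OWNERS` and the control IDs are assumptions.

```python
"""Findings to tickets and campaign metrics (added example, not M&G Guide code).
Input records are constructed and only loosely follow the AWS Security Finding
Format (ASFF) field names; SLA_DAYS and ACCOUNT_OWNERS are assumed policy."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SLA_DAYS = {"CRITICAL": 1, "HIGH": 7, "MEDIUM": 30, "LOW": 90}  # assumed deadlines
ACCOUNT_OWNERS = {"111111111111": "payments-team",              # constructed lookup
                  "222222222222": "data-platform-team"}
UNASSIGNED = "cloud-security-triage"                            # owner of last resort
NOW = datetime(2024, 3, 15, tzinfo=timezone.utc)                # constructed "today"


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


@dataclass
class Ticket:
    finding_id: str
    control_id: str
    owner: str
    severity: str
    summary: str
    remediation: str
    deadline: datetime


def ticket_from_finding(f: dict) -> Ticket:
    """Ticket with the deviation, remediation guidance, deadline and owner."""
    sev = f["Severity"]["Label"]
    control = f["Compliance"]["SecurityControlId"]
    return Ticket(
        finding_id=f["Id"],
        control_id=control,
        owner=ACCOUNT_OWNERS.get(f["AwsAccountId"], UNASSIGNED),
        severity=sev,
        summary=f"[{sev}] {control} deviation in {f['AwsAccountId']}/{f['Region']}: "
                f"{f['Resources'][0]['Id']}",
        remediation=f["Remediation"]["Recommendation"]["Text"],
        deadline=_ts(f["CreatedAt"]) + timedelta(days=SLA_DAYS[sev]),
    )


def open_tickets(findings: list) -> list:
    """One ticket per finding that is still NEW; resolved findings get none."""
    return [ticket_from_finding(f) for f in findings if f["Workflow"]["Status"] == "NEW"]


def campaign_metrics(findings: list, control_ids: set, now: datetime) -> dict:
    """Progress of a campaign that drives remediation of a set of controls."""
    scoped = [f for f in findings if f["Compliance"]["SecurityControlId"] in control_ids]
    resolved = [f for f in scoped if f["Workflow"]["Status"] == "RESOLVED"]
    still_open = [f for f in scoped if f["Workflow"]["Status"] == "NEW"]
    overdue = [f for f in still_open
               if now > _ts(f["CreatedAt"]) + timedelta(days=SLA_DAYS[f["Severity"]["Label"]])]
    # UpdatedAt of a RESOLVED finding is taken as its remediation time.
    hours = [(_ts(f["UpdatedAt"]) - _ts(f["CreatedAt"])).total_seconds() / 3600
             for f in resolved]
    return {
        "total": len(scoped),
        "resolved": len(resolved),
        "open": len(still_open),
        "overdue": len(overdue),
        "percent_resolved": round(100.0 * len(resolved) / len(scoped), 1) if scoped else 0.0,
        "mean_hours_to_remediate": round(sum(hours) / len(hours), 1) if hours else None,
    }


def _finding(fid, acct, region, control, sev, resource, text, status, created, updated):
    return {"Id": fid, "AwsAccountId": acct, "Region": region,
            "Compliance": {"SecurityControlId": control},
            "Severity": {"Label": sev}, "Resources": [{"Id": resource}],
            "Remediation": {"Recommendation": {"Text": text}},
            "Workflow": {"Status": status}, "CreatedAt": created, "UpdatedAt": updated}


# Constructed sample findings; control IDs and resource names are made up.
SAMPLE_FINDINGS = [
    _finding("f-1", "111111111111", "us-east-1", "S3.PublicAccess", "HIGH",
             "arn:aws:s3:::payments-exports", "Enable S3 Block Public Access.",
             "NEW", "2024-03-01T00:00:00Z", "2024-03-01T00:00:00Z"),
    _finding("f-2", "222222222222", "eu-west-1", "S3.PublicAccess", "HIGH",
             "arn:aws:s3:::data-lake-raw", "Enable S3 Block Public Access.",
             "RESOLVED", "2024-03-01T00:00:00Z", "2024-03-03T12:00:00Z"),
    _finding("f-3", "111111111111", "us-east-1", "SG.OpenAdminPorts", "CRITICAL",
             "sg-0123456789abcdef0", "Restrict inbound 22/3389 to known ranges.",
             "NEW", "2024-03-14T12:00:00Z", "2024-03-14T12:00:00Z"),
    _finding("f-4", "333333333333", "us-west-2", "IAM.RootMfa", "MEDIUM",
             "AWS::::Account:333333333333", "Enable MFA for the root user.",
             "NEW", "2024-03-10T00:00:00Z", "2024-03-10T00:00:00Z"),
]

if __name__ == "__main__":
    for t in open_tickets(SAMPLE_FINDINGS):
        print(f"{t.owner:<24} due {t.deadline:%Y-%m-%d}  {t.summary}")
    print(campaign_metrics(SAMPLE_FINDINGS, {"S3.PublicAccess"}, NOW))
```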

## Security metrics
<a name="sec-metr"></a>

 A mature internal security metrics program is crucial for managing security in the cloud. In general, this is completed by following the guidance of “what gets measured, gets done”. After you have controls in place, security metrics are the primary way to assess whether your security posture is improving, and whether your controls are adequate. You should have metrics for each part of your security organization, and these metrics should be reviewed regularly to verify that they have the right level of organizational buy-in and attention. For example, mean time to identify (MTTI) root cause and mean time to respond (MTTR) provide insights into your security incident response effectiveness. Make sure that you have good processes and continuous improvement around capturing, reviewing, and remediating insights gained from them. 

## Security response management
<a name="sec-resp"></a>

 Enterprises are mandated to protect their digital infrastructure from a wide range of threats and require in-depth visibility into their infrastructure and applications to make faster data-driven decisions. Enterprises need to take proactive actions to ensure timely threat intelligence. Security solutions must monitor workloads in real time, identify security issues, and expedite root-cause analysis. Essential elements of these tools allow you to identify, prioritize, and mitigate threats, gain visibility into suspicious activities, and acknowledge risks. The Security Pillar outlines specific recommendations for building your workloads while thinking proactively about security. This is the foundation for helping ensure that you can respond effectively to the security insights you are gathering. 

 Security management functions are responsible for analyzing and responding to security events. Where in the past this was done with human-powered processes, we recommend you automate these identification and remediation systems. This automation will help improve your security posture along with your ability to scale. At cloud scale, use automated workflows wherever possible to investigate events of interest and gather information on unexpected changes. Require that these workflows be tested in development environments to ensure operational resilience. Detect advanced security threats by combining monitoring from network, firewall, identity, control plane, vulnerability and patch management, workloads, and data protection processes with your existing threat detection capabilities. Threat detection can be used to determine the expected pattern of API calls per role, application, or service, and to determine the levels that indicate an unexpected deviation. This activity will allow you to maximize your telemetry by layering behavioral analytics on your log analytics. The Security Pillar outlines how to build a comprehensive detective capability with options that include automated remediation and AWS Partner solutions. This capability is enabled through the [configuration of environments](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/configure.html) with centralized analysis of logs, findings, and metrics. Automating aspects of your incident management process also improves reliability and increases the speed of your response, which creates an environment that is easier to assess in after-action reviews. 

# Interoperable functions
<a name="interoperable-functions-3"></a>

 The eight management and governance functions, supported by AWS services and AWS Partner solutions, work together and interoperate to reduce complexity. Outputs from functions are used to inform or integrate with other functions. For security management this includes: 
+  **Controls** continually updated and tuned as a result of your security findings and patterns. 
+  Changes in the definition or behavior of your **Network connectivity** as part of your security findings and patterns, with automated remediation when applicable. 
+  Changes in the definition or behavior of your **Identity management** as part of your security findings and patterns, with automated remediation when applicable. 
+  A **Service management** framework integrated such that security incident response procedures and vulnerability management procedures (including security incident response findings and campaigns) are integrated with tooling from the service management framework. 
+  Centralized **Monitoring and observability** tools informing security management functions, with specific automated remediation. 
+  Unexpected changes in cost and spend patterns as part of your **Cloud Financial Management**, which should be visible and included in your security findings and patterns, with automated remediation when applicable. 
+  Security tools which are **Sourced and distributed** with preconfigured security controls in a hub and spoke pattern across your environments. 

# Implementation priorities
<a name="implementation-priorities-3"></a>

 For security management, we recommend that you deploy your security capabilities (XDR, CSPM, etc.) using the same mechanisms as the base foundation of capabilities for each of your accounts. In the [Controls](controls.md) section, we recommend that you begin with assessing your risk posture and [developing a threat model](https://aws.amazon.com/blogs/security/how-to-approach-threat-modeling/), and thereafter selecting appropriate controls for each environment. In addition, you should set a foundation with specific security tools aligned to your environments and accounts, additional logging, and integration to your incident management and security analytics capabilities. 

## Design a Well-Architected security environment
<a name="sec-envr"></a>

 Design capabilities with governance and security instrumentation in mind, following the best practices described in the [AWS Well-Architected Security Pillar](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html). Your [security foundations](https://docs.aws.amazon.com/wellarchitected/latest/framework/a-sec-security.html) should include: 
+  Separating and securing your workloads across a multi-account strategy 
+  Identifying and validating control objectives based on your compliance requirements and risk assessments 
+  Recognizing and staying up to date with the latest security threats and vectors, recommendations, and effective controls 
+  Establishing secure baselines and templates for security mechanisms that are tested and validated continually as part of your build, pipelines, and processes 
+  Identifying and prioritizing risks using threat modeling 
+  Evolving the security posture of your workloads using new features and enhancements of AWS and AWS Partner services 
+  Enabling encryption at rest and in transit for cloud storage, databases, and network traffic that carries sensitive data 

## Choose security tools to match your enterprise needs
<a name="sec-tools"></a>

 Security monitoring tools should allow for granular security monitoring across infrastructure, applications, and workloads as well as provide aggregated views for pattern analysis. As with all other security management tools, it is important to extend your XDR tools to provide functions to assess, detect, respond, and remediate the security of your applications, resources, and environments on AWS. Using these tools with the interoperable functions of the M&G Guide can provide a mechanism for you to enable further use cases for compliance monitoring, incident response, DevSecOps integration, risk assessment and visualization. Cloud Security Posture Management (CSPM) tools can also be used to manage and remediate common vulnerabilities and exposures (CVEs) in your AWS environments. Use a vulnerability management solution that assesses infrastructure and applications for vulnerabilities or deviations from best practices, and produces a detailed list of findings prioritized by level of severity.  

## Analyze and model for threats
<a name="sec-anal"></a>

 Implement continual monitoring and measurement against industry and security benchmarks. When designing your instrumentation approach, determine what types of event data and information will best inform your security management functions. This monitoring should encompass several attack vectors including service usage. Your security foundations should include a comprehensive secure logging and analytics capability across your multi-account environments that includes the ability to correlate events from multiple sources. 

 Prevent changes to this configuration with specific controls and guardrails. AWS Security Hub CSPM and AWS Partner tools provide dashboards across a multi-account environment and should be integrated with [event-triggering systems](https://aws.amazon.com/solutions/implementations/aws-security-hub-automated-response-and-remediation/) in AWS for security and incident event management functions. Develop thresholds and metrics based on expected behavior of your environments. Use anomaly detection to identify unintended activities when thresholds are exceeded. Configure and monitor Amazon CloudWatch alarms for exceeded thresholds across IAM activity, resource creation, failed access attempts, policy and configuration changes, VPC-related changes (security groups, NACLs, gateways, and route tables), API calls, and activities in unapproved AWS Regions. 
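The threshold and allow-list logic behind the alarms listed above (failed access attempts, activity in unapproved Regions, VPC-related changes, and policy changes), as an added Python example that is not AWS code, run over a handful of constructed CloudTrail records. `APPROVED_REGIONS`, the failed-access threshold, the time window and the event-name sets are assumptions to adapt to your own environment.

```python
"""Threshold and allow-list checks over CloudTrail records (added example, not
AWS code). Events below are constructed; APPROVED_REGIONS, the failed-access
threshold, the window and the event-name sets are assumptions to adapt."""
from collections import defaultdict
from datetime import datetime, timedelta

APPROVED_REGIONS = {"us-east-1", "eu-west-1"}      # assumed organization policy
FAILED_ACCESS_THRESHOLD = 3                        # failures per principal per window
WINDOW = timedelta(minutes=5)
ACCESS_ERRORS = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}
VPC_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "CreateNetworkAclEntry", "DeleteNetworkAclEntry",
    "CreateRoute", "DeleteRoute", "CreateInternetGateway", "AttachInternetGateway",
}
POLICY_CHANGE_EVENTS = {
    "AttachRolePolicy", "PutRolePolicy", "AttachUserPolicy", "PutUserPolicy",
    "CreatePolicyVersion", "PutBucketPolicy", "StopLogging", "DeleteTrail",
}


def _time(ev: dict) -> datetime:
    return datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))


def _principal(ev: dict) -> str:
    ident = ev.get("userIdentity", {})
    return ident.get("arn") or ident.get("principalId") or "unknown"


def evaluate(events: list) -> list:
    """Return (rule, principal, detail) alerts, in event-time order."""
    alerts = []
    failures = defaultdict(list)           # principal -> timestamps of recent failures
    for ev in sorted(events, key=_time):
        who, name, region, when = _principal(ev), ev["eventName"], ev.get("awsRegion"), _time(ev)
        if region not in APPROVED_REGIONS:
            alerts.append(("UNAPPROVED_REGION", who, f"{name} in {region}"))
        if name in VPC_CHANGE_EVENTS:
            alerts.append(("VPC_CHANGE", who, name))
        if name in POLICY_CHANGE_EVENTS:
            alerts.append(("POLICY_CHANGE", who, name))
        if ev.get("errorCode") in ACCESS_ERRORS:
            # Sliding window: keep only failures that fall within WINDOW of this one.
            recent = [t for t in failures[who] if when - t <= WINDOW] + [when]
            if len(recent) >= FAILED_ACCESS_THRESHOLD:
                alerts.append(("FAILED_ACCESS", who,
                               f"{len(recent)} denied calls within {WINDOW}"))
                recent = []                # fire once per burst, then start over
            failures[who] = recent
    return alerts


def _event(time, arn, name, region, error=None):
    ev = {"eventTime": time, "eventName": name, "awsRegion": region,
          "userIdentity": {"arn": arn}}
    if error:
        ev["errorCode"] = error
    return ev


CI_ROLE = "arn:aws:sts::111111111111:assumed-role/deploy/ci"     # constructed
ALICE = "arn:aws:iam::111111111111:user/alice"                    # constructed
SAMPLE_EVENTS = [
    _event("2024-03-15T10:00:00Z", ALICE, "DescribeInstances", "us-east-1"),
    _event("2024-03-15T10:01:00Z", CI_ROLE, "GetSecretValue", "us-east-1", "AccessDenied"),
    _event("2024-03-15T10:01:30Z", CI_ROLE, "GetSecretValue", "us-east-1", "AccessDenied"),
    _event("2024-03-15T10:02:10Z", CI_ROLE, "GetSecretValue", "us-east-1", "AccessDenied"),
    _event("2024-03-15T10:03:00Z", ALICE, "RunInstances", "ap-southeast-2"),
    _event("2024-03-15T10:04:00Z", ALICE, "AuthorizeSecurityGroupIngress", "us-east-1"),
    _event("2024-03-15T10:05:00Z", ALICE, "AttachRolePolicy", "us-east-1"),
    _event("2024-03-15T10:20:00Z", CI_ROLE, "GetSecretValue", "us-east-1", "AccessDenied"),
]

if __name__ == "__main__":
    for rule, who, detail in evaluate(SAMPLE_EVENTS):
        print(f"{rule:<18} {who}  {detail}")
```

In production the same rules map onto CloudWatch metric filters and alarms over your CloudTrail log group, with the alarm action routed to your incident tooling rather than a print statement.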

 Develop a threat modeling practice to engage with business stakeholders, cloud infrastructure architects, compliance, application developers, security and other key stakeholders. The AWS Well-Architected Framework calls out threat modeling as a specific best practice within the Security Pillar, under the question [SEC 1: How do you securely operate your workload?](https://docs.aws.amazon.com/wellarchitected/latest/framework/a-sec-security.html) Preventive, detective, and responsive controls should be put in place as responses to both workload and environment level threats identified in threat modeling exercises. 

 Enable log aggregation as a foundation for your threat modeling and log analytics capabilities, extended automatically as new accounts or environments are created, updated, or deleted. Use XDR with multiple telemetry sources to identify whether correlated events qualify as recordable incidents. Use the threat model as the basis for tabletop exercises, for building incident response playbooks and runbooks, and for developing automated testing. Codify your compliance objectives using AWS Config or AWS Partner products. 

## Automate incident management workflows, findings, and campaigns
<a name="sec-incident"></a>

 The [Security Pillar](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html) outlines how to build a comprehensive detective capability with options that include automated remediation and AWS Partner integrations. This capability is enabled through the [configuration of environments](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/configure.html) with centralized analysis of logs, findings, and metrics. Typical automation might include AWS Lambda function “responders” that react to specific changes in the environment, orchestrating automatic scaling, isolating suspect system components, deploying just-in-time investigative tools, and creating workflow and ticketing to shut down and learn from a closed loop organizational response. Each account, application, or resource should be provisioned with a baseline configuration aligned with your security operations. This includes provisioning specific security tools, which also align to your observability requirements. Develop remediation processes which allow you to isolate cloud resources for forensic analysis. 

## Select, measure, and continually improve your security metrics
<a name="sec-sel"></a>

 Follow the guidance of “*what gets measured, gets done*”. Implement metrics for each part of your security organization and review regularly to verify you have the right level of organization buy-in and attention. Measure the performance of your security operations along with the threats themselves. Include metrics around your security operations paired with metrics around security campaigns, findings, and tools. For example, mean time to identify (MTTI) root cause and mean time to respond (MTTR) provide insights into your security incident response effectiveness. Drive operational insights and reviews to continually improve your threat modeling, threat detection, incident management, and response and remediation capabilities. 

# AWS security management services
<a name="aws-security-management-services"></a>

 The following AWS services can be used to help you meet the prescribed benefits of the M&G Guide: 

 [AWS Security Hub CSPM](https://aws.amazon.com/security-hub/) is a cloud security posture management service that performs security best practice checks, aggregates alerts, and enables automated remediation. AWS Security Hub CSPM aggregates, organizes, and prioritizes your findings from multiple AWS services as well as from AWS Partner solutions, enabling you to quickly assess the security posture across your AWS accounts. AWS Security Hub CSPM runs automated configurations and compliance checks based on open standards, such as CIS Benchmarks, NIST frameworks, and AWS Foundational Security Best Practices. 

 [Amazon GuardDuty](https://aws.amazon.com/guardduty/) is a threat detection service that continually monitors for malicious activity and unintended behavior to protect your AWS accounts, workloads, and data stored in Amazon S3. Amazon GuardDuty uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats. GuardDuty analyzes tens of billions of events across multiple AWS data sources, such as AWS CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs. 

 Both AWS Security Hub CSPM and Amazon GuardDuty have the concept of an *administrator* and *member* account. The administrator account can view the aggregated findings of all member accounts within a Region. You should delegate administration of Security Hub CSPM and GuardDuty to the security audit account provisioned by AWS Control Tower. 

 [AWS Security Hub CSPM Automated Response and Remediation](https://aws.amazon.com/solutions/implementations/aws-security-hub-automated-response-and-remediation/) is a solution that uses AWS Security Hub CSPM to provide a ready-to-deploy architecture and a library of automated playbooks. The solution creates an AWS Service Catalog portfolio of predefined security response and remediation actions called playbooks. Individual playbooks are deployed in the Security Hub CSPM primary account. Each playbook contains the necessary custom actions, AWS Identity and Access Management (IAM) roles, Amazon CloudWatch Events, Systems Manager automation documents, AWS Lambda functions, and AWS Step Functions needed to start a remediation workflow within a single AWS account, or across multiple accounts. 

 [Amazon Detective](https://aws.amazon.com/detective/) automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables you to easily conduct faster and more efficient security investigations. 

 [AWS Control Tower](https://aws.amazon.com/controltower/) implements centralized logging and audit accounts that use AWS CloudTrail and Amazon CloudWatch. This is done using AWS Config for detective guardrail enablement, and SCPs from AWS Organizations for preventive controls. 

 [AWS Systems Manager](https://aws.amazon.com/systems-manager/) allows you to create automated responses to security misconfigurations via specific automation documents, with patch management functions. 

 Using [automated reasoning technology](https://aws.amazon.com/security/provable-security/) (the application of mathematical logic to help answer critical questions about your infrastructure), AWS is able to identify opportunities to improve your security posture. We call this *provable security*; it provides higher assurance in security of the cloud and in the cloud. Automated reasoning capabilities include [IAM Access Analyzer](https://aws.amazon.com/iam/features/analyze-access/), [VPC Reachability Analyzer](https://docs.aws.amazon.com/vpc/latest/reachability/what-is-reachability-analyzer.html), [Amazon CodeGuru](https://aws.amazon.com/codeguru/), [Amazon S3 Block Public Access](https://aws.amazon.com/s3/features/block-public-access/), and Amazon Inspector network reachability. 

 If you would like support implementing this guidance, or assisting you with building the foundational elements prescribed by the M&G Guide, we recommend you review the offerings provided by [AWS Professional Services](https://aws.amazon.com/professional-services/) or the AWS Partners in the [Built on Control Tower program](https://aws.amazon.com/controltower/partners/). 

 If you are seeking help to operate your workloads in AWS following this guidance, [AWS Managed Services (AMS)](https://aws.amazon.com/managed-services/) can augment your operational capabilities as a short-term accelerator or a long-term solution, letting you focus on transforming your applications and businesses in the cloud. 

 

# Integrated security management partners
<a name="integrated-security-management-partners"></a>

 The M&G Guide recommends you consider the following questions when choosing an AWS Partner solution for security management functions: 
+  Is the solution from an AWS Security Competency Partner? 
+  Does the solution support multi-account, and work across all your required AWS Regions? 
+  Are security findings aligned to your controls surfaced with appropriate remediation steps? Is this auditable? 
+  Does the AWS Partner incorporate new threat vectors, maintain and manage their own findings, and add them to the operations tools on a regular basis? 
+  Does the solution provide analysis and troubleshooting tools for security operations teams? 

 To help improve the security posture across a multi-account environment, you need to implement security functions, such as vulnerability assessment, firewalls, and intrusion prevention. AWS Marketplace offers integrated software solutions for AWS Control Tower that help enterprises secure diverse workloads and provide broader visibility into assets, events and vulnerabilities. 

 [Alert Logic Managed Detection and Response (MDR)](https://aws.amazon.com/marketplace/solutions/control-tower/security/#AlertLogic) is always on, providing protection across your entire organization through five key elements: intelligence driven by data and humans, a scalable MDR platform, security experts named to your account, security insights at your fingertips, and protection tailored to each asset in your environments. 

 [Aqua Security SaaS](https://aws.amazon.com/marketplace/solutions/control-tower/security/#AquaSecurity) provides a SaaS-based, cloud security posture management (CSPM) solution for AWS Control Tower. Aqua CSPM continually audits your AWS accounts for security risks and misconfigurations. This is performed across hundreds of configuration settings and compliance best practices, enabling consistent, unified multi-account security. It also provides self-securing capabilities to help ensure your cloud accounts do not drift out of compliance by applying a policy-driven approach. 

 [Cloud Custodian](https://aws.amazon.com/security-hub/partners/) is a tool that unifies the dozens of tools and scripts most enterprises use for managing their public cloud accounts into one open source tool. It uses a stateless rules engine for policy definition and enforcement, with metrics, structured outputs, and detailed reporting for cloud infrastructure. Cloud Custodian's integration with Security Hub CSPM allows it to both send findings to Security Hub CSPM and receive findings from it for response and remediation actions. 

 [Crowdstrike Falcon Endpoint Protection](https://aws.amazon.com/marketplace/solutions/control-tower/security/#CrowdStrike) uses advanced artificial intelligence (AI), machine learning, behavioral protection, kernel-level visibility, and proactive threat hunting to identify potential attacks in real time. For enterprises that are adopting or migrating to cloud workloads, CrowdStrike Falcon Endpoint Protection provides comprehensive visibility and breach protection, allowing you to rapidly adopt and secure technology across any workload. 

 [ExtraHop Reveal(x) 360](https://aws.amazon.com/marketplace/solutions/control-tower/network-orchestration/#ExtraHop) provides multi-layered visibility, threat detection, and investigation in AWS via integrations with Amazon VPC Traffic Mirroring for packet-level visibility and VPC Flow Logs for broad coverage. ExtraHop is an AWS Security Competency Partner and offers a free trial of Reveal(x) 360. To learn more, see Reveal(x) 360 in the AWS Marketplace. 

 [Logz.io](https://aws.amazon.com/marketplace/solutions/control-tower/siem/#Logz.io) AI-Powered ELK-as-a-Service is a cloud-native observability platform providing unified monitoring, troubleshooting, and security for distributed cloud environments. Intelligent log analytics help engineers and businesses resolve incidents faster and simplify cloud security. Logz.io’s analytics and optimization tools help businesses reduce overall logging expenses and identify production and security incidents in real time. 

 [Palo Alto Prisma Cloud](https://aws.amazon.com/marketplace/solutions/control-tower/security/#Palo_Alto) provides cloud security posture management (CSPM) and cloud workload protection (CWP) as a single pane of glass for comprehensive visibility and control. Securely provision automated account registrations, continual governance, and enterprise-wide management of multiple AWS accounts in just a few clicks. Prisma Cloud also extends cloud automation to integrated Lambda serverless remediation and manages it through a common policy and governance framework. 

 [Prowler](https://aws.amazon.com/security-hub/partners/) is a security assessment tool that gives customers direct insights into the security best practices of their AWS infrastructure. Customers can run Prowler to continuously monitor their security status. The main differentiators between Prowler and other existing services or solutions are the number of checks that are included out of the box, no configuration needed to get insights, and no direct cost associated with its use. Prowler's checks follow guidelines from the CIS Amazon Web Services Foundations Benchmark and perform additional checks related to GDPR, PCI, and HIPAA. Prowler natively supports sending findings to AWS Security Hub CSPM. 

 The [Qualys](https://aws.amazon.com/security-hub/partners/) integration with AWS Security Hub CSPM provides customers the ability to consume security and compliance findings about their AWS instances and accounts within the AWS Security Hub CSPM console. Customers have access to critical vulnerabilities, missing patches, and open ports, as well as the compliance of their instances and AMIs with CIS, PCI, NIST, HIPAA, and their own security policies. Customers can also assess misconfigurations of VPCs, security groups, Amazon S3, and IAM against the CIS Benchmark. The Qualys integration with AWS Security Hub CSPM allows customers to prioritize their risks and automate remediation using services such as AWS Lambda. 

 [Rapid7](https://aws.amazon.com/security-hub/partners/) InsightVM, a vulnerability assessment solution, uses the power of the Insight platform to provide visibility across your modern ecosystem, prioritize risk using attacker analytics, and remediate or contain threats with SecOps agility. With InsightVM, vulnerabilities are discovered in real time and prioritized actionably. By integrating InsightVM with AWS Security Hub CSPM, vulnerabilities detected in a business's Amazon EC2 instances are automatically sent to AWS Security Hub CSPM for a holistic view of its cloud security posture. With additional vulnerability context from InsightVM, businesses can prioritize their teams' security tasks more efficiently and reduce measurable risk in their AWS Cloud environments. 

 [Sonrai Dig](https://aws.amazon.com/marketplace/solutions/control-tower/security/#Sonrai_Security) is an enterprise cloud security platform providing complete visibility across all multi-account AWS environments. Built on our patented graph, Dig combines platform (CSPM), identity (CIEM), and data (Cloud DLP) controls, delivering speed and security where it matters in your cloud apps. Maturity Modeling effectively addresses alert fatigue by providing workload/environment context, while our Governance Automation Engine automates workflow, remediation, and prevention capabilities across cloud and security teams improving operational efficiency and ensuring end-to-end security.

 

 [Splunk Cloud](https://aws.amazon.com/marketplace/solutions/control-tower/siem/#Splunk)’s integration into AWS Control Tower allows administrators to automatically configure and set up AWS services. Data from AWS CloudTrail, AWS Config, and other sources can be incorporated into your Splunk deployment using Firehose and Splunk HTTP Event Collector (HEC). With Splunk Cloud, you can automatically collect data from newly vended AWS accounts, and build dashboards and alerts on compliance with AWS Control Tower guardrails. 

 [Sumo Logic Cloud-Native Machine Data Analytics](https://aws.amazon.com/marketplace/solutions/control-tower/siem/#SumoLogic) pulls in critical operational data across services and accounts to give a unified view of AWS environments. Easily navigate from overview dashboards into account, Region, Availability Zone, or service-specific views. Intuitive navigation across logs and metrics data ensures that teams can quickly resolve issues, minimize downtime, and improve system availability. The Sumo Logic Continuous Intelligence Platform automates the collection, ingestion, and analysis of application, infrastructure, security, and IoT data to derive actionable insights. 

 [Sysdig Secure](https://aws.amazon.com/marketplace/solutions/control-tower/operational-intelligence/#Sysdig) helps cloud and security teams detect and respond to threats, and manage cloud configurations, permissions, and compliance. Integration with AWS CloudTrail enables customers to protect existing and newly enrolled AWS accounts via AWS CloudTrail logs. Sysdig detects anomalous activity across AWS workloads with out-of-the-box policies based on open source Falco. 

 [Tenable Vulnerability Management](https://aws.amazon.com/marketplace/solutions/control-tower/security/#Tenable) for modern IT, Tenable.io, provides the most accurate information about assets and vulnerabilities in your IT environments. Available as a cloud-delivered solution, Tenable.io features the broadest vulnerability coverage, intuitive dashboard visualizations for rapid analysis, and seamless integrations that help you maximize efficiency and increase effectiveness. 

 [Trend Micro Cloud One - Workload Security](https://aws.amazon.com/marketplace/solutions/control-tower/security/#TrendMicro) is purpose-built for server, cloud, and container environments, providing visibility across your entire hybrid cloud. Automatically protect against vulnerabilities, malware, and unauthorized changes with a wide range of powerful and intelligent capabilities. Workload Security automatically integrates with the DevOps toolchain and includes a rich set of REST APIs, which facilitate deployment, policy management, health checks, and compliance reporting. 

 