# Security foundations
**Topics**
+ [SEC 1 How do you securely operate your workload?](sec-01.md)
# SEC 1 How do you securely operate your workload?
To operate your workload securely, you must apply overarching best practices to every area of security. Take requirements and processes that you have defined in operational excellence at an organizational and workload level, and apply them to all areas. Staying up to date with AWS and industry recommendations and threat intelligence helps you evolve your threat model and control objectives. Automating security processes, testing, and validation allow you to scale your security operations.
**Topics**
+ [SEC01-BP01 Separate workloads using accounts](sec_securely_operate_multi_accounts.md)
+ [SEC01-BP02 Secure AWS account](sec_securely_operate_aws_account.md)
+ [SEC01-BP03 Identify and validate control objectives](sec_securely_operate_control_objectives.md)
+ [SEC01-BP04 Keep up-to-date with security threats](sec_securely_operate_updated_threats.md)
+ [SEC01-BP05 Keep up-to-date with security recommendations](sec_securely_operate_updated_recommendations.md)
+ [SEC01-BP06 Automate testing and validation of security controls in pipelines](sec_securely_operate_test_validate_pipeline.md)
+ [SEC01-BP07 Identify and prioritize risks using a threat model](sec_securely_operate_threat_model.md)
+ [SEC01-BP08 Evaluate and implement new security services and features regularly](sec_securely_operate_implement_services_features.md)
# SEC01-BP01 Separate workloads using accounts
Start with security and infrastructure in mind to enable your organization to set common guardrails as your workloads grow. This approach provides boundaries and controls between workloads. Account-level separation is strongly recommended for isolating production environments from development and test environments, or providing a strong logical boundary between workloads that process data of different sensitivity levels, as defined by external compliance requirements (such as PCI-DSS or HIPAA), and workloads that don’t.
**Level of risk exposed if this best practice is not established:** High
## Implementation guidance
+ Use AWS Organizations: Use AWS Organizations to centrally enforce policy-based management for multiple AWS accounts.
+ [Getting started with AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started.html)
+ [How to use service control policies to set permission guardrails across accounts in your AWS Organization ](https://aws.amazon.com/blogs/security/how-to-use-service-control-policies-to-set-permission-guardrails-across-accounts-in-your-aws-organization/)
+ Consider AWS Control Tower: AWS Control Tower provides an easy way to set up and govern a new, secure, multi-account AWS environment based on best practices.
+ [AWS Control Tower](https://aws.amazon.com/controltower/)
## Resources
**Related documents:**
+ [IAM Best Practices ](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html?ref=wellarchitected)
+ [Security Bulletins](https://aws.amazon.com/security/security-bulletins)
+ [AWS Security Audit Guidelines](https://docs.aws.amazon.com/general/latest/gr/aws-security-audit-guide.html?ref=wellarchitected)
**Related videos:**
+ [Managing Multi-Account AWS Environments Using AWS Organizations](https://youtu.be/fxo67UeeN1A)
+ [Security Best Practices the Well-Architected Way ](https://youtu.be/u6BCVkXkPnM)
+ [Using AWS Control Tower to Govern Multi-Account AWS Environments ](https://youtu.be/2t-VkWt0rKk)
# SEC01-BP02 Secure AWS account
There are a number of aspects to securing your AWS accounts, including the securing of, and not using the [root user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html), and keeping your contact information up-to-date. You can use [AWS Organizations](https://aws.amazon.com/organizations/) to centrally manage and govern your accounts as you grow and scale your workloads in AWS. AWS Organizations helps you manage accounts, set controls, and configure services across your accounts.
**Level of risk exposed if this best practice is not established:** High
## Implementation guidance
+ Use AWS Organizations: Use AWS Organizations to centrally enforce policy-based management for multiple AWS accounts.
+ [Getting started with AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started.html)
+ [How to use service control policies to set permission guardrails across accounts in your AWS Organization ](https://aws.amazon.com/blogs/security/how-to-use-service-control-policies-to-set-permission-guardrails-across-accounts-in-your-aws-organization/)
+ Limit use of the AWS account root user: Only use the root user to perform tasks that specifically require it.
+ [Tasks that require root user credentials](https://docs.aws.amazon.com/accounts/latest/reference/root-user-tasks.html) in the *AWS Account Management Reference Guide*
+ Enable multi-factor-authentication (MFA) for the root user: Enable MFA on the AWS account root user, if AWS Organizations is not managing the root user for you.
+ [Root user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa)
+ Periodically change the root user password: Changing the root user password reduces the risk that a saved password can be used. This is especially important if you are not using AWS Organizations and anyone has physical access.
+ [ Changing the AWS account root user password ](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_change-root.html)
+ Enable notification when the AWS account root user is used: Being notified automatically reduces risk.
+ [ How to receive notifications when your AWS account's root user access keys are used ](https://aws.amazon.com/blogs/security/how-to-receive-notifications-when-your-aws-accounts-root-access-keys-are-used/)
+ Restrict access to newly added Regions: For new AWS Regions, IAM resources, such as users and roles, will only be propagated to the Regions that you enable.
+ [ Setting permissions to enable accounts for upcoming AWS Regions](https://aws.amazon.com/blogs/security/setting-permissions-to-enable-accounts-for-upcoming-aws-regions/)
+ Consider AWS CloudFormation StackSets: CloudFormation StackSets can be used to deploy resources including IAM policies, roles, and groups into different AWS accounts and Regions from an approved template.
+ [ Use CloudFormation StackSets ](https://aws.amazon.com/blogs/aws/use-cloudformation-stacksets-to-provision-resources-across-multiple-aws-accounts-and-regions/)
## Resources
**Related documents:**
+ [AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html)
+ [AWS Security Audit Guidelines ](https://docs.aws.amazon.com/general/latest/gr/aws-security-audit-guide.html)
+ [ IAM Best Practices ](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)
+ [Security Bulletins ](https://aws.amazon.com/security/security-bulletins/)
**Related videos:**
+ [ Enable AWS adoption at scale with automation and governance ](https://youtu.be/GUMSgdB-l6s)
+ [ Security Best Practices the Well-Architected Way ](https://youtu.be/u6BCVkXkPnM)
**Related examples:**
+ [ Lab: AWS account and root user ](https://youtu.be/u6BCVkXkPnM)
# SEC01-BP03 Identify and validate control objectives
Based on your compliance requirements and risks identified from your threat model, derive and validate the control objectives and controls that you need to apply to your workload. Ongoing validation of control objectives and controls help you measure the effectiveness of risk mitigation.
**Level of risk exposed if this best practice is not established:** High
## Implementation guidance
+ Identify compliance requirements: Discover the organizational, legal, and compliance requirements that your workload must comply with.
+ Identify AWS compliance resources: Identify resources that AWS has available to assist you with compliance.
+ [https://aws.amazon.com/compliance/ ](https://aws.amazon.com/compliance/)
+ [ https://aws.amazon.com/artifact/](https://aws.amazon.com/artifact/)
## Resources
**Related documents:**
+ [AWS Security Audit Guidelines](https://docs.aws.amazon.com/general/latest/gr/aws-security-audit-guide.html)
+ [ Security Bulletins](https://aws.amazon.com/security/security-bulletins/)
**Related videos:**
+ [AWS Security Hub CSPM: Manage Security Alerts and Automate Compliance](https://youtu.be/HsWtPG_rTak)
+ [Security Best Practices the Well-Architected Way](https://youtu.be/u6BCVkXkPnM)
# SEC01-BP04 Keep up-to-date with security threats
To help you define and implement appropriate controls, recognize attack vectors by staying up to date with the latest security threats. Consume AWS Managed Services to make it easier to receive notification of unexpected or unusual behavior in your AWS accounts. Investigate using AWS Partner tools or third-party threat information feeds as part of your security information flow. The [Common Vulnerabilities and Exposures (CVE) List ](https://cve.mitre.org/) list contains publicly disclosed cyber security vulnerabilities that you can use to stay up to date.
**Level of risk exposed if this best practice is not established:** High
## Implementation guidance
+ Subscribe to threat intelligence sources: Regularly review threat intelligence information from multiple sources that are relevant to the technologies used in your workload.
+ [Common Vulnerabilities and Exposures List ](https://cve.mitre.org/)
+ Consider [AWS Shield Advanced](https://aws.amazon.com/shield/?whats-new-cards.sort-by=item.additionalFields.postDateTime&whats-new-cards.sort-order=desc) service: It provides near real-time visibility into intelligence sources, if your workload is internet accessible.
## Resources
**Related documents:**
+ [AWS Security Audit Guidelines](https://docs.aws.amazon.com/general/latest/gr/aws-security-audit-guide.html)
+ [AWS Shield](https://aws.amazon.com/shield/)
+ [ Security Bulletins](https://aws.amazon.com/security/security-bulletins/)
**Related videos:**
+ [Security Best Practices the Well-Architected Way ](https://youtu.be/u6BCVkXkPnM)
# SEC01-BP05 Keep up-to-date with security recommendations
Stay up-to-date with both AWS and industry security recommendations to evolve the security posture of your workload. [AWS Security Bulletins](https://aws.amazon.com/security/security-bulletins/?card-body.sort-by=item.additionalFields.bulletinDateSort&card-body.sort-order=desc&awsf.bulletins-year=year%232009) contain important information about security and privacy notifications.
**Level of risk exposed if this best practice is not established:** High
## Implementation guidance
+ Follow AWS updates: Subscribe or regularly check for new recommendations, tips and tricks.
+ [AWS Well-Architected Labs](https://wellarchitectedlabs.com/?ref=wellarchitected)
+ [AWS security blog](https://aws.amazon.com/blogs/security/?ref=wellarchitected)
+ [AWS service documentation](https://aws.amazon.com/documentation/?ref=wellarchitected)
+ Subscribe to industry news: Regularly review news feeds from multiple sources that are relevant to the technologies that are used in your workload.
+ [Example: Common Vulnerabilities and Exposures List](https://cve.mitre.org/cve/?ref=wellarchitected)
## Resources
**Related documents:**
+ [Security Bulletins](https://aws.amazon.com/security/security-bulletins/)
**Related videos:**
+ [Security Best Practices the Well-Architected Way](https://youtu.be/u6BCVkXkPnM)
# SEC01-BP06 Automate testing and validation of security controls in pipelines
Establish secure baselines and templates for security mechanisms that are tested and validated as part of your build, pipelines, and processes. Use tools and automation to test and validate all security controls continuously. For example, scan items such as machine images and infrastructure-as-code templates for security vulnerabilities, irregularities, and drift from an established baseline at each stage. AWS CloudFormation Guard can help you verify that CloudFormation templates are safe, save you time, and reduce the risk of configuration error.
Reducing the number of security misconfigurations introduced into a production environment is critical—the more quality control and reduction of defects you can perform in the build process, the better. Design continuous integration and continuous deployment (CI/CD) pipelines to test for security issues whenever possible. CI/CD pipelines offer the opportunity to enhance security at each stage of build and delivery. CI/CD security tooling must also be kept updated to mitigate evolving threats.
Track changes to your workload configuration to help with compliance auditing, change management, and investigations that may apply to you. You can use AWS Config to record and evaluate your AWS and third-party resources. It allows you to continuously audit and assess the overall compliance with rules and conformance packs, which are collections of rules with remediation actions.
Change tracking should include planned changes, which are part of your organization’s change control process (sometimes referred to as MACD—Move, Add, Change, Delete), unplanned changes, and unexpected changes, such as incidents. Changes might occur on the infrastructure, but they might also be related to other categories, such as changes in code repositories, machine images and application inventory changes, process and policy changes, or documentation changes.
**Level of risk exposed if this best practice is not established:** Medium
## Implementation guidance
+ Automate configuration management: Enforce and validate secure configurations automatically by using a configuration management service or tool.
+ [AWS Systems Manager](https://aws.amazon.com/systems-manager/)
+ [AWS CloudFormation](https://aws.amazon.com/cloudformation/)
+ [Set Up a CI/CD Pipeline on AWS](https://aws.amazon.com/getting-started/projects/set-up-ci-cd-pipeline/)
## Resources
**Related documents:**
+ [How to use service control policies to set permission guardrails across accounts in your AWS Organization](https://aws.amazon.com/blogs/security/how-to-use-service-control-policies-to-set-permission-guardrails-across-accounts-in-your-aws-organization/)
**Related videos:**
+ [Managing Multi-Account AWS Environments Using AWS Organizations](https://youtu.be/fxo67UeeN1A)
+ [Security Best Practices the Well-Architected Way](https://youtu.be/u6BCVkXkPnM)
# SEC01-BP07 Identify and prioritize risks using a threat model
Use a threat model to identify and maintain an up-to-date register of potential threats. Prioritize your threats and adapt your security controls to prevent, detect, and respond. Revisit and maintain this in the context of the evolving security landscape.
Threat modeling provides a systematic approach to aid in finding and addressing security issues early in the design process. Earlier is better since mitigations have a lower cost compared to later in the lifecycle.
The typical core steps of the threat modeling process are:
1. Identify assets, actors, entry points, components, use cases, and trust levels, and include these in a design diagram.
1. Identify a list of threats.
1. For each threat, identify mitigations, which might include security control implementations.
1. Create and review a risk matrix to determine if the threat is adequately mitigated.
Threat modeling is most effective when done at the workload (or workload feature) level, ensuring that all context is available for assessment. Revisit and maintain this matrix as your security landscape evolves.
**Level of risk exposed if this best practice is not established:** Low
## Implementation guidance
+ Create a threat model: A threat model can help you identify and address potential security threats.
+ [NIST: Guide to Data-Centric System Threat Modeling ](https://csrc.nist.gov/publications/detail/sp/800-154/draft)
## Resources
**Related documents:**
+ [AWS Security Audit Guidelines ](https://docs.aws.amazon.com/general/latest/gr/aws-security-audit-guide.html)
+ [Security Bulletins ](https://aws.amazon.com/security/security-bulletins/)
**Related videos:**
+ [Security Best Practices the Well-Architected Way](https://youtu.be/u6BCVkXkPnM)
# SEC01-BP08 Evaluate and implement new security services and features regularly
Evaluate and implement security services and features from AWS and AWS Partners that allow you to evolve the security posture of your workload. The AWS Security Blog highlights new AWS services and features, implementation guides, and general security guidance. [What's New with AWS?](https://aws.amazon.com/new) is a great way to stay up to date with all new AWS features, services, and announcements.
**Level of risk exposed if this best practice is not established:** Low
## Implementation guidance
+ Plan regular reviews: Create a calendar of review activities that includes compliance requirements, evaluation of new AWS security features and services, and staying up-to-date with industry news.
+ Discover AWS services and features: Discover the security features that are available for the services that you are using, and review new features as they are released.
+ [AWS security blog](https://aws.amazon.com/blogs/security/)
+ [AWS security bulletins ](https://aws.amazon.com/security/security-bulletins/)
+ [AWS service documentation ](https://aws.amazon.com/documentation/)
+ Define AWS service on-boarding process: Define processes for onboarding of new AWS services. Include how you evaluate new AWS services for functionality, and the compliance requirements for your workload.
+ Test new services and features: Test new services and features as they are released in a non-production environment that closely replicates your production one.
+ Implement other defense mechanisms: Implement automated mechanisms to defend your workload, explore the options available.
+ [Remediating non-compliant AWS resources by AWS Config Rules](https://docs.aws.amazon.com/config/latest/developerguide/remediation.html)
## Resources
**Related videos:**
+ [Security Best Practices the Well-Architected Way ](https://youtu.be/u6BCVkXkPnM)