AWS has 5 areas which map back to NIST: IAM, Detection, Infrastructure, Data Protection, Incident Response.
Identity & Access Management
1. Secure your AWS account.
Use AWS Organizations to manage your accounts, use the root user by exception with multi-factor authentication (MFA) enabled, and configure account contacts.
2. Centralised identity provider, Account management.
Centralize identities using either AWS Single Sign-On or a third-party provider to avoid routinely creating IAM users or using long-term access keys—this approach makes it easier to manage multiple AWS accounts and federated applications.
Multiple AWS accounts allow you to separate data and resources, and enable the use of Service Control Policies to implement guardrails. AWS Control Tower can help you easily set up and govern a multi-account AWS environment.
3. Store and use secrets securely.
Where you cannot use temporary credentials, like tokens from AWS Security Token Service, store your secrets like database passwords using AWS Secrets Manager which handles encryption, rotation, and access control.
Detection
4. Enable foundational services: AWS CloudTrail, Amazon GuardDuty, and AWS Security Hub.
For all your AWS accounts configure CloudTrail to log API activity, use GuardDuty for continuous monitoring, and use AWS Security Hub for a comprehensive view of your security posture..
5. Configure service and application level logging.
In addition to your application logs, enable logging at the service level, such as Amazon VPC Flow Logs and Amazon S3, CloudTrail, and Elastic Load Balancer access logging, to gain visibility into events. Configure logs to flow to a central account, and protect them from manipulation or deletion.
6. Configure monitoring and alerts, and investigate events.
Enable AWS Config to track the history of resources, and Config Managed Rules to automatically alert or remediate on undesired changes. For all your sources of logs and events, from AWS CloudTrail, to Amazon GuardDuty and your application logs, configure alerts for high priority events and investigate.
Infrastructure Protection
7. Patch your operating system, applications, and code.
Use AWS Systems Manager Patch Manager to automate the patching process of all systems and code for which you are responsible, including your OS, applications, and code dependencies.Implement distributed denial-of-service (DDoS) protection for your internet facing resources.
Use Amazon Cloudfront, AWS WAF and AWS Shield to provide layer 7 and layer 3/layer 4 DDoS protection.
8. Control access using VPC Security Groups and sub-net layers.
Use security groups for controlling inbound and outbound traffic, and automatically apply rules for both security groups and WAFs using AWS Firewall Manager. Group different resources into different subnets to create routing layers, for example database resources do not need a route to the internet.
Data Protection
9. Protect data at rest.
Use AWS Key Management Service (KMS) to protect data at rest across a wide range of AWS services and your applications. Enable default encryption for Amazon EBS volumes, and Amazon S3 buckets.
10. Encrypt data in transit.
Enable encryption for all network traffic, including Transport Layer Security (TLS) for web based network infrastructure you control using AWS Certificate Manager to manage and provision certificates.
11. Use mechanisms to keep people away from data.
Keep all users away from directly accessing sensitive data and systems. For example, provide an Amazon QuickSight dashboard to business users instead of direct access to a database, and perform actions at a distance using AWS Systems Manager automation documents and Run Command.
Incident Response
12. Backup, DR plans.
Build Runbooks to outline how the firm will respond to a ‘disaster’ or event which disrupts the business. Implement daily backups of key images, data sources. Have a pilot light or similar DR plan. Consider a 2nd DR plan which uses another Cloud Platform. Costs, skills, and RTO (recovery time objective ie. get the application back online), and RPO (recovery point objective or date of the data backup), are key issues (see AWS Security Incident Response Guide.).
13. Make sure that someone is notified to take action on critical findings.
Begin with GuardDuty findings. Turn on GuardDuty and ensure that someone with the ability to take action receives the notifications. Automatically creating trouble tickets is the best way to ensure that GuardDuty findings are integrated with your operational processes.
14. Practice responding to events.
Simulate and practice incident response by running regular game days, incorporating the lessons learned into your incident management plans, and continuously improving them.
KTAs
1-Security models and postures vary by firm, industry and even type of application. Security best practices are helped by using the AWS WAR approach; but will need significant additions to provide best of breed security models.
2-Functional and non-Functional standards, including xls checklists, still need to be developed and used consistently across teams in addition to the AWS checklist.
3-Part of Security is integrated testing (unit, code, integration, network, DDoS etc); along with monitoring, alerting and reporting. Security is therefore tightly related to governance, cost control and environmental management.
4-Security is best achieved through standards and common approaches, including least privilege. An example is all ports are closed on deployment. If you need port 22 open for SSH access that has to be identified in the High Level Design and signed off by Security and templated (automated) for deployment.