**Long Range Planning Content:**

* * *

Mission Statement
=================

The security perspective goal is to help customers structure the selection and implementation of controls that are right for the organization. The directive, preventive, detective, and responsive components of the AWS Cloud Adoption Framework (CAF) security perspective organize the principles that will help drive the transformation of your organization's security culture.

Objective
=========

The security perspective provides a recommended initial configuration for the following:

* IAM model
* Logging and monitoring model
* Infrastructure security
* Data protection
* Incident response

Outcome
=======

* Customer has a defined IAM model and has provisioned IAM resources
* Customer has a defined logging source model and has implemented logging
* Customer has a defined centralized logging model and has implemented the solution
* Customer has a defined data protection model and has implemented data protection controls
* Customer has a defined infrastructure security model and has implemented infrastructure security controls
* Customer has a defined incident response plan for their AWS infrastructure

Key Milestones
==============

* Define account-wide AWS baselines
* Implement account-wide AWS baselines
* Define per-account IAM roles and policies
* Implement per-account IAM roles and policies
* Define account federation mechanism
* Implement account federation mechanism
* Define networking security patterns (security groups, VPNs, etc.)
* Implement security controls to enforce networking security patterns (security groups, VPNs, etc.)
* Establish data protection (encryption, access controls) controls
* Implement security controls to enforce data protection (encryption, access controls) requirements
* Define the security controls that warrant detection
* Implement detection controls
* Define the security controls that warrant responsive action
* Implement responsive controls
* Define account-specific infrastructure automation baselines and mechanism (CloudFormation, Service Catalog, automated)
* Implement security baselines
* Establish incident response playbook

Risks
=====

* Customer does not have existing security policies, standards, and guidelines.
* Customer does not have a data classification policy, or has not labeled workloads according to one.
* Logging capabilities could merit additional attention.

Decisions
=========

* Decision on Root and IAM Users management
* Decision on Multi-Account User Authentication Policy
* Decision on Encryption At Rest Strategy
* Decision on Encryption In Transit Strategy
* Decision on Secrets Management
* Decision on Certificate Management
* Decision on IDS/IPS Strategy
* Decision on Monitoring Services
* Decision on Logging Sources and Retention Period
* Decision on Preventative Security Controls
* Decision on Detective Security Controls

* * *

**Deliverables Content:**

* * *

* **AWS Cloud Adoption Framework (CAF) Security Perspective**
* **MRP Security Workstream Activity Map**
* **MRP Security Workstream Example Journey**
* **MRP Security Workstream Delivery Team**