AWS Architecture Center
AWS Well-Architected

Security Capabilities

It's important to create a secure, high-performing, and resilient foundation for your cloud environment. The Security capabilities help you design and implement security policies and controls across different levels to protect your resources from external or internal vulnerabilities and threats. These capabilities can also help you ensure confidentiality, availability, integrity, and usability, while providing priorities and advice to assist with remediation.

  • The Identity Management & Access Control (IMAC) capability helps you build and monitor permissions in your environment. Use this capability to structure access to your resources within defined isolated groups following the principal of least privilege (PoLP). This capability will help your team develop a framework to manage your environment and provide access to your services.

    Scenarios

    • CF2 – S1: Identity management
    • CF2 – S4: Identity operations
    • CF2 – S7: Permissions management
    Read the whitepaper
    Implement the capability

  • The Encryption and Key Management capability enables you to implement a key management strategy. This includes the ability to encrypt data at rest and in transit, provide least privileged access to keys, report on anomalies, and rotate keys based on requirements.

    Scenarios

    • CF20 – S1: Key storage
    • CF20 – S2: Key lifecycle management
    • CF20 – S3: Key access control
    • CF20 – S4: Encryption and decryption of data at rest
    • CF20 – S5: Encryption and decryption of data in transit
    • CF20 – S6: Key auditing and monitoring
    Read the whitepaper

  • The Secrets Management capability enables you to manage secrets such as passwords, access keys, other API keys, X.509, or SSH private keys. This capability includes storage, access control, access logging, revocation, and rotation aspects for managing secrets.

    Scenarios

    • CF21 - S1: Secrets storage
    • CF21 - S2: Secrets access control
    • CF21 - S3: Secrets auditing and monitoring
    • CF21 - S4: Secrets lifecycle management
    Read the whitepaper

  • The Data Isolation capability enables you to limit access to data at rest and in transit so that data is only accessible to appropriate and authorized entities. This capability also includes the ability to detect misuse and/or unauthorized access, leak, and theft of data.

    Scenarios

    • CF10 - S1: Data classification
    • CF10 - S2: Data access control
    • CF10 - S3: Data segmentation
    • CF10 - S4: Data lifecycle
    • CF10 - S5: Data residency
    Read the whitepaper

  • The Security Incident Response capability enables you to effectively respond to a security incident based on decisions specified in policy. The response involves characterizing the nature of the incident and making changes (which may involve activities including restoration of operational status, identification and remediation of root cause, and gathering evidence pursuant to civil or criminal prosecution).

    Scenarios

    • CF3 - S1: Incident preparation
    • CF3 - S2: Detection and notification
    • CF3 - S3: Containment and analysis
    • CF3 - S4: Incident recovery
    • CF3 - S5: Post incident actions
    Read the whitepaper
    Implement the capability

  • Vulnerability & Threat Management is the ability to identify vulnerabilities that can affect the availability, performance, or security of the environment. Using this capability, you can assess the impact and scope of vulnerabilities and threats, and address/remediate them.

    Scenarios

    • CF6 - S1: Assess and identify vulnerabilities
    • CF6 - S2: Classify and prioritize vulnerabilities
    • CF6 - S3: Respond to vulnerabilities
    • CF6 - S4: Report on vulnerabilities
    • CF6 - S5: Improve process
    Read the whitepaper

  • The Application Security capability enables the protection of application software, and the detection of anomalous behavior in the context of the applications’ interactions with customers. Threats to be addressed include unauthorized access, privilege escalation, and other application-level threats typically characterized in threat frameworks.

    Scenarios

    • CF9 - S1: Authentication and access controls
    • CF9 - S2: Application encryption
    • CF9 - S3: Application security testing
    • CF9 - S4: Application logging and monitoring
    Read the whitepaper
    Implement the capability

Was this page helpful?

 Feedback