Implement managed services

PostedNovember 28, 2024

UpdatedMarch 21, 2025

ByKevin McCaffrey

Using managed services like Amazon RDS, AWS Lambda, and Amazon ECS is crucial for enhancing the security of compute resources. These services help reduce the complexity of security maintenance tasks by automating essential functions, allowing organizations to focus on more strategic security measures.

Best Practices

Utilize Managed Database Services

Use Amazon RDS for relational database management to automate routine tasks like backups, patching, and scaling. This reduces the attack surface as AWS maintains the underlying infrastructure security and provides built-in encryption options.
Implement Amazon DynamoDB for NoSQL databases with integrated security features such as IAM roles and fine-grained access control.
Always enable encryption at rest and in transit for all database services to protect sensitive data from unauthorized access.

Leverage Serverless Architecture with AWS Lambda

Adopt AWS Lambda for compute tasks to eliminate the need to manage server instances. This reduces the risk of server vulnerabilities and allows for automatic scaling based on demand.
Ensure proper IAM permissions are set for Lambda functions to limit access to only the required resources and services, minimizing potential exposure.
Use AWS Secrets Manager or Parameter Store to manage sensitive information such as API keys or database credentials securely.

Implement Container Security Best Practices

Utilize Amazon ECS or Amazon EKS for container orchestration, which include built-in security features such as IAM integration, network segmentation, and orchestration control.
Regularly scan container images for known vulnerabilities and ensure that only trusted images are used, using services like Amazon ECR’s image scanning feature.
Implement network policies in EKS to control traffic flow between containers, enforcing least privilege access within your containerized applications.

Questions to ask your team

Are you leveraging AWS managed services for your compute resources?
How often do you evaluate the security posture of the managed services you are using?
Do you have a clear understanding of the shared responsibility model for the managed services deployed?
Are you regularly reviewing the security features and compliance certifications of services like Amazon RDS, AWS Lambda, and Amazon ECS?
Have you implemented proper access controls and monitoring for your managed services?
Are you using AWS Identity and Access Management (IAM) roles to restrict permissions for resources managed by services like Lambda and RDS?

Who should be doing this?

Cloud Security Architect

Design and implement security frameworks for managed services deployment.
Ensure compliance with security standards and best practices.
Evaluate and select appropriate managed services based on security requirements.

DevOps Engineer

Integrate managed services like Amazon RDS and AWS Lambda into CI/CD pipelines.
Monitor and audit the security of deployed managed services.
Collaborate with development teams to ensure secure coding practices.

Database Administrator

Manage database security settings and user permissions in Amazon RDS.
Perform regular security assessments and vulnerability scans on managed databases.
Oversee automated backup and patch management processes.

Security Analyst

Conduct threat assessments focusing on compute resources.
Analyze security incidents and recommend improvements for managed services security.
Stay updated on security trends impacting managed services.

What evidence shows this is happening in your organization?

Managed Services Security Checklist: A comprehensive checklist that outlines security considerations and best practices for using managed services like Amazon RDS, AWS Lambda, and Amazon ECS. It includes items to verify during deployment and maintenance to ensure security hygiene.
Incident Response Plan for Managed Services: A detailed incident response plan that covers specific scenarios related to managed services. This plan defines roles, responsibilities, and procedures for responding to security incidents involving services like RDS and Lambda.
Security Automation Playbook: A playbook that describes how to implement automation for security tasks using managed services. It includes scripts, workflows, and integrations to automate vulnerability assessments and compliance checks.
Dashboard for Managed Services Monitoring: An operational dashboard providing real-time insights into the security posture of managed services in use. It includes metrics related to access logs, security alerts, and compliance status for services like Amazon RDS and ECS.
Training Guide for Managed Services Security Best Practices: A training guide designed for teams to ensure they understand security best practices when utilizing managed services. This guide covers topics such as secure coding for Lambda functions and database encryption for RDS.

Cloud Services

AWS

Amazon RDS: Automates database management tasks, such as backups, patching, and scaling, reducing the operational burden and allowing focus on application security.
AWS Lambda: Eliminates the need to manage server infrastructure, allowing developers to focus on writing secure code without worrying about underlying server vulnerabilities.
Amazon ECS: A managed container orchestration service that simplifies the deployment and management of containers while enhancing security through built-in features and integrations.

Azure

Azure SQL Database: A fully managed database service that includes automated backups, patching, and scalability, enabling better security management.
Azure Functions: A serverless compute service that allows developers to run event-driven code without managing servers, improving security through reduced attack surfaces.
Azure Kubernetes Service (AKS): A managed Kubernetes service that simplifies the deployment and management of containerized applications with integrated security features.

Google Cloud Platform

Cloud SQL: A fully managed database service that automates administrative tasks like backups and patching, helping to reduce security maintenance efforts.
Cloud Functions: A serverless execution environment that allows you to run code in response to events without the need for server management, enhancing security through simplicity.
Google Kubernetes Engine (GKE): A managed Kubernetes service that provides secure container orchestration, helping to minimize operational complexity and enhance security controls.

Question: How do you protect your compute resources?
Pillar: Security (Code: SEC)

Operational Excellence

Determine what your priorities are

Structure your organization to support your business outcomes

Organizational culture to support your business outcomes

Implement observability in your workload

Reduce defects, ease remediation, and improve flow into production

Mitigate deployment risks

Be ready to support a workload

Uilize workload observability

Understand the health of your operations

Manage workload and operations events

Evolve your operations

Security

Securely operate your workload

Manage identities for people and machines

Manage permissions for people and machines

Detect and investigate security events

Protect your network resources

Protect your compute resources

Classify your data

Protect your data at rest

Protect your data in transit

Anticipate, respond to, and recover from incidents

Incorporate and validate the security properties of applications throughout the design, development, and deployment lifecycle

Reliability

Manage service quotas and constraints

Plan your network topology

Design your workload service architecture

Design interactions in a distributed system to prevent failures

Design interactions in a distributed system to mitigate or withstand failures

Monitor workload resources

Design your workload to adapt to changes in demand

Implement change

Back up data

Fault isolation to protect your workload

Design your workload to withstand component failures

Test reliability

Plan for disaster recovery (DR)

Cost Optimization

Implement cloud financial management

Govern usage

Monitor your cost and usage

Decommission resources

Evaluate cost when you select services

Meet cost targets when you select resource type, size and number

Use pricing models to reduce cost

Plan for data transfer charges

Manage demand, and supply resources

Evaluate new services

Evaluate the cost of effort

Performance

Select the appropriate cloud resources and architecture patterns for your workload

Select and use compute resources in your workload

Store, manage, and access data in your workload

Select and configure networking resources in your workload

Support more performance efficiency for your workload

Sustainability

Select Regions for your workload

Align cloud resources to your demand

Take advantage of software and architecture patterns to support your sustainability goals

Take advantage of data management policies and patterns to support your sustainability goals

Select and use cloud hardware and services in your architecture to support your sustainability goals

Implement organizational processes support your sustainability goals