Well Architected Guide
Security
Category - Security
Securely operate your workload
Evaluate and implement new security services and features regularly
Automate testing and validation of security controls in pipelines
Identify and prioritize risks using a threat model
Keep up-to-date with security recommendations
Keep up-to-date with security threats
Identify and validate control objectives
Secure account root user and properties
Separate workloads using accounts
Manage identities for people and machines
Leverage user groups and attributes
Audit and rotate credentials periodically
Rely on a centralized identity provider
Store and use secrets securely
Use temporary credentials
Use strong sign-in mechanisms
Manage permissions for people and machines
Analyze public and cross-account access
Manage access based on life cycle
Share resources securely with a third party
Reduce permissions continuously
Share resources securely within your organization
Establish emergency access process
Define permission guardrails for your organization
Grant least privilege access
Define access requirements
Detect and investigate security events
Implement actionable security events
Automate response to events
Analyze logs, findings, and metrics centrally
Configure service and application logging
Protect your network resources
Implement inspection and protection
Automate network protection
Control traffic at all layers
Create network layers
Protect your compute resources
Validate software integrity
Enable people to perform actions at a distance
Automate compute protection
Implement managed services
Reduce attack surface
Perform vulnerability management
Classify your data
Define data lifecycle management
Automate identification and classification
Define data protection controls
Identify the data within your workload
Protect your data at rest
Use mechanisms to keep people away from data
Enforce access control
Automate data at rest protection
Enforce encryption at rest
Implement secure key management
Protect your data in transit
Authenticate network communications
Automate detection of unintended data access
Enforce encryption in transit
Implement secure key and certificate management
Anticipate, respond to, and recover from incidents
Pre-deploy tools
Establish a framework for learning from incidents
Run simulations
Pre-provision access
Develop and test security incident response playbooks
Prepare forensic capabilities
Develop incident management plans
Identify key personnel and external resources
Incorporate and validate the security properties of applications throughout the design, development, and deployment lifecycle
Build a program that embeds security ownership in workload teams
Centralize services for packages and dependencies
Manual code reviews
Automate testing throughout the development and release lifecycle
Train for application security
Regularly assess security properties of the pipelines
Deploy software programmatically
Perform regular penetration testing