Security in the AWS Well-Architected Framework

Security is one of the five pillars of the AWS Well-Architected Framework. The framework describes the principles and techniques required to make informed trade-offs when you’re building in the AWS Cloud.

I’ve taught thousands of builders how to build better using the framework on the A Cloud Guru platform. Be sure to check out my course, “Mastering The Well-Architected Framework”.

This 👇 Twitter thread dives deeper into the Security pillar of the framework…

Tweet 1/12

yesterday, we took a look at the Operational Excellence pillar of the @awscloud Well-Architected Framework

today, my personal favourite, the Security Pillar

🧵☝️ #cloud #devops

Tweet 2/12

this thread is available unrolled at

…and yesterday's is up at

🧵☝️ #cloud #devops

Tweet 3/12

one of the reasons I ❤️ the Well-Architected Framework so much is that it presents #security in CONTEXT

it’s not an isolated activity but one that must be considered next to the other four pillars. you need to find a balance here…the framework helps

🧵☝️ #cloud #devops

Tweet 4/12

there are formal definitions of the various types of security (cyber, information, physical, & operational) but I like the catch all:

To make sure that your systems work as intended and ONLY as intended

🧵☝️ #cloud #devops

Tweet 5/12

... it's 👆 simple to understand in that context. all of these processes and controls we put in place are there to make sure that things work the way we expect and ONLY that way

that covers everything from attacks to mistakes. also, it’s more positive

🧵☝️ #cloud #devops

Tweet 6/12

...I cannot stand the conflict/FUD oriented view of security. yes there are malicious actors out there but security is so much more than that

besides, if you’re only ever trying to STOP things, you won’t see the other advantages, like building resilience

🧵☝️ #cloud #devops

Tweet 7/12

so, the Framework does use a formal definition (my rant aside). it states that security is, "the ability to protect data, systems, and assets to take advantage of cloud technologies."

yawn 😴

🧵☝️ #cloud #devops

Tweet 8/12

this pillar is broken down into five areas:
  • identity & access
  • detective controls
  • infrastructure protection
  • data protection
  • incident response

🧵☝️ #cloud #devops

Tweet 9/12

in simple terms, those areas end up being:
  • identity & access == who can do what, when?

  • detective controls == is this normal?

  • infrastructure protection == boundaries & chokepoints

🧵☝️ #cloud #devops

Tweet 10/12

  • data protection == classification, management, & encryption

  • incident response == 💩+fan, time to contain & restore

🧵☝️ #cloud #devops

Tweet 11/12

like every pillar, this one has some key principles:
  • identities have the least amount of privileges required
  • know who did what, when
  • security is a part of everything
  • automate all tasks
  • encrypt at rest & in transit
  • prepare for the worst

🧵☝️ #cloud #devops

Tweet 12/12

you can read the whole Security pillar here:

there’s a lot more in that document and in the references. but, like anything in the framework, Gamedays and practice will help you understand these concepts the best

/🧵☝️ #cloud #devops
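The first principle in tweet 11, "identities have the least amount of privileges required", is easier to see against a concrete policy than in the abstract. The Python below is an added example, not code from the thread, the course, or AWS: two constructed IAM policy documents in the IAM JSON policy language, one over-broad and one scoped to a single bucket prefix and a single role, plus a small checker that flags the statement shapes that break least privilege. The bucket name, account id and role name are placeholders; the lint codes are this example's own naming.

```python
"""Least-privilege lint for IAM policy documents (added example)."""
import json

# Constructed policies for illustration; bucket, account id and role name
# are placeholders, not real resources.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        # "make it work" grant: every S3 action on every bucket in the account
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        # PassRole on any role lets this identity hand a more privileged role
        # to a service it can launch, so this is a privilege-escalation path
        {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"},
    ],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        # read only the prefix the workload actually consumes
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-reports-bucket/inbound/*",
        },
        # pass exactly one role, and only to Lambda
        {
            "Effect": "Allow",
            "Action": ["iam:PassRole"],
            "Resource": "arn:aws:iam::123456789012:role/example-report-worker",
            "Condition": {
                "StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}
            },
        },
    ],
})


def _as_list(value):
    """Action and Resource may be a string or a list in IAM JSON; normalise."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def lint_policy(policy_json):
    """Return findings as (statement_index, code, detail) tuples.

    Only Allow statements are examined: Deny statements can only narrow
    what an identity may do. An empty list means no statement uses one
    of the shapes that grant more than a specific workload needs.
    """
    doc = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        # "Everything except ..." inverts the allow-list model entirely.
        if "NotAction" in stmt:
            findings.append((idx, "NOT_ACTION", "Allow with NotAction grants every action not listed"))
        if "NotResource" in stmt:
            findings.append((idx, "NOT_RESOURCE", "Allow with NotResource covers every resource not listed"))

        for action in actions:
            if action == "*":
                findings.append((idx, "ALL_ACTIONS", "Action '*' grants every API call"))
            elif action.endswith(":*"):
                findings.append((idx, "SERVICE_WILDCARD", f"{action} grants every action in that service"))

        # Resource '*' is only legitimate for the few actions that do not
        # support resource-level permissions; flag it and let a reviewer triage.
        if "*" in resources:
            findings.append((idx, "ALL_RESOURCES", "Resource '*' applies the grant to every resource"))
            if any(a.lower() == "iam:passrole" for a in actions):
                findings.append((idx, "PASSROLE_ANY_ROLE",
                                 "iam:PassRole on '*' lets this identity hand any role to a service"))
    return findings


def is_least_privilege(policy_json):
    """Convenience wrapper: True when the linter reports nothing."""
    return not lint_policy(policy_json)


if __name__ == "__main__":
    for name, policy in (("over-broad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{name}:")
        for idx, code, detail in lint_policy(policy) or [(None, "OK", "no findings")]:
            print(f"  statement {idx}: {code}: {detail}")
```

Run against the over-broad policy the linter reports the service wildcard, both `Resource: "*"` grants and the PassRole escalation path; the scoped policy comes back clean. The `ALL_RESOURCES` finding deliberately needs human triage, because a handful of list/describe actions only accept `"*"`; the point of the check is to make every such grant a conscious decision rather than the default. The same function can be pointed at the JSON returned by `aws iam get-policy-version` to audit what is actually attached, which is where "automate all tasks" from the same tweet meets "identities have the least amount of privileges required".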
