AWS Security Speciality Cert Part 4: Management and Security Governance

We've finally arrived at the grand finale of our four-part series on the AWS Security Specialty SCS-C02 certification! After reviewing the first five domains of this deep-dive certification, we'll wrap it up today with domain six: Management and Security Governance.
Let's jump right into this domain and explore how AWS empowers you to centrally manage your accounts and security, keep your resources in compliance, and some of the security standards AWS provides.
Centrally Managing AWS Accounts
As your AWS usage increases, you will undoubtedly end up with multiple accounts. In fact, it's recommended that you keep separate business groups and environments (prod, test, etc.) logically segmented using individual accounts.
This introduces a large amount of complexity; how do you manage these multiple accounts and keep your security controls consistent?
The core tool for answering this challenge is AWS Organizations. It arranges your accounts in a tree. The management account sits at the top, and from it you administer all the member accounts below. This has a few advantages, like streamlining the creation of new accounts so they inherit a common set of security controls. You can also consolidate your billing in the management account, with one source of truth for all your payments and invoices.
The main feature of Organizations when it comes to security, however, is the use of service control policies (SCPs). These policies let you create consistency across all your accounts.
Want to prevent users from creating new EC2 instances? Create and apply an SCP that says just that, using a syntax very similar to IAM policies. One important caveat is that SCPs take precedence over IAM policies: an SCP does not grant permissions by itself, it only caps what the IAM policies in the account can grant. If users have an IAM policy that allows EC2 creation, but the SCP says deny, the SCP wins. SCPs are guardrails that broadly enforce security controls across all your accounts at scale.
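As an added example (not code from the original article), here is the EC2 SCP described above written out in policy JSON, together with a deliberately simplified Python model of the caveat: the SCP layer and the IAM layer are evaluated separately, both must allow, and an explicit deny in either one wins. The policy names and the evaluator are constructed for illustration; real AWS evaluation also weighs resources, conditions, permission boundaries and resource-based policies.

```python
import fnmatch
import json

# Constructed SCP, written in the same JSON syntax as an IAM policy: deny launching EC2 instances.
DENY_EC2_LAUNCH_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "*"}],
}

# The default FullAWSAccess SCP that AWS attaches to every root, OU and account: allow everything.
FULL_AWS_ACCESS_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed IAM identity policy that allows every EC2 action.
EC2_ADMIN_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}


def action_matches(pattern, action):
    """IAM action matching: case-insensitive, '*' is a wildcard (e.g. 'ec2:*' matches 'ec2:RunInstances')."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def layer_decision(policies, action):
    """Decision for one layer (all SCPs, or all IAM policies): 'deny', 'allow' or 'implicit_deny'."""
    verdict = "implicit_deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            if any(action_matches(p, action) for p in actions):
                if stmt["Effect"] == "Deny":
                    return "deny"  # an explicit deny in this layer cannot be overridden by an allow
                verdict = "allow"
    return verdict


def is_allowed(scps, iam_policies, action):
    """Simplified model (actions only, no resources or conditions): an explicit deny anywhere wins,
    and the SCP layer AND the IAM layer must both allow. SCPs never grant access on their own."""
    return layer_decision(scps, action) == "allow" and layer_decision(iam_policies, action) == "allow"


if __name__ == "__main__":
    scps = [FULL_AWS_ACCESS_SCP, DENY_EC2_LAUNCH_SCP]
    print(json.dumps(DENY_EC2_LAUNCH_SCP, indent=2))
    for action in ("ec2:RunInstances", "ec2:DescribeInstances"):
        print(action, "->", "allowed" if is_allowed(scps, [EC2_ADMIN_IAM_POLICY], action) else "denied")
```

Note the last case in the test below: if you detach FullAWSAccess and leave only the deny SCP, nothing is allowed at all, because the SCP layer has no allow statement to match.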
One step above SCPs for creating consistent security compliance is AWS Control Tower. This service creates an automated "landing zone," basically a prebuilt multi-account environment built on Organizations. When deployed, Control Tower uses templates to create accounts, identity management, standardized logging infrastructure, and service accounts, all configured already using AWS's security best practices. It is built to make security easier using powerful automation.
Deployment Strategies
One theme we've seen so far in this domain is consistency. All the best security controls in the world aren't very effective if you miss things and leave gaps in your defenses. This is true for the applications you run as well. Consistency in deploying resources and code is essential to smooth operations, and AWS has some services to help.
The main one, CloudFormation, lets you define your AWS infrastructure using template files. This infrastructure-as-code approach is very similar to other tools like Ansible and Terraform. Codifying your infrastructure ensures consistent deployments, reduces manual errors, and allows for version control. It also improves security by letting you enforce the controls you need consistently across all services.
Automation pairs well with tagging resources in AWS. Tags are key-value pairs that you assign to resources based on any attribute you wish, like environment, owner, sensitivity, etc. You can then automate actions based on tags, like applying specific policies only to the appropriate resources or scheduling non-prod resources to shut down nightly. Tags are a versatile way to keep management simple, and they can be defined directly in your CloudFormation templates.
Evaluating Compliance
Saying you prioritize security is one thing; actually knowing that it's done right is another. Thankfully, AWS has several services devoted to monitoring account compliance to ensure order.
The first, AWS Config, tracks and monitors changes in your account over time. Think of it as CloudTrail, but instead of showing every API call, it correlates those calls into a timeline of how a specific resource's configuration changed over time. It has Config Rules, which you can use to check specific details of resources for compliance.
For example, one pre-built rule checks whether any of your S3 buckets allow public access. If the rule is enabled, it will list every bucket that is public and therefore out of compliance. This can then trigger automation using Lambda to change those buckets so they are no longer public, forcing the environment back into compliance without getting an admin involved.
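An added example (not the article's own code) of the automated remediation just described: a Lambda handler that receives an AWS Config compliance-change notification for an S3 bucket and turns on all four Block Public Access settings, then reads them back to verify. The event shape is assumed to follow the EventBridge "Config Rules Compliance Change" format, and FakeS3 plus the sample event are constructed so the handler runs offline.

```python
import json

# The four Block Public Access settings (real keys of S3's PublicAccessBlockConfiguration).
BLOCK_ALL_PUBLIC = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def remediate_bucket(bucket, s3):
    """Enable every Block Public Access setting on one bucket, then read them back to verify."""
    s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration=BLOCK_ALL_PUBLIC)
    applied = s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    return all(applied.get(key) for key in BLOCK_ALL_PUBLIC)


def handler(event, context=None, s3=None):
    """Lambda entry point for an EventBridge 'Config Rules Compliance Change' event (shape assumed)."""
    if s3 is None:  # inside Lambda use the real boto3 client; tests inject a fake
        import boto3
        s3 = boto3.client("s3")
    detail = event["detail"]
    compliance = detail.get("newEvaluationResult", {}).get("complianceType")
    if detail.get("resourceType") != "AWS::S3::Bucket" or compliance != "NON_COMPLIANT":
        return {"bucket": detail.get("resourceId"), "action": "skipped"}
    bucket = detail["resourceId"]  # for S3 buckets Config reports the bucket name as resourceId
    return {"bucket": bucket, "action": "remediated", "verified": remediate_bucket(bucket, s3)}


class FakeS3:
    """Constructed stand-in for boto3's S3 client so the handler can run offline."""
    def __init__(self):
        self.blocks = {}
    def put_public_access_block(self, Bucket, PublicAccessBlockConfiguration):
        self.blocks[Bucket] = dict(PublicAccessBlockConfiguration)
    def get_public_access_block(self, Bucket):
        return {"PublicAccessBlockConfiguration": self.blocks.get(Bucket, {})}


# Constructed sample event modelled on the Config compliance-change event; not a real capture.
SAMPLE_EVENT = {"detail": {
    "configRuleName": "s3-bucket-public-read-prohibited",
    "resourceType": "AWS::S3::Bucket",
    "resourceId": "example-public-bucket",
    "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
}}

if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT, s3=FakeS3())))
```

The Lambda's execution role needs s3:PutBucketPublicAccessBlock and s3:GetBucketPublicAccessBlock on the buckets it remediates, and nothing broader.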
The next compliance service is Security Hub. This dashboard aggregates findings from various other services, like GuardDuty and AWS Config Rules, giving you a single view of the security across your entire account. It can also perform its own automated compliance checks using standard frameworks like the CIS AWS Foundations Benchmark. Security Hub helps prioritize your work by showing a high-level view of your entire account. Combine it with AWS Organizations to see the security status of all your accounts at once!
Trusted Advisor is the final compliance service we'll explore. It examines your account and makes suggestions based on AWS's best practices. This tool is not just a security tool; it also makes recommendations based on cost optimization, performance, and fault tolerance. It provides specific guidance to help you comply with best practices, holistically improving many facets of your accounts.
Risk Management and Governance Frameworks
AWS has strong opinions about the best way to build on their services and how security should work. One document they publish is the AWS Well-Architected Framework. This extensive doc is a comprehensive overview of best practices around the pillars of operational excellence, security, reliability, performance efficiency, cost optimization, and sustainability. It's essential reading for anyone building on AWS.
The next is the Shared Responsibility Model. This doc outlines what AWS is responsible for (running the hardware, securing the facilities, powering the networks, etc.) and what you are responsible for (writing secure code, properly configuring security, updating OSes, etc.). With this knowledge, there are no surprises about where AWS's responsibilities stop and yours begin.
Final Thoughts
The Management and Security Governance domain is fairly broad. Hopefully, this article gave you a good start on understanding what's involved. Our training on the entire cert will get you the rest of the way there, with extensive coverage of all certification topics.
If you're tackling this exam, best of luck with your studies! And as we wrap up this four-part series, thank you for joining us on our journey through the AWS Security Specialty Certification.
Need help preparing for the AWS Certified Security? Sign up for a free 7-day trial of CBT Nuggets.