The AWS Foundational Security Best Practices standard can help hospitals by offering a set of automated checks that can alert IT and security staff when AWS accounts and other deployed resources aren’t in line with those and other security best practices.
By developing a curated and regularly updated set of important controls, AWS can help automate adherence to those best practices.
“We looked at all of our major AWS services to come up with not only the security best practices for each of those services, but the automated security checks that can help you assess in an automated way whether you’re aligning to those security best practices,” said Ely Kahn, principal product manager at AWS Security Hub.
“We put a lot of thought into what these controls should be,” said Kahn, who explained that, beyond the best practices in Schmidt’s Top 10 list, AWS experts incorporated existing configuration rules, drew on other AWS technologies such as Trusted Advisor and the Well-Architected Tool, and then applied them to each AWS service to “define key best practices.”
The list is reviewed monthly with security engineers and other experts across AWS, and is updated as new best practices and controls are released, he said: “These are getting a lot of vetting before we roll them out as blessed security best practices.”
The tool traces its roots to a list of Top 10 key areas of security focus for AWS customers, developed recently by AWS Chief Information Security Officer Steve Schmidt:
- Accurate account information.
- Use multi-factor authentication.
- No hard-coding secrets.
- Limit security groups.
- Intentional data policies.
- Centralize CloudTrail logs.
- Validate IAM roles.
- Rotate keys.
- Be involved in the dev cycle.
The list was based on real-world evidence, Kahn explained. “We had analysts go through all the major security incidents that our professional services and security teams had responded to based on the analysis of the root causes of those incidents,” he said.
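The automated checks described above surface as findings in Security Hub, and staff still have to decide which failures deserve an alert. The following Python script is an added illustration, not AWS's or Security Hub's own code: it triages a constructed batch of findings, keeps only active, unsuppressed failures at or above a severity threshold, and counts them against the Top 10 focus areas in the list. It assumes the AWS Security Finding Format (ASFF) fields returned by `aws securityhub get-findings` and that each finding's `GeneratorId` ends in the control ID; the control-to-focus-area mapping and the sample findings are the example's own and should be checked against the current FSBP control reference.

```python
"""Triage findings produced by the AWS Foundational Security Best Practices
(FSBP) standard in Security Hub.

Added example, not AWS code. It assumes findings are in the AWS Security
Finding Format (ASFF), as returned by `aws securityhub get-findings`, and that
each FSBP finding's GeneratorId ends in the control ID (e.g. ".../IAM.5").
The control-to-focus-area mapping below is this example's own assumption and
should be checked against the current FSBP control reference.
"""
from collections import defaultdict

# Assumed mapping from FSBP control IDs to the Top 10 focus areas named in the
# article. Controls not listed here are reported under "Other".
FOCUS_AREA_BY_CONTROL = {
    "IAM.5": "Use multi-factor authentication",
    "IAM.3": "Rotate keys",
    "CloudTrail.1": "Centralize CloudTrail logs",
    "EC2.19": "Limit security groups",
    "S3.1": "Intentional data policies",
}

SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

GEN_PREFIX = "aws-foundational-security-best-practices/v/1.0.0/"

# Constructed sample findings (account ID 111122223333 is a documentation
# placeholder). Only the ASFF fields the triage needs are included.
SAMPLE_FINDINGS = [
    {"Id": "f-1", "GeneratorId": GEN_PREFIX + "IAM.5",
     "Severity": {"Label": "MEDIUM"}, "Compliance": {"Status": "FAILED"},
     "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
     "Resources": [{"Id": "arn:aws:iam::111122223333:user/alice"}]},
    {"Id": "f-2", "GeneratorId": GEN_PREFIX + "IAM.3",
     "Severity": {"Label": "MEDIUM"}, "Compliance": {"Status": "FAILED"},
     "RecordState": "ACTIVE", "Workflow": {"Status": "NOTIFIED"},
     "Resources": [{"Id": "arn:aws:iam::111122223333:user/bob"}]},
    {"Id": "f-3", "GeneratorId": GEN_PREFIX + "CloudTrail.1",
     "Severity": {"Label": "HIGH"}, "Compliance": {"Status": "PASSED"},
     "RecordState": "ACTIVE", "Workflow": {"Status": "RESOLVED"},
     "Resources": [{"Id": "AWS::::Account:111122223333"}]},
    {"Id": "f-4", "GeneratorId": GEN_PREFIX + "EC2.19",
     "Severity": {"Label": "CRITICAL"}, "Compliance": {"Status": "FAILED"},
     "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
     "Resources": [{"Id": "arn:aws:ec2:us-east-1:111122223333:security-group/sg-0123456789abcdef0"}]},
    # Suppressed by an analyst: must not be alerted on.
    {"Id": "f-5", "GeneratorId": GEN_PREFIX + "S3.1",
     "Severity": {"Label": "MEDIUM"}, "Compliance": {"Status": "FAILED"},
     "RecordState": "ACTIVE", "Workflow": {"Status": "SUPPRESSED"},
     "Resources": [{"Id": "AWS::::Account:111122223333"}]},
    # Control outside the mapping, low severity: counted only if asked for.
    {"Id": "f-6", "GeneratorId": GEN_PREFIX + "RDS.3",
     "Severity": {"Label": "LOW"}, "Compliance": {"Status": "FAILED"},
     "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
     "Resources": [{"Id": "arn:aws:rds:us-east-1:111122223333:db:reports"}]},
    # Archived (resource gone or check re-run): no longer actionable.
    {"Id": "f-7", "GeneratorId": GEN_PREFIX + "IAM.5",
     "Severity": {"Label": "MEDIUM"}, "Compliance": {"Status": "FAILED"},
     "RecordState": "ARCHIVED", "Workflow": {"Status": "NEW"},
     "Resources": [{"Id": "arn:aws:iam::111122223333:user/carol"}]},
]


def control_id(finding):
    """Extract the FSBP control ID from the tail of the finding's GeneratorId."""
    return finding.get("GeneratorId", "").rsplit("/", 1)[-1]


def is_actionable(finding):
    """True for live, unsuppressed findings whose check actually failed."""
    return (finding.get("RecordState") == "ACTIVE"
            and finding.get("Workflow", {}).get("Status") != "SUPPRESSED"
            and finding.get("Compliance", {}).get("Status") == "FAILED")


def failed_controls(findings, min_severity="MEDIUM"):
    """Return (control_id, resource_id, severity) for actionable findings at or
    above min_severity, most severe first (stable for equal severity)."""
    threshold = SEVERITY_RANK[min_severity]
    rows = []
    for f in findings:
        if not is_actionable(f):
            continue
        label = f.get("Severity", {}).get("Label", "INFORMATIONAL")
        if SEVERITY_RANK.get(label, 0) < threshold:
            continue
        resources = f.get("Resources") or [{}]
        rows.append((control_id(f), resources[0].get("Id", "?"), label))
    rows.sort(key=lambda r: SEVERITY_RANK.get(r[2], 0), reverse=True)
    return rows


def summarize_by_focus_area(findings, min_severity="MEDIUM"):
    """Count actionable failed findings per Top 10 focus area."""
    counts = defaultdict(int)
    for ctrl, _, _ in failed_controls(findings, min_severity):
        counts[FOCUS_AREA_BY_CONTROL.get(ctrl, "Other")] += 1
    return dict(counts)


def alert_lines(findings, min_severity="MEDIUM"):
    """One human-readable alert line per actionable failure."""
    return [f"[{sev}] {ctrl} ({FOCUS_AREA_BY_CONTROL.get(ctrl, 'Other')}): {res}"
            for ctrl, res, sev in failed_controls(findings, min_severity)]


if __name__ == "__main__":
    for line in alert_lines(SAMPLE_FINDINGS):
        print(line)
    print(summarize_by_focus_area(SAMPLE_FINDINGS))
```

Run on the sample, the script alerts on three findings (the critical security-group failure first, then the two medium IAM failures) and ignores the suppressed, archived and passed ones; lowering `min_severity` to `"LOW"` adds the unmapped RDS finding under "Other". In practice the same functions would be fed the `Findings` list from `get-findings`, filtered server-side to the FSBP standard, rather than the constructed list.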
For one of its most recent data security products, Amazon Web Services made sure to check in with one of the most trusted frameworks, the NIST Cybersecurity Framework.
Its core principles – identify, protect, detect, respond and recover – have helped AWS engineers be “sure we have coverage across those functions in terms of our security best practices,” said Ely Kahn, principal product manager at AWS Security Hub.