Strengthening your organization’s security posture with the AWS Security Improvement Program

Content level: Intermediate

This article explains the purpose, value, and workflow of the AWS Security Improvement Program (SIP). It also includes a sample of the best practice checks that the program covers, which you can implement today. SIP is currently available to AWS Enterprise Support and AWS Enterprise On-Ramp customers, under a non-disclosure agreement (NDA).

What’s the purpose of SIP?

SIP is a proactive engagement that AWS built to help customers measure and improve their AWS security posture. [1]

The program uses a framework designed around AWS security best practices and provides prescriptive guidance for long-term security improvement. It includes over 300 best practices across five security pillars, as shown in the following image:

[Image: the five SIP security pillars]

To date, over 1,300 customers have used SIP to identify risks and improve the overall cloud security posture of their organizations.

Do I incur charges for SIP?

SIP is included as an AWS Enterprise Support proactive engagement. It comprises a security posture baseline and continued engagement with your assigned Technical Account Manager (TAM) or TAM team.

SIP is also included as a proactive engagement for AWS Enterprise On-Ramp customers on an annual basis.

What’s the value of SIP engagement for my organization?

Based on past engagements, SIP is a low-effort, high-yield engagement for your organization. Chief Information Security Officers (CISOs) have reported that SIP improves their cloud security posture and gives their teams essential education on security best practices.

A customer InfoSec leader who completed SIP summarized the value as follows:

“I have very positive feedback. This engagement has helped us strengthen our security stance and adopt a NIST framework. SIP included resources to evaluate and implement best practices, some of which our team had not previously considered.”

SIP raises your awareness of the cloud security risks seen across the industry and saves you time by focusing on the greatest ones. Your team works with a SIP Champion to identify and prioritize the risks that pose the largest threat to your workloads, customers, and industry, and the engagement shares the best practices that address those risks and strengthen your cloud workloads.

Deliverables from a SIP engagement include the following features:

  • An executive summary deck provides weighted scores and a breakdown of the results for you and your organization’s leadership to prioritize next steps. The deck shares the following information:
    • A weighted score and potential future score based on risk resolution
    • Security successes
    • Targeted insight into most important risks
  • A priority action plan provides your SecOps, DevOps, and other teams the necessary tactical ownership and focus to remediate findings from SIP. This deliverable shares the following information:
    • Risks identified during SIP engagement
    • Detailed guidance to review and implement security best practices
    • A template to assign and track risk reduction efforts
  • A sample incident response runbook provides your incident response teams with a template to respond to security events in the cloud.

The SIP deliverables provide both strategic guidance and tactical actionable items, as shown in the following images:

[Images: SIP deliverables, showing strategic guidance and tactical action items]

After a SIP assessment, based on your support plan, you can leverage additional engagements to further strengthen your organization’s security posture. Additional engagements might include workshops, specialist sessions, and deep dives into the security of your workloads. If you’re an Enterprise Support customer and want to learn more about TAM engagements, see Accelerating customer outcomes with AWS Enterprise Support. If you’re an Enterprise On-Ramp customer, then contact your TAM team for next steps.

How is SIP engagement conducted?

SIP includes a specialist-led security best practices assessment that’s similar to the AWS Well-Architected Review. Your TAM team will assign a SIP Champion who will work with your organization to identify key security stakeholders and schedule time with your team. Together, the team will work through all the best practices, while documenting your use cases, identifying gaps, and providing proactive guidance, as shown in the following example:

[Image: example of a best practice being reviewed during a SIP session]

SIP Champions and TAMs guide your team through the best practices to identify and prioritize the areas of greatest risk to your organization, as shown in the diagram of the SIP phases:

[Image: diagram of the SIP phases]

Engagements are typically completed in under 10 hours of your team’s time.

What security best practices can my organization apply today?

The following seven best practices can help your organization adopt security frameworks and address real-world security threats. These examples are derived from SIP’s 300+ best practices across five security pillars. To learn more about each of these best practices, see the respective public documentation.

Do you have a defined multi-account strategy that assures centralized governance and defined security boundaries across all of your AWS accounts in accordance with organizational requirements?

Severity: High

AWS Organizations is integrated with other AWS services. That way, you can define central configurations, security mechanisms, audit requirements, and resource sharing across your organization's accounts. AWS Organizations is available at no additional cost to all AWS customers. Audit, monitor, and secure your environment to make sure that compliance and regulatory requirements are met.

You can use AWS Organizations to define a multi-account strategy and centralized governance.

  • Create separate security, logging, and other accounts based on your organization's use case so that you can apply security policies across accounts from a dedicated account.
  • Manage policies and governance across multiple accounts.

For more information, see How to use AWS Organizations to simplify security at enormous scale.

Have you applied AWS SRA, the prescriptive guidance to design, implement, and manage services so that they align with AWS best practices?

Severity: Informational

AWS Security Reference Architecture (AWS SRA) is a holistic set of guidelines for deploying the full complement of AWS security services in a multi-account environment. You can use AWS SRA to help your organization design, implement, and manage AWS services so that they align with AWS best practices. The guidance is deeply informed by our collective experiences with AWS enterprise customers.

For more information, see AWS Security Reference Architecture.

Do you have centralized logging turned on across multiple accounts or a separate monitoring and logging account?

Severity: Medium

A key component of enterprise multi-account environments is logging. Centralized logging provides a single point of access to all salient logs generated across accounts and AWS Regions and is critical for auditing, security, and compliance. Organizations can use a centralized logging solution to collect, analyze, and display logs from multiple AWS accounts and Regions in one place.

It’s a best practice to have a dedicated logging and monitoring account that consolidates monitoring, logging, and security analysis in a single place. Collect all logs there and analyze them automatically to detect anomalies and indicators of malicious activity or compromise. A separate account also keeps the logs out of reach of a principal who compromises a workload account and tries to cover their tracks.

For more information, see Stream Amazon CloudWatch Logs to a centralized account for audit and analysis.

Do you receive notifications when unauthorized API calls are made?

Severity: High

AWS CloudTrail records the API calls made in an AWS account, whether they come from the AWS Management Console, the SDKs, the AWS Command Line Interface (AWS CLI), or other AWS services. When CloudTrail delivers its events to an Amazon CloudWatch Logs log group, a metric filter can match them in near real time and a CloudWatch alarm on the resulting metric can notify you. Create a metric filter and alarm for API calls that fail because the caller lacks permission or is otherwise unauthorized.

Create a CloudWatch Logs metric filter on the log group that CloudTrail delivers to, using the following filter pattern, and attach an alarm to the resulting metric (for example, one that publishes to an Amazon SNS topic):

pattern: '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }'

The first clause catches the EC2-style Client.UnauthorizedOperation errors; the second catches both AccessDenied and the AccessDeniedException that most other services return. The filter only sees events if the trail is configured to send them to CloudWatch Logs; delivery to an S3 bucket alone is not enough. Expect some noise from legitimate tooling that probes permissions it does not have, so tune the alarm threshold and period to what your environment normally produces.

For more information, see Creating CloudWatch alarms for CloudTrail events.
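To check what the pattern above will and will not match before you wire it to an alarm, the following added example (not part of the original article, and not AWS code) evaluates the same two globs against a handful of constructed CloudTrail records. The records, account IDs, ARNs and IP addresses are made up, and the filter, metric and namespace names in `metric_filter_parameters` are assumptions.

```python
"""Evaluate the SIP 'unauthorized API call' filter pattern against sample
CloudTrail records, offline.

Added example for this article, not AWS code. The CloudTrail records are
constructed (fake account IDs, ARNs and IPs); the filter, metric and
namespace names are assumptions.
"""
import fnmatch

# The pattern recommended above, exactly as you would paste it into
# put-metric-filter or the console.
FILTER_PATTERN = ('{ ($.errorCode = "*UnauthorizedOperation") '
                  '|| ($.errorCode = "AccessDenied*") }')

# The two globs the pattern is made of. CloudWatch Logs' '*' matches any run
# of characters, which fnmatch reproduces for these prefix/suffix cases.
ERROR_CODE_GLOBS = ("*UnauthorizedOperation", "AccessDenied*")


def is_unauthorized_call(record: dict) -> bool:
    """True when the record would match FILTER_PATTERN.

    A record without errorCode (a successful call) never matches, which is
    also how '$.errorCode = ...' behaves in CloudWatch Logs when the field
    is absent from the event.
    """
    code = record.get("errorCode")
    if not isinstance(code, str):
        return False
    return any(fnmatch.fnmatchcase(code, glob) for glob in ERROR_CODE_GLOBS)


def summarize(record: dict) -> dict:
    """Pull out the fields a responder wants in the alert body."""
    identity = record.get("userIdentity", {})
    return {
        "time": record.get("eventTime"),
        "principal": identity.get("arn") or identity.get("principalId"),
        "action": f'{record.get("eventSource")}:{record.get("eventName")}',
        "source_ip": record.get("sourceIPAddress"),
        "error": record.get("errorCode"),
    }


def find_unauthorized(records) -> list:
    """Apply the filter to a batch of records and summarize the hits."""
    return [summarize(r) for r in records if is_unauthorized_call(r)]


def metric_filter_parameters(log_group_name: str) -> dict:
    """Keyword arguments for boto3's logs.put_metric_filter(). The call is
    not made here, so this runs without AWS credentials."""
    return {
        "logGroupName": log_group_name,
        "filterName": "UnauthorizedAPICalls",        # assumed name
        "filterPattern": FILTER_PATTERN,
        "metricTransformations": [{
            "metricName": "UnauthorizedAPICalls",    # assumed name
            "metricNamespace": "CloudTrailMetrics",  # assumed namespace
            "metricValue": "1",
        }],
    }


# Constructed records in CloudTrail's JSON shape; none of these are real.
SAMPLE_RECORDS = [
    {   # EC2-style authorization failure: matches *UnauthorizedOperation
        "eventTime": "2024-05-01T10:00:01Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances", "errorCode": "Client.UnauthorizedOperation",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
    },
    {   # S3-style failure: matches AccessDenied*
        "eventTime": "2024-05-01T10:00:05Z", "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject", "errorCode": "AccessDenied",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
    },
    {   # Many services return AccessDeniedException; AccessDenied* covers it
        "eventTime": "2024-05-01T10:00:09Z", "eventSource": "lambda.amazonaws.com",
        "eventName": "ListFunctions20150331", "errorCode": "AccessDeniedException",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ci/build-42"},
    },
    {   # Successful call: no errorCode, must not alert
        "eventTime": "2024-05-01T10:01:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"},
    },
    {   # A failure that is not an authorization failure: must not alert
        "eventTime": "2024-05-01T10:01:30Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances", "errorCode": "Client.InvalidParameterValue",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"},
    },
]

if __name__ == "__main__":
    for hit in find_unauthorized(SAMPLE_RECORDS):
        print(hit)
```

Three of the five constructed records produce a hit; the successful STS call and the EC2 validation error do not, which is the behaviour you want from the alarm. Feed the same function a day of real CloudTrail exports from S3 to estimate the baseline before choosing a threshold.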

Do you have controls that configure Auto Scaling Groups to use IMDSv2 for launched Amazon EC2 instances?

Severity: High

The Instance Metadata Service (IMDS) provides data about your instance, including the temporary credentials of its IAM role, that software on the instance uses to configure or manage it. Version 2 of IMDS (IMDSv2) requires every request to carry a session token that is first obtained with an HTTP PUT, and limits how far the PUT response can travel with a hop limit. Because simple GET-based SSRF bugs, misconfigured reverse proxies, and similar layer-7 bypasses usually cannot issue that PUT, IMDSv2 closes the credential-theft path that IMDSv1 left open.

It’s a best practice to require IMDSv2 when you launch an instance (HttpTokens set to required in the launch template or launch configuration that the Auto Scaling group uses). You can also create an AWS Identity and Access Management (IAM) policy that denies ec2:RunInstances unless the request requires IMDSv2, using the ec2:MetadataHttpTokens condition key, and you can switch existing instances to IMDSv2 with modify-instance-metadata-options.

For more information, see Configure the instance metadata options.
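The following added example (not part of the original article, and not AWS code) shows both halves of that control: the IAM policy statement that refuses a launch unless the request sets HttpTokens=required, and an audit of launch template metadata options that an Auto Scaling group would inherit. The template names and the policy Sid are assumptions; the condition key ec2:MetadataHttpTokens and the MetadataOptions field names are the documented ones. The template data is constructed to mirror the LaunchTemplateData.MetadataOptions shape that describe-launch-template-versions returns.

```python
"""Audit launch template metadata options for IMDSv2 enforcement, alongside
the IAM policy that blocks launches that do not require it.

Added example for this article, not AWS code. Template names and the policy
Sid are assumptions; the MetadataOptions data is constructed.
"""
from typing import Dict, List, Optional

# Deny ec2:RunInstances unless the request sets HttpTokens=required.
# ec2:MetadataHttpTokens is the documented EC2 condition key; the Sid is made up.
REQUIRE_IMDSV2_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyLaunchWithoutImdsV2",
        "Effect": "Deny",
        "Action": "ec2:RunInstances",
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringNotEquals": {"ec2:MetadataHttpTokens": "required"}},
    }],
}


def audit_metadata_options(name: str, opts: Optional[dict]) -> List[str]:
    """Return findings for one launch template version; empty means compliant."""
    opts = opts or {}
    if opts.get("HttpEndpoint") == "disabled":
        return []  # IMDS is switched off entirely; nothing to steal from it
    findings = []
    tokens = opts.get("HttpTokens")
    if tokens is None:
        # Nothing set: the effective value then comes from the AMI and the
        # account-level instance metadata defaults, so it must be verified.
        findings.append(f"{name}: HttpTokens not set; effective value depends on AMI/account defaults")
    elif tokens != "required":
        findings.append(f"{name}: HttpTokens={tokens}; IMDSv1 still answers")
    hops = opts.get("HttpPutResponseHopLimit", 1)
    if hops > 2:
        # 1 keeps the token on the host; 2 is what containers on a bridge
        # network need. Anything beyond that deserves a justification.
        findings.append(f"{name}: HttpPutResponseHopLimit={hops} is higher than containers need")
    return findings


def audit_all(templates: Dict[str, Optional[dict]]) -> Dict[str, List[str]]:
    """Map template name -> findings, keeping only non-compliant templates."""
    result = {}
    for name, opts in templates.items():
        findings = audit_metadata_options(name, opts)
        if findings:
            result[name] = findings
    return result


# Constructed inputs: "template:version" -> MetadataOptions as the API returns them.
SAMPLE_TEMPLATES = {
    "web-lt:3": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1},
    "legacy-batch-lt:1": None,  # created before IMDSv2 existed; nothing set
    "ecs-worker-lt:7": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2},
    "airgapped-lt:2": {"HttpEndpoint": "disabled"},
    "debug-lt:1": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 8},
}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_TEMPLATES).items():
        for finding in findings:
            print(finding)
```

In this constructed set only web-lt:3 and airgapped-lt:2 pass. For a live account, feed the function the MetadataOptions from the template version each Auto Scaling group actually references (the default version is not necessarily the one in use), and remember that changing the template does not touch running instances: start an instance refresh, or run `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-endpoint enabled` on each instance.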

Do you check whether the GitHub or Bitbucket source repository URL contains either PATs or a username and password?

Severity: Critical

Don’t store or transmit authentication credentials in clear text, and don’t let them appear in the repository URL. A URL of the form https://USER:PASSWORD@host/... or https://TOKEN@host/... ends up in build logs, shell history, CI configuration, and the clone’s .git/config, and exposes the credential to anyone who can read those.

Use OAuth to grant authorization for accessing GitHub or Bitbucket repositories instead of personal access tokens (PATs) or a username and password, which are easy to leak in this way and rarely rotated.

For more information, see Managing your personal access tokens on the GitHub website.
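To turn this check into something you can run over a list of remotes (for example, the source locations of your build projects or the output of `git remote -v`), the following added example (not part of the original article, and not AWS, GitHub, or Bitbucket code) parses each URL and reports any credential embedded in its userinfo. The sample URLs are constructed and every token in them is fake; the only token shapes it labels specifically are the documented GitHub PAT prefixes, and any other userinfo is still reported.

```python
"""Flag Git remote URLs that embed a PAT or a username and password.

Added example for this article, not AWS, GitHub or Bitbucket code. The
sample URLs are constructed and every token in them is fake.
"""
import re
from typing import List, Optional
from urllib.parse import urlsplit

# scp-style SSH remotes (git@github.com:org/repo.git) carry an SSH user, not
# a secret; authentication is by key, so they are not a finding.
SCP_LIKE = re.compile(r"^[^@/:]+@[^:/]+:.+$")

# Token prefixes GitHub documents for classic and fine-grained PATs. Anything
# in the userinfo part is a finding regardless; these only sharpen the label.
TOKEN_PREFIXES = ("ghp_", "github_pat_")


def redact(url: str) -> str:
    """Return the URL with the userinfo (user:password@) removed, so the
    finding can be logged without re-leaking the secret."""
    parts = urlsplit(url)
    hostport = parts.hostname or ""
    if parts.port:
        hostport += f":{parts.port}"
    return parts._replace(netloc=hostport).geturl()


def find_embedded_credentials(url: str) -> Optional[dict]:
    """Return a finding for a URL that carries credentials, else None."""
    if "://" not in url and SCP_LIKE.match(url):
        return None
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return None
    # GitHub accepts the token as the user (https://TOKEN@...) or as the
    # password (https://x-access-token:TOKEN@...); classify on whichever
    # field holds the secret.
    secret = parts.password if parts.password is not None else parts.username
    if secret.startswith(TOKEN_PREFIXES):
        kind = "personal access token"
    elif parts.password is not None:
        kind = "username:password"
    else:
        kind = "bare userinfo (may be an unrecognised token)"
    return {"host": parts.hostname, "kind": kind, "redacted": redact(url)}


def scan_remotes(urls: List[str]) -> List[dict]:
    """Run the check over many URLs and keep only the findings."""
    return [f for f in (find_embedded_credentials(u) for u in urls) if f]


# Constructed inputs; the tokens and password are fake.
SAMPLE_URLS = [
    "https://github.com/example-org/app.git",
    "git@github.com:example-org/app.git",
    "https://ghp_FAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE@github.com/example-org/app.git",
    "https://alice:hunter2@bitbucket.org/example-team/app.git",
    "https://x-access-token:github_pat_FAKE_FAKE@github.com/example-org/app.git",
    "https://bob@bitbucket.org/example-team/app.git",
]

if __name__ == "__main__":
    for finding in scan_remotes(SAMPLE_URLS):
        print(finding)
```

Four of the six constructed URLs are reported and the two clean ones (plain HTTPS and scp-style SSH) are not. The bare-username case is reported deliberately: Git will prompt for the password, so it is not a leak by itself, but a provider-specific token you do not recognise looks the same, and a human should decide.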

Do you perform chaos engineering in your AWS environment to simulate security events and incident response?

Severity: High

Security controls and best practices help secure your AWS accounts, but you also need a way to verify that your detections and incident response procedures actually work against the kinds of security events that occur in practice.

You can use AWS CloudSaga to test security controls and alerts within your AWS environment. The tool simulates security events modeled on what the AWS Customer Incident Response Team (CIRT) sees in real incidents, so you can confirm that your detections fire and that your responders know what to do with the alerts.

For more information, see Simulate cloud security events with AWS CloudSaga on the GitHub website.

You can choose to adhere to some security best practices through a different mechanism. For example, you might choose to use a third-party detection and notification tool to receive notifications when unauthorized API calls are made.

Conclusion

SIP is a powerful tool to help improve your organization’s security posture. If you’re an Enterprise Support or Enterprise On-Ramp customer, contact your TAM team to schedule a SIP.

If you aren’t an existing Enterprise Support or Enterprise On-Ramp customer, contact your Account Manager to find out how this engagement can provide value to your organization. To learn more, see AWS Enterprise Support and AWS Enterprise On-Ramp.

Footnote

[1] SIP provides a guided review of security best practices in alignment with leading security standards organizations, such as the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS). SIP also incorporates best practices from internal AWS Security Specialists and the AWS Well-Architected Framework’s security pillar. SIP Champions review over 300 best practices for Enterprise Support customers, and 90 best practices for Enterprise On-Ramp customers. AWS built these best practices and insights while working with organizations across the world.


About the authors


Scott Sundby (Author)

Scott is a SIP Champion who’s passionate about customers’ cloud security. Scott has led organizations through digital transformation, cloud adoption, and risk management for two decades. In his free time, Scott enjoys mountain biking with his wife and kids.


Michael Steinmetz (Author)

Michael is a core member of SIP. Before joining AWS, Michael spent more than 20 years in Department of Defense IT Security. He strives to improve security processes and responses with automation.


James McDuffie (Contributor)

James has more than 20 years of experience in software development. He’s an active member of the AWS Security community, and he works closely with AWS customers to help them solve complex security challenges at scale.


Vinit Fichadia (Contributor)

In 2021-2022, Vinit created SIP to improve customers’ security posture. He has 16 years of experience in delivering cloud enterprise solutions to customers. Vinit spends his free time with his family and travels along with their dog, Laddu.