Security Pillar AWS Well-Architected Framework
Latest updated version 2025
Abstract and introduction
The AWS Well-Architected Framework helps you understand trade-offs for
decisions you make while building workloads on AWS. By using the
Framework, you will learn current architectural best practices for designing
and operating reliable, secure, efficient, cost-effective, and sustainable
workloads in the cloud. It provides a way for you to consistently measure
your workload against best practices and identify areas for improvement. We
believe that having well-architected workloads greatly increases the
likelihood of business success.
The framework is based on six pillars:
Operational Excellence
Security
Reliability
Performance Efficiency
Cost Optimization
Sustainability
This paper focuses on the security pillar. This will help you meet your
business and regulatory requirements by following current AWS
recommendations. It’s intended for those in technology roles, such as chief
technology officers (CTOs), chief information security officers (CSOs/CISOs),
architects, developers, and operations team members.
After reading this paper, you will understand AWS current recommendations
and strategies to use when designing cloud architectures with security in
mind. This paper doesn’t provide implementation details or architectural
patterns but does include references to appropriate resources for this
information. By adopting the practices in this paper, you can build
architectures that protect your data and systems, control access, and
respond automatically to security events.
Security foundations
The security pillar describes how to take advantage of cloud technologies to
protect data, systems, and assets in a way that can improve your security
posture. This paper provides in-depth, best-practice guidance for architecting
secure workloads on AWS.
Design principles
In the cloud, there are a number of principles that can help you strengthen
your workload security:
Implement a strong identity foundation: Implement the principle
of least privilege and enforce separation of duties with appropriate
authorization for each interaction with your AWS resources. Centralize
identity management, and aim to eliminate reliance on long-term static
credentials.
Maintain traceability: Monitor, alert, and audit actions and changes
to your environment in real time. Integrate log and metric collection
with systems to automatically investigate and take action.
Apply security at all layers: Apply a defense in depth approach with
multiple security controls. Apply to all layers (for example, edge of
network, VPC, load balancing, every instance and compute service,
operating system, application, and code).
Automate security best practices: Automated software-based
security mechanisms improve your ability to securely scale more
rapidly and cost-effectively. Create secure architectures, including the
implementation of controls that are defined and managed as code in
version-controlled templates.
Protect data in transit and at rest: Classify your data into
sensitivity levels and use mechanisms, such as encryption,
tokenization, and access control where appropriate.
Keep people away from data: Use mechanisms and tools to reduce
or eliminate the need for direct access or manual processing of data.
This reduces the risk of mishandling or modification and human error
when handling sensitive data.
Prepare for security events: Prepare for an incident by having
incident management and investigation policy and processes that align
to your organizational requirements. Run incident response simulations
and use tools with automation to increase your speed for detection,
investigation, and recovery.
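The first principle (least privilege, no reliance on long-term static credentials) and the fourth (controls defined and managed as code in version-controlled templates) meet in one practical place: checking a policy document before it is merged. The following Python is an added example for this page, not code from the Well-Architected paper or from any AWS tool. It lints IAM policy JSON for the common least-privilege failures: wildcard actions, wildcard resources with no condition, NotAction/NotResource grants, and actions that mint credentials or change trust. The two policy documents are constructed for illustration, and the watch list of credential- and trust-changing actions is the example's own selection (an assumption), not an AWS-published set.

```python
"""Least-privilege linter for IAM policy documents.

Added example for this page; not code from the Well-Architected paper or
from any AWS tool. The policies below are constructed for illustration.
"""
import fnmatch
import json

# Constructed sample: an over-broad policy of the kind that should never
# pass a review of a version-controlled template.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["iam:CreateAccessKey", "iam:CreateUser"],
         "Resource": "*"},
    ],
})

# Constructed sample: scoped actions, one resource ARN, MFA required,
# and an explicit Deny for requests that are not sent over TLS.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-bucket/uploads/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

# Actions that mint credentials or change trust. This is the example's own
# watch list (assumption), not an AWS-published set; extend it as needed.
CREDENTIAL_AND_TRUST_ACTIONS = {
    "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy",
    "iam:PutRolePolicy", "iam:UpdateAssumeRolePolicy", "iam:PassRole",
    "iam:CreateUser", "sts:AssumeRole",
}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json):
    """Return [(statement_index, finding), ...] for Allow statements that
    violate simple least-privilege heuristics. An empty list means clean."""
    doc = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        has_condition = bool(stmt.get("Condition"))

        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((idx, "NotAction/NotResource allows everything not listed"))
        if "*" in actions:
            findings.append((idx, "wildcard Action '*'"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((idx, "service-wide Action wildcard"))
        if "*" in resources and not has_condition:
            findings.append((idx, "Resource '*' with no Condition"))

        # Action patterns may contain '*' (e.g. 'iam:*'); match them against
        # the watch list to see which sensitive actions they cover.
        sensitive = sorted(
            pattern for pattern in actions
            if any(fnmatch.fnmatchcase(name, pattern)
                   for name in CREDENTIAL_AND_TRUST_ACTIONS))
        if sensitive:
            findings.append((idx, "grants credential/trust-changing actions via: "
                                  + ", ".join(sensitive)))
    return findings


def is_least_privilege(policy_json):
    """Gate for a CI check on policy templates: True when nothing is flagged."""
    return not lint_policy(policy_json)


if __name__ == "__main__":
    for name, policy in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "->", "clean" if is_least_privilege(policy) else "findings:")
        for idx, finding in lint_policy(policy):
            print(f"  statement[{idx}]: {finding}")
```

The heuristics are deliberately conservative: a `Resource: "*"` paired with a `Condition` is not flagged, because some service actions (for example, listing operations) cannot be scoped to a resource and a condition key is then the right control. Run the linter over every policy document in a template during pull-request checks so that the identity foundation is enforced by the pipeline rather than by reviewer memory.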
Definition
Security in the cloud is composed of seven areas:
Security foundations
Identity and access management
Detection
Infrastructure protection
Data protection
Incident response
Application security
Shared responsibility
Security and Compliance is a shared responsibility between AWS and the
customer. This shared model can help relieve the customer’s operational
burden as AWS operates, manages, and controls the components from the
host operating system and virtualization layer down to the physical security
of the facilities in which the service operates. The customer assumes
responsibility and management of the guest operating system (including
updates and security patches), and other associated application software in
addition to the configuration of the AWS provided security group firewall.
Customers should carefully consider the services they choose as their
responsibilities vary depending on the services used, the integration of those
services into their IT environment, and applicable laws and regulations. This
shared model also gives customers the flexibility and control to decide how
their workloads are deployed. As shown in the following chart, this
differentiation of responsibility is commonly referred to as Security “of” the
Cloud versus Security “in” the Cloud.
AWS responsibility “Security of the Cloud” – AWS is responsible for
protecting the infrastructure that runs all of the services offered in the AWS
Cloud. This infrastructure is composed of the hardware, software,
networking, and facilities that run AWS Cloud services.
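The customer's side of the model includes configuring the security group firewall, and a group that admits the whole internet on an administrative or database port is one of the most common ways that responsibility is dropped. The following Python is an added example for this page, not code from the Well-Architected paper or from an AWS tool. It audits ingress rules in the shape that boto3's `ec2.describe_security_groups()` returns under `SecurityGroups` and flags every rule reachable from `0.0.0.0/0` or `::/0` other than plain web ports. The sample groups, their identifiers, and the set of ports treated as acceptable to expose are constructed assumptions for the example.

```python
"""Audit security-group ingress rules for 'from anywhere' exposure.

Added example for this page; not code from the Well-Architected paper or
from an AWS tool. The sample groups below are constructed in the shape
that boto3's ec2.describe_security_groups() returns under "SecurityGroups".
"""
import ipaddress

# Constructed sample data (assumption: group ids and names are invented).
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0example01", "GroupName": "web-tier",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
          "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
          "Ipv6Ranges": [], "UserIdGroupPairs": []},
     ]},
    {"GroupId": "sg-0example02", "GroupName": "db-tier",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
          "IpRanges": [], "Ipv6Ranges": [],
          "UserIdGroupPairs": [{"GroupId": "sg-0example01"}]},
         # IpProtocol "-1" means all protocols; FromPort/ToPort are absent.
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
          "Ipv6Ranges": [], "UserIdGroupPairs": []},
     ]},
]

# Ports this example treats as acceptable to expose publicly (assumption:
# a web tier behind TLS). Anything else from 0.0.0.0/0 or ::/0 is flagged.
PUBLIC_OK_PORTS = {80, 443}


def _is_anywhere(cidr):
    """True for a CIDR that covers its whole address family (prefix length 0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_open_ingress(groups):
    """Return findings as (group_id, protocol, from_port, to_port, source)
    for every ingress rule reachable from the whole internet on a port
    outside PUBLIC_OK_PORTS, or for any rule that opens all protocols."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            public = [s for s in sources if _is_anywhere(s)]
            if not public:
                continue  # peer security groups or narrow CIDRs are fine here
            proto = perm.get("IpProtocol")
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            if (proto in ("tcp", "udp") and lo is not None and hi is not None
                    and set(range(lo, hi + 1)) <= PUBLIC_OK_PORTS):
                continue  # deliberately public web ports
            for src in public:
                findings.append((sg["GroupId"], proto, lo, hi, src))
    return findings


if __name__ == "__main__":
    for group_id, proto, lo, hi, src in find_open_ingress(SAMPLE_SECURITY_GROUPS):
        ports = "all ports" if lo is None else f"{lo}-{hi}"
        print(f"{group_id}: {proto} {ports} open to {src}")
```

To run this against an account, replace `SAMPLE_SECURITY_GROUPS` with `boto3.client("ec2").describe_security_groups()["SecurityGroups"]` (paginating as needed); the function body does not change because the sample is built in that same shape. The database group in the sample shows the intended pattern: its 5432 rule references the web tier's group id rather than a CIDR, so it never appears in the findings, while its all-protocols rule does.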