The AWS WAF Security Pillars – Incident Response – SCS-C02 Study Guide

The AWS WAF Security Pillars

To help you build and review AWS accounts and workloads that are secure, highly available, and efficient, AWS publishes the Well-Architected Framework (abbreviated WAF throughout this chapter; not to be confused with the AWS WAF web application firewall service), which organizes its foundational best practices into six pillars. The pillars of the WAF are the following:

  • Operational excellence
  • Security
  • Reliability
  • Performance efficiency
  • Cost optimization
  • Sustainability

The framework guides you in designing and migrating solutions into the AWS cloud according to these best practices and recommendations.

If you are not yet familiar with the AWS WAF, it is suggested that you review its contents.

This chapter will highlight some of the areas of the security pillar whitepaper written for the WAF (https://packt.link/pg1da) that are of specific relevance to IR, both on how you set up your accounts from a preparation standpoint and the stated goals of IR in the whitepaper.

WAF Security – Security Foundations

The first part of the WAF security pillar describes the security foundations that should be part of every account: baseline best practices that improve an account’s security posture and reduce the chances of a security incident. If an incident does occur and these foundations are already in place, the essential tools for detection and isolation, which are discussed later in this chapter, will already be available.

The seven security foundation principles are as follows:

  • Implement a strong identity foundation: Apply the principle of least privilege when writing IAM policies, and separate users, groups, and roles according to the permissions each job function actually needs.
  • Enable traceability: Turn on the appropriate level of logging, monitor it, and send alerts when something out of the ordinary happens, so that you can see what changed in your account, who changed it, and when.
  • Apply security at all layers: A layered defense means security controls at every level, starting at the edge, then the virtual private cloud (VPC) boundary, and moving inwards to protect your load balancers, instances, and ultimately your data.
  • Automate security best practices: Implement your architecture as infrastructure as code (IaC) so that you can rapidly rebuild or roll back your environment when it changes, and put automated processes in place to respond to security events.
  • Protect data in transit and at rest: Any data classified as sensitive needs the appropriate level of protection, including encryption and access control.
  • Keep people away from data: Use tools that minimize the need for people to access data directly; you control who and what gets access, reducing the opportunities for data loss and corruption.
  • Prepare for security events: Having security policies and processes in place before a security event occurs is necessary because any system you bring online is exposed to attack from sources worldwide from the moment it starts.

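The traceability foundation above is the one a responder feels first: if the events that weaken the audit trail are not alerted on, everything that follows is invisible. The following script is an added example, not code from the study guide or from the Well-Architected whitepaper. It runs a small rule set over records shaped like CloudTrail events (the field names eventSource, eventName, userIdentity, errorCode, additionalEventData follow the CloudTrail record format; the records themselves are constructed for illustration, and the rules, thresholds, and account ID are assumptions of this example). It flags calls that tamper with logging, any root-account activity, console logins without MFA, and a principal that accumulates repeated access-denied errors, which is the pattern of someone probing what their credentials can reach.

```python
"""Traceability check over CloudTrail-style records (added example).

The records and the rule set below are constructed for illustration; they
are assumptions of this example, not a rule set from the Well-Architected
whitepaper. Field names follow the CloudTrail record format.
"""
from collections import Counter
from typing import Iterable

# API calls that weaken the audit trail itself. A responder needs an alert on
# these above all else: an actor who can stop CloudTrail can hide what follows.
TRAIL_TAMPERING = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"},
    "logs.amazonaws.com": {"DeleteLogGroup", "DeleteLogStream", "PutRetentionPolicy"},
    "config.amazonaws.com": {"StopConfigurationRecorder", "DeleteConfigurationRecorder"},
    "guardduty.amazonaws.com": {"DeleteDetector", "UpdateDetector"},
}
DENIAL_CODES = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}
DENIAL_THRESHOLD = 3  # assumed: repeated denials from one principal suggest privilege probing


def classify(record: dict) -> list[str]:
    """Return the alert tags a single CloudTrail record triggers (empty if none)."""
    tags = []
    source = record.get("eventSource", "")
    name = record.get("eventName", "")
    identity = record.get("userIdentity", {})
    if name in TRAIL_TAMPERING.get(source, set()):
        tags.append("LOGGING_TAMPERED")
    if identity.get("type") == "Root":
        tags.append("ROOT_ACTIVITY")
    if (source == "signin.amazonaws.com" and name == "ConsoleLogin"
            and record.get("additionalEventData", {}).get("MFAUsed") == "No"):
        tags.append("CONSOLE_LOGIN_NO_MFA")
    return tags


def _alert(rec: dict, who: str, tags: list[str]) -> dict:
    """Shape one alert: when, who, from where, which API call, and why."""
    return {
        "time": rec.get("eventTime"),
        "who": who,
        "source_ip": rec.get("sourceIPAddress"),
        "event": f"{rec.get('eventSource')}:{rec.get('eventName')}",
        "tags": tags,
    }


def scan(records: Iterable[dict]) -> list[dict]:
    """Run the per-record rules plus a cross-record rule for repeated denials."""
    alerts = []
    denials = Counter()
    for rec in records:
        who = rec.get("userIdentity", {}).get("arn", "<unknown>")
        tags = classify(rec)
        if tags:
            alerts.append(_alert(rec, who, tags))
        if rec.get("errorCode") in DENIAL_CODES:
            denials[who] += 1
            if denials[who] == DENIAL_THRESHOLD:  # alert once, when the threshold is crossed
                alerts.append(_alert(rec, who, ["REPEATED_ACCESS_DENIED"]))
    return alerts


def _rec(time: str, source: str, name: str, itype: str, arn: str, ip: str, **extra) -> dict:
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"type": itype, "arn": arn},
            "sourceIPAddress": ip, **extra}


# Constructed sample records; the account ID and ARNs are placeholders.
ALICE = "arn:aws:iam::111122223333:user/alice"
ROLE = "arn:aws:sts::111122223333:assumed-role/DevOps/session1"
ROOT = "arn:aws:iam::111122223333:root"

SAMPLE_RECORDS = [
    _rec("2024-05-01T10:00:00Z", "ec2.amazonaws.com", "DescribeInstances", "IAMUser", ALICE, "203.0.113.10"),
    _rec("2024-05-01T10:05:00Z", "cloudtrail.amazonaws.com", "StopLogging", "AssumedRole", ROLE, "198.51.100.7",
         requestParameters={"name": "management-events"}),
    _rec("2024-05-01T10:06:00Z", "signin.amazonaws.com", "ConsoleLogin", "Root", ROOT, "198.51.100.7",
         responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "No"}),
    _rec("2024-05-01T10:10:00Z", "s3.amazonaws.com", "ListBuckets", "IAMUser", ALICE, "203.0.113.10", errorCode="AccessDenied"),
    _rec("2024-05-01T10:10:05Z", "iam.amazonaws.com", "ListUsers", "IAMUser", ALICE, "203.0.113.10", errorCode="AccessDenied"),
    _rec("2024-05-01T10:10:09Z", "kms.amazonaws.com", "ListKeys", "IAMUser", ALICE, "203.0.113.10", errorCode="AccessDenied"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(alert)
```

Run against the sample set, the routine DescribeInstances call produces nothing, StopLogging and the root console login each produce an alert, and alice's third denied call produces a single REPEATED_ACCESS_DENIED alert rather than one per denial. In a real account the same rules would live in EventBridge rules or a SIEM query over the CloudTrail log bucket; the point of the example is that the alerting only works if the trail, the log group, and the config recorder the rules depend on were turned on before the incident, which is why this foundation is preparation work.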
Not all of these foundational principles apply directly to IR. They do, however, apply to securing your AWS account and to working through the questions on the Security Specialty certification exam. Knowing these guidelines, and recognizing when an exam question’s scenario applies or neglects them, can help you decipher some of the answers.

Out of the seven security foundations we defined, the following three are the most important for IR: enable traceability, automate security best practices, and prepare for security events.

Now that you have examined the security foundations of the WAF, you can dive deeper into how you can prepare for security events by creating a forensic AWS account.