© 2024 Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Security Maturity Model v2
The model is a matrix: rows are the AWS Cloud Adoption Framework (CAF) security capabilities, columns are four phases (Phase 1: Quick Wins, Phase 2: Foundational, Phase 3: Efficient, Phase 4: Optimized), ordered along the CAF levels Start, Advance and Excel.

Security governance
  Phase 1: Assign security contacts; Select the region(s) to use and block the rest
  Phase 2: Identify security and regulatory requirements; Cloud security training plan
  Phase 3: Design your secure architecture; Use infrastructure as code; Tagging strategy
  Phase 4: Sharing security work and responsibility (RACI)

Security assurance
  Phase 1: Evaluate cloud security posture (CSPM)
  Phase 2: Inventory and configuration monitoring
  Phase 3: Create your compliance reports
  Phase 4: Automate evidence gathering

Identity and access management
  Phase 1: Multi-factor authentication; Root account protection; Identity federation; Clean up unintended access
  Phase 2: Guardrails: organizational policies with SCPs/RCPs; Use temporary credentials; Instance Metadata Service (IMDS) v2
  Phase 3: Least privilege review; Customer IAM (CIAM): security of your customers
  Phase 4: IAM data perimeters; IAM policy generation pipeline; Temporary elevated access

Threat detection
  Phase 1: Detect common threats; Audit API calls; Billing alarms
  Phase 2: Advanced threat detection
  Phase 3: Custom threat detection capabilities (Security Lake / SIEM)
  Phase 4: Threat intelligence; Network flow analysis (VPC Flow Logs)

Vulnerability management
  Phase 1: (no items)
  Phase 2: Manage infrastructure vulnerabilities; Manage application vulnerabilities
  Phase 3: Security champions program; DevSecOps: security in the pipeline
  Phase 4: Vulnerability management team

Infrastructure protection
  Phase 1: Clean up risky open admin ports
  Phase 2: Limit network access; Secure EC2 instance management; Network segmentation (VPCs); Multi-account management
  Phase 3: Golden image generation pipeline; Anti-malware / EDR / runtime protection; Outbound traffic control
  Phase 4: Zero Trust access; Use abstract (managed) services

Data protection
  Phase 1: Block public access; Analyze data security posture
  Phase 2: Data encryption at rest; Backups; Discover sensitive data
  Phase 3: Encryption in transit
  Phase 4: GenAI data protection

Application security
  Phase 1: WAF with managed rules
  Phase 2: Involve security teams in development; No secrets in code
  Phase 3: Perform threat modeling; WAF with custom rules; Advanced DDoS mitigation (Layer 7)
  Phase 4: Form a Red Team (attacker's point of view)

Incident response
  Phase 1: Act on critical security findings
  Phase 2: Define incident response playbooks
  Phase 3: Run tabletop exercises and simulations; Automate critical playbooks; Security investigations and root cause analysis
  Phase 4: Form a Blue Team (incident response); Advanced security automations; Security orchestration and ticketing; Automate correction of configuration deviations

Resiliency
  Phase 1: Evaluate resilience
  Phase 2: Redundancy using multiple Availability Zones
  Phase 3: Disaster recovery plan
  Phase 4: Multi-region disaster recovery automation; Chaos engineering
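Several of the Phase 1 quick wins (clean up risky open admin ports, IMDS v2, block public access) are checks a CSPM tool or a small script can verify before anything is changed. The Python below is an added example written for this page; it is not code from the AWS Security Maturity Model or from AWS. It runs the three checks over constructed sample data shaped like the responses of boto3's describe_security_groups, describe_instances and get_public_access_block calls, so it needs no AWS credentials; the group and instance identifiers are made up.

```python
"""Quick-win posture checks over constructed AWS API responses.

Added example for this page, not part of the AWS Security Maturity Model.
The SAMPLE_* inputs are constructed to mirror the shape of boto3's
describe_security_groups, describe_instances and get_public_access_block
responses; no AWS calls are made and all identifiers are made up.
"""

ADMIN_PORTS = {22, 3389}            # SSH and RDP
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}  # "from anywhere" sources


def risky_admin_rules(security_groups):
    """Return (GroupId, port) pairs where an admin port is reachable from anywhere.

    A rule with IpProtocol "-1" (all traffic) open to the world exposes every
    port, so it is reported once per admin port. Non-TCP rules are ignored.
    """
    findings = set()
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            if not WORLD_CIDRS & set(sources):
                continue
            proto = rule.get("IpProtocol")
            if proto == "-1":
                exposed = ADMIN_PORTS
            elif proto in ("tcp", "6"):
                lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
                exposed = {p for p in ADMIN_PORTS if lo <= p <= hi}
            else:
                exposed = set()
            findings.update((sg["GroupId"], p) for p in exposed)
    return sorted(findings)


def imds_v1_instances(reservations):
    """Return InstanceIds whose metadata endpoint still answers IMDSv1 requests,
    i.e. HttpTokens is not "required" while the endpoint is enabled."""
    ids = []
    for res in reservations:
        for inst in res.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            endpoint_on = opts.get("HttpEndpoint", "enabled") == "enabled"
            if endpoint_on and opts.get("HttpTokens") != "required":
                ids.append(inst["InstanceId"])
    return ids


def s3_public_access_gaps(config):
    """Return the Block Public Access flags that are not enabled; all four
    must be true for the setting to actually block public exposure."""
    flags = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")
    cfg = config.get("PublicAccessBlockConfiguration", {})
    return [f for f in flags if not cfg.get(f, False)]


# Constructed sample data (hypothetical identifiers)
SAMPLE_SGS = [
    {"GroupId": "sg-0a1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0b2", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0c3", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
]
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-111", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-222", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
    {"InstanceId": "i-333", "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
]}]
SAMPLE_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}


def run_quick_win_checks():
    """Run every check over the sample data and return the findings by name."""
    return {
        "risky_admin_rules": risky_admin_rules(SAMPLE_SGS),
        "imds_v1_instances": imds_v1_instances(SAMPLE_RESERVATIONS),
        "s3_public_access_gaps": s3_public_access_gaps(SAMPLE_PAB),
    }


if __name__ == "__main__":
    for check, result in run_quick_win_checks().items():
        print(f"{check}: {result}")
```

Against the sample data the script reports sg-0a1 (SSH from 0.0.0.0/0) and sg-0b2 (all traffic from ::/0, which exposes both admin ports) while sg-0c3 passes because RDP is limited to a private range; i-111 is the only instance still accepting IMDSv1, and the account is missing BlockPublicPolicy and RestrictPublicBuckets. Feeding real API output into the same functions gives the list of items to fix first.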