AWS Security Maturity Model

The model organizes security controls by AWS Cloud Adoption Framework (CAF) category across four maturity phases:

Phase 1: Quick Wins
Phase 2: Foundational
Phase 3: Efficient
Phase 4: Optimized

Within each category below, controls are listed in phase order, starting with Phase 1 (Quick Wins) and ending with Phase 4 (Optimized).

Security governance
– Assign security contacts
– Select the region(s)
– Identify security and regulatory requirements
– Cloud security training plan
– Perform threat modeling
– Form a chaos engineering team (resilience)
– Share security work and responsibility

Security assurance
– Automate alignment with best practices using AWS Security Hub
– Configuration monitoring with AWS Config
– Create your reports for compliance (such as PCI DSS)

Identity and access management
– Multi-factor authentication
– Avoid using root and audit its use
– Access and role analysis with IAM Access Analyzer
– Centralized user repository
– Organization policies (SCPs)
– Privilege review (least privilege)
– Tagging strategy
– Customer IAM: security of your customers' identities
– Context-based access control
– IAM policy generation pipeline

Threat detection
– Threat detection with Amazon GuardDuty
– Audit API calls with AWS CloudTrail
– Remediate security findings reported by AWS Trusted Advisor
– Billing alarms for anomaly detection
– Investigate most Amazon GuardDuty findings
– Integration with SIEM/SOAR
– Network flow analysis (VPC Flow Logs)
– Amazon Fraud Detector
– Integration with additional threat intelligence feeds

Vulnerability management
– Manage vulnerabilities in your infrastructure and perform pentesting
– Manage vulnerabilities in your applications
– Security champions in development teams

Infrastructure protection
– Limit access using security groups
– Manage your instances with Fleet Manager
– Network segmentation: public/private networks (VPCs)
– Multi-account management with AWS Control Tower
– Image generation pipeline
– Anti-malware/EDR
– Outbound traffic control
– Use abstract (managed) services
– Process standardization with Service Catalog

Data protection
– Amazon S3 Block Public Access
– Analyze data security posture with Amazon Macie
– Data encryption with AWS KMS
– Backups
– Discover sensitive data with Amazon Macie
– Encryption in transit

Application security
– AWS WAF with managed rules
– Involve security teams in development
– No secrets in your code: AWS Secrets Manager
– WAF with custom rules
– Shield Advanced: advanced DDoS mitigation
– DevSecOps
– Form a red team (attacker's point of view)

Incident response
– Act on Amazon GuardDuty findings
– Define incident response playbooks and run tabletop exercises
– Redundancy using multiple Availability Zones
– Automate the critical and most frequently run playbooks
– Automate correction of configuration drift
– Use infrastructure as code (CloudFormation, CDK)
– Automate most playbooks
– Amazon Detective: root cause analysis
– Form a blue team (incident response)
– Multi-region disaster recovery automation
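
Two of the Phase 1 items, "Avoid using root and audit its use" and "Audit API calls with AWS CloudTrail", only pay off if someone actually looks at the trail. The script below is an added example, not part of the maturity model or of any AWS documentation: it scans CloudTrail records (the "Records" array of one delivered log file) and flags root-account activity and console sign-ins completed without MFA, using the same filter logic as the CIS AWS Foundations Benchmark metric filters (root usage excludes events where an AWS service acted on root's behalf; the MFA check covers IAM users and root, since federated sign-ins do MFA at the identity provider and CloudTrail reports them as MFAUsed: No). The sample records, account ID, IP addresses and user names are constructed for the example.

```python
"""Flag risky CloudTrail events: root-account activity and console logins without MFA.

Added example for the 'Avoid using root and audit its use' and 'Audit API calls
with AWS CloudTrail' items of the maturity model; not part of the model itself.
Input is the JSON a CloudTrail trail delivers to S3: {"Records": [...]}.
"""
import json
from typing import Any

ACCOUNT = "111122223333"  # constructed, not a real account

# Constructed sample records, trimmed to the fields the checks need.
SAMPLE_LOG = json.dumps({"Records": [
    # 1: root signs in to the console without MFA -> two findings
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "accountId": ACCOUNT,
                      "arn": f"arn:aws:iam::{ACCOUNT}:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    # 2: root creates an IAM user -> root activity finding
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "accountId": ACCOUNT,
                      "arn": f"arn:aws:iam::{ACCOUNT}:root"}},
    # 3: an AWS service acting on root's behalf -> excluded (CIS filter logic)
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKey", "eventType": "AwsServiceEvent",
     "userIdentity": {"type": "Root", "accountId": ACCOUNT,
                      "invokedBy": "AWS Internal"}},
    # 4: IAM user signs in with MFA -> clean
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    # 5: IAM user signs in without MFA -> finding
    {"eventTime": "2024-05-01T11:30:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    # 6: ordinary role activity -> clean
    {"eventTime": "2024-05-01T12:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole",
                      "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/app/i-0abc"}},
    # 7: failed login without MFA -> not a successful session, not flagged here
    {"eventTime": "2024-05-01T12:30:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.11",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Failure"}},
]})


def is_root_activity(rec: dict[str, Any]) -> bool:
    """Root identity acting directly; skips events an AWS service ran on root's behalf."""
    ident = rec.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and rec.get("eventType") != "AwsServiceEvent")


def is_console_login_without_mfa(rec: dict[str, Any]) -> bool:
    """Successful console sign-in by root or an IAM user where MFA was not used."""
    if rec.get("eventName") != "ConsoleLogin":
        return False
    if rec.get("userIdentity", {}).get("type") not in ("Root", "IAMUser"):
        return False  # federated sign-ins: MFA happens at the IdP, invisible here
    if rec.get("responseElements", {}).get("ConsoleLogin") != "Success":
        return False
    return rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"


def actor(rec: dict[str, Any]) -> str:
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


CHECKS = (("root_activity", is_root_activity),
          ("console_login_without_mfa", is_console_login_without_mfa))


def scan_cloudtrail(log_text: str) -> list[dict[str, Any]]:
    """Return one finding per (record, check) pair that matches, in record order."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        for kind, check in CHECKS:
            if check(rec):
                findings.append({"kind": kind, "time": rec["eventTime"],
                                 "actor": actor(rec),
                                 "event": f"{rec['eventSource']}:{rec['eventName']}",
                                 "source_ip": rec.get("sourceIPAddress")})
    return findings


if __name__ == "__main__":
    for finding in scan_cloudtrail(SAMPLE_LOG):
        print(finding)
```

In production the same two predicates are normally expressed as CloudWatch Logs metric filters on the trail's log group with alarms on a non-zero count, which is what the CIS benchmark prescribes; running them as code is useful when triaging delivered log files or feeding a SIEM. Note that "MFAUsed" is absent on API (non-console) events, so the MFA check deliberately applies only to ConsoleLogin.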

– This model is not part of the official AWS documentation. It is a set of opinionated, prescriptive guidance built by a team of AWS security specialists and validated through dozens of peer reviews (not a formal process).
– It is currently used by over 100 AWS Solutions Architects to improve the security posture of their customers and has had over 40,000 unique users in the last 12 months.
– Please read the Introduction section to understand the prioritization criteria, since they do not follow the typical approach.
– This document is not intended to replace the Well-Architected Framework or the CAF; it is intended to help with prioritization and to simplify learning.