| CAF Category | Phase 1: Quick Wins | Phase 2: Foundational | Phase 3: Efficient | Phase 4: Optimized |
|---|---|---|---|---|
| Security governance | Assign security contacts; Select the region(s) | Identify security and regulatory requirements; Cloud security training plan | Perform threat modeling | Forming a Chaos Engineering team (Resilience); Sharing security work and responsibility |
| Security assurance | Automate alignment with best practices using AWS Security Hub | Configuration monitoring with AWS Config | Create your reports for compliance (such as PCI-DSS) | |
| Identity and access management | Multi-Factor Authentication; Avoid using Root and audit it; Access and role analysis with IAM Access Analyzer | Centralized user repository; Organization policies - SCPs | Privilege review (Least Privilege); Tagging strategy; Customer IAM: security of your customers | Context-based access control; IAM policy generation pipeline |
| Threat detection | Threat detection with Amazon GuardDuty; Audit API calls with AWS CloudTrail; Remediate security findings found by AWS Trusted Advisor; Billing alarms for anomaly detection | Investigate most Amazon GuardDuty findings | Integration with SIEM/SOAR; Network flow analysis (VPC Flow Logs) | Amazon Fraud Detector; Integration with additional intelligence feeds |
| Vulnerability management | Manage vulnerabilities in your infrastructure and perform pentesting; Manage vulnerabilities in your applications | Security Champions in development | | |
| Infrastructure protection | Limit access using Security Groups | Manage your instances with Fleet Manager; Network segmentation - public/private networks (VPCs); Multi-account management with AWS Control Tower | Image generation pipeline; Anti-malware/EDR; Outbound traffic control; Use abstract services | Process standardization with Service Catalog |
| Data protection | Amazon S3 Block Public Access; Analyze data security posture with Amazon Macie | Data encryption - AWS KMS; Backups; Discover sensitive data with Amazon Macie | Encryption in transit | |
| Application security | AWS WAF with managed rules | Involve security teams in development; No secrets in your code - AWS Secrets Manager | WAF with custom rules; Shield Advanced: advanced DDoS mitigation | DevSecOps; Forming a Red Team (attacker's point of view) |
| Incident response | Act on Amazon GuardDuty findings | Define incident response playbooks - tabletop exercises; Redundancy using multiple Availability Zones | Automate critical and most frequently run playbooks; Automate deviation correction in configurations; Using infrastructure as code (CloudFormation, CDK) | Automate most playbooks; Amazon Detective: root cause analysis; Forming a Blue Team (incident response); Multi-region disaster recovery automation |
– This model is not part of the official AWS documentation. It is a set of opinionated, prescriptive guidance built by a team of AWS Security specialists and validated through dozens of peer reviews (not a formal process).
– It is currently used by over 100 AWS Solutions Architects to improve the security posture of their customers, and it had over 40,000 unique users in the last 12 months.
– Please review the Introduction section to understand the prioritization criteria, as they do not follow the typical approach.
– This document is not intended to replace the Well-Architected Framework or the CAF; it is intended to help with prioritization and to simplify learning.