Last year I released my “AWS Security Maturity Roadmap” to help companies understand many of the security improvements they could make in their AWS environments and to lay these out in a series of stages to help them plan and priorize these improvements. This became very popular and has been used as guidance for many companies. Since then, AWS has released new functionality that should be used. Some of these features change how easy certain steps are, or their importance, which has led me to adjust how I’ve prioritized things. My own beliefs have also changed too as I’ve received feedback from people about my guide, or seen the ease and impact of certain steps. For these reasons, I’ve updated this Roadmap for 2020.
- Added the newsletters CloudSecList by Marco Lancini and tl;dr sec by Clint Gibler as valuable news sources.
- Added S3 replication policies as part of the backup strategy. That feature is not new, but something important I should have mentioned.
- Moved turning on GuardDuty to an earlier stage, as the new delegated admin concept makes this much easier to enable organization wide. Also added the new Access Analyzer service, and mentioned Macie due to the improved cost of that service.
- Moved real-time monitoring from Stage 4 to a later stage as I’ve realized this is a bigger ask for many companies than other steps.
- Moved Honeytokens to an earlier stage, because of how easy they are to deploy and the value they provide.
- Removed reference to AdRoll’s Hologram in Stage 5 “Secure IAM Access”, due to difficulty in deploying this.
- Moved Apply SCPs to an earlier stage, and added enforcing the new IMDSv2 there.
- Moved network architecture changes to a later stage due to the architectural difficulties in making those changes.
- Having a tagging strategy has been added, both due to the importance of knowing what resources belong to who, and the release of Tag Policies.
- As a result of these changes a new stage has been added and stages have been renamed.