AWS Architecture Blog

AWS Well-Architected for Financial Services

Cloud is part of the new normal in the financial services industry. Higher customer expectations have raised the stakes, pushing institutions to streamline operations, lower costs, and accelerate innovation. The conversation is no longer about whether to embrace the cloud, but rather how quickly it can be done. To address the need to provide tailored advice, AWS added the concept of AWS Well-Architected Lenses in 2017. AWS is now happy to announce the Financial Services lens, the first industry-specific guidance for the AWS Well-Architected Framework. This post introduces its purpose, the topics it covers, and the common scenarios it includes.

In the Financial Services lens, we focus on how to design, deploy, and architect financial services industry workloads that promote the resiliency, security, and operational performance in line with risk and control objectives that firms define for themselves. This includes companies and industries that are required to meet the regulatory and compliance requirements of supervisory authorities.

While we recommend that AWS customers start with the standard AWS Well-Architected Framework as a foundation for their architecture review, the Financial Services lens provides additional best practices for the resiliency, security, and operational performance requirements of financial institutions. These best practices are based on our experience working with financial services customers globally.

The guidance inside the lens can be grouped under the following:

Well-Architected FinServ lens

General Design principles to improve security, data privacy, and resiliency in the cloud

These principles include both general design principles for unlocking the true value of cloud and specific best practices for your AWS environments. For example, we have advocated for a Security by Design (SbD) approach, wherein firms should implement their architectures in repeatable templates that have control objectives, security baselines, and audit capabilities baked in. The lens also provides specific guidance on how to implement this approach, such as how to protect your compute infrastructure and protect your data with encryption.

Guardrails to confidently build and deploy financial applications on AWS

The lens provides best practices in a number of areas including Identity and Access Management (IAM), networking, secrets management, data privacy, resiliency, and performance. When taken together with the standard Well-Architected Framework, it will help accelerate migration or new development of applications on the cloud while making sure that security, risk, and compliance needs are met as well.

Techniques to build transparency and auditability into your AWS environment

With AWS, customers have access to a higher fidelity of observability in terms of what happens in their environments compared to traditional on-premises environments. The lens identifies a number of best practices to harness this capability for better business and operational outcomes. We’ve also provided additional guidance on how to gather, store, and secure evidence for audit requirements associated with cloud environments.

Recommendations for controls to help expedite adoption of new AWS services

“Allow listing” new AWS services, or certifying that a new service implements all the internal security and control standards, is a time-consuming process for many financial services customers. It also holds back teams from leveraging innovation in new AWS services and features. In this lens, we have discussed a number of best practices in the areas of IAM privileges, private connectivity, and encryption, which should help expedite the allow listing of new services.

The Financial Services Lens whitepaper is intended to provide guidance for common industry workloads, such as:

  • Financial data on the cloud
  • Building data lakes for use cases such as regulatory reporting
  • Artificial intelligence (AI) and machine learning (ML)
  • Grid computing for risk and modeling
  • Building a platform for ML and AI
  • Open banking
  • Digital user engagement

If any of these scenarios fits your needs, building to the principles of the Financial Services lens in the AWS Well-Architected Framework can improve security, resiliency, and operational efficiency for all financial services customers on AWS, and can also assist in meeting regulatory and compliance obligations.

Conclusion

We strive to provide you with a consistent approach to evaluate architectures and implement designs that will scale over time. AWS is committed to maintaining the Financial Services Lens whitepaper as a living document; as the technology and regulatory landscape evolves and new AWS services come online, we’ll update the Financial Services lens appropriately. We are also actively working towards implementing the Financial Services lens in the Well-Architected Tool, so that teams can run Well-Architected reviews against best practices included in the whitepaper.

Special thanks to the following individuals who contributed to building this resource, among many others who helped with review and implementation: Ilya Epshteyn, Misha Goussev, Som Chatterjee, James Craig, Anjana Kandalam, Roberto Silva, Chris Redmond, Pawan Agnihotri, Rahul Prabhakar, Jaswinder Hayre, Jennifer Code, Igor Kleyman, John McDonald, and John Kain.