Security By Design

Security by Design (SbD) is a security assurance approach that formalizes AWS account design, automates security controls, and streamlines auditing. Instead of relying on auditing security retroactively, SbD provides security control built in throughout the AWS IT management process. By utilizing Security by Design CloudFormation templates, security and compliance in the cloud can be made more efficient and expansive.

SbD encompasses a four-phase approach for security and compliance at scale across multiple industries, standards, and security criteria. AWS SbD can be utilized when designing security and compliance capabilities for all phases of security by allowing the customer to design everything within the AWS customer environment: permissions, logging, trust relationships, encryption enforcement, mandating approved machine images, and more. SbD enables customers to automate the front-end structure of an AWS account, reliably coding security and compliance into AWS accounts, making non-compliance of IT controls a thing of the past.

SbD outlines the control responsibilities, the automation of security baselines, the configuration of security and the customer audit of controls for AWS customer infrastructure, operating systems, services and applications running in AWS. This standardized, automated, prescriptive and repeatable design can be deployed for common use cases, security standards and audit requirements across multiple industries and workloads.

AWS recommends building security and compliance into your AWS account by following a four-phase approach:

Phase 1 – Understand your requirements. Outline your policies, then document the controls you inherit from AWS. Next, document the controls you own and operate in your AWS environment, and decide on what security rules you want to enforce within your AWS IT environment.

Phase 2 – Build a “secure environment” that fits your requirements and implementation. Define the configuration you require in the form of AWS configuration values, such as encryption requirements (forcing server-side encryption for S3 objects), permissions to resources (which roles apply to certain environments), which compute images are authorized (based on hardened images of servers you have authorized), and what kind of logging needs to be enabled (such as enforcing the use of CloudTrail on applicable resources). As AWS provides a mature set of configuration options (with new services being released all the time), templates will be available for aligning your environment to security controls. These security templates (in the form of AWS CloudFormation templates) provide a more comprehensive rule set that can be systematically enforced. AWS has developed templates that provide security rules conforming to multiple security frameworks. For more information, please visit our "Introduction to Security by Design" whitepaper.

More help to create this “secure environment” is available from AWS experienced architects, AWS Professional Services, and partner IT transformation leaders. These teams can work alongside your staff and audit teams to focus on and help implement high-quality secure customer environments in support of third-party audits.

Phase 3 – Enforce the use of the templates. Enable Service Catalog, and enforce the use of your template in the catalog. This is the step which enforces the use of your “secure environment” in new environments that are being created, and prevents anyone from creating an environment that doesn’t adhere to your “secure environment” security rules. This effectively operationalizes the remaining customer account security configurations of controls in preparation for audit readiness.

Phase 4 – Perform validation activities. Deploying AWS through Service Catalog and the “secure environment” templates helps create an audit-ready environment. The rules you defined in your template can be used as an audit guide. AWS Config allows you to capture the current state of any environment, which can then be compared with your “secure environment” rules. This provides audit evidence-gathering capabilities through secure “read access” permissions along with unique scripts, which enable audit automation for evidence collection. Customers will be able to convert traditional manual administrative controls to technically enforced controls with assurance that, if designed and scoped properly, the controls are operating 100 percent at any point in time, versus traditional audit sampling methods or point-in-time reviews.

This technical audit can be augmented by pre-audit guidance, such as support and training for customer auditors to ensure audit personnel understand the unique audit automation capabilities the AWS cloud provides.
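
The Phase 4 comparison of captured state against the “secure environment” rules from Phase 2 can be sketched as follows. This is an added example, not AWS code or an AWS Config API: the snapshot uses CloudFormation-style resource types and properties, and the image IDs, accepted algorithms and resource names are constructed assumptions.

```python
# Added example: rule values and sample resources are constructed for illustration.
APPROVED_IMAGES = {"ami-0aaaaaaaaaaaaaaaa"}   # hypothetical hardened image ID
ACCEPTED_SSE = {"AES256", "aws:kms"}          # assumed policy choice

def s3_encrypted(props):
    cfg = props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
    algos = [c.get("ServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for c in cfg]
    return bool(algos) and all(a in ACCEPTED_SSE for a in algos)

def image_approved(props):
    return props.get("ImageId") in APPROVED_IMAGES

def trail_logging(props):
    return props.get("IsLogging") is True

# One rule per resource type: (rule text used as the audit guide, check function)
RULES = {
    "AWS::S3::Bucket": ("server-side encryption required", s3_encrypted),
    "AWS::EC2::Instance": ("approved machine image required", image_approved),
    "AWS::CloudTrail::Trail": ("CloudTrail logging must be enabled", trail_logging),
}

def evaluate(resources):
    """Check every resource (not a sample) and return sorted (id, rule) findings."""
    findings = []
    for logical_id, res in resources.items():
        rule = RULES.get(res.get("Type"))
        if rule and not rule[1](res.get("Properties", {})):
            findings.append((logical_id, rule[0]))
    # Environment-level rule: a missing trail is itself a finding.
    if not any(r.get("Type") == "AWS::CloudTrail::Trail" for r in resources.values()):
        findings.append(("<environment>", "no CloudTrail trail present"))
    return sorted(findings)

SSE = {"ServerSideEncryptionConfiguration": [
    {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}
SAMPLE = {  # constructed snapshot
    "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {"BucketEncryption": SSE}},
    "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "AppServer": {"Type": "AWS::EC2::Instance", "Properties": {"ImageId": "ami-0aaaaaaaaaaaaaaaa"}},
    "WebServer": {"Type": "AWS::EC2::Instance", "Properties": {"ImageId": "ami-0bbbbbbbbbbbbbbbb"}},
    "AuditTrail": {"Type": "AWS::CloudTrail::Trail", "Properties": {"IsLogging": True}},
}

if __name__ == "__main__":
    for logical_id, rule in evaluate(SAMPLE):
        print(f"NON-COMPLIANT {logical_id}: {rule}")
```

Because every resource in the snapshot is evaluated, the findings list doubles as audit evidence for the whole environment rather than for a sampled subset.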


AWS Impact of SbD

The SbD approach is meant to achieve the following:

• Creation of forcing functions that cannot be overridden by the users who aren’t allowed to modify those functions.
• Establishing reliable operation of controls.
• Enabling continuous and real-time auditing.
• The technical scripting of your governance policy.

The result is an automated environment enabling the security assurance, governance, security, and compliance capabilities of your environment. Customers can now execute reliable implementation of what was previously written in policies, standards and regulations. Additionally, customers can create enforceable security and compliance, which in turn creates a functional reliable governance model for AWS customer environments.


Be familiar with the concepts in the Security by Design Whitepaper.

Take the self-paced training on "Auditing your AWS Architecture". That provides exposure to the features and interfaces of AWS, particularly around configuration options that are available to auditors and security control owners.

Be familiar with additional relevant resources available to you:
a. Amazon Web Services: Overview of Security Processes
b. Introduction to Auditing the Use of AWS Whitepaper
c. Federal Financial Institutions Examination Council (FFIEC) - Audit Guide
d. SEC - Cybersecurity Initiative Audit Guide
e. CJIS Security Policy Audit Guide

