southwest company logo

Southwest Airlines Invests in Its Security Posture Using AWS Security Hub


Southwest Airlines (Southwest) wanted to invest in its security posture to protect the many integrated applications that keep the airline running safely and smoothly. By using cloud-native elements for gathering security insights, the airline could focus on building innovative applications instead of managing infrastructure. “We wanted to be able to provide rich security insights back to our teams so that they would be better equipped to investigate and recover from security events and perform forensic analysis after the fact,” says Will Walsh, cloud security senior manager at Southwest.

As part of its ongoing migration to Amazon Web Services (AWS), Southwest adopted AWS Security Hub, which is a cloud security posture management service and is a key part of a broader automated and scalable integration that provides users with a comprehensive view of their security alerts and security posture across AWS accounts. Using AWS Security Hub, Southwest’s security teams achieve higher visibility into the airline’s security operations and can manage both cloud-native and third-party applications with ease.

Southwest Airlines plane in hangar

Using AWS Security Hub, we now have the stronger security capabilities that we need."

Jon Barcellona
Cybersecurity Engineering Director, Southwest Airlines

Automating Security Operations in a Massive Company

Texas-based Southwest is one of the world’s largest low-cost carrier airlines, with around 54,000 employees transporting 130 million passengers per year to 101 destinations across 11 countries. The airline was one of the earliest AWS Enterprise Customers, having first started using AWS services in 2010. Previously, the airline ran in-house technology in its data centers to manage flight schedules, forecast demand, schedule maintenance, achieve dynamic pricing for mobile and web sales, and respond to irregular events such as delay-causing weather. Southwest wanted to improve flexibility and accelerate value delivery, so in 2017, it began migrating its operations to AWS. Initially, Southwest operated in the cloud while continuing to use the same security operational model that it had developed for its data centers, but it soon realized that by adopting a cloud-native approach, it could maximize its capabilities. Moving to a shared responsibility model, in which AWS manages infrastructure on Southwest’s behalf, frees up the airline’s security teams to focus on bigger priorities—including detecting, preventing, and responding to security events.

Southwest chose AWS for its high availability, resiliency, and array of tools, which the development team could use to build out its security capabilities. “Migrating to AWS was an important step in creating better delivery velocity for our security applications,” says Jon Barcellona, cybersecurity engineering director at Southwest. “Using AWS tools makes it simpler to integrate, manage, and segment our applications naturally.”

Using AWS Tools to Facilitate High Visibility for Security Teams

Southwest built a security solution that uses AWS Security Hub to manage and collect data from various security services on AWS as well as from third-party security products. Southwest also uses custom rules in AWS Config, a service for recording and evaluating the configurations of AWS resources, to manage its various AWS services. Among the services that feed into AWS Security Hub is Amazon GuardDuty, a threat detection service that continually monitors for malicious activity and unauthorized behavior. Southwest also uses Amazon Inspector, which automatically assesses applications for exposure, vulnerabilities, and deviations from best practices. To initiate investigations, the airline uses Amazon Detective, which makes it simple to analyze, investigate, and quickly identify the root causes of potential security issues.

Southwest’s solution uses AWS Security Hub to gather events detected through Amazon GuardDuty, AWS Config, and Amazon Inspector. From there, the event information is aggregated regionally and fed to logs in Amazon CloudWatch, a monitoring and observability service. Finally, Southwest uses an adapter for Amazon CloudWatch logs to feed event information to the third-party enterprise security information and event-management solution, which aggregates data from many sources and performs event correlation with rich content to detect actionable security events. Events are continually monitored by the security operations center and are analyzed, contained, and eradicated as appropriate.

Using AWS Security Hub, various teams at Southwest—including the security operations center, threat intelligence team, incident responders, and application teams—can achieve high visibility into Southwest’s security posture. The solution reduced the time and labor required to implement over 350 automated security controls, and Southwest achieves high adherence to the associated security control objectives, which comprise its security posture. At a global level, Southwest scans over 600,000 resources across hundreds of AWS accounts each month, with 98 percent of resources passing security posture checks. Remediating the remaining 2 percent of resources is simple through AWS Security Hub. “Using AWS Security Hub, we now have the stronger security capabilities that we need,” says Barcellona.

Southwest uses AWS Security Finding Format (ASFF), a standard findings format, to build libraries that reduce the development time of future automated security controls. With a standard format in place, Southwest can implement complex test controls over multiple accounts. The airline has reduced development time for implementing new controls from 5–6 weeks to 1 week. Development ideation, production, and activation processes, which previously took years, now happen in months or even weeks. “AWS Security Hub standardized our data, almost like magic,” Walsh says. “We can now apply machine learning, artificial intelligence, and anomaly detection—things we couldn’t do before.”

Continuing to Mature the Company’s Cloud Structure

In the future, Southwest plans to simplify account management using AWS Identity and Access Management (AWS IAM), which lets users manage access to AWS resources and services securely. Southwest will use AWS IAM Access Analyzer, which identifies resources and accounts that are shared with external entities, to achieve additional visibility into the security risk of unintended access to resources and data.

By building a cloud-native security solution on AWS, Southwest has achieved the visibility, resiliency, and efficiency it needs to help keep its applications and sensitive data safe. “If our security system is not running, we’re not flying,” says Barcellona. “So having the robust security posture and capabilities we achieve on AWS is critical for us.”

Southwest Airlines Reference Architecture

About Southwest Airlines

Southwest Airlines was founded in 1967 and has become one of the world’s largest low-cost airlines, with 54,000 employees managing flights to 101 destinations in 11 countries for 130 million passengers per year.

Benefits of AWS

  • Improved visibility into its security posture
  • Built an automated, scalable security solution
  • Reduced time and labor when implementing 350+ automated security controls
  • Scans 600,000 resources with 98% compliance across 350+ security control objectives
  • Reduced implementation time for new controls from 5–6 weeks to 1 week
  • Reduced development ideation, production, and activation time from years to weeks or months
  • Applied machine learning, artificial intelligence, and anomaly detection

AWS Services Used

AWS Security Hub

AWS Security Hub is a cloud security posture management service that performs security best practice checks, aggregates alerts, and enables automated remediation.

Learn more »

Amazon GuardDuty

Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.

Learn more »

Amazon Inspector

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.

Learn more »

Amazon Detective

Amazon Detective makes it easy to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities.

Learn more »

Get Started

Organizations of all sizes across all industries are transforming their businesses and delivering on their missions every day using AWS. Contact our experts and start your own AWS journey today.