Enhance application security and catch security vulnerabilities through integrated security automation
This Guidance shows how to build a strong application security capability on AWS. Application security helps you address application-level threats, such as unauthorized access and privilege escalation. By using the AWS security services in this Guidance, you can log application security events, protect and manage your resources, and detect anomalous behavior in clients' interactions with your application.
Architecture Diagram
Step 1
Within AWS Organizations, enable Amazon GuardDuty, Amazon Inspector, AWS Security Hub, Amazon Macie, and Amazon Detective for your home and operational AWS Regions.
Step 2
Set up GuardDuty for threat monitoring and Amazon Inspector for automated vulnerability scanning of Amazon Elastic Compute Cloud (Amazon EC2) instances, Amazon Elastic Container Registry (Amazon ECR) images, and AWS Lambda functions.
Step 3
Configure Security Hub in your home and operational Regions to centralize security incidents within your AWS environment and maintain compliance with industry standards and best practices.
Step 4
Enable and configure Macie in your home and operational Regions to identify sensitive data.
Step 5
Enable and configure Detective in your home and operational Regions to streamline security analysis and conduct efficient security investigations.
Step 6
Provide security teams with least privilege access to security services and the AWS environment using a federated solution. Review AWS Identity and Access Management (IAM) access using IAM Access Analyzer. Forward findings to Security Hub.
Step 7
Use AWS Certificate Manager to provision and manage SSL or TLS certificates. Use AWS Key Management Service (AWS KMS) to manage keys associated with application resources.
Step 8
Use AWS Secrets Manager to securely store and manage credentials such as database logins, API keys, and other secrets.
Step 9
Send application security logs to a centralized log storage bucket for compliance retention and analysis.
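Every service in Steps 1 through 5 is enabled per Region, so a Region that was skipped stays silently unmonitored. The script below, an added example that is not part of the Guidance, audits each home and operational Region for the five services; it assumes boto3 with credentials that can read those services, and REGIONS is a constructed stand-in for your own Region list.

```python
"""Audit that the Guidance's detection services are enabled in every Region.
Added example, not the Guidance's own code; assumes credentials able to read
all five services. REGIONS is a constructed stand-in for your Regions."""
try:
    import boto3
    from botocore.exceptions import ClientError
except ImportError:  # boto3 absent: the audit still runs with an injected session
    boto3 = None
    class ClientError(Exception): pass  # stand-in so the except clauses compile

REGIONS = ["us-east-1", "eu-west-1"]  # constructed: home + operational Regions
INSPECTOR_RESOURCES = ("ec2", "ecr", "lambda")  # Step 2 scan targets

def audit_region(session, region):
    """Return {service: enabled?} for one Region, covering Steps 1-5."""
    result = {}
    gd = session.client("guardduty", region_name=region)
    ids = gd.list_detectors().get("DetectorIds", [])
    result["guardduty"] = any(
        gd.get_detector(DetectorId=i).get("Status") == "ENABLED" for i in ids)

    insp = session.client("inspector2", region_name=region)
    accounts = insp.batch_get_account_status().get("accounts", [])
    states = accounts[0].get("resourceState", {}) if accounts else {}
    result["inspector"] = all(
        states.get(r, {}).get("status") == "ENABLED" for r in INSPECTOR_RESOURCES)

    try:  # DescribeHub raises InvalidAccessException while Security Hub is off
        session.client("securityhub", region_name=region).describe_hub()
        result["securityhub"] = True
    except ClientError:
        result["securityhub"] = False
    try:  # GetMacieSession raises AccessDeniedException while Macie is off
        macie = session.client("macie2", region_name=region)
        result["macie"] = macie.get_macie_session().get("status") == "ENABLED"
    except ClientError:
        result["macie"] = False

    graphs = session.client("detective", region_name=region).list_graphs()
    result["detective"] = len(graphs.get("GraphList", [])) > 0
    return result

def audit(session, regions=REGIONS):
    """Map each Region to the services still disabled there (empty list = OK)."""
    return {r: [s for s, ok in audit_region(session, r).items() if not ok]
            for r in regions}

if __name__ == "__main__":
    for region, missing in audit(boto3.Session()).items():
        print(region, "OK" if not missing else "missing: " + ", ".join(missing))
```

A Macie session that is merely paused is reported as disabled, which is the state that matters for Step 4.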
Additional Considerations
Application Security describes the security measures used at the application level to protect data or code within the app from being stolen or hijacked. It includes security concerns during application development and design, but it also includes methods and procedures to safeguard apps after they are launched. Application security should be applied at all stages of development, including design, development, and deployment.
Application Security not only emphasizes preventing vulnerabilities and threats in software applications but also stresses the importance of constant monitoring and updating to address new challenges and threats as they emerge. Regular security assessments, including code reviews, penetration testing, and the use of automated security tools, play a crucial role in identifying and mitigating potential security issues before they can be exploited.
Related Content
- Stakeholders: Security (primary), Central IT, Operations
- For additional information on this capability, read the whitepaper.
Disclaimer
The sample code; software libraries; command line tools; proofs of concept; templates; or other related technology (including any of the foregoing that are provided by our personnel) is provided to you as AWS Content under the AWS Customer Agreement, or the relevant written agreement between you and AWS (whichever applies). You should not use this AWS Content in your production accounts, or on production or other critical data. You are responsible for testing, securing, and optimizing the AWS Content, such as sample code, as appropriate for production grade use based on your specific quality control practices and standards. Deploying AWS Content may incur AWS charges for creating or using AWS chargeable resources, such as running Amazon EC2 instances or using Amazon S3 storage.