Security Services Blog

AWS Security Start Right/Run Well Program

Resources to help secure your workloads and applications in the cloud

The HAQM Web Services (AWS) Security Start Right/Run Well program provides operationalization references to enable customers to efficiently deploy native AWS security services following best practices. These references are structured along three tracks – Self-Service, Guided, and Managed – to provide operationalization options that best match your organization’s resource capacity and expertise, operations design, and implementation timing considerations.

The Self-Service track curates native security service configuration and operation resources that builders and/or administrators can follow and implement. The Guided track links to options to augment your team’s capacity and cloud skills by engaging AWS experts or partners in short-term engagements. Meanwhile, the Managed track guides customers to AWS and vetted partner resources that can support outsourced operations.

References are organized by security domain with the corresponding Self-service, Guided, and Managed track guidance provided for that domain and its related native AWS security services.

Note: This document should in no way be considered comprehensive of all available operational resources.

Intended audience: This guide is best suited for resources tasked with activating, configuring, and operating native AWS security services.

Operationalization Enablement Tracks

Self-Service Track

Security guidance resource providing step-by-step guidance on how to configure security services in line with best practices.

Prerequisite: Available resources with cloud expertise.

Ideal for: Organizations that have in-house cloud operations resources who can follow prescriptive guidance.

Guided Track

Specialized skills and experience from AWS Professional Services or partners to lend AWS expertise via short-term engagements.

Prerequisite: Statement of Work.

Ideal for: Organizations that need to fill skills gaps through workshops and consultation with experts.

Managed Track

Service configuration and operation by AWS or partners.

Prerequisite: Statement of Work / Master Service Agreements.

Ideal for: Organizations that want to reduce their operational overhead and focus on their business applications.

References

Data protection
Detection and Incident response
Identity and access management
Network and application protection

Data protection

AWS Security Service	Self-Service		Guided		Managed
AWS Security Service	Start Right	Run Well	APN Offerings	AWS Offerings	AWS Managed Services	Managed Security Service Providers (MSSPs)
Data Protection	Activation Days: Data Encryption Github Samples: AWS Data Protection Prescriptive Guidance: Creating an enterprise encryption strategy for data at rest Workshop: Security Services Resiliency and Disaster Rocovery		AWS Security Competency Partners > Data Protection	AWS Professional Services AWS Support AWS IQ	AWS Managed Services	MSSP
AWS Certificate Manager	General Security	Best Practices Security Blog Posts How to deploy public ACM certificates across multiple AWS accounts and Regions using AWS CloudFormation StackSets How to monitor expirations of imported certificates in AWS Certificate Manager (ACM) How to use AWS Certificate Manager with AWS CloudFormation Github Samples: Certificate rotation
AWS Private Certificate Authority	General Security	Best Practices Security Blog Posts Choosing the right certificate revocation method in ACM Private CA How to use ACM Private CA for enabling mTLS in AWS App Mesh TLS enabled Kubernetes clusters with ACM Private CA and HAQM EKS Github Samples: DIY Code signing using AWS ACM Private CA and AWS KMS Workshop: ACM Private CA Workshop
AWS CloudHSM	General Security	Best Practices Security Blog Posts CloudHSM best practices to maximize performance and avoid common configuration pitfalls Integrate CloudHSM PKCS #11 Library 5.0 with serverless workloads How to implement a hybrid PKI solution on AWS Security of CloudHSM Backups Github Samples: JCE Examples Github Samples: PKCS Examples Github Samples: Lambda Examples Github Samples: CloudFormation Templates Workshop: CloudHSM Workshop
AWS Key Management Service (KMS)	General Security	Best Practices Security Blog Posts Demystifying KMS keys operations, bring your own key (BYOK), custom key store, and ciphertext portability Encrypt global data client side with AWS KMS multi Region keys Github Samples: DIY Code signing using AWS ACM Private CA and AWS KMS Workshop: Scaling your encryption at rest capabilities with AWS KMS
HAQM Macie	General Security	Security Blog Posts Best practices for setting up HAQM Macie with AWS Organizations Use Security Hub custom actions to remediate S3 resources based on Macie discovery results Large Scale Macie Implementation (BBVA) Correlate IAM Access Analyzer findings with HAQM Macie Detecting sensitive data in DynamoDB with Macie GitHub Samples: Macie Findings to Slack Github Samples: Performing analytics on HAQM Macie classification job results Workshop: Data Discovery and Classification with HAQM Macie
AWS Secrets Manager	General Security	Security Blog Posts How to use AWS Secrets & Configuration Provider with your Kubernetes Secrets Store CSI driver How to replicate secrets in AWS Secrets Manager to multiple Regions How to configure rotation windows for secrets stored in AWS Secrets Manager GitHub Samples: Secrets Manager Rotation Lambdas GitHub Samples: Secrets Manager SSH Key Rotation Workshop: Store, retrieve and manage sensitive credentials in AWS Secrets Manager

Detection and Incident response

AWS Security Service	Self-Service		Guided		Managed
AWS Security Service	Start Right	Run Well	APN Offerings	AWS Offerings	AWS Managed Services	Managed Security Service Providers (MSSPs)
Threat Detection/Incident Response	Activation Days: Continuous Compliance, Detective Controls, Vulnerability Management, and Incident Investigation and Response Workshops: Detection and Response AWS Security Best Practices: Monitoring and Alerting		AWS Security Competency Partners > Threat Detection and Response	AWS Solution: Automated Security Response on AWS	AWS Managed Services	MSSP > Threat Detection
HAQM Detective	General Security	Adding Detective URLs for findings to Splunk Detective Multi Account Enablement Scripts Security Blog Posts Simplify setup of HAQM Detective using AWS Organization Investigate VPC Flow Logs Analyze and understand IAM role usage with HAQM Detective Rapid Security Investigation and Analysis Training: Getting Started with HAQM Detective	AWS Security Competency Partners > Threat Detection and Response	AWS Professional Services AWS Support AWS IQ
HAQM Inspector	General Security	Security Hub Integration Security Blog Posts Automate vulnerability management and remediation in AWS using HAQM Inspector and AWS Systems Manager Visualize multi account findings Workshop: Vulnerability Management with HAQM Inspector	Inspector Partners
HAQM GuardDuty	General Security	AWS Security Incident Response Guide Incident Response Playbook GuardDuty Multi Account Enablement Scripts GuardDuty Tester for triggering GuardDuty detections Managing findings Monitor GuardDuty activities in CloudTrail Security Blog Posts How Security Operation Centers can use HAQM GuardDuty to detect malicious behavior Threat Response Scenarios Automatically block suspicious DNS activity with HAQM GuardDuty and Route 53 Resolver DNS Firewall Leverage machine learning capabilities How to automate the import of third party threat intelligence feeds into HAQM GuardDuty How to Manage HAQM GuardDuty Security Findings Across Multiple Accounts Workshop: GuardDuty Workshop	GuardDuty partners
AWS Security Hub	General Security	Automation runbook with AWS Systems Manager AWS Security Hub Automated Response and Remediation 3rd Party Product Integrations AWS Security Hub Multi Account Enablement Scripts The top 7 ways to operationalize AWS Security Hub AWS Online Tech Talks Security Blog Posts Best Practices How to deploy the AWS Solution for Security Hub Automated Response and Remediation Use AWS Chatbot in Slack to remediate security findings from AWS Security Hub Use Security Hub custom actions to remediate S3 resources based on Macie discovery results Implement security monitoring across OT, IIoT and cloud with AWS Security Hub Managing Security Hub with AWS Organizations Disabling controls multi account Correlating findings into suspected incidents Automatically resolve findings associated with deleted resources Creating auto suppression rules Two way integration with ServiceNow ITSM Two way integration with Jira Building automated email summaries Workshop: Security Hub Workshop	Security Hub Partners

Identity and access management

AWS Security Service	Self-Service		Guided		Managed
AWS Security Service	Start Right	Run Well	APN Offerings	AWS Offerings	AWS Managed Services	Managed Security Service Providers (MSSPs)
Identity and access management		Organizing Your AWS Environment Using Multiple Accounts Tagging AWS resources Zero Trust on AWS Data Perimeters on AWS Workshops: Identity	AWS Security Competency Partners > Identity and Access Management
AWS Identity & Access Management (IAM)	General Security	Security Best Practices in IAM Security Blog Posts AWS Policy Generator	IAM Partners	AWS Professional Services AWS Support AWS IQ	AWS Managed Services	MSSP > Identity
AWS IAM Access Analyzer	General	Security Blog Posts Validate IAM policies in CloudFormation Templates using IAM Access Analyzer
AWS IAM Roles Anywhere	General	Security Blog Posts
AWS IAM Identity Center (successor to AWS SSO)	General Security	Security Blog Posts	AWS Security Competency Partners > Identity and Access Management
HAQM Cognito	General Security	Security Blog Posts
AWS Directory Service	General Security	Security Blog Posts Active Directory Domain Services on AWS
AWS Resource Access Manager	General Security	Security Blog Posts
AWS Organizations	General Security	Security Blog Posts Best Practices for Organizational Units with AWS Organizations Sumo Logic for AWS Organizations

Network and application protection

AWS Security Service	Self-Service		Guided		Managed
AWS Security Service	Start Right	Run Well	APN Offerings	AWS Offerings	AWS Managed Services	Managed Security Service Providers (MSSPs)
Edge Protection	Security at the Edge: Core Principles Workshops: Infrastructure Security, Implementing DDoS Resiliency , Building a DDoS resilient perimeter and enabling automatic protection at scale					AWS Perimeter Protection MSSP program
AWS Web Application Firewall (WAF)	General Security	Guidelines for Implementing WAF Monitoring Tools AWS Solutions: WAF Automation on AWS Security Blog Posts Analyzing AWS WAF Logs in HAQM CloudWatch Logs Analyze AWS WAF logs using HAQM OpenSearch Service anomaly detection built on Random Cut Forests Create a more secure LAMP stack 3 Most Important Rate Based Rules Securing Custom Origins with AWS WAF Workshop: Protect internet facing applications	WAF Partners	AWS Professional Services AWS Support AWS IQ	AWS Managed Services	MSSP
AWS Shield	General Security	AWS Best Practices for DDoS Resiliency Monitoring Tools Security Blog Posts Protect Dynamic Web Applications Video: Getting Started with Shield Advanced
AWS Network Firewall	General Security	Logging and Monitoring Security Blog Posts Deployment models for AWS Network Firewall Automatically block suspicious traffic with AWS Network Firewall and HAQM GuardDuty
AWS Firewall Manager	General Security	Monitoring Tools Working with FMS Findings AWS Solutions: Automations for AWS Firewall Manager
HAQM Route 53 Resolver DNS Firewall	General Security	Monitoring Route53 Resolver DNS Firewall rule groups with HAQM CloudWatch Security Blog Posts Automatically block suspicious DNS activity with HAQM GuardDuty and Route 53 Resolver DNS Firewall

Have Questions? Connect with an AWS Business Representative

Exploring security roles?

Apply today »

Want AWS Security updates?

AWS Security Start Right/Run Well Program

Operationalization Enablement Tracks

References

Ending Support for Internet Explorer