Security - eBook (EN)

AWS Security Checklist

Issue link: https://read.uberflip.com/i/1472544


Data Protection

1. Protect data at rest. Use AWS Key Management Service (KMS) to protect data at rest across a wide range of AWS services and your applications. Enable default encryption for Amazon EBS volumes, and Amazon S3 buckets.

2. Encrypt data in transit. Enable encryption for all network traffic, including Transport Layer Security (TLS) for web based network infrastructure you control using AWS Certificate Manager to manage and provision certificates.

3. Use mechanisms to keep people away from data. Keep all users away from directly accessing sensitive data and systems. For example, provide an Amazon QuickSight dashboard to business users instead of direct access to a database, and perform actions at a distance using AWS Systems Manager automation documents and Run Command.

Incident Response

1. Ensure you have an incident response (IR) plan. Begin your IR plan by building runbooks to respond to unexpected events in your workload. For details, see the AWS Security Incident Response Guide.

2. Make sure that someone is notified to take action on critical findings. Begin with GuardDuty findings. Turn on GuardDuty and ensure that someone with the ability to take action receives the notifications. Automatically creating trouble tickets is the best way to ensure that GuardDuty findings are integrated with your operational processes.

3. Practice responding to events. Simulate and practice incident response by running regular game days, incorporating the lessons learned into your incident management plans, and continuously improving them.

Notices

Customers are responsible for making their own independent assessment of the information in this document. This document: (a) is for informational purposes only, (b) represents current AWS product offerings and practices, which are subject to change without notice, and (c) does not create any commitments or assurances from AWS and its affiliates, suppliers or licensors. AWS products or services are provided "as is" without warranties, representations, or conditions of any kind, whether express or implied. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

© 2022 Amazon Web Services, Inc. or its affiliates. All rights reserved.

For more best practices, see the Security Pillar of the Well-Architected Framework and Security Documentation.
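
To illustrate Incident Response item 2, here is an added example (not part of the AWS checklist) that turns a GuardDuty finding, as delivered through Amazon EventBridge, into a ticket record. The ticket fields, the paging policy and the sample event are assumptions made for illustration.

```python
# Added example: route GuardDuty findings (delivered via EventBridge) to tickets.

# EventBridge rule pattern that selects GuardDuty findings for the rule's target.
EVENT_PATTERN = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}

# GuardDuty severity bands (lower bound, label), highest first.
BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (1.0, "Low")]
PAGE_ON = {"Critical", "High", "Unknown"}  # assumption: these page the on-call


def severity_label(score):
    """Map a numeric GuardDuty severity to its band; unparseable -> 'Unknown'."""
    try:
        score = float(score)
    except (TypeError, ValueError):
        return "Unknown"
    for floor, label in BANDS:
        if score >= floor:
            return label
    return "Unknown"


def finding_to_ticket(event):
    """Build a ticket dict from an EventBridge event, or None if not a finding."""
    kind = (event.get("source"), event.get("detail-type"))
    if kind != ("aws.guardduty", "GuardDuty Finding"):
        return None
    d = event.get("detail") or {}
    label = severity_label(d.get("severity"))
    return {
        # Recurrences reuse the finding id, so this key lets the ticket
        # system update the open ticket instead of opening a duplicate.
        "dedupe_key": "/".join(
            [d.get("accountId", "?"), d.get("region", "?"), d.get("id", "?")]),
        "title": f"[{label}] {d.get('type', 'unknown finding type')}",
        "body": d.get("description", ""),
        "severity": label,
        "page_oncall": label in PAGE_ON,  # malformed findings reach a human too
    }


# Constructed sample event (not real data).
SAMPLE = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {"id": "example-finding-id", "accountId": "111122223333",
               "region": "us-east-1", "severity": 8,
               "type": "UnauthorizedAccess:EC2/SSHBruteForce",
               "description": "Constructed sample description."},
}
```

A finding with a missing or unparseable severity is labelled Unknown and still pages, so a malformed event is never dropped silently.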
