AWS CAF

AWS CAF helps organizations migrating to cloud computing in their cloud adoption journey by providing best practices and guidance through this framework. It breaks the guidance down into manageable areas of focus for building cloud-based systems, and these areas can be mapped to individual units of an organization. The focus areas are known as perspectives, and there are six of them. Each perspective is further broken into components.

There are three perspectives each for business stakeholders (business, people, and governance) and technology stakeholders (platform, security, and operations), as shown in the following figure:


Figure 3: AWS Cloud Adoption Framework perspectives

Each perspective is made up of responsibilities owned by one or more stakeholders, known as CAF capabilities. These capabilities are the standards, skills, and processes that define what is owned and/or managed by these stakeholders for their organization's cloud adoption journey. You map these capabilities to roles within your organization and identify gaps in your existing stakeholders, standards, skills, and processes on the way to your cloud journey.

Security Perspective

The security perspective provides guidance for aligning organizational requirements relating to security control, resilience, and compliance for all workloads developed and deployed in the AWS cloud. It lists the processes and skills required for stakeholders to ensure and manage security in the cloud. It helps you select security controls and structure them as per your organization's requirements to transform the security culture in your organization.

The security perspective has capabilities that target the following roles in an organization: Chief Information Security Officer, IT Security Managers, IT Security Analysts, Head of Audit and Compliance, and all resources in Auditing and Compliance roles.

The security perspective consists of the following four components.

Directive Component

This component provides guidance to all stakeholders that are either operating or implementing security controls in your environment on planning your security approach for migrating to the AWS cloud. It includes controls such as security operations playbooks and runbooks, least privilege access, data locality, change and asset management, and so on. The directive component includes activities such as monitoring the teams through centralized phone and email distribution lists, and integrating development, security, and operations team roles and responsibilities to create a culture of DevSecOps in your organization.

Preventive Component

This component is responsible for providing guidance for implementing a security infrastructure within your organization and with AWS. You should enable your security teams to build skills such as automation and deployment for securing your workloads in agile, dynamic, elastic, and scalable cloud environments. This component builds on the identification of security controls carried out in the directive component. In this component, you learn to work with these controls; for example, you will look at your data protection policies and procedures and tweak them if required. Similarly, you will revisit your identity and access measures and your infrastructure protection measures too. Consider establishing a minimum security baseline as part of this component.

Detective Component

This component deals with logging and monitoring to help you gain visibility into the security posture of your organization. Logging and monitoring, along with event analysis and testing, will give you operational agility as well as transparency for the security controls you have defined and operate regularly. This component includes activities such as security testing, asset inventory, monitoring and logging, and change detection. You should define your logging requirements with AWS native logging capabilities in mind, alongside conducting vulnerability scans and penetration testing as per AWS's pre-defined process.
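As an added illustration of the change-detection activity in the detective component (this is example code, not from the book or from AWS), the following Python pass reads a CloudTrail-style JSON document and flags records that alter the security posture or come from the root account. The record layout and the event names (for example `AuthorizeSecurityGroupIngress`, `StopLogging`, `ConsoleLogin`) follow the public CloudTrail record format; the sample records, user names, and security group ID are constructed for the example.

```python
"""Minimal change-detection pass over CloudTrail-style records.

Added example, not from the book. The record shape follows the public
CloudTrail format (eventName, eventSource, userIdentity, ...); the sample
events below, including actor names and the group ID, are constructed.
"""
import json

# Constructed sample log: one benign read, two posture changes, one root login.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0"}},
    {"eventTime": "2024-01-01T10:07:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1",
     "userIdentity": {"type": "Root"}},
    {"eventTime": "2024-01-01T10:09:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "Root"}},
]})

# Write/alter API calls that change the security posture and therefore belong
# in a change-detection rule set. The keys are real CloudTrail eventName values.
CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress": "network exposure change",
    "AuthorizeSecurityGroupEgress": "network exposure change",
    "PutBucketPolicy": "data access policy change",
    "StopLogging": "audit logging disabled",
    "DeleteTrail": "audit logging disabled",
    "CreateAccessKey": "credential issuance",
    "AttachUserPolicy": "privilege change",
}


def classify(record):
    """Return a finding dict for a record that matters, or None for a benign one."""
    identity = record.get("userIdentity", {})
    actor = identity.get("userName") or identity.get("type", "unknown")
    name = record.get("eventName")
    reasons = []
    if name in CHANGE_EVENTS:
        reasons.append(CHANGE_EVENTS[name])
    # Any root activity is worth surfacing under a least-privilege baseline,
    # even for an event that is otherwise harmless.
    if identity.get("type") == "Root":
        reasons.append("root account activity")
    if not reasons:
        return None
    return {"time": record.get("eventTime"), "actor": actor,
            "event": name, "reasons": reasons}


def detect_changes(log_text):
    """Parse a CloudTrail-style JSON document and return findings in log order."""
    records = json.loads(log_text).get("Records", [])
    return [f for f in (classify(r) for r in records) if f]


if __name__ == "__main__":
    for finding in detect_changes(SAMPLE_LOG):
        print(finding)
```

Running it on the constructed log yields three findings and skips the `DescribeInstances` read. In practice the rule table would be much larger and the findings would feed an alerting pipeline; the point here is that the detective control is a small, testable function over the native log format rather than a manual review.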

Responsive Component

This component guides you in responding to any security events in your organization by incorporating your existing security policies into the AWS environment. It guides you to automate your incident response and recovery processes, thereby enabling you to devote more resources to performing forensics and root cause analysis for these incidents. It includes activities such as forensics, incident response, and security incident response simulations. You should consider updating and automating your security responses as per the AWS environment and validating them by running simulations.
