Securing your workloads

A workload is a collection of resources and code that delivers business value, such as a customer-facing application or a backend process. As you build and deploy workloads on AWS, the controls in this section help you protect your data, limit exposure of sensitive resources, and establish secure defaults. The controls cover managing application secrets, restricting access scope, minimizing access routes to private resources, and encrypting data in transit and at rest.

This section contains the following topics:

WKLD.01 Use IAM roles for compute environment permissions
WKLD.02 Restrict credential usage scope with resource-based policies
WKLD.03 Use ephemeral secrets or a secrets management service
WKLD.04 Prevent application secrets from being exposed
WKLD.05 Detect and remediate when secrets are exposed
WKLD.06 Use AWS Systems Manager instead of SSH or RDP
WKLD.07 Enable CloudTrail data events for Amazon S3 buckets with sensitive data
WKLD.08 Encrypt Amazon EBS volumes
WKLD.09 Encrypt Amazon RDS databases
WKLD.10 Deploy private resources into private subnets
WKLD.11 Restrict network access with security groups
WKLD.12 Use VPC endpoints to access supported AWS and external services
WKLD.13 Require HTTPS for public web endpoints
WKLD.14 Use edge protection services for public endpoints
WKLD.15 Define security controls in templates and deploy them by using CI/CD practices

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

ACCT.13 Use short-lived credentials for access to your AWS resources

WKLD.01 Use IAM roles for compute environment permissions