This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.
Implement controls
Appendix A: Detailed Advice and Guidance of the Good Practice Guide describes in detail both the security controls that AWS customers should require of a cloud provider and the controls that they should implement themselves when consuming that provider's services (AWS, in this case). These follow the structure of the NCSC's 14 Cloud Security Principles, examining each in turn and detailing provider requirements under the heading "The Cloud Provider should:" and customer responsibilities under "The Service User should:". For the remainder of this whitepaper, the AWS customer is synonymous with the Service User. The guidance in the Good Practice Guide recognises the Shared Responsibility Model for security in the cloud, which apportions responsibility for the security of each element of the cloud, and of its use, to the party best placed to manage it. In summary, AWS is responsible for the security of the cloud, while customers are responsible for security in the cloud.
This section provides prescriptive guidance on how to implement the required controls specifically in AWS. It is intended to be read in conjunction with the companion AWS whitepaper Using AWS in the Context of NCSC UK's Cloud Security Principles (which explains how AWS fulfils its responsibility for the security of the cloud) and the document "Security Controls Mapping - Health and Social Care Cloud Security" (derived directly from the guidance and obtainable on request from Compliance Support).
Not all of the controls described in this section are necessarily required for a given system being deployed to AWS; those required depend on the system's Risk Classification. Refer to Appendix A: Detailed Advice and Guidance of the Good Practice Guide for authoritative information on which controls to apply.