CI/CD for security services – DevSecOps

As discussed in the previous section, AWS offers multiple cloud-native services, and most of them expose SDKs and APIs that make it easier to integrate them with other applications and processes. Another key theme we just discussed is DevOps, which is essentially a combination of cultural philosophies, practices, and tools that increase an organization's ability to deliver applications and services at high velocity. Now, if applications are being delivered rapidly to various environments while the security organization's policy-related checks are not integrated into those processes, the result can be a nightmare for the organization, wherein some controls are left unattended and open to exploitation. As a result, having security woven into DevOps is a must; this is also called DevSecOps (or SecDevOps).

The core way to achieve this is to treat the security components and services as infrastructure as code and integrate them with the existing DevOps practices. As an example, if the Corporate Security team of an organization has defined standards around how VPCs should be set up for any environment, which NACL rules should be applied, and how IAM users and their policies should be created, then those standards should be captured in CloudFormation templates, which the application teams simply refer to and reuse through nested CloudFormation stacks. This way, the security team focuses on creating and updating the security and networking components that lie in its area of responsibility, and the application team focuses on the code, the testing process, and deployment across the fleet of servers for each environment.

Beyond infrastructure provisioning, this practice can be taken to the next level by adding security checks along the entire software development pipeline, including tests for areas such as the following:

  • Ensuring that code analysis tools are integrated and security-related findings are addressed before pushing to production
  • Enabling audit logs, including services such as AWS CloudTrail logging, apart from standard application logging
  • Running various security tests, including virus/malware scans and penetration testing, which might be required for compliance-sensitive workloads
  • Checking databases and various other static configuration and binary files to ensure that PHI/PII data (such as credit card numbers, social security numbers, and health records) is either encrypted or obfuscated and not available in plain text for any possible exploit

Many customers also make use of custom logic and applications built on AWS Lambda to automate various stages of the preceding pipeline. These functions can not only be executed proactively but also be triggered reactively by events from sources such as CloudWatch monitoring, CloudWatch Events, and SNS alerts.

A couple of other services that help in an effective DevSecOps implementation are AWS Config and Amazon Inspector. AWS Config helps you assess, audit, and evaluate the configurations of your AWS resources, whereas Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices, thereby providing base rules and frameworks out of the box that can be augmented with your custom policies and checks using AWS Lambda-based definitions.
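As an added illustration of the Lambda-backed custom checks and event-triggered functions described above (example code added here, not from the book or from AWS), the following is a custom AWS Config rule handler in Python that flags security groups exposing SSH to the internet. The policy, resource IDs, and sample event are constructed assumptions; the event and evaluation shapes follow what Config passes to and expects from a custom rule.

```python
import json

# Hypothetical organisational policy used by this example: no security group
# may expose SSH (TCP/22) to the whole internet.
RESTRICTED_PORT = 22
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

def rule_covers_port(rule, port):
    # "-1" means every protocol and port; otherwise require TCP and a range hit
    proto = rule.get("ipProtocol")
    if proto == "-1":
        return True
    return proto == "tcp" and rule.get("fromPort", 1) <= port <= rule.get("toPort", 0)

def evaluate_security_group(configuration):
    """Return (ComplianceType, Annotation) for one security group's configuration."""
    for rule in configuration.get("ipPermissions", []):
        ranges = rule.get("ipRanges", []) + rule.get("ipv6Ranges", [])
        cidrs = {r.get("cidrIp") or r.get("cidrIpv6") for r in ranges}
        bad = sorted(cidrs & OPEN_CIDRS)
        if bad and rule_covers_port(rule, RESTRICTED_PORT):
            return "NON_COMPLIANT", f"TCP/{RESTRICTED_PORT} open to {', '.join(bad)}"
    return "COMPLIANT", f"TCP/{RESTRICTED_PORT} is not exposed to the internet"

def build_evaluation(event):
    """Map a Config rule invocation event to one put_evaluations() entry."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        compliance, note = "NOT_APPLICABLE", "rule only covers security groups"
    else:
        compliance, note = evaluate_security_group(item["configuration"])
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance, "Annotation": note,
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

def lambda_handler(event, context):
    """Entry point invoked by AWS Config; reports the verdict back via boto3."""
    evaluation = build_evaluation(event)
    import boto3  # deferred so the evaluation logic above runs offline
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

# Constructed sample event (not from a real account): a group allowing SSH from
# anywhere, shaped as Config delivers it when the group's configuration changes.
SAMPLE_EVENT = {"resultToken": "placeholder-token", "invokingEvent": json.dumps({
    "configurationItem": {
        "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {"ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22,
            "toPort": 22, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]}}})}
```

Wire the function to the rule with the Config "configuration changes" trigger and it runs reactively on every security group change; the same `evaluate_security_group` logic can be reused in a pipeline step against a CloudFormation template before deployment.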
