AWS's security pillar has five areas that map back to NIST: identity and access management (IAM), detection, infrastructure protection, data protection, and incident response.
Centralize identities using either AWS Single Sign-On or a third-party provider to avoid routinely creating IAM users or using long-term access keys—this approach makes it easier to manage multiple AWS accounts and federated applications. Multiple AWS accounts allow you to separate data and resources, and enable the use of Service Control Policies to implement guardrails. AWS Control Tower can help you easily set up and govern a multi-account AWS environment.
Where you cannot use temporary credentials, such as tokens from AWS Security Token Service, store secrets like database passwords in AWS Secrets Manager, which handles encryption, rotation, and access control.
In addition to your application logs, enable logging at the service level, such as Amazon VPC Flow Logs, AWS CloudTrail, and Amazon S3 and Elastic Load Balancer access logging, to gain visibility into events. Configure logs to flow to a central account, and protect them from manipulation or deletion.
Enable AWS Config to track the history of resources, and AWS Config Managed Rules to automatically alert on or remediate undesired changes. For all your sources of logs and events, from AWS CloudTrail to Amazon GuardDuty and your application logs, configure alerts for high-priority events and investigate them.
Use AWS Systems Manager Patch Manager to automate the patching process for all systems and code you are responsible for, including your OS, applications, and code dependencies. Implement distributed denial-of-service (DDoS) protection for your internet-facing resources.
Use security groups to control inbound and outbound traffic, and automatically apply rules for both security groups and WAFs using AWS Firewall Manager. Group different resources into different subnets to create routing layers; for example, database resources do not need a route to the internet.
Enable encryption for all network traffic, including Transport Layer Security (TLS) for web-based network infrastructure you control, using AWS Certificate Manager to provision and manage certificates.
Keep all users from directly accessing sensitive data and systems. For example, provide an Amazon QuickSight dashboard to business users instead of direct access to a database, and perform actions at a distance using AWS Systems Manager automation documents and Run Command.
Build runbooks to outline how the firm will respond to a 'disaster' or other event that disrupts the business. Implement daily backups of key images and data sources. Have a pilot-light or similar DR plan. Consider a second DR plan that uses another cloud platform. Costs, skills, RTO (recovery time objective, i.e. how quickly the application is back online) and RPO (recovery point objective, i.e. the date of the most recent data backup) are the key issues (see the AWS Security Incident Response Guide).
Begin with GuardDuty findings. Turn on GuardDuty and ensure that someone with the ability to take action receives the notifications. Automatically creating trouble tickets is the best way to ensure that GuardDuty findings are integrated with your operational processes.
Simulate and practice incident response by running regular game days, incorporating the lessons learned into your incident management plans, and continuously improving them.
1-Security models and postures vary by firm, industry and even type of application. The AWS Well-Architected Review (WAR) approach helps with security best practices, but it will need significant additions to provide a best-of-breed security model.
2-Functional and non-functional standards, including spreadsheet (xls) checklists, still need to be developed and used consistently across teams in addition to the AWS checklist.
3-Part of security is integrated testing (unit, code, integration, network, DDoS, etc.), along with monitoring, alerting and reporting. Security is therefore tightly related to governance, cost control and environment management.
4-Security is best achieved through standards and common approaches, including least privilege. An example is that all ports are closed on deployment: if port 22 needs to be open for SSH access, that has to be identified in the High Level Design, signed off by Security, and templated (automated) for deployment.
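As an added example (not from AWS or from the text above), the closed-on-deployment rule and the subnet-layering point can be checked continuously by auditing the output of boto3's ec2.describe_security_groups(). The group ids, rules and the idea of a signed-off exception list keyed by group id are assumptions constructed for the sample; the checker itself is a pure function, so it runs offline here and on live API output unchanged.

```python
"""Closed-by-default audit of EC2 security groups: flag all-traffic rules and admin
ports (ssh/rdp) reachable from public sources, unless the group has a signed-off
exception. Pure function over the dicts boto3's ec2.describe_security_groups() returns."""
from ipaddress import ip_network

ADMIN_PORTS = {22: "ssh", 3389: "rdp"}  # open only with a documented HLD exception
PRIVATE = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def _perm(proto, port=None, cidrs=(), sgs=()):
    """Build one IpPermissions entry in the describe_security_groups() shape."""
    p = {"IpProtocol": proto, "IpRanges": [{"CidrIp": c} for c in cidrs],
         "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": g} for g in sgs]}
    if port is not None:
        p["FromPort"], p["ToPort"] = port, port
    return p

# Constructed sample with hypothetical group ids (not from a real account):
SAMPLE_GROUPS = [  # web tier (443 public), legacy admin host, database tier
    {"GroupId": "sg-0aaa0001", "IpPermissions": [_perm("tcp", 443, cidrs=["0.0.0.0/0"])]},
    {"GroupId": "sg-0aaa0002", "IpPermissions": [_perm("tcp", 22, cidrs=["0.0.0.0/0"]),
                                                 _perm("-1", cidrs=["10.0.0.0/8"])]},
    {"GroupId": "sg-0aaa0003", "IpPermissions": [_perm("tcp", 5432, sgs=["sg-0aaa0001"])]},
]

def _is_private(cidr):
    net = ip_network(cidr, strict=False)
    return any(net.version == p.version and net.subnet_of(p) for p in PRIVATE)

def _public_sources(perm):
    """CIDR sources outside RFC 1918 / ULA space (SG-to-SG sources are not CIDRs)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if not _is_private(c)]

def audit_security_groups(groups, approved_exceptions=frozenset()):
    """Return (group_id, reason) findings for rules that break the policy."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            public = _public_sources(perm)
            if not public:
                continue  # private or SG-sourced rule: the preferred pattern
            if perm["IpProtocol"] == "-1":  # every port and protocol
                findings.append((sg["GroupId"], f"all traffic open to {', '.join(public)}"))
            elif (perm["IpProtocol"] in ("tcp", "udp")
                  and sg["GroupId"] not in approved_exceptions):
                for port, name in ADMIN_PORTS.items():
                    if perm["FromPort"] <= port <= perm["ToPort"]:
                        findings.append((sg["GroupId"], f"{name}/{port} open to {', '.join(public)}"))
    return findings
```

Run as a scheduled check (or as the evaluation logic of a custom AWS Config rule) and route findings to a ticket, the same way the text recommends for GuardDuty.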