Contents
- The Security Pillar explained
- The 7 design principles
- Shared Responsibility Model revisited
- IAM: least privilege principles
- Detection: GuardDuty, Security Hub, Macie
- Response: IR runbooks, backup, recovery
- Compliance: SOC 2, HIPAA, PCI on AWS
- Next step
- Frequently asked questions
- Is the AWS Well-Architected Framework free to use?
- How often should we review our workloads against the Security Pillar?
- Do we need all AWS native security services or can we use third-party tools?
- How much does it cost to fully implement the Security Pillar?
- What is the difference between Security Hub and GuardDuty?
- Can we achieve SOC 2 on AWS without a dedicated security team?
Most AWS security incidents we see in LATAM subsidiaries of US multinationals are not caused by sophisticated attackers. They are caused by over-permissive IAM roles, public S3 buckets, and detection gaps that let an intruder operate undetected for weeks. The AWS Well-Architected Framework's Security Pillar exists precisely to close those gaps with a repeatable method, not with ad-hoc fixes after an audit finding.
This guide breaks down the Security Pillar the way a CISO or cloud architect needs it: what it actually requires, how the Shared Responsibility Model has shifted with managed services, and which native AWS services map to each control. The goal is to give you a working checklist you can take into your next architecture review, not a theoretical overview.
If you are still planning your move to AWS, we recommend reading our complete guide to cloud migration first, since several Security Pillar decisions (account structure, network topology, encryption) are much cheaper to make before workloads land in production.
The Security Pillar explained
The Security Pillar is one of six pillars in the AWS Well-Architected Framework. It defines how to protect data, systems, and assets while delivering business value through risk assessments and mitigation strategies. In practice, it is organized into seven domains: security foundations, identity and access management, detection, infrastructure protection, data protection, incident response, and application security (the last one was formalized more recently).
The pillar is not a certification and it is not a compliance framework. It is a design review mechanism. AWS publishes the full Security Pillar whitepaper with questions your architecture should answer, and the Well-Architected Tool (free in the AWS console) lets you score any workload against those questions. A typical first review surfaces between 15 and 30 high-risk issues in a workload that was never assessed before [VERIFY: AWS WA Tool average findings per first review, AWS re:Invent sessions].
The value is not the score. The value is converting each finding into a backlog item with an owner, which is how security stops being an afterthought and becomes part of the delivery cadence.
The 7 design principles
AWS condenses the Security Pillar into seven design principles that should guide every architecture decision:
- Implement a strong identity foundation. Centralize identity, enforce least privilege, and eliminate long-lived credentials.
- Maintain traceability. Log, monitor, and audit every action. Integrate logs with alerts and automated responses.
- Apply security at all layers. Defense in depth across edge, VPC, subnet, load balancer, instance, OS, application, and code.
- Automate security best practices. Use infrastructure as code so controls are versioned and repeatable.
- Protect data in transit and at rest. Classify data, encrypt by default, and restrict access based on sensitivity.
- Keep people away from data. Reduce direct human access to production data using tooling and automation.
- Prepare for security events. Have incident response runbooks, tested recovery procedures, and simulations.
These principles are not aspirational. Every AWS native security service maps to at least one of them, and every audit finding you will ever receive can be traced back to violating one.
Shared Responsibility Model revisited
The Shared Responsibility Model is usually summarized as "AWS secures the cloud, you secure what is in the cloud." That summary is incomplete in 2026 because the boundary moves depending on the service model.
| Service type | AWS responsibility | Customer responsibility |
|---|---|---|
| IaaS (EC2, VPC) | Hypervisor, physical, network fabric | OS patching, apps, IAM, data, network config |
| Container (EKS, ECS) | Control plane, worker node AMI base | Pod security, images, IAM roles for service accounts |
| Serverless (Lambda, Fargate) | Runtime, OS, scaling | Code, IAM, data, event source config |
| Managed DB (RDS, Aurora) | DB engine patching, backups infra | Schema, query access, encryption keys, network |
The mistake we see most often is assuming that because a service is "managed," IAM and network boundaries are also managed. They are not. A Lambda function with an over-permissive execution role is still your problem, not AWS's. For context on how these attack patterns play out, our article on the most frequent web attacks documents several cases that started with a misconfigured IAM policy.
IAM: least privilege principles
Identity is the new perimeter in AWS. If your IAM policies are loose, nothing else you do matters. A working least-privilege model in AWS has four layers:
- AWS Organizations with Service Control Policies (SCPs) to set guardrails across accounts (for example, deny creation of IAM users, enforce regions, require encryption).
- IAM Identity Center (formerly SSO) as the single entry point for humans, integrated with your corporate IdP. No IAM users for employees.
- IAM Roles with scoped policies for workloads, granted via resource-based policies or role assumption, never via access keys embedded in code.
- Permission boundaries and session policies to limit what developers can grant when they create roles.
Practical rules that pay off quickly: enable IAM Access Analyzer in every account, rotate any remaining access keys every 90 days, block public access at the S3 account level, and require MFA for any role that can modify IAM or KMS. Tools like iamlive and AWS Access Analyzer's policy generation feature let you build policies from observed CloudTrail activity instead of guessing.
Detection: GuardDuty, Security Hub, Macie
Detection in AWS is a layered stack. Each service covers a specific surface, and they are designed to feed into each other:
- Amazon GuardDuty continuously analyzes CloudTrail, VPC Flow Logs, DNS logs, EKS audit logs, and S3 data events for threats (crypto mining, credential exfiltration, reconnaissance). Enable it organization-wide from the management account.
- AWS Security Hub aggregates findings from GuardDuty, Inspector, Macie, IAM Access Analyzer, Config, and third-party tools. It scores compliance against CIS AWS Foundations, PCI DSS, NIST 800-53, and AWS FSBP.
- Amazon Macie discovers and classifies sensitive data (PII, PHI, credentials) in S3. Critical before you try to certify HIPAA or handle customer PII.
- AWS Config records resource configuration changes and evaluates them against rules. Essential for audit evidence.
- Amazon Inspector scans EC2, ECR images, and Lambda functions for CVEs and network reachability issues.
The failure mode here is turning everything on and ignoring the findings. A mature setup routes Security Hub findings to a SIEM (or to a dedicated security account) and has SLAs per severity, typically 24 hours for critical and 7 days for high [VERIFY: common SLA benchmarks per AWS Security Reference Architecture].
Response: IR runbooks, backup, recovery
Detection without response is theater. The Security Pillar requires documented incident response runbooks for the scenarios most likely to hit your workloads: compromised IAM credentials, exposed S3 data, ransomware on EC2, and compromised CI/CD pipelines.
A usable runbook specifies: who declares the incident, which AWS APIs to call to contain it (revoke sessions with aws iam delete-access-key, quarantine an EC2 instance by replacing its security group, isolate an account via SCP), how to preserve forensic evidence (EBS snapshots, CloudTrail export), and how to communicate with legal and customers.
Recovery depends on backups that attackers cannot reach. In AWS this means AWS Backup with vault lock in a separate account, cross-region replication for critical S3 buckets, and periodic restoration drills. Untested backups are not backups. For the cost side of running detection, recovery, and multi-region replication, see our notes on FinOps and AWS cost optimization, since security spend is often 8–15% of a mature AWS bill.
Compliance: SOC 2, HIPAA, PCI on AWS
AWS itself is certified against virtually every major framework, and AWS Artifact gives you the attestation reports. Your responsibility is to prove that your workloads, on top of AWS, meet the framework's controls.
- SOC 2 Type II. Focus on access controls (IAM Identity Center + CloudTrail), change management (IaC + Config), and monitoring (Security Hub + GuardDuty). Expect a 6 to 12 month observation window.
- HIPAA. Sign the BAA with AWS, restrict PHI to HIPAA-eligible services, encrypt everything with customer-managed KMS keys, and use Macie for discovery.
- PCI DSS. Segment the cardholder data environment into its own account/VPC, use AWS WAF and Shield, enable full CloudTrail and VPC Flow Logs retention (at least one year), and run quarterly ASV scans.
Security Hub's compliance standards automate roughly 60–70% of the technical evidence collection for these frameworks [VERIFY: AWS Security Hub coverage percentages per framework, AWS documentation]. The rest is policies, training, and process. For a broader view of the regulatory landscape, our 2026 enterprise cybersecurity guide covers how these frameworks interact with regional requirements.
Next step
If your AWS environment has never been formally reviewed against the Security Pillar, the highest-leverage action is a focused assessment covering IAM, detection, and incident response. Contact us to book a 30-minute diagnostic and walk out with a prioritized list of findings and owners.
Frequently asked questions
Is the AWS Well-Architected Framework free to use?
Yes. The Well-Architected Tool is available at no cost in the AWS console, and the Security Pillar whitepaper is publicly available. AWS Partners can also conduct formal reviews that may qualify you for remediation credits.
How often should we review our workloads against the Security Pillar?
At minimum once a year, and always before a major release, a new compliance certification, or after a security incident. High-change environments benefit from quarterly reviews focused on a single pillar rotation.
Do we need all AWS native security services or can we use third-party tools?
GuardDuty, CloudTrail, Config, and IAM Access Analyzer are effectively mandatory because they cover telemetry no third party can replicate at the same depth. Security Hub, Inspector, and Macie can be replaced by equivalent third-party tools if they are already part of your stack, as long as findings are centralized.
How much does it cost to fully implement the Security Pillar?
For a mid-size AWS footprint (20–50 accounts), expect native security services to represent 8–15% of your monthly AWS bill, with GuardDuty and CloudTrail being the largest line items. The one-time implementation effort is typically 3–6 months with a dedicated team.
What is the difference between Security Hub and GuardDuty?
GuardDuty is a threat detection service that analyzes logs and generates findings about suspicious activity. Security Hub is an aggregator that consolidates findings from GuardDuty and many other sources, scores them against compliance frameworks, and provides a single pane of glass. You need both.
Can we achieve SOC 2 on AWS without a dedicated security team?
Technically yes for a small workload, but in practice you will need at least a part-time security engineer plus a compliance advisor. AWS automates much of the technical evidence, but policies, vendor management, and audit coordination still require human ownership.
Need to strengthen your platform security?
Schedule a free assessment with our team.
Talk to an expert