Updated on 2025-05-22 GMT+08:00

Questions and Checklists

Each question below (Question) is followed by its checklist of best practices (Checklist/Best Practice).

SEC01 How do we develop the overall cloud security governance policies?

  1. Set up a security management team.
  2. Establish a security baseline.
  3. Classify assets and compile an asset inventory.
  4. Separate workloads.
  5. Perform threat modeling analysis.
  6. Identify and verify security measures.

SEC02 How do we manage the identity authentication of human-machine interfaces and machine-machine interfaces?

  1. Protect accounts.
  2. Provide a secure login mechanism.
  3. Manage and use credentials securely.
  4. Integrate identity management.

SEC03 How do we manage the permissions of humans and machines?

  1. Define permission access requirements.
  2. Assign appropriate permissions as needed.
  3. Regularly review the permissions.
  4. Securely share resources.

SEC04 How do we design network security?

  1. Divide a network into zones.
  2. Control network traffic access.
  3. Minimize network access permissions.

SEC05 How do we design the operating environment security?

  1. Configure cloud services securely.
  2. Manage vulnerabilities.
  3. Reduce the attack surface.
  4. Manage keys securely.
  5. Manage certificates securely.
  6. Use managed cloud services.

SEC06 How do we design application security?

  1. Use open-source software in a secure and regulation-compliant manner.
  2. Establish secure coding specifications.
  3. Implement white-box code review.
  4. Apply secure application configuration.
  5. Perform penetration testing.

SEC07 How do we design data security?

  1. Identify data within workloads.
  2. Implement data protection controls.
  3. Monitor data operations.
  4. Encrypt data at rest.
  5. Encrypt data in transit.

SEC08 How do we design data privacy protection?

  1. Specify privacy protection policies and principles.
  2. Proactively notify data subjects.
  3. Obtain data subjects' choice and consent.
  4. Ensure data collection compliance.
  5. Ensure data use, retention, and disposal compliance.
  6. Ensure the compliance of personal data disclosure to third parties.
  7. Enable data subjects to exercise their right to access their personal data.

SEC09 How do we implement security awareness and threat detection?

  1. Manage logs in a standardized manner.
  2. Record and analyze security events.
  3. Perform security audits.
  4. Maintain security posture awareness.

SEC10 How do we respond to security incidents?

  1. Establish a security response team.
  2. Develop an incident response plan.
  3. Automate responses to security incidents.
  4. Perform security incident drills.
  5. Establish a review mechanism.