Discover how Deloitte’s CCMS, powered by Wiz, enhances AWS cloud security with automated workflows, democratized risk management, and streamlined remediation to protect modern cloud environments.
# Best Practices: Cloud Security Posture Management and Remediation in AWS Environments
## Overview
These practices focus on enhancing the cybersecurity posture within Amazon Web Services (AWS) environments by leveraging automated deployment, unified visibility, and collaborative risk remediation, specifically utilizing a framework combining managed services (like Deloitte's CCMS) with agentless cloud security platforms (like Wiz). The goal is to achieve continuous compliance, minimize alert fatigue, and empower development teams to own security within their workflows.
## Key Recommendations
### Immediate Actions
1. **Automate AWS Security Landing Zone Deployment:** Immediately initiate the automated deployment of the defined AWS Security Landing Zone structure, ensuring foundational AWS native security tools are enabled and configured correctly across the organization.
2. **Establish Agentless Visibility Infrastructure:** Deploy the agentless cloud security platform (Wiz) to gain immediate, comprehensive visibility across all existing AWS accounts without requiring agent installation, providing insights within hours.
3. **Integrate Organizational Unit (OU) Onboarding:** Automate the onboarding process of the entire AWS organization into the cloud security platform to ensure continuous governance enforcement from the organizational level down.
### Short-term Improvements (1-3 months)
1. **Implement Team-Specific Project Segmentation:** Automatically create dedicated security projects within the cloud security platform for each corresponding cloud workload account, mirroring the organizational structure.
2. **Integrate Identity for Access Control:** Configure Security Assertion Markup Language (SAML) integration to assign appropriate role-based access to application teams for their dedicated security projects.
3. **Democratize Risk Remediation:** Empower non-security practitioners by providing them direct, tailored access to the cloud security platform's GUI to review and remediate identified issues within their respective projects.
### Long-term Strategy (3+ months)
1. **Establish Automated Alert Triaging Workflows:** Design workflows where initial alerts are directed to the owning application teams for self-remediation. Only unresolved issues after a defined threshold should be escalated centrally.
2. **Integrate Security Findings with SIEM:** Configure automated, aggregated feeds of consolidated security issues (vulnerabilities likely to cause breaches) to the Security Information and Event Management (SIEM) system, prioritizing aggregation to reduce alert volume and SIEM costs.
3. **Enforce Continuous Compliance Monitoring:** Mandate 24x7 support and monitoring (either internal or managed) focused on continuous compliance checks against industry standards for all deployed AWS services and operating systems.
4. **Leverage Predictive Analytics:** Implement and utilize cyber predictive analytics capabilities to foresee and proactively mitigate potential high-impact threats before exploitation occurs.
## Implementation Guidance
### For Small Organizations
- Prioritize the **agentless** deployment mechanism for speed of initial insight and minimal operational overhead.
- Focus initial automation efforts heavily on getting the **AWS Security Landing Zone** established correctly, as this provides necessary foundational guardrails.
- Keep oversight centralized at first; let non-security staff take on remediation tasks only after the security team has validated their access permissions.
### For Medium Organizations
- Fully implement the **Wiz Secured AWS Landing Zone** structure, dedicating a separate project/assignment for each major workload account to maintain manageable scope boundaries.
- Establish clear Service Level Objectives (SLOs) for remediation based on the automated alerting structure; define when an issue moves from being the application team's responsibility to the central security team's.
- Focus on integrating the security platform with existing ticketing systems to streamline the low-level remediation workflow for application teams.
### For Large Enterprises
- Use **asset correlation** capabilities extensively to map risks across complex, interconnected cloud assets, reducing cognitive load for security staff.
- Ensure the remediation workflow strongly supports a **shift-left** strategy, embedding security validation tools directly into CI/CD pipelines where appropriate, augmenting the GUI/console-based remediation.
- Maintain rigorous, centrally managed **industry-aligned controls** deployed automatically, while allowing delegated project owners granular control over non-critical findings within their sandboxes.
## Configuration Examples
*Specific configurations were not detailed in the text, but the following architectural configuration is implied:*
| Component | Configuration Best Practice |
| :--- | :--- |
| **AWS Environment** | Utilize AWS Organizations for centralized multi-account governance. |
| **Cloud Security Platform (Wiz)** | Create a dedicated `Wiz Project` mapped directly to each individual production/development AWS Account ID or Workload OU. |
| **Access Management** | Configure role-based access via **SAML integration**; grant application teams `remediation contributor` roles within their specific Wiz Projects only. |
| **Alerting Pipeline** | Configure automated rules to suppress low-severity findings internally while forwarding aggregated, high-risk vulnerability data to the central SIEM queue for operator triage. |
| **Remediation Flow** | Application team members access findings in the Wiz GUI, resolve the underlying issue in their AWS account, and confirm resolution directly in the platform. |
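The triage workflow described under the long-term strategy (route alerts to the owning team, escalate only what stays unresolved past a threshold, and send an aggregated high-risk feed to the SIEM) and the **Alerting Pipeline** / **Remediation Flow** rows above are shown below as one small Python pipeline. This is an added example, not Wiz, Deloitte or AWS code: the account-to-team mapping, the per-severity SLO hours, the finding records and the rule names are all constructed for the illustration.

```python
"""Added example: per-team routing, SLO-based escalation and SIEM aggregation.

Constructed illustration of the workflow described on this page; it is not
Wiz or Deloitte code. Every record, mapping and threshold below is an
assumption made for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed mapping: one owning application team per workload account
# (mirrors the "one security project per account" segmentation).
ACCOUNT_OWNERS = {
    "111111111111": "payments-team",
    "222222222222": "web-team",
}

# Assumed remediation SLO per severity, in hours. A finding still open past
# its SLO is escalated to the central security team.
SLO_HOURS = {"CRITICAL": 24, "HIGH": 72, "MEDIUM": 168, "LOW": 720}

# Only these severities are forwarded to the SIEM; lower ones stay in the
# platform for the owning team (the "suppress low-severity" rule above).
SIEM_SEVERITIES = {"CRITICAL", "HIGH"}

NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)

# Constructed sample findings (not real data). Account IDs, ARNs and rule
# names are placeholders.
FINDINGS = [
    {"id": "f-1", "account": "111111111111", "severity": "CRITICAL",
     "rule": "public-s3-bucket", "resource": "arn:aws:s3:::pay-logs",
     "detected": NOW - timedelta(hours=80), "resolved": False},
    {"id": "f-2", "account": "111111111111", "severity": "CRITICAL",
     "rule": "public-s3-bucket", "resource": "arn:aws:s3:::pay-exports",
     "detected": NOW - timedelta(hours=5), "resolved": False},
    {"id": "f-3", "account": "222222222222", "severity": "HIGH",
     "rule": "unencrypted-ebs-volume", "resource": "vol-0a",
     "detected": NOW - timedelta(hours=100), "resolved": True},
    {"id": "f-4", "account": "222222222222", "severity": "LOW",
     "rule": "missing-owner-tag", "resource": "i-0b",
     "detected": NOW - timedelta(hours=200), "resolved": False},
    # Account with no registered owner: must not be silently dropped.
    {"id": "f-5", "account": "333333333333", "severity": "HIGH",
     "rule": "unencrypted-ebs-volume", "resource": "vol-0c",
     "detected": NOW - timedelta(hours=10), "resolved": False},
]


def open_findings(findings):
    """Resolved findings leave every queue; only open ones are processed."""
    return [f for f in findings if not f["resolved"]]


def route_findings(findings, owners):
    """Step 1: each open finding goes to the queue of its owning team.

    Accounts without a registered owner fall back to the central team so
    that nothing is lost to a gap in the account-to-team mapping.
    """
    queues = defaultdict(list)
    for f in open_findings(findings):
        team = owners.get(f["account"], "central-security")
        queues[team].append(f["id"])
    return dict(queues)


def escalate_overdue(findings, now, slo_hours):
    """Step 2: open findings older than their severity's SLO are escalated."""
    overdue = []
    for f in open_findings(findings):
        age = now - f["detected"]
        if age > timedelta(hours=slo_hours[f["severity"]]):
            overdue.append(f["id"])
    return overdue


def aggregate_for_siem(findings, severities):
    """Step 3: collapse high-risk findings into one SIEM event per
    (account, rule, severity), listing the affected resources, instead of
    forwarding every raw finding."""
    groups = defaultdict(list)
    for f in open_findings(findings):
        if f["severity"] in severities:
            groups[(f["account"], f["rule"], f["severity"])].append(f["resource"])
    events = []
    for (account, rule, severity), resources in sorted(groups.items()):
        events.append({"account": account, "rule": rule, "severity": severity,
                       "count": len(resources), "resources": sorted(resources)})
    return events


def run_pipeline(findings, owners=ACCOUNT_OWNERS, now=NOW):
    """Run the three steps and return the team queues, the escalation list
    and the aggregated SIEM feed."""
    return {
        "queues": route_findings(findings, owners),
        "escalations": escalate_overdue(findings, now, SLO_HOURS),
        "siem_events": aggregate_for_siem(findings, SIEM_SEVERITIES),
    }


if __name__ == "__main__":
    result = run_pipeline(FINDINGS)
    for team, ids in result["queues"].items():
        print(f"{team}: {ids}")
    print("escalated to central security:", result["escalations"])
    print("SIEM events:", len(result["siem_events"]),
          "from", len([f for f in open_findings(FINDINGS)
                       if f["severity"] in SIEM_SEVERITIES]), "raw findings")
```

On the sample data, only `f-1` (CRITICAL, 80 hours open against a 24-hour SLO) is escalated; the LOW finding that has been open for 200 hours stays with its team because its SLO is longer. The three open HIGH/CRITICAL findings become two SIEM events, since the two public-bucket findings in the same account collapse into one, which is the kind of aggregation the page recommends to keep SIEM volume and cost down. The escalation step is what turns the routing into a measurable SLO rather than an open-ended hand-off.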
## Compliance Alignment
The documented approach aligns with principles derived from:
* **NIST Cybersecurity Framework (CSF):** Strong emphasis on **Identify** (Visibility), **Protect** (Guardrails/Controls), and **Detect/Respond** (Automated workflows, SIEM integration).
* **ISO 27001/27017:** Focus on establishing access control (SAML integration) and deploying documented security policies (Industry-aligned controls).
* **CIS Benchmarks for AWS:** The foundational deployment of the "AWS Landing Zone" inherently enforces many core CIS hardening standards.
## Common Pitfalls to Avoid
1. **Ignoring Agentless Context:** Do not treat findings from agentless scanning as inherently less actionable; high-severity cloud posture risks identified this way are often critical.
2. **Alert Overload (SIEM Noise):** Avoid sending every raw finding directly to the SIEM. The process requires pre-triaging and aggregation by the security platform to reduce noise for the central security team.
3. **Centralizing Remediation:** Do not mandate that the central security team remediate every vulnerability. This negates the benefit of democratizing security by overwhelming experts and delaying fixes for application teams.
4. **Stale Platform:** Do not rely solely on manual checks; use the platform's self-updating nature so that protection evolves automatically as new AWS services are released.
## Resources
- **Security Framework:** Referenced alignment with industry standards for control deployment.
- **Cloud Security Platform:** Wiz (for agentless visibility and workload protection).
- **Foundational Setup:** AWS Security Landing Zone documentation (for initial AWS environment hardening).
- **Managed Service Context:** Deloitte's ConvergeSECURITY/CCMS offerings (representing managed detection, response, and compliance support).