Enable developers to identify and fix security issues – Implementing DevSecOps with AWS
The shared responsibility approach means that developers and operators should feel equally responsible and capable of identifying and fixing security issues. This can only happen when the security professionals invest time and effort in making other team members aware of the security risks, identifying the right solutions, and enabling them to leverage those solutions. Automation goes a long way, so being on the constant lookout for pockets of optimization is going to help a lot. This also points back to the Awareness and Automation pillars we discussed previously.
What it means for developers
Previously, developers always focused on just application code. Security-focused feedback received from tools and automations should allow them to proactively look into new risks that are being introduced into the system. Also known as shift-left, this methodology aims to identify every security risk, ideally during the development phase itself. Automation plays a big role in defining its success; we will look at a hands-on example of this, toward the end of this chapter.
What it means for the operations team
Security is never done. After the code deployments are completed, the operations team should always keep an eye on any unexpected application patterns, logs, or behaviors. In a way, this is also linked to the observability strategy of the organization, but the core idea here is to shift right and make security an inherent part of day-to-day operational efforts.
Let’s shift gears and discuss what these security assessments look like in practice. We’ll discuss these in the context of AWS specifically.
Securing your workloads in AWS
Running workloads in self-managed on-premises data centers requires safeguarding against a variety of attack vectors, such as applications, platforms, and infrastructure. With providers such as AWS entering the game, your risk postures need to be re-evaluated. The moment you move your applications to the cloud, you transfer some of those risks to the cloud provider, and in other cases, mitigate or introduce new ones. The focus of this section will be to walk you through some practical scenarios and approaches around security in AWS. We will center our discussions around an internet-facing web application, as an example. Let’s start with the common problems software teams face at the onset of their cloud journey.
Security challenges for operating workloads in the cloud
Software teams adopting AWS, or any other cloud provider for that matter, face two common blockers when it comes to security.
© Copyright 2024 morningfun.org