Improve the Security of your Cloud Environment with an AWS Well-Architected Review


Improved security for your data

CirrusHQ is an Amazon Web Services (AWS) Advanced Consulting and Solution Provider partner, which means we work with AWS clients to ensure their investment in AWS, the world’s most comprehensive and broadly adopted cloud platform, is optimised and delivers all it should.

AWS currently offers hundreds of fully featured services from a host of global data centres, allowing clients to leverage AWS to lower their costs, become more agile and innovate faster.

But these cloud environments need monitoring to ensure they remain optimised, which is where well-architected reviews (WAR) come in. We have previously explained what a WAR is, what it includes and the main benefit it delivers, cost optimisation.

When undertaking a WAR, the benefits come from the remediation actions that are highlighted while checking that architectural best practices are followed across five key areas, or pillars:

  • Operational excellence  
  • Security  
  • Reliability  
  • Performance efficiency  
  • Cost optimisation   

These pillars include unique design principles which give rise to important benefits once the issues found during the WAR process have been remediated. From our research into reviews undertaken by CirrusHQ, the second most important benefit delivered to our clients comes from addressing the question ‘How do you protect your data at rest?’.


Security in the AWS Cloud

The Security pillar is critical to addressing the challenging environment all organisations find themselves working within. It encompasses the ability to protect data, systems and assets, and to leverage cloud technologies to improve security.

There are seven design principles for security in the AWS cloud:

#1 Implement a strong identity foundation: The principle of least privilege should be used and duties separated, with appropriate authorisation for interactions with your AWS resources.

#2 Enable traceability: Monitor, alert and audit actions and changes to your environment in real time, whilst integrating log and metric collection to automate investigations and take actions.

#3 Apply security at all layers: Utilise defence in depth, with multiple security controls applied at every layer, such as the edge of the network, the VPC, load balancing, every instance and compute service, etc.

#4 Automate security best practices: Automated software-based security will improve your ability to scale securely, quickly and cost-effectively, whilst creating secure architectures.

#5 Protect data in transit and at rest: Classify your data into sensitivity levels and use mechanisms, such as encryption, tokenisation and access control where appropriate.

#6 Keep people away from data: Reduce or eliminate the need for direct access or manual processing of sensitive data to reduce the risk of mishandling or modification and human error.

#7 Prepare for security events: Be prepared with incident management and investigation policies and processes that match your needs, then run incident response simulations.


Data risks uncovered through well-architected reviews (WAR)

This best practice looks at the security of your data while it is stored in AWS, in areas such as databases, operating system drives and S3 (Amazon Simple Storage Service), the AWS service that provides object storage through a web service interface.

There are a number of risks our WARs have highlighted, starting with the fact that unencrypted data is at risk of access by external malicious actors. Secondly, if not stored securely, leaked encryption keys can allow unauthorised access to this data. Finally, users with overly broad permissions may gain unauthorised access to data and encryption keys, or accidentally leak keys or data.


Security best practice

Best practice specifies that this data should be encrypted to stop malicious users from accessing it without permission, and that this protection should be enabled by default and automated where possible so that no areas are missed.

Also, keys used for encryption should be securely stored, and only users who need access for their role should be allowed to access the encryption keys and data.

It is worth covering a few of the most common security remediations CirrusHQ has carried out, following a WAR:

  • Enabling encryption on all data at rest within AWS, covering these areas and more:
    • S3
    • RDS databases
    • EBS storage
    • EFS storage
  • Securing encryption keys in KMS, both AWS-managed and customer-managed
  • Using CloudHSM hardware security modules for keys
  • Enforcing least-privilege access
  • Automating the encryption of data
  • Enabling users to get the results they need without direct access to data, using dashboards and other mechanisms to keep people away from the raw data
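As an added illustration of the first two remediation items (not CirrusHQ's review tooling), the Python below audits a constructed AWS inventory for stores with no encryption at rest and for KMS key policies that are too open. The inventory is made up for the example; its field names mirror the AWS API responses (S3 GetBucketEncryption, EC2 DescribeVolumes, RDS DescribeDBInstances, EFS DescribeFileSystems, KMS GetKeyPolicy) and the account ID is a placeholder.

```python
"""Audit a constructed AWS inventory for the data-at-rest risks a WAR flags."""

# Constructed sample inventory, not real account data. Field names mirror the AWS
# API responses (S3 GetBucketEncryption, EC2 DescribeVolumes, RDS
# DescribeDBInstances, EFS DescribeFileSystems, KMS GetKeyPolicy).
ACCOUNT_ROOT = "arn:aws:iam::111122223333:root"  # placeholder account
INVENTORY = {
    "s3": {"logs-bucket": {"SSEAlgorithm": "aws:kms"}, "uploads-bucket": None},
    "ebs": [{"VolumeId": "vol-0aaa", "Encrypted": True},
            {"VolumeId": "vol-0bbb", "Encrypted": False}],
    "rds": [{"DBInstanceIdentifier": "orders-db", "StorageEncrypted": False}],
    "efs": [{"FileSystemId": "fs-0ccc", "Encrypted": True}],
    "kms": {
        "key-app": {"Statement": [
            {"Effect": "Allow", "Principal": {"AWS": ACCOUNT_ROOT},
             "Action": "kms:*", "Resource": "*"},
            {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
             "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"}]},
        "key-open": {"Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "kms:*", "Resource": "*"}]},
    },
}


def audit_encryption_at_rest(inv: dict) -> list:
    """One finding per store with no encryption at rest (S3 default rule, EBS, RDS, EFS)."""
    findings = [f"s3:{b}: no default encryption rule" for b, cfg in inv["s3"].items() if not cfg]
    findings += [f"ebs:{v['VolumeId']}: unencrypted" for v in inv["ebs"] if not v["Encrypted"]]
    findings += [f"rds:{d['DBInstanceIdentifier']}: unencrypted" for d in inv["rds"] if not d["StorageEncrypted"]]
    findings += [f"efs:{f['FileSystemId']}: unencrypted" for f in inv["efs"] if not f["Encrypted"]]
    return findings


def audit_key_policies(inv: dict, account_root: str = ACCOUNT_ROOT) -> list:
    """Flag key policies that let anyone use the key, or give kms:* to a non-root principal."""
    findings = []
    for key_id, policy in inv["kms"].items():
        for st in policy["Statement"]:
            if st.get("Effect") != "Allow":
                continue
            principal = st.get("Principal")
            actions = st.get("Action")
            actions = [actions] if isinstance(actions, str) else list(actions)
            if principal == "*" or principal == {"AWS": "*"}:
                findings.append(f"kms:{key_id}: Allow statement with wildcard principal")
            elif any(a in ("kms:*", "*") for a in actions) and principal != {"AWS": account_root}:
                findings.append(f"kms:{key_id}: kms:* granted beyond the account root")
    return findings
```

The account-root statement on `key-app` is the standard one that delegates key permissions to IAM and is deliberately not flagged; only the wildcard-principal policy on `key-open` and the three unencrypted stores produce findings.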

It is also worth remembering that AWS recommend you conduct a WAR every 12-18 months, to evaluate your AWS architectures and identify any issues.

Our AWS Certified Solutions Architects and Well-Architected Ambassadors leverage their expertise to undertake a deep-dive review into the performance of your existing AWS workloads. We then recommend how these workloads can be re-architected so that they adhere to best practices and meet your business goals.

From the review we develop an action plan with you to carry out the recommended remediations. Once a plan is agreed, we will also assist you in applying for $5000 of AWS service credits from AWS (T&Cs apply) to offset against the costs of CirrusHQ carrying out the improvement or remediation work.


Are you ready for WAR?

We have looked at the reasons for a WAR and the likely remediations under the security pillar; now we’ll cover the likely benefits, most of which come under the heading ‘keeping your data safe, keeping your organisation secure’.

The benefits delivered following remediation actions include:

  • Securing data in transit and while at rest in AWS
  • Decreasing the likelihood of data leakage
  • Securing keys for encryption to reduce the risk of unauthorised access to your data
  • Providing users with the tools they need to do their job while still securing your data

In the current climate, when the news carries stories of hacking, ransomware and data theft on an almost daily basis, security has to be in your top three priorities. As an AWS client, you can work with CirrusHQ to minimise the risks to your data, with AWS helping pay towards keeping you safe – what’s not to like? 

Check back regularly to read valuable insights that will help you get more from your AWS Cloud environment, some of which will be technical in approach and some, such as this one, focused on the likely business benefits of getting a WAR started.



CirrusHQ have identified and remediated thousands of high risks for organisations, to reduce cost, improve application performance and reduce security risks in their AWS environment.

Optimise your Cloud with an in-depth review of your infrastructure to accelerate your Cloud journey – Contact us.