The document discusses the AWS Well-Architected Framework and how it describes best practices for designing workloads in the cloud across various pillars including security. It then provides answers to several questions relating to implementing security best practices for detecting and investigating security events, protecting network resources, protecting compute resources, protecting data in transit, anticipating and responding to security incidents, and incorporating security in the application development lifecycle. For each question, it recommends relevant Fortinet security solutions that align with AWS security best practices and provides reasons for choosing Fortinet over native AWS services.

1. Yitao Cen,
Head of Product Marketing,
APAC
Alan Chen,
Technical Marketing Engineer,
APAC

2. 2
© Fortinet Inc. All Rights Reserved.
AWS Well-Architected Framework
The AWS Well-Architected Framework
describes key concepts, design principles,
and architectural best practices for designing
and running workloads in the cloud.
By answering a few foundational questions,
learn how well your architecture aligns with
cloud best practices and gain guidance for
making improvements.
Operational Excellence Pillar
Security Pillar
Reliability Pillar
Performance Efficiency Pillar
Cost Optimization Pillar
Sustainability Pillar

3. 3
© Fortinet Inc. All Rights Reserved.
The security pillar describes how to take advantage of cloud technologies to protect data, systems,
and assets in a way that can improve your security posture.
Security Pillar
Security
Foundations
SEC01. How do you
securely operate
your workload?
Identity & Access
Management
SEC02. How do
you manage
authentication for
people and
machines?
SEC03. How do
you manage
permissions for
people and
machines?
Detection
SEC04. How do
you detect and
investigate
security events?
Infrastructure
Protection
SEC05. How do
you protect your
network
resources?
SEC06. How do
you protect your
compute
resources?
Data Protection
SEC07. How do you
classify your data?
SEC08. How do you
protect your data at
rest?
SEC09. How do
you protect your
data in transit?
Incident
Response
SEC10. How do
you anticipate,
respond to, and
recover from
incidents?
Application
Security
SEC11. How do
you incorporate
and validate the
security
properties of
applications
throughout the
design,
development, and
deployment
lifecycle?
https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html

4. 4
© Fortinet Inc. All Rights Reserved.
• Q: How do you detect and investigate security events?
• A: Capture and analyze events from logs and metrics to
gain visibility. Take action on security events and
potential threats to help secure your workload.
• Best Practices:
FortiSIEM and FortiSOAR are ideal choice for satisfying SEC04
best practices.
FortiSIEM support below AWS services integration for centralized
logging and analysis:
• AWS Cloud Trail, AWS Cloud Watch, AWS ELB, AWS Kinesis, AWS RDS,
AWS Security Hub, AWS SQS, AWS S3.
With FortiSOAR implement, you are able to define the most flexible
playbook for automate incident response.
Why Chose Fortinet Solution rather than AWS native services?
• FortiSIEM and FortiSOAR are designed to be the backbone of your
security operations team, delivering capabilities ranging from automatically
building your inventory of assets to applying cutting edge behavioral
analytics to rapidly detect and respond to threats.
• Out-of-box reports are easy for continuous compliance, as well as
visualized threat hunting makes security operation more efficiency.
• Self-learning asset inventory, real-time analytics, streamlined investigation
are all ready-to-use features for offloading security operation team efforts
compare with all DIY using AWS services.
• Industry-leading threat intelligence and deep fabric integration makes you
always up-to-date on detection and automate response across your entire
IT landscape.
Security Pillar - Detection
SEC04
SEC04-BP01 Configure service and application logging
SEC04-BP02 Analyze logs, findings, and metrics centrally
SEC04-BP03 Automate response to events
SEC04-BP04 Implement actionable security events

5. 5
© Fortinet Inc. All Rights Reserved.
• Q: How do you protect your network resources?
• A: Any workload that has some form of network
connectivity, whether it’s the internet or a private
network, requires multiple layers of defense to help
protect from external and internal network-based threats.
• Best Practices:
FortiGate and FortiWeb are ideal choice for satisfying SEC05 best
practices, to protect network traffic, Web based traffic and API
traffic, as well as ensure traffic are all intended.
FortiGate is able to deliver:
• Network segmentation at VPC level
• Site-to-Site VPN and Client-to-Site VPN capabilities
• Traffic/Policy analysis
• Secure data access by integrate with S3 endpoint.
• Traffic inspection via Intrusion Prevention System, Anti-Virus, URL/DNS
Filtering
• Automated incident response
FortiWeb is able to deliver:
• Industry top tier Web and API security
• Anti-Virus for mitigating file upload attack
Why Chose Fortinet Solution rather than AWS native services?
• User friendly management console with Machine Learning based threat
protection.
• Flexible and Cloud native deployment for minimizing influence on existing
architecture.
• The best TCO offering: the only NGFW support AWS Graviton instance.
• Easy to forecast security cost with simple pricing model.
Security Pillar - Infrastructure Protection
SEC05
SEC05-BP01 Create network layers
SEC05-BP02 Control traffic at all layers
SEC05-BP03 Automate network protection
SEC05-BP04 Implement inspection and protection

6. 6
© Fortinet Inc. All Rights Reserved.
• Q: How do you protect your compute resources?
• A: Compute resources in your workload require multiple
layers of defense to help protect from external and
internal threats. Compute resources include EC2
instances, containers, AWS Lambda functions,
database services, IoT devices, and more.
• Best Practices:
In SEC06, AWS suggests to protect the entire workload, including
AWS instances, services and IoT devices. Then security practices
should cover below assets: Host, Workload, Code, Supply Chain,
API.
Fortinet can support security testing in source code, container, web
and API, as well as protecting IoT devices to cover BP01,02,04,05:
• Static or source code testing via FortiDevSec
• Container scanning and IAC scanning via FortiDevSec
• Advanced Web/API Vulnerability testing with Fuzzing via FortiDAST
• Automate compute protection via FortiWeb for Web/API and FortiGate for
EC2/containers and IoT devices
• Secure remote access dedicated for System Operation via FortiPAM
Privilige Access Management
Why Chose Fortinet Solution rather than AWS native services?
• The Easy-to-use and comprehensive portal where users can log in and
view all the issues across all their applications and all the different scan
types.
• Seamless integration with in Fortinet portfolio. Easy to see correlated
results and perform automated protection.
• Noise reduction via intelligently correlates across multiple scan results and
manipulates the risk ratings accordingly.
Security Pillar - Incident Response
SEC06
SEC06-BP01 Perform vulnerability management
SEC06-BP02 Reduce attack surface
SEC06-BP03 Implement managed services
SEC06-BP04 Automate compute protection
SEC06-BP05 Enable people to perform actions at a distance
SEC06-BP06 Validate software integrity

7. 7
© Fortinet Inc. All Rights Reserved.
• Q: How do you protect your data in transit?
• A: Protect your data in transit by implementing multiple
controls to reduce the risk of unauthorized access or
loss.
• Best Practices:
In this part, FortiGate can fit in some use cases.
FortiGate is able to deliver:
• Encryption in transit via IPSEC VPN in network-to-network scenario
• Integrate with AWS GuardDuty for automate block unintended data access
Why Chose Fortinet Solution rather than AWS native services?
• User friendly management console, with flexible and cloud native
deployment for minimizing influence on existing architecture.
• High performance to support scale IPSEV VPN tunnels and volume data
transit.
• The best TCO offering: the only NGFW support AWS Graviton instance.
Security Pillar - Data Protection
SEC09
SEC09-BP01 Implement secure key and certificate management
SEC09-BP02 Enforce encryption in transit
SEC09-BP03 Automate detection of unintended data access
SEC09-BP04 Authenticate network communications

8. 8
© Fortinet Inc. All Rights Reserved.
• Q: How do you anticipate, respond to, and recover from
incidents?
• A: Preparation is critical to timely and effective
investigation, response to, and recovery from security
incidents to help minimize disruption to your
organization.
• Best Practices:
Fortinet Cloud Consulting Services and Security Advisory Services
which include incident readiness, playbook and response process
improvement will help customers to apply all best practices in this
chapter.
Fortinet Cloud Consulting services and Security Advisory Services
can help customer on:
• developing incident management plans
• Prepare forensic capabilities
• Automate containment via playbook and Fortinet Security Fabric
With Fortinet professional services, and Tabletop Exercise services,
customer can apply pre-provision access and pre-deploy tools, as
well as run game days aka simulations.
Why choose Fortinet?
• Fortinet is the 20+ year leader in security industry, the
consultants and engineers have expertise in incident readiness
and response.
• Most of security vendors are only good at security instead of
cloud, Fortinet has rich resources on cloud architect and security
consultant and service delivery engineers.
Security Pillar - Incident Response
SEC10
SEC10-BP01 Identify key personnel and external resources
SEC10-BP02 Develop incident management plans
SEC10-BP03 Prepare forensic capabilities
SEC10-BP04 Automate containment capability
SEC10-BP05 Pre-provision access
SEC10-BP06 Pre-deploy tools
SEC10-BP07 Run game days

9. 9
© Fortinet Inc. All Rights Reserved.
• Q: How do you incorporate and validate the security properties of
applications throughout the design, development, and deployment lifecycle?
• A: Training people, testing using automation, understanding dependencies,
and validating the security properties of tools and applications help to
reduce the likelihood of security issues in production workloads.
• Best Practices:
Customer should focus on securing DevOps which also means the
DevSecOps life cycle, covering the Software Development Life
Cycle.
In this chapter, Fortinet can help on BP02, 03 and 07 via
FortiDevSec and FortiDAST with Static and Dynamic scanning
integration with CI/CD pipeline.
FortiDevSec:
• orchestrates and automates continuous application security testing for
developers and DevOps directly into the application CI/CD DevOps
lifecycle.
• It offers comprehensive application scanning, including scanning source
code, open-source/ third party libraries, secret, container images, IaC files
and live web application URLs.
• includes all the above types of scanning to provide comprehensive
vulnerability management. DAST scanning alone is provided through
FortiDAST, but FortiDevSec is seamlessly integrated into and includes
FortiDAST.
Why choose Fortinet?
• The Easy-to-use and comprehensive portal where users can log in and
view all the issues across all their applications and all the different scan
types.
• Scanners get set up automatically. Unified configuration for all your scans
with no need for siloed plugins
• Noise reduction via intelligently correlates across multiple scan results and
manipulates the risk ratings accordingly.
Security Pillar - Application Security
SEC11
SEC11-BP01 Train for application security
SEC11-BP02 Automate testing throughout the development and release lifecycle
SEC11-BP03 Perform regular penetration testing
SEC11-BP04 Manual code reviews
SEC11-BP05 Centralize services for packages and dependencies
SEC11-BP06 Deploy software programmatically
SEC11-BP07 Regularly assess security properties of the pipelines
SEC11-BP08 Build a program that embeds security ownership in workload teams