
Best Practices (Security)

The following best practices translate the WAF-SEC controls into concrete, actionable implementation guidance. Each best practice contains:

  • Context and problem description

  • Technical implementation steps

  • Terraform examples (compliant and non-compliant)

  • Anti-patterns

  • Metrics for measuring success

Overview of Security Best Practices

| Best Practice | Title | Description | Related Controls |
| --- | --- | --- | --- |
| BP-IAM | Identity & Access Management | IAM strategy, role hierarchy, MFA enforcement, service accounts via IRSA | WAF-SEC-010, WAF-SEC-020 |
| BP-ENC | Encryption Strategy | Encryption strategy, KMS hierarchy, envelope encryption, TLS configuration | WAF-SEC-030, WAF-SEC-040 |
| BP-NET | Network Security & Segmentation | VPC design, security groups, NACLs, VPC flow logs, PrivateLink | WAF-SEC-050 |
| BP-ZT | Zero Trust Architecture | Identity-first security, 5 pillars of Zero Trust, mTLS, continuous authentication | WAF-SEC-020, WAF-SEC-040, WAF-SEC-050 |
| BP-SEC | Secrets Management | AWS Secrets Manager vs. Vault, secret rotation, dynamic secrets, CI/CD integration | WAF-SEC-060 |
| BP-VM | Vulnerability & Patch Management | Container scanning, AMI patching, dependency scanning, CVE prioritization, patch SLAs | WAF-SEC-070 |

An additional best practice for security monitoring and incident response is described in detail in the Security Event Pipeline and WAF-SEC-080.

Where to Start?

For organizations that are new to cloud security:

  1. Immediately (Day 1): IAM Best Practice – Without a solid IAM foundation, everything else is useless

  2. This week: Secrets Management – Hardcoded credentials are an immediate risk

  3. This month: Network Security – Set up network segmentation

  4. This quarter: Encryption Strategy – Introduce CMK for sensitive data

  5. Longer term: Zero Trust – Maturity-level-dependent transformation

Relationship to Controls

| WAF-SEC Control | Best Practice |
| --- | --- |
| WAF-SEC-010 IAM Baseline | BP-IAM: Identity & Access Management |
| WAF-SEC-020 Least Privilege | BP-IAM: Identity & Access Management |
| WAF-SEC-030 Encryption at Rest | BP-ENC: Encryption Strategy |
| WAF-SEC-040 TLS Enforcement | BP-ENC: Encryption Strategy |
| WAF-SEC-050 Network Segmentation | BP-NET: Network Security |
| WAF-SEC-060 Secrets Management | BP-SEC: Secrets Management |
| WAF-SEC-070 Vulnerability Management | BP-VM: Vulnerability Management |
| WAF-SEC-080 Security Monitoring | Pattern 5: Security Event Pipeline |
| WAF-SEC-090 Policy-as-Code | Pattern 6: Policy-as-Code Gateway |
| WAF-SEC-100 Incident Response | WAF-SEC-100 Detail Page |