AWS re:Invent 2025 - Cyber resilience on AWS, designing security and recovery strategies (GBL204)

Cyber Resilience on AWS: Designing Security and Recovery Strategies

Understanding the Cyber Resilience Challenge

• 65% of organizations reported a cyber attack in 2024
• 90% of cyber attacks involved an attempt to hack backup data, with 50% succeeding
• The average cost of downtime for a critical application is $500,000 to $1 million
• 3 out of 4 companies had a data-targeting outage without a data resiliency plan

The Cyber Resilience Framework

• The NIST Cybersecurity Framework defines cyber resilience as the ability to anticipate, withstand, recover from, and adapt to adverse conditions
• This involves four key elements:
  1. Anticipate: Develop observability, monitoring, and alarming mechanisms to understand and learn from signals and logs
  2. Withstand: Implement layered resilience across infrastructure, application, and data layers
  3. Recover: Establish recovery point objectives (RPOs) and recovery time objectives (RTOs) to enable fast recovery
  4. Adapt: Continuously evaluate and improve resilience posture based on testing and learnings

Protecting Critical Systems

• Implement multi-layer protection services beyond just security, including:
  • Route 53 Resolver, DNS Firewall, VPN, Network Firewall, Shield Advanced
• Build a robust data protection framework with three pillars:
  1. Security: Implement least-privileged access, network segmentation, and security groups
  2. Resilience: Establish disaster recovery, data replication, and backup strategies
  3. Governance: Classify data, manage compliance, and maintain accountability

Detecting and Responding to Threats

• Use a combination of services to understand the attack surface, detect threats, and investigate incidents:
  • Amazon Inspector, Amazon Macie, AWS Security Hub
  • Amazon GuardDuty, Amazon Detective, AWS Security Hub
• Leverage automated, integrated workflows to classify data, identify threats, and trigger self-healing remediation actions

Preparing for Recovery

• Define recovery priorities and a minimal reliable company to restore essential services first
• Implement a 3-2-1-1 data protection strategy:
  • 3 unique copies of data
  • 2 copies stored in separate accounts/regions
  • 1 copy in an immutable, air-gapped vault
  • 1 local copy for operational recovery
• Use AWS Backup and AWS Elastic Disaster Recovery to enable fast, automated recovery

Continuous Improvement

• Test recovery plans regularly through drills and simulations
• Continuously evaluate and adapt resilience strategies based on learnings
• Leverage AWS services like Resilience Hub, AWS Backup Audit Manager, and AWS DRS to simplify and automate resilience management

Key Takeaways

• Cyber resilience is about more than just security - it's about the ability to anticipate, withstand, recover, and adapt to adverse conditions
• Protecting data is not enough - organizations must also focus on data resilience and the ability to recover quickly
• Leveraging the right combination of AWS services can help automate and streamline cyber resilience strategies
• Continuous testing, evaluation, and adaptation are crucial to maintaining effective cyber resilience