In addition to mapping controls and technical mitigations from traditional on-premise environments to AWS, a great deal of benefit can be achieved from applying automation to security, and in particular, integrating it with a DevOps model and culture to give “DevSecOps”. We present a set of approaches for integrating automated security testing and security-centric release control into a CI/CD pipeline and feedback loop without appreciably impacting the loop’s cycle rate in this context, and adding automated penetration testing as a further feedback stage for potential Continuous Deployment. CI/CD pipelines themselves need to be secured, so that security tooling cannot be bypassed; we also discuss mechanisms for achieving this.