ITIL defines a capability as the \ability to carry out an activity" and indicates that capabilities are assets that can be intentionally managed and improved in pursuit of the company's mission. 'NIST Special Publication 800-53R4 states that a security capability generally results from the selection and implementation of a set of mutually reinforcing security controls. 'Forward-thinking companies like Google. Microsoft, and Amazon are delivering their cloud services such that they can be consumed by other services via an Application Programming Interface (API). This has given rise to several important concepts such as Software Defined Networking, Orchestration, and Infrastructure as Code. 'A central theme is that everything that is customized or unique has been reduced so that it can be expressed as version-controlled program code.'this allows organizations to encapsulate, inherit, abstract, and reuse their IT capabilities just like other code. 'Using selected examples from the CIS Critical Security Controls , this presentation will share some concepts, tools and practical experiences of a security engineer using the "capabilities as code" approach to improve the security of his organization's use of Amazon Web Services.