
AWS Security Services in a Nutshell

These services are designed to secure your applications, data, and infrastructure with battle-tested, configurable managed services.

They make it easy to manage users, roles and permissions, and to ensure compliance with industry regulations and security best practices.

(Cheatsheet image: AWS in a Nutshell - Security Services)

1. The Nutshell View

The cheatsheet above provides a quick overview of the security, identity and compliance related services.

We have grouped these services into usage categories to give a high-level understanding of the kinds of services available under each group and how we can use them for our needs.

The section below provides a brief description of each of these services.



2. Brief Descriptions, Features & Usage of the Security Services

Each entry below gives the service name, its objective, and sample use cases.

Identity and Access Management (IAM)

AWS Identity and Access Management (IAM)
Objective: IAM provides fine-grained access control across all of AWS. It allows you to create users, groups, and roles, and to assign permissions to them so that each identity gets only the access it needs (least privilege).
Sample use cases:
1. User-level access control: assign specific roles, groups and policies to individual IAM users.
2. Resource-level access control: create resource policies that specify which actions are allowed or denied on particular AWS resources, such as S3 buckets, DynamoDB tables, or EC2 instances.
3. Temporary access: grant temporary credentials to users or services, which is useful for cross-account access, giving external users short-lived permissions, or enabling time-limited access for applications.
4. Multi-factor authentication (MFA): enforce an additional layer of security by requiring MFA.

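To show how a user-level policy, a resource-level (bucket) policy and an MFA condition combine, here is an added example that is not part of the original page and is not AWS code: a toy evaluator that applies IAM's documented decision order (explicit Deny wins over Allow, and anything not allowed is implicitly denied) to two constructed policies. The policy contents, the bucket name and the single supported condition operator are assumptions; real IAM also consults SCPs, permission boundaries and session policies, which this model leaves out.

```python
from fnmatch import fnmatchcase

# Constructed sample data: an identity policy on an IAM user (user-level access
# control) granting exactly one action on one bucket, i.e. least privilege.
USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-reports/*"},
]}

# Constructed bucket policy (resource-level access control): explicitly deny
# every S3 action on the bucket unless the caller authenticated with MFA.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-reports/*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
]}

def _as_list(value):
    """IAM allows a single string or a list in Action and Resource."""
    return value if isinstance(value, list) else [value]

def _condition_met(condition, context):
    """Toy condition check: only the BoolIfExists operator is modelled.
    A context key that is absent counts as a match, which is why the deny
    above still fires for callers whose session carries no MFA flag."""
    for key, expected in condition.get("BoolIfExists", {}).items():
        if key in context and str(context[key]).lower() != expected.lower():
            return False
    return True

def _matches(stmt, action, resource, context):
    return (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _condition_met(stmt.get("Condition", {}), context))

def evaluate(policies, action, resource, context=None):
    """Simplified IAM decision: explicit Deny beats Allow, and a request that
    no statement allows is implicitly denied. SCPs, permission boundaries and
    session policies, which real IAM also consults, are out of scope here."""
    context = context or {}
    effects = {s["Effect"] for p in policies for s in p["Statement"]
               if _matches(s, action, resource, context)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"
```

Running `evaluate([USER_POLICY, BUCKET_POLICY], "s3:GetObject", "arn:aws:s3:::example-reports/q1.csv", {"aws:MultiFactorAuthPresent": True})` returns "Allow", while the same call without the MFA flag returns "Deny" and any action or bucket the user policy never mentions returns "ImplicitDeny".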
AWS IAM Identity Center
Objective: Centrally manage user identities and their access across multiple AWS accounts and applications. It provides a unified place for managing users, groups, and roles across multiple AWS accounts, SAML-enabled cloud applications (such as Salesforce, Microsoft 365, and Box), and custom-built in-house applications.
Sample use cases:
1. Centralized user access: centralizes user access with single sign-on (SSO) capabilities.
2. Policy reusability: create and manage permission sets that are reusable across multiple accounts and applications.
3. Simpler integration with identity providers: it eliminates the need to configure an identity provider separately for each AWS account, which streamlines onboarding and offboarding of users.
4. Automatic account provisioning: when new users are added to specific groups in the connected identity provider, it can automatically create and provision access for them, reducing the manual effort of setting up user access in multiple accounts.

Directory Services

AWS Directory Service
Objective: AWS Directory Service offers the following directory types to choose from:
1. AWS Managed Microsoft AD
2. Amazon Cognito
3. Simple AD
4. AD Connector

AWS Managed Microsoft AD
Objective: A Microsoft Active Directory managed by AWS.
- It supports a wide range of SaaS applications and AWS managed applications and services.
- It also lets you migrate Active Directory-aware applications to the AWS Cloud.
Key features include:
- Managing users, groups and group policies
- Providing single sign-on to applications and services
- Support for multi-factor authentication

Amazon Cognito
Objective: A simple-to-integrate sign-up and sign-in service.
Cognito User Pools:
1. An identity store that can scale to millions of users.
2. Supports sign-up and sign-in through direct registration as well as through social identity providers such as Google, Facebook and Twitter.
Cognito Identity Pools:
1. Provide temporary AWS credentials for accessing AWS resources to both signed-in and anonymous (guest) users.
Sample use cases:
- Use it to integrate a secure and scalable user management and authentication process into your web and mobile applications.
- Amazon Cognito supports encryption and multi-factor authentication (MFA).

Simple AD
Objective: Simple AD is a standalone managed directory powered by a Samba 4 Active Directory-compatible server.
- Simple AD provides a subset of the AWS Managed Microsoft AD features, including the ability to manage user accounts and group memberships, create and apply group policies, securely connect to Amazon EC2 instances, and provide Kerberos-based single sign-on (SSO).
- Simple AD does not support features such as multi-factor authentication (MFA), trust relationships with other domains, or group managed service accounts.
It is available in two sizes:
- Small: supports up to 500 users.
- Large: supports up to 5,000 users.

AD Connector
Objective: Simplifies connecting compatible AWS services to an on-premises Active Directory.
AD Connector is a proxy service that provides an easy way to connect compatible AWS applications, such as Amazon WorkSpaces, Amazon QuickSight, and Amazon EC2 for Windows Server instances, to your existing on-premises Microsoft Active Directory.
With AD Connector, you simply add one service account to your Active Directory. AD Connector also eliminates the need for directory synchronization and the cost and complexity of hosting a federation infrastructure.

Amazon Verified Permissions
Objective: Amazon Verified Permissions lets you externalize authorization from your application code and centralize policy management and administration. It uses Cedar, a security-first open-source policy language, to define policy-based access control using roles and attributes for more granular, context-aware decisions.
Sample use cases:
1. Verified Permissions helps you build applications faster and also supports governance and compliance.
2. Security and audit teams can better analyze and audit who has access to what within applications.

Network Security & Firewall

AWS Web Application Firewall (WAF)
Objective: AWS WAF lets you create a centralized set of rules that you can deploy across multiple websites. You can configure rules that allow, block, or monitor (count) web requests based on specific conditions, such as IP addresses, HTTP headers, HTTP body, URI strings, and patterns indicative of SQL injection and cross-site scripting.
Sample use cases:
1. Create rules to keep malicious bots and attacks like SQL injection from affecting web applications.
2. Create custom rules to allow or deny requests based on specific conditions, improving application security.

AWS Firewall Manager
Objective: AWS Firewall Manager is a security management service that lets you centrally configure and manage firewall rules across the accounts and applications in your AWS Organizations organization. Because it is integrated with AWS Organizations, you can enable AWS WAF rules, AWS Shield Advanced protections, VPC security groups, AWS Network Firewall policies, and Amazon Route 53 Resolver DNS Firewall rules across multiple AWS accounts and resources from a single place.
Sample use cases:
1. Define and enforce security policies across multiple applications using AWS WAF.
2. As new applications are created, Firewall Manager brings them and their resources into compliance by enforcing a common set of security rules.

AWS Network Firewall
Objective: AWS Network Firewall is a managed service that lets you centrally configure and deploy essential network firewall rules across all of your Amazon Virtual Private Clouds (VPCs) and accounts. It has a highly flexible rules engine, so you can build custom firewall rules to protect your unique workloads. It supports thousands of rules, which can be based on domain, port, protocol, IP addresses, and pattern matching.
Sample use cases:
1. Control inbound and outbound traffic to and from VPCs using custom network firewall rules.
2. Use its web filtering to stop traffic to known-bad URLs and to monitor fully qualified domain names.

Intrusion Detection & Protection

AWS Shield
Objective: Protects your applications from distributed denial of service (DDoS) attacks. There are two tiers of AWS Shield: Standard and Advanced.
Sample use cases:
DDoS attacks, if not handled well, may result in outages and customer dissatisfaction. AWS Shield provides dynamic detection and automatic inline mitigations that minimize application downtime and latency.

Amazon Detective
Objective: "Let's figure out what went wrong."
Simplifies the analysis, investigation, and identification of the root cause of potential security issues or suspicious activities. It automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that lets you conduct faster and more efficient security investigations.
Sample use cases:
1. Analyze and correlate security event data to identify potential security threats.
2. Perform forensic analysis to understand the scope and impact of a security incident.

Amazon GuardDuty
Objective: "Is anything fishy happening anywhere?"
A threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3. GuardDuty delivers detailed and actionable alerts that are designed to integrate with existing event management and workflow systems for detection and remediation. It combines machine learning, anomaly detection, network monitoring, and malicious file discovery, using both AWS and industry-leading third-party sources.
Sample use cases:
1. Detect unauthorized access to Amazon S3 buckets and generate alerts for investigation.
2. Identify unusual API activity in AWS services and respond to potential security breaches.
3. Detect malicious files on Amazon EBS volumes attached to Amazon EC2/ECS workloads.

Certificates, Secrets & Encryption Key Management

AWS Certificate Manager
Objective: AWS Certificate Manager (ACM) makes it easy to centrally manage your SSL/TLS certificates from the AWS Management Console, the AWS CLI, or the ACM APIs. You can also audit the use of each certificate by reviewing your AWS CloudTrail logs.
Sample use cases:
1. Securely enable HTTPS for a web application by requesting and managing SSL/TLS certificates.
2. Automatically renew expiring SSL/TLS certificates to maintain application security.

AWS Key Management Service (KMS)
Objective: Centralized management (generation, storage, and auditing) of encryption keys for data protection. You use these keys to encrypt or digitally sign data within your own applications, or to control the encryption of data across AWS services (for example, the encryption of secrets inside Secrets Manager).
Sample use cases:
1. Use KMS keys to encrypt data stored in Amazon S3 buckets for data-at-rest security.
2. Use KMS to manage and rotate the encryption keys that protect sensitive data in Amazon RDS databases.

AWS Secrets Manager
Objective: Securely store and manage sensitive information, such as database credentials. You can configure automatic rotation for the secrets, and you can automatically replicate your secrets to multiple AWS Regions to meet your disaster recovery and cross-Region redundancy requirements.
Sample use cases:
1. Store database credentials and API keys securely, allowing applications to retrieve them when needed.
2. AWS Secrets Manager can automatically generate new credentials and update your application with minimal downtime, which improves security and compliance.

AWS CloudHSM
Objective: A hardware security module (HSM) for key storage and management. AWS monitors the health and network availability of your HSMs; you control the HSMs and the generation and use of your encryption keys. AWS KMS is multi-tenant and managed jointly by you and AWS, whereas CloudHSM is single-tenant and controlled by you.
Sample use cases:
1. Generate, store, and manage encryption keys for sensitive data in a secure hardware module.
2. Securely perform the cryptographic operations required by compliance and security-sensitive applications.

Compliance

AWS Security Hub
Objective: "Let's monitor and improve the security posture."
Security Hub is a cloud security posture management (CSPM) service that runs automated security checks aligned to different industry and regulatory frameworks. It is used by security and compliance professionals and by DevOps engineers to continuously monitor and improve the security posture of their AWS accounts and resources.
Sample use cases:
1. Aggregate security findings from AWS services (Amazon GuardDuty, Amazon Inspector, Amazon Macie, etc.) and partner services for better threat detection.
2. Streamline security compliance and incident response processes through its integration with Amazon EventBridge and other integrations.

Amazon Macie
Objective: "Should we secure this data?"
A data security service that discovers sensitive data in S3 buckets using machine learning and pattern matching. It provides visibility into data security risks and lets you automate protection against those risks.
Sample use cases:
1. Automatically identify and classify sensitive data in Amazon S3 buckets to support compliance.
2. Automatically detect a large and growing list of sensitive data types, including personally identifiable information (PII) such as names, addresses, and credit card numbers.

Amazon Inspector
Objective: "Are there any security loopholes?"
Amazon Inspector is a vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure.
Sample use cases:
1. Evaluate the security posture of a web application and identify vulnerabilities in its code.
2. Perform security assessments of EC2 instances to ensure compliance with security best practices.

AWS Audit Manager
Objective: "Always ready for an audit, with the evidence in hand."
AWS Audit Manager helps you continuously audit your AWS usage and automates evidence collection, making it easier to assess whether your policies, procedures, and activities (also known as controls) are operating effectively. It provides prebuilt frameworks that map AWS resources to the control requirements of well-known industry standards and regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), and the Payment Card Industry Data Security Standard (PCI DSS).
Sample use cases:
1. Simplify risk assessment and compliance with regulations and industry standards.
2. Generate audit evidence and reports to demonstrate compliance to auditors.

AWS Artifact
Objective: "Does this AWS service meet our compliance needs?"
AWS Artifact gives customers easy access to compliance documentation, such as reports, attestations, and agreements, which demonstrate how AWS services meet security and regulatory standards. This helps customers understand the security controls in place and aids their own compliance efforts.
Sample use cases:
1. Organizations can use these documents to demonstrate that their use of AWS aligns with specific compliance standards, such as PCI DSS, ISO 27001, HIPAA, and others.
2. Customers can review the compliance documentation in AWS Artifact as part of their due diligence when considering AWS services for highly regulated fields such as banking or healthcare records management.

Other Security Services

Amazon Security Lake
Objective: A centralized repository for security event data.
Sample use cases:
1. Store and analyze security logs from various AWS services for proactive threat detection.
2. Correlate and investigate security incidents by aggregating event data from different sources.

AWS Resource Access Manager
Objective: Securely share AWS resources across multiple accounts within your organization, and with IAM roles and IAM users for supported resource types.
Sample use cases:
1. Share Amazon VPCs and subnets between AWS accounts to facilitate application connectivity.
2. Collaborate with partners by sharing AWS resources securely and selectively.