
AWS security services with appropriate use cases

Comprehensive overview of AWS security services for workloads and applications

AWS offers several security services that are specifically designed to protect workloads and applications.


These services operate at different levels, covering areas such as authorization, network protection, data encryption and compliance. They are essential for maintaining the integrity and confidentiality of applications running in the cloud.



Amazon GuardDuty


Amazon GuardDuty is a threat detection service that uses machine learning and threat intelligence feeds to monitor AWS resources, including EC2 instances, S3 buckets, accounts and APIs. It automatically detects threats and generates alerts (findings), enhancing the security of your AWS environment.


Efficiently safeguards workloads in multi-account environments, either independently or in conjunction with AWS Organizations.


Allows integration with services like AWS Lambda for automated response and AWS Security Hub for centralized security management.



Amazon GuardDuty key use cases include:


Unauthorized access detection 


Recognizes potentially compromised AWS credentials through unusual access patterns or locations (IP addresses).



Monitoring AWS environment


Regular monitoring and assessment of the AWS environment to ensure compliance with internal policies and best practices.


Scans for behavior resembling known attack patterns, including communication with malicious IPs or domains, botnet-like activities and port scanning.



Malware Detection


Detects malware on EC2 instances and container workloads by scanning attached storage volumes for threats like trojans, rootkits, and crypto miners.


Flags instances involved in botnet activity or communicating with command-and-control servers.



Data theft prevention


Helps identify large or abnormal data transfers which might indicate attempts by attackers to steal data.


Detecting Cryptojacking


Identifies unauthorized use of AWS resources for cryptocurrency mining.



Investigation and Forensics


Provides detailed security alerts for forensic analysis to understand the nature and origin of security breaches.
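The Lambda automated-response integration mentioned above, as an added example that is not code from the page or from AWS: a handler that triages an EventBridge "GuardDuty Finding" event and quarantines only high-severity EC2 instance findings. The sample event, the severity thresholds and the quarantine security-group ID are constructed for the example, and the EC2 client is injected so the logic runs without AWS access.

```python
"""Triage a GuardDuty finding delivered by EventBridge and choose a response.
Added example, not code from the page. SAMPLE_EVENT is a constructed event shaped
like EventBridge's "GuardDuty Finding" detail-type (placeholder IDs, not real
indicators); in a real Lambda you would pass boto3.client("ec2") as `ec2`."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample finding with a placeholder instance ID.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 7.5,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
    },
}

# Thresholds on GuardDuty's numeric severity: High is 7.0 and above, Medium
# 4.0 to 6.9. The response tiers themselves are this example's policy.
HIGH_SEVERITY = 7.0
MEDIUM_SEVERITY = 4.0


@dataclass
class Plan:
    action: str                 # "isolate", "notify" or "ignore"
    resource_id: Optional[str]  # instance ID or access key ID named by the finding
    reason: str


def plan_response(event: dict) -> Plan:
    """Map one finding to a response; only EC2 instances are ever isolated."""
    if event.get("detail-type") != "GuardDuty Finding":
        return Plan("ignore", None, "not a GuardDuty finding")
    detail = event["detail"]
    severity = float(detail.get("severity", 0))
    resource = detail.get("resource", {})
    rtype = resource.get("resourceType")
    if rtype == "Instance":
        rid = resource["instanceDetails"]["instanceId"]
    elif rtype == "AccessKey":
        rid = resource["accessKeyDetails"]["accessKeyId"]
    else:
        rid = None
    reason = f"{detail.get('type')} severity {severity}"
    if severity >= HIGH_SEVERITY and rtype == "Instance":
        return Plan("isolate", rid, reason)
    if severity >= MEDIUM_SEVERITY:
        # Compromised keys or buckets need a human or a separate playbook,
        # so they are escalated rather than acted on automatically here.
        return Plan("notify", rid, reason)
    return Plan("ignore", rid, "below notification threshold")


def isolate_instance(ec2, instance_id: str, quarantine_sg: str) -> dict:
    """Replace the instance's security groups with a quarantine group that has
    no rules: network access is cut, the instance is kept for forensics.
    `ec2` is a boto3 EC2 client; modify_instance_attribute is a real call."""
    return ec2.modify_instance_attribute(InstanceId=instance_id,
                                         Groups=[quarantine_sg])


def handler(event: dict, ec2, quarantine_sg: str = "sg-QUARANTINE-PLACEHOLDER") -> Plan:
    """Lambda-style entry point: triage first, then act only on isolate plans."""
    plan = plan_response(event)
    if plan.action == "isolate":
        isolate_instance(ec2, plan.resource_id, quarantine_sg)
    return plan
```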





AWS WAF


AWS WAF is a versatile managed web application firewall that secures web applications and APIs against threats like SQL injection and cross-site scripting by enabling customizable rules based on IP addresses, HTTP headers, and URIs.


It integrates seamlessly with AWS services such as CloudFront and API Gateway, offering detailed insights through metrics and logging, and allows for tailored security policies to effectively manage web requests.



AWS WAF key use cases include:


Web Application and API protection


Shields applications and APIs on Amazon CloudFront, ALB, API Gateway, and AppSync from attacks like SQL injection, cross-site scripting (XSS), and file inclusion.


Restricts API access with WAF rules, API keys, and throttling to prevent excessive traffic from the same source (DDoS protection).


Identifies and blocks automated web bot requests.



Traffic Filtering Rules


Enables rule creation for allowing, blocking, or counting requests based on IP addresses, HTTP headers, URI strings, and HTTP body contents.



Geographical and IP range blocking


Allows or blocks traffic from specific countries or IP ranges to mitigate threats from known bad actors.



Port and Protocol Enforcement


Enforces security policies by allowing traffic only on designated ports and supported protocols.



Real-Time Monitoring and Logging


Monitors web requests for anomalies and potential attacks, with integrations for automated responses via CloudWatch and Lambda.
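How the allow, block and count rules described above combine, as an added example that is not code from the page or from AWS: a small model of web ACL evaluation order. The matchers are simplified stand-ins for WAF's IP set, geo match, header and URI statements, and the rule set uses constructed values.

```python
"""Model the evaluation order of an AWS WAF web ACL (added example, not the
page's code). Rules run in ascending priority; ALLOW and BLOCK terminate
evaluation, COUNT records the match and continues, and the web ACL's default
action applies when no rule terminated. WEB_ACL is a constructed policy."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Request:
    source_ip: str
    country: str   # two-letter code that WAF derives from the source IP
    uri: str
    headers: Dict[str, str] = field(default_factory=dict)

    def __post_init__(self):
        # HTTP header names are case-insensitive; normalise once.
        self.headers = {k.lower(): v for k, v in self.headers.items()}


@dataclass
class Rule:
    name: str
    priority: int
    action: str    # "ALLOW", "BLOCK" or "COUNT"
    matches: Callable[[Request], bool]


def ip_set(cidrs: List[str]):
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda r: any(ipaddress.ip_address(r.source_ip) in n for n in nets)


def geo_match(countries):
    wanted = set(countries)
    return lambda r: r.country in wanted


def uri_contains(fragment: str):
    return lambda r: fragment.lower() in r.uri.lower()


def header_missing(name: str):
    return lambda r: name.lower() not in r.headers


def evaluate(rules: List[Rule], request: Request,
             default_action: str = "ALLOW") -> Tuple[str, str, List[str]]:
    """Return (final action, deciding rule name or 'DEFAULT', counted rule names)."""
    counted: List[str] = []
    for rule in sorted(rules, key=lambda x: x.priority):
        if not rule.matches(request):
            continue
        if rule.action == "COUNT":
            counted.append(rule.name)   # non-terminating: keep evaluating
            continue
        return rule.action, rule.name, counted
    return default_action, "DEFAULT", counted


# Constructed policy: RFC 5737 documentation addresses and a placeholder
# country code ("ZZ"); the point is the ordering, not the values.
WEB_ACL = [
    Rule("allow-office-range", 0, "ALLOW", ip_set(["203.0.113.0/24"])),
    Rule("block-embargoed-geo", 10, "BLOCK", geo_match(["ZZ"])),
    Rule("count-admin-paths", 20, "COUNT", uri_contains("/admin")),
    Rule("block-missing-api-key", 30, "BLOCK", header_missing("x-api-key")),
]
```

Running a COUNT rule first is how a new rule is staged in WAF: its matches show up in metrics and logs without changing what is blocked.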



AWS Shield


AWS Shield is a managed DDoS protection service from AWS, designed to protect applications on resources such as EC2, ELB, CloudFront, and Route 53. It offers two tiers: Standard and Advanced.


Shield Standard, included with AWS services at no extra cost, provides basic defense against common DDoS attacks such as SYN/UDP floods.


Shield Advanced, a paid option, offers enhanced protection against more complex attacks, including layer 7 attacks, with features like real-time attack visibility, automated mitigation, and cost protection against increased usage during attacks. It also includes 24/7 support from the AWS DDoS Response Team and integrates with AWS WAF for added application layer security.



AWS Shield key use cases include:


Web Application and API Protection


Shields applications and APIs on AWS services like CloudFront, ALB, and Global Accelerator against volumetric and sophisticated layer 7 DDoS attacks.



Safeguard for TCP/UDP Applications


Protects TCP and UDP based applications on EC2 from attacks that could overwhelm network resources.



Gaming Server and Intensive workload defense


Secures gaming servers and high-demand workloads on EC2 from traffic-heavy attacks aimed at disrupting service.



24/7 DDoS Response Team Access


Offers round-the-clock access to a DDoS response team with Shield Advanced for proactive threat response.



Real-time Traffic Monitoring


Includes continuous traffic surveillance for immediate detection and mitigation of DDoS threats.



Multi-layered Protection Strategy


Integrates with AWS WAF and Global Accelerator, providing comprehensive defense against both network and application layer attacks.



DDoS Cost Protection


Shield Advanced includes financial safeguards to help manage unexpected costs from traffic spikes during major attacks.



Compliance and Security Assurance


Assists in meeting cybersecurity regulatory requirements, especially for public-facing resources.



Some key differences between AWS Shield and AWS WAF:


AWS WAF focuses only on layer 7 (application layer) attacks and exploits, while AWS Shield protects against both layer 3-4 and layer 7 attacks.


AWS WAF rules are configured by the customer to allow, block or monitor specific traffic patterns. AWS Shield provides automatic detection and mitigation of DDoS attacks.



AWS Network Firewall


AWS Network Firewall is a managed service from Amazon Web Services (AWS) that provides easy-to-deploy network protection for Amazon Virtual Private Clouds (VPCs). 


It is set up with minimal effort and scales automatically with network traffic, eliminating the need for infrastructure management. This service offers extensive customization and control over the traffic to and from a VPC, ensuring robust security within the AWS environment.


AWS Network Firewall key use cases include:


Traffic Filtering


Controls and monitors traffic in and out of VPC subnets based on security policies.



Blocking Malicious Traffic


Filters harmful traffic using threat intelligence feeds to identify bad IP addresses or domains.



Unified Policy Enforcement


AWS Firewall Manager enforces security policies across multiple VPCs and accounts.



Secure Traffic Management


Inspects and filters traffic between VPCs, internet gateways, AWS Direct Connect, and VPNs.



Application Protection


Screens inbound internet traffic for threats and applies ACL rules and traffic pattern analysis.



Compliance and Data Leak Prevention


Filters unapproved outbound traffic to meet compliance and prevent data leaks.



Intrusion Prevention and Detection


Monitors network traffic to identify and block unauthorized access and cyber threats.



Web Filtering


Restricts access to specific websites and services in line with company policies.



Network Traffic Segmentation


Segregates traffic for different organizational parts, like separating development from production.



Protection Against Attacks


Guards against SQL injection, cross-site scripting, and other common attacks.



Centralized Security Management


Simplifies management of network security across various VPCs.



Customizable Rules


Allows creation of tailored rules for specific security needs.



Enhanced Monitoring and Logging


Integrates with Amazon CloudWatch for in-depth traffic analysis and security auditing.



Amazon Inspector


Amazon Inspector is an AWS service offering automated security assessments to enhance the security and compliance of applications on AWS. It continuously scans infrastructure and workloads for vulnerabilities, software misconfigurations, and network exposures, ensuring adherence to best practices.



Amazon Inspector key use cases include:


Vulnerability Management


Scans EC2 instances, Lambda functions, and container images to detect vulnerabilities and misconfigurations.



DevOps Integration


Automates security scans within build/test processes via the Inspector API, enhancing early issue detection.



Compliance Auditing


Regularly checks AWS resources against compliance standards and best practices.



Continuous Monitoring


Monitors system behavior and configurations over time for comprehensive resource visibility.



Centralized Management


Consolidates findings in the AWS console or integrates with services like Security Hub for a unified security view.



Prioritization of Remediation


Applies attributes to findings for tracking status and severity, aiding in efficient resolution of critical issues.



Risk Assessment


Evaluates and prioritizes risks from identified vulnerabilities for targeted remediation.



Network Exposure Analysis


Assesses AWS resource network exposure to prevent unintended external access.



Amazon Cognito


Amazon Cognito, an AWS service, streamlines user sign-up, sign-in, and access management for web and mobile apps. It combines a user directory, authentication server, and an authorization service, supporting OAuth 2.0 tokens and AWS credentials. Cognito facilitates user authentication and authorization from its own user directory, enterprise directories, and external identity providers like Google, Apple and Facebook.



Amazon Cognito key use cases include:


Scalable User Directory


It provides a scalable and secure user directory to handle applications with millions of users.


User Pool Authentication


Allows direct sign-in or federation through third-party identity providers (IdPs) like Facebook, Google, and enterprise directories.



Token Management


Manages tokens from social sign-ins and federated IdPs, with a user directory for all members.



Access to AWS Services


Users can obtain temporary AWS credentials to access services like Amazon S3 and DynamoDB, supporting both authenticated and guest users.



Server-Side Resource Access


Use tokens from user pool sign-ins to control access to server-side resources, with group-based permission management.



API Gateway Integration


Authenticate user access to APIs via API Gateway, validating tokens and controlling permissions with user pool groups.



AWS Service Access via Identity Pools


Exchange user pool tokens for temporary access to various AWS services.



Third-Party IdP Integration


Access AWS services using tokens from third-party IdPs via identity pools.



Guest User Access


Cognito allows for the creation of temporary, limited-privilege credentials for guest users, enabling unauthenticated access with controlled permissions.



AWS AppSync Access (GraphQL API)


Use tokens for AWS AppSync resource access, with options for both user pool and IAM credentials authentication.



Amazon Detective


Amazon Detective is an AWS service that streamlines the analysis and investigation of security incidents in your AWS environment, aiding in quickly identifying their root causes. 


This service is tailored for efficiently uncovering and addressing suspicious activities or security findings within AWS.



Amazon Detective key use cases include:


Security Incident Analysis


Quickly determines the root cause and scope of incidents, like unauthorized access or malware infections, by analyzing findings from services like GuardDuty and Security Hub.



Compliance Monitoring


Aids in adhering to regulations like PCI DSS, offering visibility into user activities and detecting non-compliant behaviors.



Threat Hunting


Empowers security teams to proactively search for threats or suspicious behaviors using analytical graphs and activity data.



Cloud Infrastructure Troubleshooting


Diagnoses issues with AWS resources, such as EC2 or Lambda functions, by examining related events and interactions.



Cloud Usage Optimization


Identifies unused resources and abnormal traffic patterns to optimize AWS costs.



Fraud Detection


Uses machine learning and traffic pattern visualization to detect fraudulent activities on websites and apps.



User Behavior Analysis


Analyzes user activities to detect anomalies, helping identify insider threats or compromised accounts.



Network Activity Monitoring


Monitors and analyzes network traffic to identify threats like port scanning or data exfiltration.



Integration with AWS Security Services


Complements other AWS security services for a more comprehensive security overview.



Forensic Analysis


Aids in forensic investigations post-security breach by tracing actions and changes in the environment.



AWS Certificate Manager


AWS Certificate Manager (ACM) is an Amazon Web Services tool that streamlines the handling of SSL/TLS certificates for AWS services and internal resources. It automates key tasks such as issuing, renewing, and revoking certificates, facilitating their deployment for services like Elastic Load Balancing, Amazon CloudFront, and API Gateway. ACM is designed to secure network communications and verify website identities on the internet.



AWS Certificate Manager key use cases include:


HTTPS for AWS Services


Enables SSL/TLS certificates for AWS services supporting HTTPS, such as Elastic Load Balancing, Amazon CloudFront, and Amazon API Gateway.



Securing Custom Domains


Provides certificates for HTTPS on custom domains within AWS, including websites on S3 or applications behind Load Balancers.



Automated Certificate Renewals


Manages automatic renewals of certificates to ensure continuous, secure access without manual intervention.



Centralized Certificate Management


Offers a single console for managing all ACM certificates, both self-issued and third-party imports.



AWS Service Integrations


Simplifies provisioning of certificates to AWS services like load balancers and API Gateway.



Web Application Security


Secures web applications and websites hosted on AWS services with SSL/TLS certificates.



Private CA Management


Facilitates the creation and management of a private Certificate Authority for internal applications and resources.



Internal Communication Security


Ensures secure data-in-transit within AWS, between microservices, and applications to databases.



Compliance and Trust Enhancement


Helps meet compliance standards and boosts user trust by enabling SSL/TLS.



Load Balancer Security


Secures communication between Elastic Load Balancing and clients.



API Endpoint Security


Provides secure, encrypted API communications on Amazon API Gateway.



Content Delivery Encryption


Works with Amazon CloudFront to encrypt content delivery to end-users.



Amazon Macie


Amazon Macie is a data security and privacy service from AWS that employs machine learning and pattern matching to identify, classify, and safeguard sensitive data within AWS.



Amazon Macie key use cases include:


Sensitive Data Discovery


Automatically scans S3 bucket contents to detect and classify sensitive data, such as personal information and credit card numbers.



S3 Bucket Monitoring


Monitors S3 buckets for changes in access control or configurations that might lead to data leaks, generating findings for review and remediation.



Data Inventory and Visibility


Provides a centralized view of all data in S3 across multiple accounts, aiding in compliance and sensitive data management.



Automated Data Protection


Integrates with services like Amazon S3 Block Public Access to automatically protect sensitive data in S3 buckets from public exposure.



Custom Scans and Policy Enforcement


Conducts targeted or recurring scans of S3 buckets to detect policy violations and custom identifiers set by users, enhancing security posture.



AWS Security Hub


AWS Security Hub is an AWS service that centralizes security and compliance monitoring, consolidating alerts and findings from AWS accounts, services, and third-party solutions into a unified view of security posture across AWS environments.



AWS Security Hub key use cases include:


Centralized Security Management


Manages security across AWS environments by collecting data from AWS services like GuardDuty, Inspector, Macie, and third-party tools.



Threat and Vulnerability Visibility


Provides a unified view of threats and vulnerabilities, consolidating findings in one place.



Prioritization of Security Issues


Standardizes and prioritizes findings to highlight high-risk security issues and compliance violations.



Compliance Monitoring


Continuously assesses compliance with standards like CIS benchmarks and PCI-DSS, offering clear compliance status insights.



Automated Remediation


Features automation rules and Amazon EventBridge integration for efficient remediation across multiple accounts.



Operational Integration


Integrates with services like Systems Manager for combined investigation and resolution of security and operational issues.



Automated Security Checks


Proactively identifies potential security issues through automated checks against industry standards.



Incident Investigation and Response


Aids in investigating security incidents and automates responses to threats.



Anomaly Detection and Alerts


Detects and alerts on unusual activities, assisting in early threat detection.



Cross-Account Security


Provides a consolidated security view across multiple AWS accounts, ideal for complex organizational structures.



Third-Party Security Integration


Extends capabilities by integrating with a range of third-party security solutions.



Continuous Security Assessment


Ensures ongoing effectiveness of security measures through continuous assessment.



Custom Insights and Dashboards


Offers customizable insights and dashboards for focused security monitoring.



AWS Key Management Service


AWS Key Management Service (KMS) is a secure and resilient AWS service that simplifies the creation and management of encryption keys used for data encryption.



AWS Key Management Service key use cases include:


AWS Data Encryption in transit and at rest


Enables encrypting data moving between applications, services, and devices.


Provides encryption for data stored in AWS services like S3, EBS, and Redshift using customer-managed keys and KMS-managed keys.



Data in Transit Encryption


 with KMS-managed keys.



Digital Signature


Facilitates digital signing of code, documents, or assets to ensure authenticity and detect tampering.



Message Authentication


Supports strong message authentication and integrity verification using HMACs and CMACs.



Compliance with Regulations


Meets compliance requirements using FIPS 140-2 validated HSMs and auditing key usage via AWS CloudTrail.



Encryption Workflow Management


Manages encryption workflows programmatically through KMS APIs or SDKs, including key generation, encryption, decryption, and rotation.



Access Control


Controls who can access encrypted data by managing key usage permissions.



Multi-Region Encryption


Ensures consistent encryption practices across multiple AWS regions through key replication.



AWS Service Integration


Seamlessly integrates with AWS services for efficient encryption and decryption.



Secure Key Storage


Safely stores encryption keys using AWS CloudHSM-integrated FIPS 140-2 validated HSMs.



Custom Key Management


Allows organizations to create and manage their own encryption keys for specific needs.
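For the Access Control use case above, an added example that is not code from the page or from AWS: a linter that checks a KMS key policy for over-broad grants. The policy is constructed for the example, and 111122223333 is the placeholder account ID used in AWS documentation.

```python
"""Lint a KMS key policy for over-broad access (added example, not the page's
code; SAMPLE_POLICY is constructed). Three checks: an Allow to any principal
("*") with no Condition; a non-root principal granted kms:* (or *); and one
non-root principal holding both key-administration and key-usage actions,
which defeats the usual separation between key administrators and key users."""
import fnmatch
import json
from typing import Dict, List, Set, Union

KEY_ADMIN = ("kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:CreateGrant")
KEY_USAGE = ("kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey")


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]

def _principals(stmt: dict) -> List[str]:
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return [str(p) for values in principal.values() for p in _as_list(values)]

def _patterns(stmt: dict) -> List[str]:
    return [str(a).lower() for a in _as_list(stmt.get("Action", []))]

def _grants(stmt: dict, action: str) -> bool:
    """IAM action names are matched case-insensitively with * wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in _patterns(stmt))

def lint_key_policy(policy: Union[str, dict]) -> List[str]:
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings: List[str] = []
    full_control: Set[str] = set()
    admins: Dict[str, Set[str]] = {}   # principal -> Sids granting admin actions
    users: Dict[str, Set[str]] = {}    # principal -> Sids granting usage actions
    for stmt in _as_list(doc["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principals = _principals(stmt)
        if "*" in principals and "Condition" not in stmt:
            findings.append(f"{sid}: Allow to any principal without a Condition")
        for principal in principals:
            if principal == "*" or principal.endswith(":root"):
                continue  # the account-root statement is the standard policy anchor
            if any(p in ("*", "kms:*") for p in _patterns(stmt)):
                findings.append(f"{sid}: full key control (kms:*) granted to {principal}")
                full_control.add(principal)
            if any(_grants(stmt, a) for a in KEY_ADMIN):
                admins.setdefault(principal, set()).add(sid)
            if any(_grants(stmt, a) for a in KEY_USAGE):
                users.setdefault(principal, set()).add(sid)
    for principal in sorted((set(admins) & set(users)) - full_control):
        sids = ", ".join(sorted(admins[principal] | users[principal]))
        findings.append(f"{sids}: {principal} can both administer and use the key")
    return findings


# Constructed policy in the usual root / key-admin / key-user layout.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableRoot", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "KeyAdmins", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/KeyAdmin"},
         "Action": ["kms:Create*", "kms:Describe*", "kms:Put*",
                    "kms:ScheduleKeyDeletion"], "Resource": "*"},
        {"Sid": "KeyUsers", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/AppRole"},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
         "Resource": "*"},
    ],
}
```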



AWS Resource Access Manager (RAM)


AWS Resource Access Manager (RAM) is an AWS service that facilitates the secure and easy sharing of AWS resources across different AWS accounts within an organization, streamlining resource sharing and management.



AWS Resource Access Manager key use cases include:



Cross-Account Resource Sharing


Shares AWS resources like VPCs, subnets, and security groups across multiple accounts within an organization, reducing duplication and simplifying permission management.



Cross-Account Access to Resources


Enables access to resources such as S3 buckets across accounts using IAM roles and users.



Streamlined Access Management


Manages access to resources needed by multiple accounts through resource groups and attached policies.



Integration with AWS Organizations


Facilitates resource sharing within organizational units (OUs) or specific accounts in an organization.



Compliance and Centralized Permissions Management


Manages permissions centrally for shared resources and audits access via AWS CloudTrail for compliance.



Programmatic Cross-Account Access Management


Utilizes AWS CLI or SDKs for creating, attaching, and detaching permissions to shared resources.



AWS Secrets Manager


AWS Secrets Manager is an AWS service that securely stores, manages, and retrieves secrets like tokens, passwords, certificates, API keys, and database credentials, offering tight access control without the need for extensive infrastructure investment and maintenance.



AWS Secrets Manager key use cases include:


Centralized Secrets Storage


Store sensitive data centrally, including database credentials, API keys, and passwords, to avoid hardcoding secrets in code.



Automated Rotation


Automatically rotate secrets, such as database credentials, on a schedule to enhance security without code changes.



Dynamic Secret Retrieval


Allow applications to retrieve secrets dynamically at runtime, simplifying secret management.



Integration with AWS Services


Securely provide secrets to services like RDS, Redshift, and ECS, enabling automatic credential rotation.



Access Control


Control access to secrets using IAM policies, ensuring only authorized users and applications can access them.



Encryption at Rest


Encrypt secrets at rest using customer-managed keys in AWS Key Management Service (KMS) for added security.



Auditing Access


Audit access to secrets through integration with services like AWS CloudTrail, ensuring compliance.



Centralized Secret Management


Centrally manage secrets for applications and services, simplifying access control and tracking.



Application Credential Management


Provide credentials to applications at runtime to avoid hard-coding sensitive data.



Disaster Recovery


Replicate secrets across AWS regions to support disaster recovery and high availability.



Secure Configuration Management


Manage configuration data securely for applications and IT resources, especially in automated deployment and CI/CD scenarios.
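For the Automated Rotation and Dynamic Secret Retrieval use cases above, an added example that is not code from the page or from AWS: a runtime cache that refetches a secret when rotation invalidates the cached copy. It assumes a client with boto3's get_secret_value(SecretId=...) signature (boto3.client("secretsmanager") in production) and a JSON-formatted secret string.

```python
"""Retrieve a secret at runtime with a short-lived cache, and recover when a
rotation invalidates the cached copy. Added example, not the page's code.
`client` is anything exposing boto3's get_secret_value(SecretId=...)."""
import json
import time
from typing import Any, Callable, Dict, Tuple


class SecretCache:
    """Caches parsed JSON secrets for `ttl_seconds`; `clock` is injectable for tests."""

    def __init__(self, client, ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic):
        self._client = client
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries: Dict[str, Tuple[float, Dict[str, Any]]] = {}

    def _fetch(self, secret_id: str) -> Dict[str, Any]:
        # Without VersionStage, Secrets Manager returns the AWSCURRENT version,
        # i.e. whatever a completed rotation has just promoted.
        resp = self._client.get_secret_value(SecretId=secret_id)
        raw = resp.get("SecretString")
        if raw is None:
            raise ValueError(f"{secret_id}: binary secrets are out of scope here")
        value = json.loads(raw)
        self._entries[secret_id] = (self._clock(), value)
        return value

    def get(self, secret_id: str, force_refresh: bool = False) -> Dict[str, Any]:
        """Serve from cache while the entry is younger than the TTL."""
        entry = self._entries.get(secret_id)
        if entry and not force_refresh and self._clock() - entry[0] < self._ttl:
            return entry[1]
        return self._fetch(secret_id)

    def call_with_secret(self, secret_id: str,
                         use: Callable[[Dict[str, Any]], Any],
                         is_auth_error: Callable[[Exception], bool]) -> Any:
        """Run use(secret). An authentication failure right after a rotation
        usually means the cached copy is stale: refetch AWSCURRENT once and
        retry, so rotation needs no code change or restart in the application."""
        try:
            return use(self.get(secret_id))
        except Exception as exc:  # classified by the caller's predicate
            if not is_auth_error(exc):
                raise
            return use(self.get(secret_id, force_refresh=True))
```

A long TTL is safe here because the retry path handles the rotation window; what must never happen is caching the secret for the lifetime of the process with no refetch path.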




