AWS offers several security services that are specifically designed to protect workloads and applications.
These services operate at different layers, covering areas such as authorization, network protection, data encryption and compliance. They are essential for maintaining the integrity and confidentiality of applications running in the cloud.
Amazon GuardDuty
Amazon GuardDuty is a threat detection service that uses machine learning and threat intelligence feeds to monitor AWS resources, including EC2 instances, S3 buckets, accounts and API activity. It automatically detects threats and generates alerts, enhancing the security of your AWS environment.
Safeguards workloads in multi-account environments, either independently or in conjunction with AWS Organizations.
Integrates with services like AWS Lambda for automated response and AWS Security Hub for centralized security management.
Amazon GuardDuty key use cases include:
Unauthorized access detection
Recognizes potentially compromised AWS credentials through unusual access patterns or source locations (IP addresses).
Monitoring AWS environment
Regular monitoring and assessment of the AWS environment to ensure compliance with internal policies and best practices.
Scans for behavior resembling known attack patterns, including communication with malicious IPs or domains, botnet-like activities and port scanning.
Malware Detection
Detects malware on EC2 instances and container workloads by scanning attached storage volumes for threats like trojans, rootkits, and crypto miners.
Flags instances involved in botnet activity or communicating with command-and-control servers.
Data theft prevention
Helps identify large or abnormal data transfers which might indicate attempts by attackers to steal data.
Detecting Cryptojacking
Identifies unauthorized use of AWS resources for cryptocurrency mining.
Investigation and Forensics
Provides detailed security alerts for forensic analysis to understand the nature and origin of security breaches.
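The Lambda integration mentioned above, as an added example that is not part of the original page or of AWS: a Lambda-style handler that triages a GuardDuty finding delivered through EventBridge, mapping the numeric severity to GuardDuty's Low/Medium/High bands and choosing a response by the finding type's threat purpose. The playbook names, finding IDs and resource IDs are constructed placeholders.

```python
# Added example (not AWS code): Lambda-style triage of a GuardDuty finding
# delivered by EventBridge. Playbook names and sample events are constructed.

def severity_label(score: float) -> str:
    """Map GuardDuty's numeric severity (0.1-8.9) to its Low/Medium/High bands."""
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"

# The threat purpose is the finding type's prefix before the first colon,
# e.g. "CryptoCurrency" in "CryptoCurrency:EC2/BitcoinTool.B!DNS".
# The playbook names on the right are hypothetical labels for this example.
PLAYBOOK_BY_PURPOSE = {
    "UnauthorizedAccess": "disable-access-key",
    "CryptoCurrency": "isolate-instance",
    "Backdoor": "isolate-instance",
    "Recon": "notify-only",
}

def affected_resource(resource: dict):
    """Return the identifier a responder would act on, or None if unrecognised."""
    kind = resource.get("resourceType")
    if kind == "Instance":
        return resource["instanceDetails"]["instanceId"]
    if kind == "AccessKey":
        return resource["accessKeyDetails"]["accessKeyId"]
    return None

def triage_finding(event: dict) -> dict:
    """Decide how one GuardDuty finding should be handled."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    detail = event["detail"]
    purpose = detail["type"].split(":", 1)[0]
    label = severity_label(float(detail["severity"]))
    action = PLAYBOOK_BY_PURPOSE.get(purpose, "notify-only")
    # Automate containment only for HIGH findings; lower severities go to an analyst.
    if label != "HIGH" and action != "notify-only":
        action = "ticket-for-review"
    return {"id": detail["id"], "type": detail["type"], "severity": label,
            "target": affected_resource(detail.get("resource", {})), "action": action}

def lambda_handler(event, context=None):
    return triage_finding(event)

# Constructed sample events in the shape EventBridge uses for GuardDuty findings.
CRYPTO_MINING_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"id": "finding-id-placeholder-1",
               "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 8.0,
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}},
}
SUSPICIOUS_KEY_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"id": "finding-id-placeholder-2",
               "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller", "severity": 5.0,
               "resource": {"resourceType": "AccessKey",
                            "accessKeyDetails": {"accessKeyId": "AKIAEXAMPLEPLACEHOLDER"}}},
}

if __name__ == "__main__":
    for evt in (CRYPTO_MINING_EVENT, SUSPICIOUS_KEY_EVENT):
        print(lambda_handler(evt))
```

In a real deployment the handler would be subscribed to an EventBridge rule on the `aws.guardduty` source and the chosen playbook would call the relevant EC2 or IAM API.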
AWS WAF
AWS WAF is a versatile, customer-configured web application firewall that secures web applications and APIs against threats like SQL injection and cross-site scripting by enabling customizable rules based on IP addresses, HTTP headers, and URIs.
It integrates seamlessly with AWS services such as CloudFront and API Gateway, offering detailed insights through metrics and logging, and allows for tailored security policies to effectively manage web requests.
AWS WAF key use cases include:
Web Application and API protection
Shields applications and APIs on Amazon CloudFront, ALB, API Gateway, and AppSync from attacks like SQL injection, cross-site scripting (XSS), and file inclusion.
Restricts API access with WAF rules, API keys, and throttling to prevent excessive traffic from the same source (DDoS protection).
Identifies and blocks automated web bot requests.
Traffic Filtering Rules
Enables rule creation for allowing, blocking, or counting requests based on IP addresses, HTTP headers, URI strings, and HTTP body contents.
Geographical and IP range blocking
Allows or blocks traffic based on geographic location, such as traffic from specific countries or IP ranges, to mitigate threats from known bad actors.
Port and Protocol Enforcement
Enforces security policies by allowing traffic only on designated ports and supported protocols.
Real-Time Monitoring and Logging
Monitors web requests for anomalies and potential attacks, with integrations for automated responses via CloudWatch and Lambda.
AWS Shield
AWS Shield is a managed DDoS protection service from AWS, designed to protect applications on resources such as EC2, ELB, CloudFront, and Route 53. It offers two tiers: Standard and Advanced.
Shield Standard, included with AWS services at no extra cost, provides basic defense against common DDoS attacks such as SYN/UDP floods.
Shield Advanced, a paid option, offers enhanced protection against more complex attacks, including layer 7 attacks, with features like real-time attack visibility, automated mitigation, and cost protection against increased usage during attacks. It also includes 24/7 support from the AWS DDoS Response Team and integrates with AWS WAF for added application layer security.
AWS Shield key use cases include:
Web Application and API Protection
Shields applications and APIs on AWS services like CloudFront, ALB, and Global Accelerator against volumetric and sophisticated layer 7 DDoS attacks.
Safeguard for TCP/UDP Applications
Protects TCP- and UDP-based applications on EC2 from attacks that could overwhelm network resources.
Gaming Server and Intensive workload defense
Secures gaming servers and high-demand workloads on EC2 from traffic-heavy attacks aimed at disrupting service.
24/7 DDoS Response Team Access
Offers round-the-clock access to a DDoS response team with Shield Advanced for proactive threat response.
Real-time Traffic Monitoring
Includes continuous traffic surveillance for immediate detection and mitigation of DDoS threats.
Multi-layered Protection Strategy
Integrates with AWS WAF and Global Accelerator, providing comprehensive defense against both network and application layer attacks.
DDoS Cost Protection
Shield Advanced includes financial safeguards to help manage unexpected costs from traffic spikes during major attacks.
Compliance and Security Assurance
Assists in meeting cybersecurity regulatory requirements, especially for public-facing resources.
Some key differences related to AWS WAF:
AWS WAF focuses only on layer 7 (application layer) attacks and exploits, while AWS Shield protects against both layer 3-4 and layer 7 attacks.
AWS WAF rules are configured by the customer to allow, block or monitor specific traffic patterns. AWS Shield provides automatic detection and mitigation of DDoS attacks.
AWS Network Firewall
AWS Network Firewall is a managed service from Amazon Web Services (AWS) that provides easy-to-deploy network protection for Amazon Virtual Private Clouds (VPCs).
It is set up with minimal effort and scales automatically with network traffic, eliminating the need for infrastructure management. This service offers extensive customization and control over the traffic to and from a VPC, ensuring robust security within the AWS environment.
AWS Network Firewall key use cases include:
Traffic Filtering
Controls and monitors traffic in and out of VPC subnets based on security policies.
Blocking Malicious Traffic
Filters harmful traffic using threat intelligence feeds to identify bad IP addresses or domains.
Unified Policy Enforcement
AWS Firewall Manager enforces security policies across multiple VPCs and accounts.
Secure Traffic Management
Inspects and filters traffic between VPCs, internet gateways, AWS Direct Connect, and VPNs.
Application Protection
Screens inbound internet traffic for threats and applies ACL rules and traffic pattern analysis.
Compliance and Data Leak Prevention
Filters unapproved outbound traffic to meet compliance and prevent data leaks.
Intrusion Prevention and Detection
Monitors network traffic to identify and block unauthorized access and cyber threats.
Web Filtering
Restricts access to specific websites and services in line with company policies.
Network Traffic Segmentation
Segregates traffic for different organizational parts, like separating development from production.
Protection Against Attacks
Guards against SQL injection, cross-site scripting, and other common attacks.
Centralized Security Management
Simplifies management of network security across various VPCs.
Customizable Rules
Allows creation of tailored rules for specific security needs.
Enhanced Monitoring and Logging
Integrates with Amazon CloudWatch for in-depth traffic analysis and security auditing.
Amazon Inspector
Amazon Inspector is an AWS service offering automated security assessments to enhance the security and compliance of applications on AWS. It continuously scans infrastructure and workloads for vulnerabilities, software misconfigurations, and network exposures, ensuring adherence to best practices.
Amazon Inspector key use cases include:
Vulnerability Management
Scans EC2 instances, Lambda functions, and container images to detect vulnerabilities and misconfigurations.
DevOps Integration
Automates security scans within build/test processes via the Inspector API, enhancing early issue detection.
Compliance Auditing
Regularly checks AWS resources against compliance standards and best practices.
Continuous Monitoring
Monitors system behavior and configurations over time for comprehensive resource visibility.
Centralized Management
Consolidates findings in the AWS console or integrates with services like Security Hub for a unified security view.
Prioritization of Remediation
Applies attributes to findings for tracking status and severity, aiding in efficient resolution of critical issues.
Risk Assessment
Evaluates and prioritizes risks from identified vulnerabilities for targeted remediation.
Network Exposure Analysis
Assesses AWS resource network exposure to prevent unintended external access.
Amazon Cognito
Amazon Cognito, an AWS service, streamlines user sign-up, sign-in, and access management for web and mobile apps. It combines a user directory, authentication server, and an authorization service, supporting OAuth 2.0 tokens and AWS credentials. Cognito facilitates user authentication and authorization from its own user directory, enterprise directories, and external identity providers like Google, Apple and Facebook.
Amazon Cognito key use cases include:
Scalable User Directory
It provides a scalable and secure user directory to handle applications with millions of users.
User Pool Authentication
Allows direct sign-in or federation through third-party identity providers (IdPs) like Facebook, Google, and enterprise directories.
Token Management
Manages tokens from social sign-ins and federated IdPs, with a user directory for all members.
Access to AWS Services
Users can obtain temporary AWS credentials to access services like Amazon S3 and DynamoDB, supporting both authenticated and guest users.
Server-Side Resource Access
Use tokens from user pool sign-ins to control access to server-side resources, with group-based permission management.
API Gateway Integration
Authenticate user access to APIs via API Gateway, validating tokens and controlling permissions with user pool groups.
AWS Service Access via Identity Pools
Exchange user pool tokens for temporary access to various AWS services.
Third-Party IdP Integration
Access AWS services using tokens from third-party IdPs via identity pools.
Guest User Access
Cognito allows for the creation of temporary, limited-privilege credentials for guest users, enabling unauthenticated access with controlled permissions.
AWS AppSync Access (GraphQL API)
Use tokens for AWS AppSync resource access, with options for both user pool and IAM credentials authentication.
Amazon Detective
Amazon Detective is an AWS service that streamlines the analysis and investigation of security incidents in your AWS environment, aiding in quickly identifying their root causes.
This service is tailored for efficiently uncovering and addressing suspicious activities or security findings within AWS.
Amazon Detective key use cases include:
Security Incident Analysis
Quickly determines the root cause and scope of incidents, like unauthorized access or malware infections, by analyzing findings from services like GuardDuty and Security Hub.
Compliance Monitoring
Aids in adhering to regulations like PCI DSS, offering visibility into user activities and detecting non-compliant behaviors.
Threat Hunting
Empowers security teams to proactively search for threats or suspicious behaviors using analytical graphs and activity data.
Cloud Infrastructure Troubleshooting
Diagnoses issues with AWS resources, such as EC2 or Lambda functions, by examining related events and interactions.
Cloud Usage Optimization
Identifies unused resources and abnormal traffic patterns to optimize AWS costs.
Fraud Detection
Uses machine learning and traffic pattern visualization to detect fraudulent activities on websites and apps.
User Behavior Analysis
Analyzes user activities to detect anomalies, helping identify insider threats or compromised accounts.
Network Activity Monitoring
Monitors and analyzes network traffic to identify threats like port scanning or data exfiltration.
Integration with AWS Security Services
Complements other AWS security services for a more comprehensive security overview.
Forensic Analysis
Aids in forensic investigations post-security breach by tracing actions and changes in the environment.
AWS Certificate Manager
AWS Certificate Manager (ACM) is an Amazon Web Services tool that streamlines the handling of SSL/TLS certificates for AWS services and internal resources. It automates key tasks such as issuing, renewing, and revoking certificates, facilitating their deployment for services like Elastic Load Balancing, Amazon CloudFront, and API Gateway. ACM is designed to secure network communications and verify website identities on the internet.
AWS Certificate Manager key use cases include:
HTTPS for AWS Services
Enables SSL/TLS certificates for AWS services supporting HTTPS, such as Elastic Load Balancing, Amazon CloudFront, and Amazon API Gateway.
Securing Custom Domains
Provides certificates for HTTPS on custom domains within AWS, including websites on S3 or applications behind Load Balancers.
Automated Certificate Renewals
Manages automatic renewals of certificates to ensure continuous, secure access without manual intervention.
Centralized Certificate Management
Offers a single console for managing all ACM certificates, both self-issued and third-party imports.
AWS Service Integrations
Simplifies provisioning of certificates to AWS services like load balancers and API Gateway.
Web Application Security
Secures web applications and websites hosted on AWS services with SSL/TLS certificates.
Private CA Management
Facilitates the creation and management of a private Certificate Authority for internal applications and resources.
Internal Communication Security
Secures data in transit within AWS, between microservices, and from applications to databases.
Compliance and Trust Enhancement
Helps meet compliance standards and boosts user trust by enabling SSL/TLS.
Load Balancer Security
Secures communication between Elastic Load Balancing and clients.
API Endpoint Security
Provides secure, encrypted API communications on Amazon API Gateway.
Content Delivery Encryption
Works with Amazon CloudFront to encrypt content delivery to end-users.
Amazon Macie
Amazon Macie is a data security and privacy service from AWS that employs machine learning and pattern matching to identify, classify, and safeguard sensitive data within AWS.
Amazon Macie key use cases include:
Sensitive Data Discovery
Automatically scans S3 bucket contents to detect and classify sensitive data, such as personal information and credit card numbers.
S3 Bucket Monitoring
Monitors S3 buckets for changes in access control or configurations that might lead to data leaks, generating findings for review and remediation.
Data Inventory and Visibility
Provides a centralized view of all data in S3 across multiple accounts, aiding in compliance and sensitive data management.
Automated Data Protection
Integrates with services like Amazon S3 Block Public Access to automatically protect sensitive data in S3 buckets from public exposure.
Custom Scans and Policy Enforcement
Conducts targeted or recurring scans of S3 buckets to detect policy violations and custom identifiers set by users, enhancing security posture.
AWS Security Hub
AWS Security Hub is an AWS service that centralizes security and compliance monitoring, consolidating alerts and findings from AWS accounts, services, and third-party solutions into a unified view of security posture across AWS environments.
AWS Security Hub key use cases include:
Centralized Security Management
Manages security across AWS environments by collecting data from AWS services like GuardDuty, Inspector, Macie, and third-party tools.
Threat and Vulnerability Visibility
Provides a unified view of threats and vulnerabilities, consolidating findings in one place.
Prioritization of Security Issues
Standardizes and prioritizes findings to highlight high-risk security issues and compliance violations.
Compliance Monitoring
Continuously assesses compliance with standards like CIS benchmarks and PCI-DSS, offering clear compliance status insights.
Automated Remediation
Features automation rules and Amazon EventBridge integration for efficient remediation across multiple accounts.
Operational Integration
Integrates with services like Systems Manager for combined investigation and resolution of security and operational issues.
Automated Security Checks
Proactively identifies potential security issues through automated checks against industry standards.
Incident Investigation and Response
Aids in investigating security incidents and automates responses to threats.
Anomaly Detection and Alerts
Detects and alerts on unusual activities, assisting in early threat detection.
Cross-Account Security
Provides a consolidated security view across multiple AWS accounts, ideal for complex organizational structures.
Third-Party Security Integration
Extends capabilities by integrating with a range of third-party security solutions.
Continuous Security Assessment
Ensures ongoing effectiveness of security measures through continuous assessment.
Custom Insights and Dashboards
Offers customizable insights and dashboards for focused security monitoring.
AWS Key Management Service
AWS Key Management Service (KMS) is a secure and resilient AWS service that simplifies the creation and management of encryption keys used for data encryption.
AWS Key Management Service key use cases include:
AWS Data Encryption in transit and at rest
Enables encrypting data moving between applications, services, and devices.
Provides encryption for data stored in AWS services like S3, EBS, and Redshift using customer-managed keys and KMS-managed keys.
Data in Transit Encryption
Encrypts data in transit with KMS-managed keys.
Digital Signature
Facilitates digital signing of code, documents, or assets to ensure authenticity and detect tampering.
Message Authentication
Supports strong message authentication and integrity verification using HMACs and CMACs.
Compliance with Regulations
Meets compliance requirements using FIPS 140-2 validated HSMs and auditing key usage via AWS CloudTrail.
Encryption Workflow Management
Manages encryption workflows programmatically through KMS APIs or SDKs, including key generation, encryption, decryption, and rotation.
Access Control
Controls who can access encrypted data by managing key usage permissions.
Multi-Region Encryption
Ensures consistent encryption practices across multiple AWS regions through key replication.
AWS Service Integration
Seamlessly integrates with AWS services for efficient encryption and decryption.
Secure Key Storage
Safely stores encryption keys using AWS CloudHSM-integrated FIPS 140-2 validated HSMs.
Custom Key Management
Allows organizations to create and manage their own encryption keys for specific needs.
AWS Resource Access Manager (RAM)
AWS Resource Access Manager (RAM) is an AWS service that facilitates the secure and easy sharing of AWS resources across different AWS accounts within an organization, streamlining resource sharing and management.
AWS Resource Access Manager key use cases include:
Cross-Account Resource Sharing
Shares AWS resources like VPCs, subnets, and security groups across multiple accounts within an organization, reducing duplication and simplifying permission management.
Cross-Account Access to Resources
Enables access to resources such as S3 buckets across accounts using IAM roles and users.
Streamlined Access Management
Manages access to resources needed by multiple accounts through resource groups and attached policies.
Integration with AWS Organizations
Facilitates resource sharing within organizational units (OUs) or specific accounts in an organization.
Compliance and Centralized Permissions Management
Manages permissions centrally for shared resources and audits access via AWS CloudTrail for compliance.
Programmatic Cross-Account Access Management
Utilizes AWS CLI or SDKs for creating, attaching, and detaching permissions to shared resources.
AWS Secrets Manager
AWS Secrets Manager is an AWS service that securely stores, manages, and retrieves secrets like tokens, passwords, certificates, API keys, and database credentials, offering tight access control without the need for extensive infrastructure investment and maintenance.
AWS Secrets Manager key use cases include:
Centralized Secrets Storage
Store sensitive data centrally, including database credentials, API keys, and passwords, to avoid hardcoding secrets in code.
Automated Rotation
Automatically rotate secrets, such as database credentials, on a schedule to enhance security without code changes.
Dynamic Secret Retrieval
Allow applications to retrieve secrets dynamically at runtime, simplifying secret management.
Integration with AWS Services
Securely provide secrets to services like RDS, Redshift, and ECS, enabling automatic credential rotation.
Access Control
Control access to secrets using IAM policies, ensuring only authorized users and applications can access them.
Encryption at Rest
Encrypt secrets at rest using customer-managed keys in AWS Key Management Service (KMS) for added security.
Auditing Access
Audit access to secrets through integration with services like AWS CloudTrail, ensuring compliance.
Centralized Secret Management
Centrally manage secrets for applications and services, simplifying access control and tracking.
Application Credential Management
Provide credentials to applications at runtime to avoid hard-coding sensitive data.
Disaster Recovery
Replicate secrets across AWS regions to support disaster recovery and high availability.
Secure Configuration Management
Manage configuration data securely for applications and IT resources, especially in automated deployment and CI/CD scenarios.
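The automated rotation and dynamic retrieval use cases above imply a client-side pattern: cache the AWSCURRENT secret value, and when the cached credential is rejected, re-read the secret once and retry, because a rotation has likely just happened. The following is an added example, not AWS or page code; FakeSecretsManager and FakeDatabase are constructed stand-ins so it runs offline, and with boto3 the same cache would call client.get_secret_value(SecretId=...)["SecretString"].

```python
import json
import time

# Added example (not AWS code). The Fake* classes are constructed stand-ins for
# the Secrets Manager client and a database driver; the secret name is made up.

class FakeSecretsManager:
    """Keeps AWSCURRENT / AWSPREVIOUS versions the way Secrets Manager labels them."""
    def __init__(self, secret_id: str, secret_string: str):
        self.versions = {secret_id: {"AWSCURRENT": secret_string, "AWSPREVIOUS": None}}
        self.calls = 0  # how many times the "API" was hit

    def get_secret_value(self, SecretId: str, VersionStage: str = "AWSCURRENT") -> dict:
        self.calls += 1
        return {"SecretString": self.versions[SecretId][VersionStage]}

    def rotate(self, secret_id: str, new_secret_string: str) -> None:
        v = self.versions[secret_id]
        v["AWSPREVIOUS"], v["AWSCURRENT"] = v["AWSCURRENT"], new_secret_string

class FakeDatabase:
    """Accepts only the password currently configured on the server side."""
    def __init__(self, password: str):
        self.password = password

    def connect(self, secret_string: str) -> str:
        creds = json.loads(secret_string)
        if creds["password"] != self.password:
            raise PermissionError("authentication failed")
        return f"session:{creds['username']}"

class SecretCache:
    """Caches the AWSCURRENT value with a TTL; force_refresh re-reads after rotation."""
    def __init__(self, client, ttl_seconds: float = 300.0, clock=time.monotonic):
        self._client, self._ttl, self._clock = client, ttl_seconds, clock
        self._entries = {}  # secret_id -> (secret_string, fetched_at)

    def get(self, secret_id: str, force_refresh: bool = False) -> str:
        entry = self._entries.get(secret_id)
        stale = entry is None or self._clock() - entry[1] >= self._ttl
        if stale or force_refresh:
            value = self._client.get_secret_value(SecretId=secret_id)["SecretString"]
            self._entries[secret_id] = (value, self._clock())
            return value
        return entry[0]

def connect_with_rotation_retry(cache: SecretCache, secret_id: str, db: FakeDatabase) -> str:
    """Use the cached credential; if rejected, assume a rotation happened,
    refresh once from Secrets Manager and retry. A second failure propagates."""
    try:
        return db.connect(cache.get(secret_id))
    except PermissionError:
        return db.connect(cache.get(secret_id, force_refresh=True))

def demo() -> dict:
    """Walk through a rotation: the cached credential fails once, the refresh recovers."""
    secret_id = "prod/app/db"  # constructed secret name
    sm = FakeSecretsManager(secret_id, json.dumps({"username": "app", "password": "v1"}))
    db = FakeDatabase("v1")
    cache = SecretCache(sm)
    first = connect_with_rotation_retry(cache, secret_id, db)
    calls_after_first = sm.calls
    # Secrets Manager rotates the secret and the database now expects the new password.
    sm.rotate(secret_id, json.dumps({"username": "app", "password": "v2"}))
    db.password = "v2"
    second = connect_with_rotation_retry(cache, secret_id, db)
    return {"first": first, "second": second,
            "calls_after_first": calls_after_first, "calls_total": sm.calls}
```

Note that the retry reads the secret only once, so a genuinely wrong credential still fails rather than looping against the API.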