Appendix: AWS security, identity, and compliance services - AWS Prescriptive Guidance

As an introduction or a refresher, see the Security, Identity, and Compliance on AWS webpage for a list of the AWS services that are aligned with the security perspective of the AWS Cloud Adoption Framework (AWS CAF). Within this perspective, the AWS CAF outlines five core programmatic epics for properly managing AWS Cloud security: identity and access management, detective controls, infrastructure security, data protection, and incident response. In addition to the epics, AWS offers services that help you determine your compliance status.

Identity and access management – AWS identity services enable you to securely manage identities, resources, and permissions at scale.

  • IAM – Securely control access to AWS services and resources.

  • AWS SSO (now AWS IAM Identity Center) – Centrally manage single sign-on access to multiple AWS accounts and business applications.

  • Amazon Cognito – Add user sign-up, sign-in, and access control to your web and mobile applications.

  • AWS Directory Service – Use managed Microsoft Active Directory in the AWS Cloud.

  • AWS Resource Access Manager – Share AWS resources simply and securely.

  • AWS Organizations – Implement policy-based management for multiple AWS accounts.

Detective controls – AWS monitoring and detection services provide the visibility you need to identify potential security incidents within your AWS environment.

  • AWS Security Hub – View and manage security alerts and automate compliance checks from a central location.

  • Amazon GuardDuty – Protect your AWS accounts and workloads with intelligent threat detection and continuous monitoring.

  • Amazon Inspector – Automate security assessments to help improve the security and compliance of your applications that are deployed on AWS.

  • AWS Config – Record and evaluate the configurations of your AWS resources to enable compliance auditing, resource change tracking, and security analysis.

  • AWS CloudTrail – Track user activity and API usage to enable governance, compliance, and operational and risk auditing of your AWS account.
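CloudTrail records are only a detective control if something evaluates them. The following added example (not code from the AWS page) runs three common first-line detections over a CloudTrail log file: use of the root user, a console sign-in that succeeded without MFA, and a successful privilege-affecting IAM call. The record shapes follow the CloudTrail event format; the list of "privilege-affecting" IAM calls and the sample records are constructed for this example.

```python
"""Added example: a minimal detective control over CloudTrail records.

The detections cover root credential use, console sign-in without MFA, and
IAM calls that grant or extend privileges. PRIVILEGE_EVENTS is an assumption
for this example (not an AWS-defined set); SAMPLE_LOG is constructed data.
"""
import json
from dataclasses import dataclass

# Assumed starting list of IAM write calls that change who can do what.
PRIVILEGE_EVENTS = {
    "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy",
    "CreateAccessKey", "UpdateAssumeRolePolicy", "CreateLoginProfile",
}


@dataclass(frozen=True)
class Finding:
    rule: str
    event_name: str
    principal: str
    source_ip: str
    time: str


def _principal(rec):
    ident = rec.get("userIdentity", {})
    return ident.get("arn") or ident.get("type", "unknown")


def evaluate(rec):
    """Return the list of Findings raised by one CloudTrail record."""
    findings = []
    ident = rec.get("userIdentity", {})
    name = rec.get("eventName", "")
    base = dict(event_name=name, principal=_principal(rec),
                source_ip=rec.get("sourceIPAddress", ""),
                time=rec.get("eventTime", ""))
    # 1. Any direct root activity (invokedBy is set when an AWS service acts on the account's behalf).
    if ident.get("type") == "Root" and not ident.get("invokedBy"):
        findings.append(Finding("root-activity", **base))
    # 2. Successful console sign-in where CloudTrail did not record MFA use.
    if (name == "ConsoleLogin"
            and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        findings.append(Finding("console-login-no-mfa", **base))
    # 3. Privilege-changing IAM call that succeeded (denied calls carry errorCode).
    if (rec.get("eventSource") == "iam.amazonaws.com"
            and name in PRIVILEGE_EVENTS and "errorCode" not in rec):
        findings.append(Finding("iam-privilege-change", **base))
    return findings


def scan_log(log_text):
    """Scan one CloudTrail log file (JSON object with a 'Records' array)."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        findings.extend(evaluate(rec))
    return findings


# Constructed sample log: root console login with MFA, user login without MFA,
# a successful AttachUserPolicy, a denied one, and a benign read-only call.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-10T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-01-10T08:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-01-10T08:10:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/bob"}},
    {"eventTime": "2024-01-10T08:11:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.9",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/carol"}},
    {"eventTime": "2024-01-10T08:12:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/carol"}},
]})

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.time} {f.rule:24} {f.principal} from {f.source_ip} ({f.event_name})")
```

In production this logic would sit behind CloudTrail delivery to S3 or CloudWatch Logs (or be replaced by the managed equivalents in GuardDuty and Security Hub); the point of the example is the record fields a detection has to key on and the denied-versus-succeeded distinction that `errorCode` carries.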

Infrastructure security – AWS network and application protection services enable you to enforce fine-grained security policy at network control points across your AWS organization.

  • AWS Shield – Safeguard your web applications running on AWS with managed DDoS protection.

  • AWS WAF – Protect your web applications from common web exploits and ensure availability and security.

  • AWS Firewall Manager – Configure and manage AWS WAF rules across AWS accounts and applications from a central location.

  • AWS Systems Manager – Easily configure and manage Amazon EC2 and on-premises systems to apply OS patches, create secure system images, and configure secure operating systems.

  • Amazon VPC – Provision a logically isolated section of AWS where you can launch AWS resources in a virtual network that you define.

  • AWS Network Firewall – Easily deploy essential network protections for all your VPCs.

Data protection – AWS provides services that help you protect your data, accounts, and workloads from unauthorized access.

  • Amazon Macie – Discover, classify, and protect sensitive data with machine learning-powered security features.

  • AWS KMS – Easily create and control the keys used to encrypt your data.

  • AWS CloudHSM – Manage your hardware security modules (HSMs) in the AWS Cloud.

  • AWS Certificate Manager – Easily provision, manage, and deploy SSL/TLS certificates for use with AWS services.

  • AWS Secrets Manager – Easily rotate, manage, and retrieve database credentials, API keys, and other secrets through their lifecycle.

Incident response – Once monitoring has surfaced a potential incident, AWS provides services that help you investigate its root cause and automate the response in your cloud environment.

  • Amazon Detective – Analyze and visualize security data to rapidly get to the root cause of potential security issues.

  • AWS Config Rules – Evaluate resource configurations against rules and, with remediation actions attached, automatically respond to noncompliant changes in your environment, such as isolating resources, enriching events with additional data, or restoring a configuration to a known good state.

  • AWS Lambda – Run code without provisioning or managing servers so you can scale your programmed, automated response to incidents.
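An automated response typically wires a GuardDuty finding through EventBridge into a Lambda function. The following added example (not code from the AWS page) is a Lambda-style handler that contains an EC2 instance named in a high-severity finding by replacing its security groups with a quarantine group and tagging it with the original groups for later restoration. The quarantine group ID, severity threshold and tag names are assumptions; the EC2 client is passed in so the logic runs here against a fake, and only a real Lambda deployment needs boto3.

```python
"""Added example: Lambda-style containment of an EC2 instance from a GuardDuty finding.

Assumptions for the example: QUARANTINE_SG is a pre-created security group with
no inbound or outbound rules, findings at severity >= 7.0 (GuardDuty "High")
warrant isolation, and the tag names are local conventions. FakeEC2 and
SAMPLE_FINDING are constructed so the handler can be exercised offline.
"""
import os

QUARANTINE_SG = os.environ.get("QUARANTINE_SG", "sg-0123456789abcdef0")  # assumed value
SEVERITY_THRESHOLD = float(os.environ.get("SEVERITY_THRESHOLD", "7.0"))


def extract_instance(event):
    """Return the instance ID for an EC2-scoped GuardDuty finding, else None."""
    resource = event.get("detail", {}).get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None
    return resource.get("instanceDetails", {}).get("instanceId")


def should_isolate(event):
    severity = float(event.get("detail", {}).get("severity", 0))
    return extract_instance(event) is not None and severity >= SEVERITY_THRESHOLD


def isolate(instance_id, finding_id, ec2):
    """Swap the instance's security groups for the quarantine group; idempotent."""
    desc = ec2.describe_instances(InstanceIds=[instance_id])
    inst = desc["Reservations"][0]["Instances"][0]
    original = [g["GroupId"] for g in inst.get("SecurityGroups", [])]
    if original == [QUARANTINE_SG]:
        return {"instance": instance_id, "action": "already-quarantined"}
    # Replace (not append) the group list so existing rules no longer apply.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG])
    # Record what was there so a responder can restore connectivity after triage.
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": "Quarantined", "Value": "true"},
        {"Key": "QuarantineFindingId", "Value": finding_id},
        {"Key": "OriginalSecurityGroups", "Value": ",".join(original)},
    ])
    return {"instance": instance_id, "action": "isolated", "original_groups": original}


def lambda_handler(event, context=None, ec2=None):
    """Entry point for an EventBridge rule matching source aws.guardduty."""
    if not should_isolate(event):
        return {"action": "ignored"}
    if ec2 is None:
        import boto3  # only required when running inside Lambda
        ec2 = boto3.client("ec2")
    return isolate(extract_instance(event), event["detail"].get("id", ""), ec2)


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client that records the calls made."""

    def __init__(self, groups):
        self.groups = list(groups)
        self.calls = []

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [
            {"InstanceId": InstanceIds[0],
             "SecurityGroups": [{"GroupId": g} for g in self.groups]}]}]}

    def modify_instance_attribute(self, InstanceId, Groups):
        self.calls.append(("modify", InstanceId, list(Groups)))
        self.groups = list(Groups)

    def create_tags(self, Resources, Tags):
        self.calls.append(("tag", list(Resources), Tags))


# Constructed EventBridge event carrying a GuardDuty finding (abbreviated fields).
SAMPLE_FINDING = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "account": "123456789012", "region": "us-east-1",
    "detail": {
        "id": "4ab1234567890abcdef1234567890abcd",
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 8,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0abc123def4567890"}},
    },
}

if __name__ == "__main__":
    fake = FakeEC2(["sg-0aaa", "sg-0bbb"])
    print(lambda_handler(SAMPLE_FINDING, ec2=fake))
    print(lambda_handler(SAMPLE_FINDING, ec2=fake))  # second run: already quarantined
```

The function's execution role needs only `ec2:DescribeInstances`, `ec2:ModifyInstanceAttribute` and `ec2:CreateTags`, ideally restricted by resource tag or account; the idempotency check matters because EventBridge delivers at least once.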

Compliance – AWS gives you a comprehensive view of your compliance status and continuously monitors your environment by using automated compliance checks based on the AWS best practices and industry standards your business follows.

  • AWS Artifact – No-cost, self-service portal that provides on-demand access to AWS security and compliance reports and select online agreements.

  • AWS Audit Manager – Continuously audits your AWS usage to simplify how you assess risk and compliance with regulations and industry standards.