Decision tree for adopting an AWS security service - AWS Prescriptive Guidance

The following image shows a decision tree that you can use to evaluate whether your organization should adopt an AWS security service. The decision tree is divided into two sections: Company context and AWS security service evaluation. The first section, Company context, is designed to evaluate your current control or solution, if it exists. You proceed to the second section, AWS security service evaluation, if you don't have a current solution or if your current control or solution doesn't meet your business or technical requirements. In the AWS security service evaluation section, you determine whether the AWS service meets those requirements.

[Figure: Decision tree for adopting an AWS security service]

Company context for evaluating a current security control or solution

In this section, you evaluate your current control or solution to make sure that it meets your organization's business and technical requirements. If you don't have a control or solution in place, you should evaluate the AWS security service and skip directly to the AWS security service evaluation section.

1.1 Is a compliance, security, or privacy mandate not being met?

Organizations are under the scope of laws and regulations regarding data security and privacy. Any violations of these mandates can result in severe consequences. If your company is unable to meet a compliance, security, or privacy requirement, you should evaluate the AWS security service.

1.2 Do you have high risks (above appetite) that are not addressed?

Risk appetite refers to the amount and type of risk that an organization is willing to take in order to meet its strategic objectives. If your current solution (or the absence of one) is not mitigating risks to an acceptable level, you should evaluate the AWS security service.

1.3 Do you have a manual or error-prone solution?

Solutions that require manual steps or human interaction are more error prone. Inconsistency, low data reliability, noncompliant assets, and lack of scalability are common in these scenarios. Automated controls are fundamentally important for IT systems and workloads. If your current solution does not support full automation, you should evaluate the AWS security service.

1.4 Do you face management, agility, or scalability issues?

It is important to identify any problems related to managing the current solution. Examples include a lack of compatibility when managing different assets, a solution that does not cover all devices, errors and disruptions during updates, and a negative performance impact in production. The solution must offer agility so that teams can innovate from a strong security posture, and it must support scalability so that the business can grow exponentially. If you have any management, availability, or scaling issues, you should evaluate the AWS security service.

1.5 Do you have a higher total cost of ownership (TCO) than your industry segment?

You can compare your costs to market benchmarks for your industry segment from research institutes. As a baseline, it's common to invest 6–14% of an IT budget in cybersecurity, with an average of 10%. Another point of comparison could be your internal tools that cover the same number of assets to be protected. If you have a high TCO and want to reduce costs, you should evaluate the AWS security service.

AWS security service evaluation

A proof of technology (POT) is similar to a proof of concept. The goal of a POT is to determine whether a potential solution to a technical problem is viable. For example, you might use a POT to prove that a specific configuration can achieve a certain outcome. In this section, you use a POT to evaluate and demonstrate whether a given AWS security service meets your business and technical requirements.

2.1 Does the AWS security service address your compliance, security, or privacy mandates?

The AWS security service must address any compliance, security, and privacy mandates that the current solution does not address. You can find AWS certifications and reports for security and compliance in AWS Artifact. In addition, you can use the AWS service documentation for coverage validation.

2.2 Does the AWS security service help mitigate risk?

Risk management is a key factor to help protect companies against many threats. The decision to adopt a service might be directly connected with mitigating one or more high risks in your organization. The AWS security service must mitigate the risk to an acceptable level, based on your risk appetite and business context.

2.3 Does the POT show effectiveness of the security service?

The effectiveness of the AWS security service must be demonstrated through a POT, using metrics appropriate to each security service. For example, the POT might validate that the service can detect and respond to security threats quickly through a threat intelligence algorithm. You might evaluate success by confirming that threats were detected within minutes and that automated notifications and remediations ran successfully. For a vulnerability management service, you might evaluate effectiveness based on the following:

  • How many vulnerabilities were detected?

  • What is the success rate of applying patches and updates?

  • For web protection, were cross-site scripting (XSS) and SQL-injection attacks performed by the offensive security team (also known as the red team) immediately blocked?

AWS Professional Services and AWS Partners can support you in this POT evaluation.

2.4 Is the TCO lower than the current control or solution?

Lower TCO can help you optimize costs in your organization. Some common metrics used in these comparisons are: acquisition and implementation costs, fixed and variable expenses, operation costs, maintenance and support costs, expansion and reliability costs, and training costs. There are other cost measurements and comparisons that you can perform based on your specific use case. The AWS Pricing Calculator can help you estimate costs for AWS services.

2.5 Trade-off decision

Sometimes, it can be difficult to accurately calculate the TCO or determine whether your current control or solution meets your business and technical requirements better than the AWS service. In this case, you need to make a trade-off decision: weigh all of the information you have to determine whether the overall balance is positive or negative. To help you make this decision, one approach is to use the Free AWS Cloud Security Trials and then monitor the costs during the trial period.

© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.