Amazon AWS Security

Security Groups and Network ACLs

Security groups and network ACLs are configured within your VPC and are what AWS provides to tenants as a static firewall. They are adequate for public web servers where there are no security compliance requirements. Typically companies will also deploy Cisco ASA firewall virtual appliances to provide the same level of perimeter security as their private data centers.
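The practical difference between the two VPC filters is statefulness, which the paragraph above does not spell out: a security group tracks connections and only expresses allow rules, while a network ACL is stateless, numbered, and ends in an implicit deny, so reply traffic needs its own ephemeral-port rule. The evaluator below is an added illustration, not AWS code; the rule model, the connection-tracking table and the sample packets and CIDRs are constructed assumptions.

```python
"""Evaluator for the two VPC packet filters (added illustrative code, not AWS's).

Assumptions not taken from the page: a security group is modelled as a stateful
allow-only list with connection tracking; a network ACL as a stateless, numbered
rule list evaluated lowest-number-first with an implicit final deny. Rules and
packets below are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    direction: str   # "inbound" or "outbound", relative to the instance/subnet
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rule number (evaluated ascending); unused by security groups
    direction: str
    proto: str       # "tcp", "udp" or "all"
    cidr: str        # remote CIDR: source for inbound rules, destination for outbound
    port_from: int   # port range applies to the packet's destination port
    port_to: int
    action: str = "allow"   # "allow" or "deny"; security groups can only express "allow"


def _matches(rule, pkt):
    if rule.direction != pkt.direction or rule.proto not in (pkt.proto, "all"):
        return False
    remote_ip = pkt.src_ip if pkt.direction == "inbound" else pkt.dst_ip
    return (ip_address(remote_ip) in ip_network(rule.cidr)
            and rule.port_from <= pkt.dst_port <= rule.port_to)


class SecurityGroup:
    """Stateful: once a flow is allowed, its return traffic is allowed automatically."""

    def __init__(self, rules):
        self.rules = [r for r in rules if r.action == "allow"]
        self._flows = set()   # connection-tracking table: (proto, src, sport, dst, dport)

    def evaluate(self, pkt):
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self._flows:
            return "allow"   # reply to a tracked flow, no rule needed
        if any(_matches(r, pkt) for r in self.rules):
            self._flows.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        return "deny"        # implicit deny: nothing matched


class NetworkACL:
    """Stateless: every packet, replies included, must match an explicit rule."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, pkt):
        for r in self.rules:
            if _matches(r, pkt):
                return r.action   # first matching rule wins
        return "deny"             # the implicit final "*" deny rule


# Constructed scenario: web server 10.0.1.10 serving HTTP to client 203.0.113.5
REQUEST = Packet("inbound", "tcp", "203.0.113.5", 51515, "10.0.1.10", 80)
REPLY = Packet("outbound", "tcp", "10.0.1.10", 80, "203.0.113.5", 51515)
BLOCKED = Packet("inbound", "tcp", "198.51.100.7", 40000, "10.0.1.10", 80)

HTTP_IN = Rule(100, "inbound", "tcp", "0.0.0.0/0", 80, 80)
EPHEMERAL_OUT = Rule(100, "outbound", "tcp", "0.0.0.0/0", 1024, 65535)
DENY_RANGE = Rule(50, "inbound", "tcp", "198.51.100.0/24", 0, 65535, "deny")


def security_group_verdicts():
    sg = SecurityGroup([HTTP_IN])
    return sg.evaluate(REQUEST), sg.evaluate(REPLY)        # ("allow", "allow")


def nacl_verdicts_missing_ephemeral_rule():
    nacl = NetworkACL([HTTP_IN])
    return nacl.evaluate(REQUEST), nacl.evaluate(REPLY)    # ("allow", "deny"): reply dropped


def nacl_verdicts_complete():
    nacl = NetworkACL([HTTP_IN, EPHEMERAL_OUT, DENY_RANGE])
    # Rule 50 (deny) is evaluated before rule 100 (allow) for the blocked range.
    return nacl.evaluate(REQUEST), nacl.evaluate(REPLY), nacl.evaluate(BLOCKED)


if __name__ == "__main__":
    print("security group:", security_group_verdicts())
    print("NACL without ephemeral rule:", nacl_verdicts_missing_ephemeral_rule())
    print("NACL complete:", nacl_verdicts_complete())
```

The second function reproduces the classic misconfiguration: an inbound allow on port 80 without an outbound allow for the ephemeral port range lets the request in but silently drops the server's reply at the NACL, something a security group never requires because it tracks the flow.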

Identity and Access Management (IAM)

Identity and Access Management (IAM) is the security schema that defines access to AWS resources for each tenant and its associated AWS account(s). Each tenant has multiple users that require different levels of access to AWS services. IAM defines users, groups and roles to create granular permissions based on access requirements. IAM is globally unified across the AWS cloud for a tenant account: the tenant does not have to create new roles, for instance, in each region or Availability Zone. Existing groups and roles can be assigned, modified or added as requirements change.
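How those granular permissions combine is the part worth seeing in code: a request is evaluated against every policy attached to the user and to the user's groups, an explicit Deny anywhere wins, otherwise some Allow must match, otherwise the request is implicitly denied. The evaluator below is an added example and not AWS's own evaluator; it handles only Effect, Action and Resource with `*` wildcards (no Condition, NotAction or NotResource), and the users, groups, policy documents and the 123456789012 account ID are constructed.

```python
"""Simplified IAM policy evaluation (added example; not AWS's own evaluator).

Implements the documented decision order: an explicit Deny in any applicable
policy wins, otherwise at least one Allow is required, otherwise the request is
implicitly denied. Only Effect, Action and Resource are handled (no Condition,
NotAction or NotResource); '*' wildcards are supported. Users, groups and policy
documents below are constructed, including the 123456789012 account ID.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value, ignore_case=False):
    # IAM matches actions case-insensitively and resource ARNs case-sensitively.
    # fnmatchcase also treats '[...]' as a character class; ARNs rarely contain it.
    if ignore_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatchcase(value, pattern)


def evaluate(policies, action, resource):
    """Return 'allow', 'explicit_deny' or 'implicit_deny' for one request."""
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            if not any(_glob(a, action, True) for a in _as_list(stmt.get("Action", []))):
                continue
            if not any(_glob(r, resource) for r in _as_list(stmt.get("Resource", []))):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"   # Deny overrides any Allow, wherever it sits
            allowed = True
    return "allow" if allowed else "implicit_deny"


# Constructed policies: one policy per group, plus an inline policy on a user.
GROUP_POLICIES = {
    "Developers": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"]}]}],
    "Auditors": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:ListAllMyBuckets"],
         "Resource": "*"}]}],
}
DENY_LOG_DELETION = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::app-logs/*"}]}

USERS = {
    "alice": {"groups": ["Developers"], "inline": [DENY_LOG_DELETION]},
    "bob": {"groups": ["Auditors"], "inline": []},
}


def authorize(user, action, resource):
    """Combine the user's inline policies with every group policy, then evaluate."""
    record = USERS[user]
    policies = list(record["inline"])
    for group in record["groups"]:
        policies.extend(GROUP_POLICIES[group])
    return evaluate(policies, action, resource)


if __name__ == "__main__":
    log = "arn:aws:s3:::app-logs/2024/app.log"
    inst = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
    print(authorize("alice", "s3:GetObject", log))           # allow
    print(authorize("alice", "s3:DeleteObject", log))        # explicit_deny
    print(authorize("alice", "ec2:StartInstances", inst))    # implicit_deny
    print(authorize("bob", "ec2:DescribeInstances", "*"))    # allow
    print(authorize("bob", "ec2:TerminateInstances", inst))  # implicit_deny
```

The `alice` case shows why a narrow Deny is the usual guard rail: her group grants `s3:*` on the log bucket, yet the inline Deny on `s3:DeleteObject` still wins, and the order in which the policies are attached makes no difference.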

GuardDuty

GuardDuty is a managed service that provides threat detection by monitoring your AWS infrastructure and application traffic. AWS uses information from threat intelligence feeds to detect attacks. It can detect attacker activity, unauthorized account deployments and suspicious API calls. When a threat is detected, GuardDuty sends you a detailed security alert.
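To make the two signal types named above concrete, the following is an added example of detection logic run over constructed CloudTrail-style events; it is not GuardDuty's own detector (those rules are not public). The threat list, thresholds, finding names and every event record are constructed for the demonstration.

```python
"""Detection logic over constructed CloudTrail-style events (added example; not
GuardDuty's detectors, whose rules are not public). Shows two of the signal
kinds the text describes: a source IP found on a threat-intelligence list, and
a burst of denied API calls from one principal. The threat list, thresholds,
finding names and events are all constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

THREAT_LIST = {"198.51.100.23"}       # constructed stand-in for a threat intel feed
DENIED_THRESHOLD = 3                  # constructed: 3 AccessDenied errors ...
WINDOW = timedelta(minutes=10)        # ... from one principal within 10 minutes


def _when(ev):
    return datetime.fromisoformat(ev["eventTime"])


def detect(events):
    """Return a list of findings, one per distinct signal, in event-time order."""
    findings = []
    reported_ti = set()
    denied = defaultdict(list)        # principal -> timestamps of recent AccessDenied
    for ev in sorted(events, key=_when):
        ip, user, ts = ev["sourceIPAddress"], ev["userIdentity"]["userName"], _when(ev)
        if ip in THREAT_LIST and (user, ip) not in reported_ti:
            reported_ti.add((user, ip))
            findings.append({"type": "ThreatIntelSourceIP", "severity": "HIGH",
                             "user": user, "ip": ip, "event": ev["eventName"]})
        if ev.get("errorCode") == "AccessDenied":
            recent = [t for t in denied[user] if ts - t < WINDOW] + [ts]
            denied[user] = recent
            if len(recent) == DENIED_THRESHOLD:   # fire once when the threshold is crossed
                findings.append({"type": "AccessDeniedBurst", "severity": "MEDIUM",
                                 "user": user, "ip": ip, "count": len(recent)})
    return findings


def _ev(time, name, user, ip, error=None):
    """Build a constructed event carrying a subset of CloudTrail record fields."""
    rec = {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
           "userIdentity": {"userName": user}}
    if error:
        rec["errorCode"] = error
    return rec


SAMPLE_EVENTS = [
    _ev("2024-05-01T10:00:00", "DescribeInstances", "alice", "203.0.113.5"),
    _ev("2024-05-01T10:01:00", "ListBuckets", "svc-deploy", "198.51.100.23"),
    _ev("2024-05-01T10:02:00", "CreateUser", "svc-deploy", "198.51.100.23", "AccessDenied"),
    _ev("2024-05-01T10:03:00", "AttachUserPolicy", "svc-deploy", "198.51.100.23", "AccessDenied"),
    _ev("2024-05-01T10:04:00", "GetSecretValue", "svc-deploy", "198.51.100.23", "AccessDenied"),
    _ev("2024-05-01T10:30:00", "PutObject", "alice", "203.0.113.5", "AccessDenied"),
]


def sample_findings():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

The single denied call by `alice` at 10:30 produces nothing, which is the point of the window: isolated permission errors are routine, while three in a few minutes from a service principal that is also talking to a listed address is the pattern an analyst wants surfaced as one finding rather than six log lines.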

Amazon Cognito

Amazon Cognito is a user registration and sign-in service for internet-based applications. In addition, it provides access control to your web and mobile applications as a turn-key service. Cognito is a scalable solution that can support millions of user credentials. Customers can sign in with web identity providers such as Facebook, Google and Amazon, and with enterprise identity providers via SAML 2.0.

Amazon Inspector

Amazon Inspector is an automated security assessment service that analyzes the posture of your AWS deployment. It runs vulnerability assessments on tenant applications to verify whether any known vulnerabilities exist, and it analyzes compliance with best practices. The results are listed in a report sent to the tenant, prioritized by severity. Amazon Inspector comprises a knowledge base with hundreds of rules for security best practices and vulnerability definitions.

Amazon Macie

Amazon Macie is a machine learning based data loss prevention service that automatically discovers, classifies and protects sensitive data in the cloud. Typical sensitive data includes personal information (address, birth date, SSN, etc.), intellectual property and credit card numbers. AWS dashboards and alerts describe how the data is being accessed or moved. The fully managed service monitors data access for anomalies, unauthorized access and data leaks. Current support is available for Amazon S3, with support for additional AWS data stores to follow.
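The discovery and classification step described above is easy to get wrong by pattern matching alone, because any 16-digit order number looks like a card number. The scanner below is an added example, not Macie's detection logic: it finds SSN-shaped and card-shaped strings in constructed S3-like text objects and validates card candidates with the Luhn checksum before reporting them. The regexes, severity thresholds, object keys and contents are constructed; the card numbers are the standard industry test numbers.

```python
"""Sensitive-data classifier over constructed S3-like objects (added example;
not Macie's own detection logic). Scans text for SSN-shaped and card-shaped
strings and validates card candidates with the Luhn checksum so that ordinary
16-digit numbers (order IDs, tracking codes) are not reported. Regexes,
severity thresholds and sample objects are constructed.
"""
import re

# US SSN shape: area not 000/666/9xx, group not 00, serial not 0000
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by single spaces or hyphens
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers (digits only, no separators)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text):
    """Return [(data_type, matched_text), ...] for one object."""
    findings = [("SSN", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):   # drop Luhn-invalid candidates
            findings.append(("CREDIT_CARD", m.group()))
    return findings


def severity(findings):
    # Constructed thresholds, not Macie's scoring.
    if not findings:
        return "NONE"
    return "HIGH" if len(findings) >= 3 else "MEDIUM"


def scan_bucket(objects):
    """objects: {key: text}. Returns a per-object report like a DLP scan would."""
    report = {}
    for key, text in objects.items():
        found = classify(text)
        report[key] = {"findings": found, "severity": severity(found)}
    return report


# Constructed sample objects; the card numbers are standard test numbers.
SAMPLE_OBJECTS = {
    "customers/export.csv": (
        "name,ssn,card\n"
        "Ada Lovelace,123-45-6789,4111 1111 1111 1111\n"
        "Alan Turing,234-56-7890,5500 0000 0000 0004\n"),
    "orders/2024-05.txt": "order 1234 5678 9012 3456 shipped; tracking 1Z-CONSTRUCTED\n",
    "docs/readme.txt": "Support: call the help desk, extension 4321.\n",
}


if __name__ == "__main__":
    for key, result in scan_bucket(SAMPLE_OBJECTS).items():
        print(key, result["severity"], result["findings"])
```

The order file is the false-positive case: `1234 5678 9012 3456` matches the card regex but fails the Luhn check, so the object is reported clean, while the customer export surfaces two SSNs and two valid card numbers and is rated HIGH.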

Directory Service

AWS Directory Service for Microsoft Active Directory (ADS) enables applications that support Active Directory to use a managed Active Directory in the AWS Cloud. It is based on native Microsoft ADS and does not require synchronizing or replicating data from on-premises to the cloud. There is support for the native Microsoft ADS administration tools, group policy, trusts and single sign-on.

Certificate Manager

Certificate Manager enables free management and deployment of SSL/TLS certificates for use with AWS services. SSL/TLS certificates are used to establish and confirm the identity of websites over the Internet. AWS Certificate Manager handles the purchase, upload and renewal of SSL/TLS certificates. Typical usage is with Elastic Load Balancers and Amazon CloudFront distributions.

CloudHSM

CloudHSM is a cloud-based hardware security module (HSM) that lets tenants use their own private encryption keys (FIPS 140-2 Level 3) with AWS infrastructure. CloudHSM supports the PKCS#11, JCE and Microsoft CryptoNG (CNG) libraries. CloudHSM is standards-compliant, allowing export of keys to most commercially available HSMs. It is a fully managed service that automates all administrative tasks associated with setup.

Key Management Service

AWS Key Management Service (KMS) is a managed service that allows tenants to create and manage the encryption keys used to encrypt their data. It uses Hardware Security Modules (HSMs) to protect tenant keys. AWS Key Management Service is integrated with multiple AWS services. Tenants can import and rotate keys, define user policies and audit key activity from the AWS Management Console or by using the AWS SDK or CLI.

AWS Single Sign-On (SSO)

Single Sign-On enables centralized management of access to multiple AWS accounts and applications. You can log in to a portal with on-premises credentials and access all of your assigned accounts and applications. It eases management of access and user permissions across accounts and creates SAML 2.0 integrations for extending SSO access to SAML-enabled applications. It provides built-in SAML integration with applications such as Salesforce, Box and Office 365 without deploying and managing your own SSO software.

AWS Shield

AWS Shield is a managed service that protects web-based applications from Distributed Denial of Service (DDoS) attacks. AWS Shield provides automatic attack mitigation in a Standard (free) tier and an Advanced tier. AWS Shield Standard is designed to protect against common network and transport layer attacks. There is support for protecting EC2 instances, Elastic Load Balancers, CloudFront and Route 53 infrastructure. AWS Shield Advanced provides additional detection and mitigation for complex DDoS attacks, with near real-time visibility into attacks and WAF integration. The AWS DDoS Response Team (DRT) is available to support any issues associated with DDoS attacks and traffic increases.

Trusted Advisor

Trusted Advisor is an assessment tool that identifies common security misconfigurations and vulnerabilities. It also suggests best practices for improving system performance, for example based on the current utilization of EC2 instances. Service limit monitoring is available to notify tenants when AWS resources need to be increased. Trusted Advisor metrics in Amazon CloudWatch allow customers to create customizable alarms for individual service limits, such as EC2 On-Demand Instance limits. Trusted Advisor forwards the ServiceLimitUsage metric, which represents the percentage of utilization versus the limit.

Web Application Firewall (WAF)

AWS WAF is a web application firewall deployed to protect tenant web-based applications from common internet exploits. AWS WAF enables custom filtering rules that give tenants control over what traffic is permitted or denied. For example, tenants can create custom rules that block common attacks such as SQL injection or cross-site scripting. There is API support as well for automating web security rules. Pricing is pay as you go, based on the number of rules deployed and the number of web requests to a web application. AWS includes WAF services with CloudFront for tenants.
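What a set of custom rules actually does to a request depends on evaluation order: rules run by ascending priority, the first ALLOW or BLOCK terminates, COUNT only records the match and continues, and the web ACL's default action applies when nothing terminates. The toy web ACL below is an added example and not the AWS WAF engine; its rule names, IP ranges, match patterns, rate limit and sample requests are constructed. The example also goes slightly beyond the paragraph by including a rate-based rule alongside the string-match rules.

```python
"""Toy web ACL evaluator (added example; not the AWS WAF engine). It mirrors the
documented evaluation order: rules run by ascending priority, the first rule
whose action is ALLOW or BLOCK terminates evaluation, COUNT records the match
and continues, and the web ACL's default action applies if nothing terminates.
Rule names, IP ranges, patterns, the rate limit and the requests are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Request:
    src_ip: str
    path: str
    query: str
    ts: float          # seconds


class IPSetRule:
    """Matches requests whose source address is in one of the CIDRs."""
    def __init__(self, name, priority, action, cidrs):
        self.name, self.priority, self.action = name, priority, action
        self.nets = [ip_network(c) for c in cidrs]

    def matches(self, req):
        return any(ip_address(req.src_ip) in n for n in self.nets)


class ByteMatchRule:
    """Case-insensitive substring match on one request field."""
    def __init__(self, name, priority, action, field, needle):
        self.name, self.priority, self.action = name, priority, action
        self.field, self.needle = field, needle.lower()

    def matches(self, req):
        return self.needle in getattr(req, self.field).lower()


class RateBasedRule:
    """Matches once a source IP exceeds `limit` requests in a sliding window (seconds).
    Only requests that reach this rule are counted, a simplification of the service."""
    def __init__(self, name, priority, action, limit, window=300):
        self.name, self.priority, self.action = name, priority, action
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)

    def matches(self, req):
        q = self._hits[req.src_ip]
        q.append(req.ts)
        while q[0] <= req.ts - self.window:   # expire hits outside the window
            q.popleft()
        return len(q) > self.limit


class WebACL:
    def __init__(self, rules, default_action="ALLOW"):
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.default_action = default_action

    def evaluate(self, req):
        """Return (final_action, [names of COUNT rules that matched])."""
        counted = []
        for rule in self.rules:
            if not rule.matches(req):
                continue
            if rule.action == "COUNT":
                counted.append(rule.name)   # observe-only; evaluation continues
                continue
            return rule.action, counted     # ALLOW or BLOCK terminates
        return self.default_action, counted


def build_acl():
    return WebACL([
        IPSetRule("block-bad-ranges", 0, "BLOCK", ["198.51.100.0/24"]),
        ByteMatchRule("xss-count", 10, "COUNT", "query", "<script"),   # monitor before enforcing
        ByteMatchRule("sqli-block", 20, "BLOCK", "query", "union select"),
        RateBasedRule("rate-limit", 30, "BLOCK", limit=100),
    ])


def sample_verdicts():
    acl = build_acl()
    requests = [
        Request("198.51.100.7", "/", "", 0.0),
        Request("203.0.113.5", "/search", "q=<script>hello", 1.0),
        Request("203.0.113.5", "/search", "q=1 UNION SELECT name", 2.0),
        Request("203.0.113.5", "/search", "q=aws", 3.0),
    ]
    return [acl.evaluate(r) for r in requests]


def flood_verdicts(n=101):
    """First and last verdict for n requests from one client inside the window."""
    acl = build_acl()
    verdicts = [acl.evaluate(Request("192.0.2.9", "/", "", float(i)))[0] for i in range(n)]
    return verdicts[0], verdicts[-1]
```

Running a new rule in COUNT mode first, as `xss-count` does here, is the usual way to measure a rule's false-positive rate against production traffic before switching it to BLOCK; the counted names come back with the verdict so they can be logged and reviewed.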

AWS Artifact

AWS Artifact is a cloud portal that provides access to AWS security and compliance audit documents. These include, for example, Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports and certifications from accreditation authorities that validate the effectiveness of AWS security controls. Tenants can use them to verify cloud infrastructure compliance and security posture and to submit reporting to auditors or regulators.

Third-party applications are available from AWS security/partner-solutions.