AWS Security - keshavbaweja-git/guides GitHub Wiki
Detection
Amazon GuardDuty
A threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. GuardDuty uses integrated threat intelligence sources, ML and anomaly detection techniques to identify and prioritize potential threats. Once enabled, GuardDuty produces findings in the following four areas: compromised EC2 instances; anomalous, malicious or unauthorized IAM activity; compromised S3 buckets; and compromised EKS clusters.
AWS Config
Provides a detailed view of the configuration of each AWS resource in your accounts, its relationships to other AWS resources, and a timeline of its configuration changes. With AWS Config Rules and Conformance Packs, resource configuration can be evaluated for compliance and auto-remediated when it is non-compliant. For example, a Config rule can check whether EBS encryption is enabled by default in your AWS account and, if it is not, remediate by enabling that setting in the account.
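The EBS encryption-by-default check and remediation described above, as an added example that is not code from this wiki or from AWS. The EC2 client is passed in so the logic can run offline against the constructed FakeEc2; the method names called on it are real boto3 EC2 client methods, and the Lambda wiring in lambda_handler is hypothetical.

```python
# Added example, not code from the wiki or from AWS: the EBS encryption-by-default
# check and auto-remediation described above. The EC2 client is passed in so the
# logic runs offline against the constructed FakeEc2 below; the method names used
# on it are real boto3 EC2 client methods. The setting is per region, so a real
# rule has to run in every region in use.

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"


def evaluate_ebs_default_encryption(ec2, remediate=False):
    """Return (state_before, state_after, remediated) for the current region."""
    before = ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]
    if before:
        return COMPLIANT, COMPLIANT, False
    if not remediate:
        return NON_COMPLIANT, NON_COMPLIANT, False
    # Non-compliant and remediation allowed: enable the setting, then re-read it
    # rather than trusting the enable call's own response.
    ec2.enable_ebs_encryption_by_default()
    after = ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]
    return NON_COMPLIANT, (COMPLIANT if after else NON_COMPLIANT), True


class FakeEc2:
    """Constructed stand-in for boto3.client('ec2') that records the calls made."""

    def __init__(self, enabled=False):
        self.enabled = enabled
        self.calls = []

    def get_ebs_encryption_by_default(self):
        self.calls.append("get")
        return {"EbsEncryptionByDefault": self.enabled}

    def enable_ebs_encryption_by_default(self):
        self.calls.append("enable")
        self.enabled = True
        return {"EbsEncryptionByDefault": True}


def lambda_handler(event, context):
    """Entry point for a scheduled Lambda (hypothetical wiring); needs boto3 at runtime."""
    import boto3  # imported here so the check above stays importable without boto3

    before, after, fixed = evaluate_ebs_default_encryption(
        boto3.client("ec2"), remediate=bool(event.get("remediate", False))
    )
    return {"before": before, "after": after, "remediated": fixed}
```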
AWS CloudTrail
AWS CloudTrail enables operational and risk auditing of your account. It records actions taken by an IAM user or role, or by an AWS service, in an AWS account, whether those actions were initiated through the AWS Management Console, the AWS CLI, SDKs or direct API calls.
Amazon SecurityHub
Provides a centralized and consolidated view of security events from AWS accounts, AWS services and a number of (30+) third-party partner products, to identify high-priority security issues and analyse security trends. Findings from Amazon GuardDuty, AWS Config, Amazon Macie and Amazon Inspector are integrated with SecurityHub, where they are normalized and presented in a consistent format. For automated security incident response, SecurityHub is integrated with Amazon EventBridge, which can be used to trigger Lambda functions and Step Functions workflows.
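The SecurityHub to EventBridge to Lambda path described above, as an added example that is not code from this wiki or from AWS: an EventBridge rule pattern that forwards only new HIGH/CRITICAL findings, and the triage a Lambda target would run on the matching event. The event shape follows the "Security Hub Findings - Imported" event; the sample findings, account id and ARNs are constructed placeholders.

```python
# Added example, not code from the wiki or from AWS: an EventBridge rule pattern
# for high-severity Security Hub findings and the triage a Lambda target would run.
# The event shape follows the "Security Hub Findings - Imported" event; the sample
# findings, account id and ARNs below are constructed placeholders.

# Rule pattern: only NEW findings labelled HIGH or CRITICAL invoke the Lambda.
EVENT_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {"Severity": {"Label": ["HIGH", "CRITICAL"]},
                            "Workflow": {"Status": ["NEW"]}}},
}


def matches_pattern(finding):
    # Re-check severity/status in code so the handler stays safe if the rule is loosened.
    want = EVENT_PATTERN["detail"]["findings"]
    return (finding.get("Severity", {}).get("Label") in want["Severity"]["Label"]
            and finding.get("Workflow", {}).get("Status") in want["Workflow"]["Status"])


def triage_findings(event):
    """Extract what a responder needs from each finding that passes the filter."""
    out = []
    for f in event.get("detail", {}).get("findings", []):
        if matches_pattern(f):
            out.append({"id": f["Id"], "product": f.get("ProductName", "unknown"),
                        "severity": f["Severity"]["Label"], "title": f.get("Title", ""),
                        "resources": [r["Id"] for r in f.get("Resources", [])]})
    return out


def lambda_handler(event, context):
    items = triage_findings(event)
    # In practice: open a ticket or start a Step Functions workflow per item.
    return {"escalated": len(items), "findings": items}


SAMPLE_EVENT = {  # constructed; shaped like a real Security Hub import event
    "source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"Id": "arn:aws:guardduty:ap-southeast-1:111122223333:detector/EXAMPLE/finding/1",
         "ProductName": "GuardDuty", "Severity": {"Label": "HIGH"}, "Workflow": {"Status": "NEW"},
         "Title": "Constructed GuardDuty EC2 finding",
         "Resources": [{"Type": "AwsEc2Instance", "Id": "arn:aws:ec2:ap-southeast-1:111122223333:instance/i-0EXAMPLE"}]},
        {"Id": "arn:aws:securityhub:ap-southeast-1:111122223333:finding/EXAMPLE2",
         "ProductName": "Security Hub", "Severity": {"Label": "LOW"}, "Workflow": {"Status": "NEW"},
         "Title": "Constructed low-severity control finding",
         "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:111122223333"}]},
    ]},
}
```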
Infrastructure Protection
AWS Shield
A managed Distributed Denial of Service (DDoS) protection service with always-on detection and automated mitigations to minimize application downtime and latency. It is offered in two tiers: Shield Standard protects against common layer 3 and layer 4 attacks; Shield Advanced protects EC2, ELB, CloudFront, Global Accelerator and Route 53 against larger and more sophisticated attacks, and adds access to a 24x7 response team and cost protection against scaling charges caused by DDoS attacks.
AWS WAF
A web application firewall that monitors and controls HTTP/HTTPS access to CloudFront, API Gateway, Application Load Balancer and AppSync GraphQL APIs. AWS provides managed rule groups for baseline and use-case-specific protection. With an AWS Shield Advanced subscription, AWS WAF is offered at no additional charge.
AWS Network Firewall
A stateful firewall service to protect AWS VPC resources in your account from network threats. Provides active traffic flow inspection to identify and block vulnerability exploits.
Amazon Inspector
An automated vulnerability management service that continually scans EC2 and container workloads for software vulnerabilities and unintended network exposure. (Currently not available in the Singapore region.)
AWS Systems Manager
Easily configure and manage Amazon EC2 and on-premises systems to apply OS patches, create secure system images, and configure secure operating systems.
Data Protection
AWS Key Management Service (KMS)
Streamlines the creation and management of cryptographic keys. AWS KMS is integrated with many AWS services for their data encryption requirements, and with CloudTrail, which logs the generation and use of KMS keys.
AWS CloudHSM
A cloud-based FIPS 140-2 Level 3 validated hardware security module (HSM) that enables you to deploy PCI- and FedRAMP-compliant workloads. AWS CloudHSM can be configured as a custom key store for AWS KMS, giving the customer control over the key material.
AWS Secrets Manager
Securely store, retrieve and manage sensitive information such as credentials and API keys. AWS Secrets Manager has built-in integration with RDS, Redshift and DocumentDB for automated rotation of database credentials, and can be extended in the same way to other secret types.
Amazon Macie
A data security and privacy service that uses ML and pattern matching to discover and protect sensitive data on Amazon S3 buckets. Macie automatically detects a number of sensitive data types, including personally identifiable information (PII) such as names, addresses, and credit card numbers. You can add custom-defined data types using regular expressions to enable Macie to discover proprietary or unique sensitive data for your business. Macie gives you constant visibility of the data security and data privacy of your data stored in Amazon S3.
Incident Response
Amazon EventBridge
AWS Lambda
AWS Step Functions
Identity and Access Management
Identity and Access Management (IAM)
AWS Organizations
AWS Organizations enables you to implement a multi-account structure in a secure and scalable manner, and to apply security policies and audits centrally across those accounts.