Contents
- 1 🛡️ AWS Security Controls and Services
- 1.1 🔐 Identity and Access Management (IAM)
- 1.2 🧭 AWS Organizations & SCPs (Service Control Policies)
- 1.3 🧪 AWS Inspector
- 1.4 📜 AWS Config
- 1.5 📚 AWS Security Hub
- 1.6 🕵️ Amazon GuardDuty
- 1.7 🔎 AWS Macie
- 1.8 📂 AWS KMS & Secrets Manager
- 1.9 📜 AWS CloudTrail
- 1.10 🔥 AWS WAF & Shield
- 1.11 🔧 AWS Systems Manager
- 1.12 🧩 Additional Services
- 1.13 🧭 Best Practices
🛡️ AWS Security Controls and Services
Amazon Web Services (AWS) offers a wide range of built-in security services, features, and best practices to help protect your cloud infrastructure, applications, and data. This page provides a structured overview of key AWS security controls and services that cybersecurity professionals should understand and leverage.
🔐 Identity and Access Management (IAM)
IAM enables you to securely manage access to AWS services and resources.
- Users, Groups, Roles, Policies: Fine-grained permissions with least privilege enforcement.
- IAM Access Analyzer: Identifies resources that are shared with principals outside your account or organisation.
- Best Practice: Use roles for services and avoid long-term credentials.
🧭 AWS Organizations & SCPs (Service Control Policies)
- Set organisation-wide guardrails on the maximum permissions available to every member account.
- Centralise security governance using AWS Organizations.
- Use SCPs to prevent high-risk actions like deleting logs or modifying security configurations.
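The following block is an added example (not a policy taken from this page or from AWS) showing what such a "protect the logs" SCP looks like and, alongside it, a minimal simulation of how SCP evaluation behaves: an action is available only if some Allow statement matches it and no Deny statement does, so an explicit Deny cannot be overridden from inside the member account. The action names are real AWS API actions; the `scp_permits` evaluator and the `DENY_LOG_TAMPERING_SCP` document are assumptions constructed for this illustration.

```python
"""Added example: an SCP that blocks tampering with security logging, plus a
minimal simulation of SCP evaluation (Deny overrides Allow; no matching Allow
means denied).  Not taken from the page or from AWS documentation verbatim."""
import fnmatch

# Constructed SCP.  The action names are real AWS API actions; the document
# itself is an illustration.  The AllowAll statement mirrors the default
# FullAWSAccess policy; the Deny statement carves out the guardrail.
DENY_LOG_TAMPERING_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Sid": "ProtectSecurityLogging",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail",
                "config:DeleteConfigurationRecorder",
                "config:StopConfigurationRecorder",
                "guardduty:DeleteDetector",
            ],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    # Policy grammar allows "Action": "x" or "Action": ["x", "y"].
    return value if isinstance(value, list) else [value]


def _statement_matches(statement, action):
    # Action patterns support '*' and '?' wildcards and are case-insensitive.
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement["Action"]))


def scp_permits(scp, action):
    """True if the SCP layer leaves `action` available to the account.

    An explicit Deny always wins over any Allow, and an action with no
    matching Allow is denied by default.  This ignores Resource/Condition
    keys, which is sufficient for the "Resource": "*" guardrail above."""
    allowed = False
    for statement in scp["Statement"]:
        if not _statement_matches(statement, action):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def blocked_actions(scp, actions):
    """Return the subset of `actions` the SCP would refuse."""
    return [a for a in actions if not scp_permits(scp, a)]


if __name__ == "__main__":
    sample = ["cloudtrail:StopLogging", "cloudtrail:LookupEvents", "ec2:RunInstances"]
    print(blocked_actions(DENY_LOG_TAMPERING_SCP, sample))
```

Because SCPs filter rather than grant, the same evaluator also shows why an SCP that only allows `s3:*` leaves every non-S3 action unavailable even to an account administrator with an AdministratorAccess identity policy.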
🧪 AWS Inspector
- Automated security assessment service.
- Scans EC2 instances, Lambda functions, and containers for vulnerabilities.
- Integrates with Amazon EventBridge for real-time findings.
📜 AWS Config
- Monitors and records AWS resource configurations.
- Tracks compliance against rules (e.g., “S3 buckets must not be public”).
- Supports conformance packs for standards like CIS or NIST.
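As an added example (not code from this page or from AWS), here is the evaluation logic of a custom AWS Config rule implementing the "S3 buckets must not be public" check from above, written so it runs offline. The layout of the configuration item (`supplementaryConfiguration` -> `PublicAccessBlockConfiguration` with four lowerCamelCase flags) is what a custom-rule Lambda receives for `AWS::S3::Bucket` items to the best of my knowledge; treat those field names, the `make_event` helper and the sample buckets as assumptions to verify against items your own recorder has captured.

```python
"""Added example: evaluation logic for a custom AWS Config rule that flags
S3 buckets whose public access block is not fully enabled.  The
configuration-item field names are assumed from the Config custom-rule
event format; the sample buckets are constructed."""
import json

# All four settings must be on for a bucket to count as "not public" here.
REQUIRED_FLAGS = ("blockPublicAcls", "ignorePublicAcls",
                  "blockPublicPolicy", "restrictPublicBuckets")


def evaluate_bucket(item):
    """Return (compliance_type, annotation) for one configuration item."""
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "Bucket no longer exists"
    if item.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE", "Rule only evaluates S3 buckets"
    pab = (item.get("supplementaryConfiguration") or {}).get(
        "PublicAccessBlockConfiguration") or {}
    # No block configuration at all means nothing is blocked: absent == False.
    missing = [flag for flag in REQUIRED_FLAGS if not pab.get(flag, False)]
    if missing:
        return "NON_COMPLIANT", "Public access not fully blocked: " + ", ".join(missing)
    return "COMPLIANT", "All four public access block settings are enabled"


def lambda_handler(event, context=None):
    """Entry point shape for a Config custom rule.

    Config passes the configuration item as a JSON string in
    event['invokingEvent'].  A deployed handler would forward the returned
    dict via boto3.client('config').put_evaluations(Evaluations=[...],
    ResultToken=event['resultToken']); that call is left out so this runs
    without AWS credentials."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    compliance, annotation = evaluate_bucket(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def make_event(bucket_name, pab=None, status="OK"):
    """Build a constructed Config invocation (assumed shape, not a recording)."""
    item = {
        "resourceType": "AWS::S3::Bucket",
        "resourceId": bucket_name,
        "configurationItemStatus": status,
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "supplementaryConfiguration": {},
    }
    if pab is not None:
        item["supplementaryConfiguration"]["PublicAccessBlockConfiguration"] = pab
    invoking = {"configurationItem": item,
                "messageType": "ConfigurationItemChangeNotification"}
    return {"invokingEvent": json.dumps(invoking),
            "ruleParameters": "{}",
            "resultToken": "constructed-token"}


# Hardened setting beside the weak one: a bucket policy can still grant
# public read when blockPublicPolicy is False.
LOCKED_DOWN = {flag: True for flag in REQUIRED_FLAGS}
WEAK = dict(LOCKED_DOWN, blockPublicPolicy=False)

if __name__ == "__main__":
    for name, pab in [("good-bucket", LOCKED_DOWN), ("weak-bucket", WEAK),
                      ("legacy-bucket", None)]:
        print(lambda_handler(make_event(name, pab)))
```

The deleted-resource branch matters in practice: without it, a change notification for a bucket that no longer exists would be reported as non-compliant and linger in the dashboard.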
📚 AWS Security Hub
- Centralised dashboard for security alerts and compliance status.
- Integrates findings from services like GuardDuty, Inspector, Macie, and third-party tools.
- Supports automated response using EventBridge rules and Systems Manager Automation.
🕵️ Amazon GuardDuty
- Threat detection service using machine learning.
- Detects unusual behaviour, brute force attempts, data exfiltration, and more.
- No agent required – uses VPC Flow Logs, DNS logs, and CloudTrail events.
🔎 AWS Macie
- Uses ML to discover, classify, and protect sensitive data (like PII) in S3.
- Alerts on data access anomalies and unencrypted buckets.
- Ideal for GDPR and compliance monitoring.
📂 AWS KMS & Secrets Manager
- AWS Key Management Service (KMS): Centralised key management and encryption.
- AWS Secrets Manager: Securely store, rotate, and audit access to secrets like database passwords and API keys.
📜 AWS CloudTrail
- Records all API activity across your account.
- Critical for audit trails, forensic investigations, and alerting.
- Can be centralised across accounts for security team visibility.
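To show what "alerting" on CloudTrail looks like in code, the block below is an added example (not from this page or AWS) that runs three detections over a constructed CloudTrail log file: calls that weaken the trail itself, any activity by the root user (escalated when it is a console login without MFA), and repeated console-login failures from one source. The record field names follow the CloudTrail record format; the sample records, account id and IP addresses are constructed, and the thresholds and rule names are assumptions.

```python
"""Added example: a small detector over CloudTrail records.  Field names
(eventName, eventSource, userIdentity, responseElements.ConsoleLogin,
additionalEventData.MFAUsed, errorMessage) follow the CloudTrail record
format; every record below is constructed for illustration."""
import json
from collections import Counter

# Management-plane calls that reduce or disable the audit trail.
LOG_TAMPERING_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Constructed CloudTrail log file, trimmed to the fields the detector reads.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "StopLogging",
     "eventSource": "cloudtrail.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
] + [
    {"eventTime": f"2024-01-01T10:1{i}:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication"} for i in range(3)
] + [
    {"eventTime": "2024-01-01T10:20:00Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ops/ci"}},
]})


def load_records(text):
    """Accept a CloudTrail log file ({"Records": [...]}) or a bare list."""
    data = json.loads(text)
    return data["Records"] if isinstance(data, dict) else data


def _actor(record):
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def detect(records, failed_login_threshold=3):
    """Return a list of alert dicts with keys rule, severity, summary."""
    alerts = []
    failed_logins = Counter()
    for rec in records:
        name = rec.get("eventName")
        if name in LOG_TAMPERING_EVENTS:
            alerts.append({"rule": "cloudtrail_tampering", "severity": "high",
                           "summary": f"{_actor(rec)} called {name} from {rec.get('sourceIPAddress')}"})
        if rec.get("userIdentity", {}).get("type") == "Root":
            mfa = rec.get("additionalEventData", {}).get("MFAUsed")
            severity = "critical" if (name == "ConsoleLogin" and mfa != "Yes") else "medium"
            alerts.append({"rule": "root_account_activity", "severity": severity,
                           "summary": f"root performed {name} (MFAUsed={mfa})"})
        if name == "ConsoleLogin" and rec.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            failed_logins[(rec.get("sourceIPAddress"), _actor(rec))] += 1
    # Aggregate failures after the pass so the threshold applies per source+user.
    for (ip, actor), count in failed_logins.items():
        if count >= failed_login_threshold:
            alerts.append({"rule": "console_login_bruteforce", "severity": "medium",
                           "summary": f"{count} failed console logins for {actor} from {ip}"})
    return alerts


if __name__ == "__main__":
    for alert in detect(load_records(SAMPLE_LOG)):
        print(alert["severity"].upper(), alert["rule"], "-", alert["summary"])
```

In a real deployment the same logic would consume events delivered by EventBridge or read log files from the centralised trail bucket; combining it with an SCP that denies the tampering actions turns the first rule from an after-the-fact alert into a preventive control.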
🔥 AWS WAF & Shield
- AWS WAF (Web Application Firewall): Protects against SQL injection (SQLi), cross-site scripting (XSS), and bot attacks.
- AWS Shield: DDoS protection service, with Standard and Advanced tiers.
- Integrates readily with CloudFront and Application Load Balancers (ALBs).
🔧 AWS Systems Manager
- Provides secure remote management of EC2 and hybrid instances.
- Patch Manager automates OS and software patching.
- Run Command and Session Manager support secure operations without opening SSH access.
🧩 Additional Services
- Amazon Detective: Investigates and analyses GuardDuty and CloudTrail findings.
- VPC Traffic Mirroring: Deep packet inspection and network forensics.
- AWS Firewall Manager: Centralised policy management for WAF, Shield, and security groups.
🧭 Best Practices
- Adopt a multi-account architecture with least privilege and separation of duties.
- Turn on Security Hub and integrate across accounts for full visibility.
- Use CloudFormation Drift Detection, Config, and Trusted Advisor to monitor changes and health.