AWS Security Services Overview

This post provides a complete overview of AWS security services, serving as a reference for professionals who work with Cloud Security.

The goal is to give a clear understanding of what each service does, how it fits into an AWS security strategy, and when it makes sense to use it in real environments.

Each section is organized by category with practical examples and common use cases that reflect real-world scenarios:

  • Identity & Access Management.
  • Data Protection.
  • Network Security.
  • Threat Detection & Monitoring.
  • Application Security.
  • Compliance & Governance.

Identity & Access Management

AWS Identity and Access Management (IAM)

Description
IAM defines who can do what in your AWS environment. It provides authentication (via users, roles, and federated identities) and authorization (via policies) for every AWS service.

Scenario
A security team designs IAM roles for developers to deploy Lambda functions only in non-production environments. Each role has a limited set of permissions (using wildcards carefully) and temporary credentials are used instead of long-term access keys.

Best Practices

  • Apply the principle of least privilege: grant only what’s needed.
  • Replace IAM users with roles and temporary credentials.
  • Enforce MFA for all privileged accounts.
  • Use IAM Access Analyzer to identify unused or overly broad permissions.

Pricing

  • Free.

AWS IAM Identity Center (AWS SSO)

Description
IAM Identity Center provides centralized access management for all your AWS accounts. It connects with identity providers like Okta, Azure AD, or Google Workspace.

Scenario
In an enterprise setup, employees log in once using their corporate credentials and can access multiple AWS accounts through the AWS Console Portal, with fine-grained permissions mapped by group (Dev, SecOps, Finance, etc.).

Pricing

  • Free.

AWS Organizations

Description
AWS Organizations is a centralized way to manage user access across multiple AWS accounts and business applications. It integrates with identity providers (like Okta, Azure AD, or Google Workspace) for single sign-on (SSO).

Scenario
A company with 10 AWS accounts configures IAM Identity Center with Azure AD. Developers log in once with their corporate credentials and access the AWS accounts they’re assigned to, based on group membership.

Best Practices

  • Use group-based access instead of assigning permissions to individuals.
  • Map corporate directory groups to AWS accounts and permission sets.
  • Enable MFA and session timeouts.

Pricing

  • Free.

AWS Resource Access Manager (RAM)

Description
RAM allows you to securely share AWS resources (like subnets, Transit Gateways, or Route 53 zones) across accounts or within your AWS Organization.

Scenario
A central network account shares a Transit Gateway with multiple VPCs across other accounts, allowing secure and controlled inter-VPC communication.

Best Practices

  • Share only necessary resources with trusted accounts.
  • Review resource shares regularly for unused ones.
  • Use tagging to track ownership and accountability.

Pricing

  • Free.

Amazon Cognito

Description
Cognito handles authentication and authorization for web and mobile apps, supporting user pools (sign-up/sign-in) and identity pools (federation with social or enterprise IdPs).

Scenario
A startup builds a mobile app where users can sign in using Google or Apple ID. Cognito manages identity federation and issues temporary AWS credentials for accessing backend APIs securely.

Best Practices

  • Enable MFA and password policies.
  • Protect access tokens using HTTPS and secure client SDKs.
  • Use Cognito triggers (Lambda) to validate user data or enforce additional checks.

Pricing

  • Pay per monthly active user (MAU) and per authentication request.

AWS Directory Service

Description
Directory Service provides managed Microsoft Active Directory (AD) in AWS or integrates AWS resources with your existing on-premises AD.

Scenario
An enterprise migrates its Windows-based workloads to AWS. By deploying AWS Managed Microsoft AD, administrators can apply the same group policies and authentication rules as in their on-premises environment.

Best Practices

  • Use AWS Managed Microsoft AD when you need full AD capabilities.
  • Limit domain admin access and use dedicated admin accounts.
  • Monitor directory logins using CloudWatch or CloudTrail.

Pricing

  • Charged per directory type and instance hours.

Data Protection

AWS Secrets Manager

Description
AWS Secrets Manager is a managed service for storing, rotating, and retrieving database credentials, API keys, and other secrets securely.

Scenario
Instead of embedding credentials in a Lambda environment variable, the function retrieves the password from Secrets Manager at runtime. Automatic rotation ensures passwords stay up to date.

Best Practices

  • Enable automatic secret rotation using Lambda.
  • Restrict IAM access to specific secrets.
  • Use encryption with KMS for all stored secrets.

Pricing

  • Per secret stored and per 10,000 API calls.

AWS Private Certificate Authority (CA)

Description
AWS Private Certificate Authority (CA) is a managed service for issuing and managing private SSL/TLS certificates for internal use cases.

Scenario
An enterprise uses Private CA to issue certificates for internal APIs, IoT devices, and internal dashboards, eliminating reliance on public certificate providers.

Best Practices

  • Automate certificate renewal and deployment via ACM integration.
  • Enforce short certificate lifetimes to reduce exposure risk.
  • Restrict who can issue certificates with IAM policies.

Pricing

  • Monthly fee per CA + per certificate issued.

AWS Certificate Manager (ACM)

Description
AWS Certificate Manager (ACM) simplifies the provisioning, deployment, and renewal of SSL/TLS certificates for AWS resources (ALB, CloudFront, API Gateway, etc.).

Scenario
A website hosted on CloudFront automatically uses ACM-issued certificates to enable HTTPS, with zero manual renewal effort.

Best Practices

  • Use DNS validation for automation.
  • Prefer ACM for public-facing endpoints.
  • Combine with AWS WAF for secure web delivery.

Pricing

  • Public certificates are free; private ones incur cost via Private CA.

Amazon Macie

Description
Amazon Macie uses machine learning to identify and protect sensitive data (like PII, financial data, or credentials) in Amazon S3.

Scenario
A company stores millions of files in S3. Macie scans the data and alerts the security team when PII is detected in unexpected locations, triggering remediation workflows.

Best Practices

  • Schedule automatic scans of critical buckets.
  • Use Macie findings to enforce Config remediation rules.
  • Integrate with Security Hub for centralized visibility.

Pricing

  • Per GB of data classified and objects monitored.

AWS Key Management Service (KMS)

Description
AWS KMS manages encryption keys for AWS services and custom applications, allowing encryption at rest and in transit with centralized control.

Scenario
A financial team encrypts S3 and RDS data using customer-managed CMKs, ensuring only specific IAM roles can use them for decryption. CloudTrail logs all KMS usage for auditability.

Best Practices

  • Use customer-managed CMKs for sensitive data.
  • Rotate keys automatically.
  • Enable key usage logging in CloudTrail.
  • Enforce access policies to prevent key misuse.

Pricing

  • Per key and per API request (encryption/decryption).

AWS CloudHSM

Description
AWS CloudHSM is a dedicated Hardware Security Module that gives you full control over your cryptographic keys and operations. It’s ideal for compliance-heavy industries.

Scenario
A payments company processes card transactions that must comply with PCI DSS. It uses CloudHSM to generate and store encryption keys in an isolated, FIPS 140-2 Level 3–compliant environment.

Best Practices

  • Use CloudHSM when compliance requires exclusive control of keys.
  • Combine with KMS custom key store if you need hybrid integration.
  • Plan for redundancy: HSM clusters should span multiple Availability Zones.

Pricing

  • Hourly cost per HSM instance.

AWS Payment Cryptography

Description
AWS Payment Cryptography provides on-demand cryptographic processing for payment systems, including key management and transaction signing.

Scenario
A fintech uses AWS Payment Cryptography to perform secure PIN generation and key exchange with banks, ensuring compliance with PCI PIN standards.

Best Practices

  • Use with CloudHSM for regulated workloads.
  • Restrict access using IAM conditions and audit logs.
  • Rotate cryptographic keys periodically.

Pricing

  • Per cryptographic operation and per key.

Network and Application Protection

AWS Web Application Firewall (WAF)

Description
AWS WAF protects web applications from common exploits like SQL injection, cross-site scripting (XSS), and malicious bots. It operates at layer 7 (HTTP/HTTPS) and integrates with CloudFront, API Gateway, and Application Load Balancer.

Scenario
An online retail application exposes an API through API Gateway. AWS WAF inspects incoming traffic and blocks requests containing suspicious patterns (like “UNION SELECT” or script injections), preventing data leaks and service disruptions.

Best Practices

  • Use AWS Managed Rule Groups to defend against OWASP Top 10 vulnerabilities.
  • Create rate-based rules to throttle suspicious traffic and prevent brute-force attacks.
  • Regularly review logs in CloudWatch or Kinesis Firehose for visibility.
  • Deploy different WAF Web ACLs for staging and production environments.

Pricing

  • Charged per Web ACL, rule, and number of requests inspected.

AWS Shield

Description
AWS Shield provides managed protection against Distributed Denial of Service (DDoS) attacks. It offers two tiers: Shield Standard (automatic and free) and Shield Advanced (enhanced detection and mitigation with 24/7 support).

Scenario
A fintech company hosts its public-facing APIs behind CloudFront. During a DDoS attempt, AWS Shield Advanced automatically detects abnormal spikes in traffic and engages AWS’s DDoS Response Team (DRT) to mitigate the attack while maintaining availability.

Best Practices

  • Use Shield Advanced for mission-critical workloads (e.g., e-commerce, financial APIs).
  • Combine with WAF for application-layer defense.
  • Regularly test DDoS resilience with simulated events.
  • Monitor metrics in the CloudWatch DDoS dashboard.

Pricing

  • Shield Standard: Free (included by default).
  • Shield Advanced: Monthly subscription + data transfer usage.

AWS Network Firewall

Description
AWS Network Firewall is a managed, scalable firewall that inspects traffic at the VPC level and blocks or allows traffic based on stateful and stateless rules.

Scenario
A large organization builds a central inspection VPC where Network Firewall analyzes all traffic between business units using AWS Transit Gateway. Security teams manage policies globally.

Best Practices

  • Centralize firewalls in shared network accounts.
  • Log all traffic to CloudWatch Logs or S3.
  • Use domain-based and Suricata-compatible rule groups.

Pricing

  • Per firewall endpoint-hour and GB processed.

AWS Firewall Manager

Description
AWS Firewall Manager provides centralized management of WAF, Shield, and Network Firewall policies across multiple AWS accounts.

Scenario
A security team applies a standard WAF rule set to every CloudFront distribution in the organization using Firewall Manager policies, ensuring consistency across environments.

Best Practices

  • Integrate with AWS Organizations for unified control.
  • Tag resources consistently for policy targeting.
  • Use for compliance enforcement (e.g., mandatory WAF).

Pricing

  • Per policy per region.

Threat Detection & Monitoring

AWS CloudTrail

Description
AWS CloudTrail records every API call and management event in your AWS environment, providing visibility into who did what and when. It’s fundamental for auditing, incident response, and compliance.

Scenario
A developer accidentally grants public access to an S3 bucket. CloudTrail logs the API call, capturing the user identity, source IP, and timestamp. The security team uses these logs to investigate and roll back the change.
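
The investigation in this scenario starts from the CloudTrail record itself. As an added example (not code from the original post), the Python below scans a CloudTrail log file body for the S3 API calls that open a bucket to the public and extracts the actor, source IP and timestamp the scenario relies on; field names follow CloudTrail's S3 record format, and the sample records, account id and bucket names are constructed.

```python
"""Flag CloudTrail records that open an S3 bucket to the public (added example, not
from the original post). Field names follow CloudTrail's S3 record format; the sample
records below are constructed for illustration."""
import json

PUBLIC_ACCESS_BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
                            "BlockPublicPolicy", "RestrictPublicBuckets")

def _record(event_name, bucket, user, ip, **params):
    """Build one constructed CloudTrail record (the account id is a documentation placeholder)."""
    return {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
            "eventName": event_name, "sourceIPAddress": ip,
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"},
            "requestParameters": {"bucketName": bucket, **params}}

# Constructed sample log body: one benign policy change followed by two public exposures.
SAMPLE_LOG = json.dumps({"Records": [
    _record("PutBucketPolicy", "finance-reports", "alice", "203.0.113.10",
            bucketPolicy={"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                          "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                          "Resource": "arn:aws:s3:::finance-reports/*"}]}),
    _record("PutBucketPolicy", "customer-exports", "bob", "198.51.100.7",
            bucketPolicy={"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                          "Principal": "*", "Resource": "arn:aws:s3:::customer-exports/*"}]}),
    _record("PutBucketPublicAccessBlock", "customer-exports", "bob", "198.51.100.7",
            PublicAccessBlockConfiguration={k: False for k in PUBLIC_ACCESS_BLOCK_KEYS}),
]})

def _principal_is_public(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (the wildcard may also sit inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def is_public_exposure(record: dict) -> bool:
    """Decide whether a single CloudTrail record grants public access to a bucket."""
    params = record.get("requestParameters") or {}
    name = record.get("eventName")
    if name == "PutBucketPolicy":
        statements = (params.get("bucketPolicy") or {}).get("Statement", [])
        return any(s.get("Effect") == "Allow" and _principal_is_public(s.get("Principal"))
                   for s in statements)
    if name == "PutBucketPublicAccessBlock":
        # Any of the four protections switched off is worth a look.
        cfg = params.get("PublicAccessBlockConfiguration") or {}
        return not all(cfg.get(k, False) for k in PUBLIC_ACCESS_BLOCK_KEYS)
    if name == "PutBucketAcl":
        return params.get("x-amz-acl") in ("public-read", "public-read-write")
    return False

def find_public_exposures(log_body: str) -> list:
    """Scan a CloudTrail log file body and return who opened which bucket, and when."""
    return [{"time": r["eventTime"], "event": r["eventName"],
             "bucket": r["requestParameters"].get("bucketName"),
             "actor": r.get("userIdentity", {}).get("arn"),
             "source_ip": r.get("sourceIPAddress")}
            for r in json.loads(log_body).get("Records", []) if is_public_exposure(r)]
```

Run against the sample, the benign `finance-reports` change is skipped and both `customer-exports` records are reported with the actor's ARN and source IP, which is the starting point for the rollback the scenario describes.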

Best Practices

  • Enable CloudTrail across all accounts using AWS Organizations.
  • Store logs in S3 with encryption and set lifecycle policies for retention.
  • Integrate with CloudWatch Logs or Security Lake for monitoring.
  • Use CloudTrail Insights to detect unusual activity patterns automatically.

Pricing

  • One management trail per region is free.
  • Additional trails and data events (e.g., S3 object access, Lambda invocations) incur cost per 100,000 events.

Amazon GuardDuty

Description
Amazon GuardDuty provides continuous, intelligent threat detection for your AWS environment. It analyzes CloudTrail logs, VPC Flow Logs, and DNS logs to identify suspicious activity using machine learning and threat intelligence feeds.

Scenario
Your security team receives a GuardDuty finding showing an EC2 instance communicating with a known crypto-mining domain. An EventBridge rule triggers a Lambda function that isolates the instance by removing its IAM role and updating the security group.

Best Practices

  • Enable GuardDuty at the organization level for centralized visibility.
  • Automate incident response workflows using EventBridge and Lambda.
  • Regularly review findings in Security Hub and suppress known safe activities.

Pricing

  • Based on the volume of data analyzed (per GB of logs).

AWS Security Hub

Description
AWS Security Hub aggregates and prioritizes findings from multiple AWS security services (like GuardDuty, Inspector, and Macie) and third-party tools. It gives you a unified view of your security posture across all AWS accounts.

Scenario
A compliance officer enables AWS Foundational Security Best Practices in Security Hub. The tool automatically checks for common misconfigurations such as unencrypted S3 buckets or unused IAM access keys and produces consolidated compliance scores.

Best Practices

  • Enable Security Standards (e.g., CIS AWS Benchmark, PCI DSS).
  • Integrate with AWS Organizations for centralized management.
  • Use custom insights to filter high-priority findings for your environment.

Pricing

  • Per compliance check and per finding ingested.

Amazon Detective

Description
Amazon Detective simplifies the process of investigating and understanding the root cause of security issues by automatically collecting and correlating data from GuardDuty, CloudTrail, and VPC Flow Logs.

Scenario
A GuardDuty alert shows potential credential compromise. The security team uses Detective to trace which IAM user performed the unauthorized API calls and what resources were affected, visualizing relationships over time.

Best Practices

  • Enable Detective in accounts where GuardDuty is active.
  • Use it for incident post-analysis, not real-time response.
  • Retain data for the default 12 months for full investigation context.

Pricing

  • Per GB of data processed monthly.

Amazon Inspector

Description
Amazon Inspector provides continuous vulnerability scanning for EC2 instances, container images in ECR, and Lambda functions. It identifies software vulnerabilities (CVEs) and insecure configurations automatically.

Scenario
Inspector detects an outdated OpenSSL library on EC2 instances. The findings are sent to Security Hub, which triggers an SNS notification to the DevOps team for remediation.

Best Practices

  • Enable automatic scanning for new workloads.
  • Integrate Inspector findings with ticketing systems (like Jira).
  • Use tags to include/exclude workloads from scanning.

Pricing

  • Based on resource type and number of assessments per month.

AWS Security Lake

Description
AWS Security Lake centralizes security data from AWS services and third-party sources into a data lake built on S3. It normalizes data into the Open Cybersecurity Schema Framework (OCSF) for analytics and SIEM integration.

Scenario
An enterprise collects logs from GuardDuty, CloudTrail, and EDR tools into Security Lake, then queries them with Amazon Athena for security analytics and incident correlation.

Best Practices

  • Use lifecycle policies to control storage costs.
  • Integrate with Athena or OpenSearch for detection and dashboards.
  • Segment access by team or data type (SOC, Compliance, Forensics).

Pricing

  • Per GB of data ingested and stored.

AWS Security Incident Response

Description
AWS Security Incident Response is a set of AWS services, playbooks, and automations that help organizations prepare for, detect, and recover from security incidents.

Scenario
A company sets up an incident response workflow: GuardDuty detects a threat → EventBridge triggers Lambda → instance is quarantined → forensics team uses CloudTrail logs for investigation → snapshots are preserved for evidence.
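
The GuardDuty scenario earlier on this page (an EventBridge rule triggering a Lambda that removes the instance's IAM role and updates its security group) and the quarantine and snapshot steps of this workflow share one automation step; the Python below is an added example of that Lambda handler, not code from the original post. It is written against boto3 EC2 client method names, but the client is a recording fake, and the instance ids, quarantine security group id and finding are constructed so it runs offline.

```python
"""Quarantine an EC2 instance named in a GuardDuty finding delivered by EventBridge.
Added example, not from the original post. Calls use boto3 EC2 client method names,
but a recording fake stands in for the client so the logic runs offline; instance
ids, the quarantine security group and the sample finding are constructed."""
SEVERITY_THRESHOLD = 7.0                   # GuardDuty labels 7.0 and above "High"
QUARANTINE_SG = "sg-0quarantine000000000"  # constructed: a group with no inbound/outbound rules

def quarantine_instance(ec2, instance_id: str) -> dict:
    """Snapshot first (evidence), then strip credentials and network access."""
    snaps = ec2.create_snapshots(
        InstanceSpecification={"InstanceId": instance_id},
        Description=f"incident evidence for {instance_id}",
        TagSpecifications=[{"ResourceType": "snapshot",
                            "Tags": [{"Key": "incident-evidence", "Value": "true"}]}])
    # Detach the instance profile so the role's credentials stop being refreshed.
    assoc = ec2.describe_iam_instance_profile_associations(
        Filters=[{"Name": "instance-id", "Values": [instance_id]}])
    for a in assoc["IamInstanceProfileAssociations"]:
        ec2.disassociate_iam_instance_profile(AssociationId=a["AssociationId"])
    # Replace all security groups on the primary ENI with the empty quarantine group.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG])
    return {"instance": instance_id,
            "snapshots": [s["SnapshotId"] for s in snaps["Snapshots"]],
            "roles_detached": len(assoc["IamInstanceProfileAssociations"])}

def handler(event: dict, ec2) -> dict:
    """EventBridge entry point: quarantine only high-severity findings about EC2 instances."""
    detail = event.get("detail", {})
    resource = detail.get("resource", {})
    if event.get("detail-type") != "GuardDuty Finding":
        return {"action": "ignored", "reason": "not a GuardDuty finding"}
    if resource.get("resourceType") != "Instance":
        return {"action": "ignored", "reason": "not an EC2 instance finding"}
    if float(detail.get("severity", 0)) < SEVERITY_THRESHOLD:
        return {"action": "ignored", "reason": "below severity threshold"}
    result = quarantine_instance(ec2, resource["instanceDetails"]["instanceId"])
    return {"action": "quarantined", "finding_type": detail.get("type"), **result}

class FakeEC2:
    """Offline stand-in that records the calls a real boto3 EC2 client would receive."""
    def __init__(self):
        self.calls = []
    def _record(self, name, kw, response):
        self.calls.append((name, kw))
        return response
    def create_snapshots(self, **kw):
        return self._record("create_snapshots", kw,
                            {"Snapshots": [{"SnapshotId": "snap-0example000000001"}]})
    def describe_iam_instance_profile_associations(self, **kw):
        return self._record("describe_iam_instance_profile_associations", kw,
                            {"IamInstanceProfileAssociations": [{"AssociationId": "iip-assoc-0example1"}]})
    def disassociate_iam_instance_profile(self, **kw):
        return self._record("disassociate_iam_instance_profile", kw, {})
    def modify_instance_attribute(self, **kw):
        return self._record("modify_instance_attribute", kw, {})

# Constructed EventBridge event carrying an abridged GuardDuty finding.
SAMPLE_EVENT = {"detail-type": "GuardDuty Finding",
                "detail": {"type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 8,
                           "resource": {"resourceType": "Instance",
                                        "instanceDetails": {"instanceId": "i-0example000000001"}}}}
```

In a deployed Lambda the fake is replaced by `boto3.client("ec2")`, and the returned dictionary (snapshot ids, roles detached) is what the forensics team later matches against CloudTrail.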

Best Practices

  • Build automated runbooks using Step Functions or Systems Manager.
  • Predefine response actions for different incident categories.
  • Regularly test your response plan through simulations.

Pricing

  • Depends on the AWS services used (no direct cost for the framework).

Application Security

AWS Signer

Description
AWS Signer digitally signs code artifacts to ensure integrity and trust before deployment. It’s often used for Lambda functions, container images, and IoT applications.

Scenario
A DevOps team signs Lambda function packages with Signer before deployment. At runtime, the function’s integrity is verified automatically, ensuring no tampering occurred during delivery.

Best Practices

  • Integrate Signer into your CI/CD pipeline.
  • Rotate and protect signing keys with KMS.
  • Sign only verified and tested artifacts.

Pricing

  • Per signing job.

AWS Security Agent

Description
AWS Security Agent continuously scans workloads and applications for vulnerabilities and misconfigurations throughout the development lifecycle.

Scenario
During CI/CD, the Security Agent detects that an ECS task definition exposes unnecessary ports. The pipeline blocks the deployment until the issue is fixed.

Best Practices

  • Embed scans into your development pipeline.
  • Combine with Inspector for runtime checks.
  • Use findings to educate teams on secure configuration.

Pricing

  • Based on scan frequency and resource usage.

Amazon Verified Permissions

Description
Amazon Verified Permissions is a fine-grained authorization service that lets applications make real-time access decisions based on centrally managed policies.

Scenario
A banking application uses Verified Permissions to determine whether a user can view or modify specific accounts. Authorization policies are stored centrally, ensuring consistent enforcement across microservices.

Best Practices

  • Keep authorization policies centralized and version-controlled.
  • Design policies that reflect real business logic, not only technical access.
  • Combine with Cognito or IAM for authentication.

Pricing

  • Charged based on authorization request volume.

Compliance & Governance

AWS Config

Description
AWS Config records the configuration state of AWS resources and continuously evaluates them against compliance rules and baselines.

Scenario
Config detects that an S3 bucket becomes public. A Lambda remediation function is triggered automatically to restore compliance by blocking public access.

Best Practices

  • Use Config Conformance Packs for CIS or NIST compliance.
  • Enable across all accounts via AWS Organizations.
  • Integrate Config findings with Security Hub for unified reporting.

Pricing

  • Per configuration item recorded and per compliance evaluation.

AWS Audit Manager

Description
Audit Manager automates the collection of compliance evidence, mapping AWS resource data to controls for frameworks such as SOC 2, ISO 27001, or PCI DSS.

Scenario
A compliance officer creates an assessment based on ISO 27001. Audit Manager automatically collects encryption settings, IAM configurations, and logging evidence to prepare audit-ready reports.

Best Practices

  • Use prebuilt control frameworks.
  • Assign ownership of each control to specific stakeholders.
  • Review reports regularly before formal audits.

Pricing

  • Per active assessment per month.

AWS Artifact

Description
AWS Artifact provides on-demand access to compliance reports and agreements such as SOC, ISO, and PCI certifications for AWS services.

Scenario
A security team downloads AWS’s PCI DSS attestation report from Artifact to include in their compliance documentation when onboarding a new client.

Best Practices

  • Keep reports updated for each audit cycle.
  • Store downloaded reports securely and limit access.

Pricing

  • Free.

AWS Security Hub CSPM (Cloud Security Posture Management)

Description
AWS Security Hub CSPM is a feature within Security Hub that continuously checks your AWS environment against best practices and compliance standards to identify misconfigurations and security gaps.

Scenario
Security Hub CSPM detects that RDS instances aren’t encrypted and that CloudTrail logging is disabled in a few accounts. Findings are sent to Slack via EventBridge for immediate action.

Best Practices

  • Enable across all AWS accounts for unified visibility.
  • Align CSPM rules with your company’s compliance framework.
  • Use findings for automated remediation workflows.

Pricing

  • Included within Security Hub pricing.