Appendix: AWS security, identity, and compliance services
For an introduction or a refresher, see Security, identity, and compliance on AWS
Data protection – AWS provides services that help you protect your data, accounts, and workloads from unauthorized access.
Amazon Macie
– Discover, classify, and protect sensitive data with machine learning-powered security features. AWS KMS
– Create and control the keys used to encrypt your data. AWS CloudHSM
– Manage your hardware security modules (HSMs) in the AWS Cloud. AWS Certificate Manager
– Provision, manage, and deploy SSL/TLS certificates for use with AWS services. AWS Secrets Manager
– Rotate, manage, and retrieve database credentials, API keys, and other secrets through their lifecycle. AWS Private CA - Create private certificate authority (CA) hierarchies, including root and subordinate CAs.
Identity & access management – AWS identity services enable you to securely manage identities, resources, and permissions at scale.
IAM
– Securely control access to AWS services and resources. IAM Access Analyzer – Use provable security
to implement least privilege by providing capabilities to set, verify, and refine permissions. IAM Identity Center
– Centrally manage SSO access to multiple AWS accounts and business applications. Amazon Cognito
– Add user sign-up, sign-in, and access control to your web and mobile applications. AWS Directory Service
– Use managed Microsoft Active Directory in the AWS Cloud. AWS RAM
– Share AWS resources simply and securely. AWS Organizations
– Implement policy-based management for multiple AWS accounts. Amazon Verified Permissions – Manage scalable, fine-grained permissions and authorization in your custom applications.
Network & application protection – These categories of services enable you to enforce fine-grained security policy at network control points across your organization. AWS services help you inspect and filter traffic to help prevent unauthorized resource access at the host-level, network-level, and application-level boundaries.
AWS Shield
– Safeguard your web applications that run on AWS with managed DDoS protection. AWS WAF
– Protect your web applications from common web exploits, and ensure availability and security. AWS Firewall Manager
– Configure and manage AWS WAF rules across AWS accounts and applications from a central location. AWS Systems Manager
– Configure and manage Amazon EC2 and on-premises systems to apply OS patches, create secure system images, and configure secure operating systems. Amazon VPC
– Provision a logically isolated section of AWS where you can launch AWS resources in a virtual network that you define. AWS Network Firewall
– Deploy essential network protections for your VPCs. Amazon Route 53 DNS Firewall – Protect your outbound DNS requests from your VPCs.
AWS Verified Access – Provide secure access to your applications without requiring virtual private networks (VPNs).
Amazon VPC Lattice
– Simplify service-to-service connectivity, security, and monitoring. AWS Transit Gateway - Connect VPCs, AWS accounts, and on-premises networks to a single gateway
Network Access Analyzer - Identify unintended network access to your resources on AWS.
Threat detection & continuous monitoring – AWS monitoring and detection services provide guidance to help identify potential security incidents within your AWS environment.
AWS Security Hub CSPM
– View and manage security alerts and automate compliance checks from a central location. AWS Security Hub
– Correlate and enrich security findings to prioritize critical security issues across your accounts and AWS Regions. Amazon GuardDuty
– Protect your AWS accounts and workloads with intelligent threat detection and continuous monitoring. Amazon Inspector
– Automate security assessments to help improve the security and compliance of your applications that are deployed on AWS. AWS Config
– Record and evaluate the configurations of your AWS resources to enable compliance auditing, resource change tracking, and security analysis. AWS Config Rules – Create rules that automatically take action in response to changes in your environment, such as isolating resources, enriching events with additional data, or restoring configuration to a known good state.
AWS Security Incident Response
– Automate security incident response, investigation, and remediation with pre-built playbooks and workflows. AWS CloudTrail
– Track user activity and API usage to enable governance and operational and risk auditing of your AWS account. Amazon Detective
– Analyze and visualize security data to rapidly get to the root cause of potential security issues. AWS Lambda
– Run code without provisioning or managing servers so you can scale your programmed, automated response to incidents.
Compliance & data privacy – AWS gives you a comprehensive view of your compliance status and continuously monitors your environment by using automated compliance checks based on the AWS best practices and industry standards your business follows.
AWS Artifact
– Use a no-cost, self-service portal to get on-demand access to AWS security and compliance reports and select online agreements. AWS Audit Manager
– Continuously audit your AWS usage to simplify how you assess risk and compliance with regulations and industry standards.