Appendix: AWS security, identity, and compliance services

Influence the future of the AWS Security Reference Architecture (AWS SRA) by taking a short survey

For an introduction or a refresher, see Security, Identity, and Compliance on AWS on the AWS website for a list of the AWS services that help you secure your workloads and applications in the cloud. These services are grouped into five categories: data protection, identity & access management, network & application protection, threat detection & continuous monitoring, and compliance & data privacy.

Data protection – AWS provides services that help you protect your data, accounts, and workloads from unauthorized access.

Amazon Macie – Discover, classify, and protect sensitive data with machine learning-powered security features.
AWS KMS – Create and control the keys used to encrypt your data.
AWS CloudHSM – Manage your hardware security modules (HSMs) in the AWS Cloud.
AWS Certificate Manager – Provision, manage, and deploy SSL/TLS certificates for use with AWS services.
AWS Secrets Manager – Rotate, manage, and retrieve database credentials, API keys, and other secrets through their lifecycle.

Identity & access management – AWS identity services enable you to securely manage identities, resources, and permissions at scale.

IAM – Securely control access to AWS services and resources.
IAM Identity Center – Centrally manage SSO access to multiple AWS accounts and business applications.
Amazon Cognito – Add user sign-up, sign-in, and access control to your web and mobile applications.
AWS Directory Service – Use managed Microsoft Active Directory in the AWS Cloud.
AWS Resource Access Manager – Share AWS resources simply and securely.
AWS Organizations – Implement policy-based management for multiple AWS accounts.
Amazon Verified Permissions – Manage scalable, fine-grained permissions and authorization in your custom applications.

Network & application protection – These categories of services enable you to enforce fine-grained security policy at network control points across your organization. AWS services help you inspect and filter traffic to help prevent unauthorized resource access at the host-level, network-level, and application-level boundaries.

AWS Shield – Safeguard your web applications that run on AWS with managed DDoS protection.
AWS WAF – Protect your web applications from common web exploits, and ensure availability and security.
AWS Firewall Manager – Configure and manage AWS WAF rules across AWS accounts and applications from a central location.
AWS Systems Manager – Configure and manage Amazon EC2 and on-premises systems to apply OS patches, create secure system images, and configure secure operating systems.
Amazon VPC – Provision a logically isolated section of AWS where you can launch AWS resources in a virtual network that you define.
AWS Network Firewall – Deploy essential network protections for your VPCs.
Amazon Route 53 DNS Firewall – Protect your outbound DNS requests from your VPCs.
AWS Verified Access – Provide secure access to your applications without requiring virtual private networks (VPNs).
Amazon VPC Lattice – Simplify service-to-service connectivity, security, and monitoring.

Threat detection & continuous monitoring – AWS monitoring and detection services provide guidance to help identify potential security incidents within your AWS environment.

AWS Security Hub – View and manage security alerts and automate compliance checks from a central location.
Amazon GuardDuty – Protect your AWS accounts and workloads with intelligent threat detection and continuous monitoring.
Amazon Inspector – Automate security assessments to help improve the security and compliance of your applications that are deployed on AWS.
AWS Config – Record and evaluate the configurations of your AWS resources to enable compliance auditing, resource change tracking, and security analysis.
AWS Config Rules – Create rules that automatically take action in response to changes in your environment, such as isolating resources, enriching events with additional data, or restoring configuration to a known good state.
AWS CloudTrail – Track user activity and API usage to enable governance and operational and risk auditing of your AWS account.
Amazon Detective – Analyze and visualize security data to rapidly get to the root cause of potential security issues.
AWS Lambda – Run code without provisioning or managing servers so you can scale your programmed, automated response to incidents.

Compliance & data privacy – AWS gives you a comprehensive view of your compliance status and continuously monitors your environment by using automated compliance checks based on the AWS best practices and industry standards your business follows.

AWS Artifact – Use a no-cost, self-service portal to get on-demand access to AWS security and compliance reports and select online agreements.
AWS Audit Manager – Continuously audit your AWS usage to simplify how you assess risk and compliance with regulations and industry standards.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Acknowledgments

Document history