AWS Cloud Security enhancement using “AWS Security Services”

Amit Yadav
6 min read · Jan 6, 2021

In today's IT industry, security is a key concern, and it has become mandatory to protect data and systems against all possible security issues and vulnerabilities. To deal with those issues and vulnerabilities, AWS recommends a set of services.

In this article, we will discuss the security services AWS recommends and give a short gist of their implementation.

AWS divides its security services into several categories:

  1. Identity and access management services
  2. Detection Services
  3. Infrastructure Protection Services
  4. Data Protection Services

We'll discuss the services category by category.

Let’s Start

1. Identity and access management services

The following services come under this category.

a. AWS IAM

Identity and Access Management is also known as AWS IAM. The name itself gives a fair idea of the service: with IAM we control access to our AWS resources, i.e. who can access a resource and which actions they can perform on it. We can attach specific roles and policies to specific users using AWS IAM.

b. AWS SSO

SSO stands for Single Sign-On. With AWS SSO, we can manage access to multiple accounts and applications and give users single sign-on access to all their assigned accounts and applications from one place. The service configures and maintains the necessary permissions across multiple accounts automatically, so no additional setup is required in the individual accounts.

c. AWS Cognito

Cognito helps integrate social sign-up and sign-in (i.e. Facebook, Google and Amazon) into web and mobile applications in a secure way.

d. AWS Directory Services

This service is for Microsoft Active Directory and is also known as AWS Managed Microsoft AD. It is built on actual Microsoft AD and does not require any replication or synchronization of data from an existing Active Directory to the cloud.

e. AWS Organizations

With AWS Organizations, we can create multiple accounts, group them, and allocate resources by applying centralised policies to those accounts and groups. It helps to govern and manage the environment as our resources grow and scale.

2. Detection services

The following services come under this category.

a. AWS Security Hub

AWS Security Hub gives us an overview of all the security alerts generated from the environment. It also ranks the alerts by priority so that the required action can be taken on the most important ones first. Security Hub continuously monitors your environment using automated security checks based on AWS best practices and the industry standards your organization follows.

b. AWS GuardDuty

It's a threat detection service that continuously monitors accounts, data and resources for suspicious activity and unintended behaviour. It uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats.

c. AWS Inspector

AWS Inspector is an assessment service that helps improve the security and compliance of applications deployed on AWS. Assessments are run against applications using the following rules packages:

i. Network Reachability Rules Package

ii. Common Vulnerabilities and Exposures (CVE)

iii. Center for Internet Security (CIS) benchmarks

iv. Security Best Practices, and Runtime Behavior Analysis

After a successful assessment, AWS Inspector produces a detailed report with the severity level of every finding. Based on the findings, we can deploy patches using AWS Systems Manager.

d. AWS Config

AWS Config helps you answer four "W" questions:

i. What is in my environment?

ii. What impact did a particular action have?

iii. What has changed?

iv. Where is the evidence?

Using AWS Config, we can discover existing AWS resources, export a complete inventory of them with all configuration details, and determine how a resource was configured at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.
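As an added example (not code from the original article), here is a small custom AWS Config rule in Python that evaluates an S3 bucket configuration item against the two S3 controls this article mentions, versioning and default encryption. The configuration-item field names follow the Config format as I understand it, the sample event is constructed, and the `put_evaluations` call a deployed rule makes is omitted so the logic runs offline.

```python
import json

# Constructed sample of the event a custom AWS Config rule receives. The
# configuration item is trimmed to the fields this rule reads; the field
# names follow the Config configuration-item format for S3 buckets.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::S3::Bucket",
        "resourceId": "example-logs-bucket",
        "configurationItemCaptureTime": "2021-01-06T09:00:00.000Z",
        "supplementaryConfiguration": {
            "BucketVersioningConfiguration": {"status": "Enabled"},
            "ServerSideEncryptionConfiguration": {"rules": []},
        },
    }}),
    "resultToken": "placeholder-result-token",
}


def evaluate_s3_bucket(item):
    """Return (compliance_type, annotation) for one S3 bucket configuration
    item, checking versioning and default server-side encryption."""
    if item.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE", "rule only evaluates S3 buckets"
    supp = item.get("supplementaryConfiguration", {})
    problems = []
    if supp.get("BucketVersioningConfiguration", {}).get("status") != "Enabled":
        problems.append("versioning is not enabled")
    rules = supp.get("ServerSideEncryptionConfiguration", {}).get("rules", [])
    if not any(r.get("applyServerSideEncryptionByDefault") for r in rules):
        problems.append("no default server-side encryption rule")
    if problems:
        return "NON_COMPLIANT", "; ".join(problems)
    return "COMPLIANT", "versioning and default encryption enabled"


def lambda_handler(event, context):
    """Rule entry point. A deployed rule submits this dict via
    config.put_evaluations(Evaluations=[...], ResultToken=event["resultToken"]);
    that boto3 call is omitted here so the logic runs offline."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate_s3_bucket(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
```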

e. AWS CloudTrail

After identifying what impact an action had and what changed using AWS Config, we need to identify who made those changes to the resources. AWS CloudTrail does exactly that. It enables compliance, governance, risk auditing, and operational auditing. With CloudTrail, we can continuously log and monitor all activity performed on our resources. It also provides an activity history, which we can use for security analysis, resource change tracking, and troubleshooting.
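An added example, not from the original article: a few lines of Python that answer the "who" question over constructed CloudTrail records, keeping only mutating API calls and flagging any made by the root user. The account id, names and resource ids in the sample are placeholders; field names follow the CloudTrail record format.

```python
import json

# Constructed CloudTrail records trimmed to the fields this example reads;
# account id, user names and resource ids are placeholders.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2021-01-06T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetBucketAcl", "readOnly": True,
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"bucketName": "example-bucket"}},
    {"eventTime": "2021-01-06T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "readOnly": False,
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Deploy/ci",
                      "sessionContext": {"sessionIssuer": {"userName": "Deploy"}}},
     "requestParameters": {"bucketName": "example-bucket"}},
    {"eventTime": "2021-01-06T11:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "readOnly": False,
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0"}},
]})


def actor_label(identity):
    """Render the acting principal: the role name for assumed-role sessions,
    the user name for IAM users, and an explicit marker for the root user."""
    kind = identity.get("type")
    if kind == "AssumedRole":
        issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
        return "role:" + issuer.get("userName", "?")
    if kind == "Root":
        return "ROOT"
    return "user:" + identity.get("userName", identity.get("arn", "?"))


def change_records(trail_json):
    """Return the mutating API calls (readOnly is false) with who made them
    and what they touched, flagging any performed by the root user."""
    out = []
    for rec in json.loads(trail_json).get("Records", []):
        if rec.get("readOnly", False):
            continue  # reads do not change resources; skip them
        identity = rec.get("userIdentity", {})
        params = rec.get("requestParameters") or {}
        out.append({
            "time": rec["eventTime"],
            "actor": actor_label(identity),
            "action": rec["eventName"],
            "target": ", ".join(f"{k}={v}" for k, v in params.items()),
            "root": identity.get("type") == "Root",
        })
    return out
```

In a real trail the same logic runs over the gzipped JSON files CloudTrail delivers to S3, or over events from CloudTrail Lake or CloudWatch Logs.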

3. Infrastructure protection services

The following services come under this category.

a. AWS Network Firewall

AWS Network Firewall is a network protection service. With just a few clicks we can deploy the necessary network protections to all our Amazon Virtual Private Clouds (VPCs), and it scales automatically with our network traffic.

b. AWS Shield

For DDoS protection AWS recommends AWS Shield, a specialised service that safeguards applications running on AWS from Distributed Denial of Service (DDoS) attacks. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection.

c. AWS WAF

AWS WAF stands for Web Application Firewall. It helps protect web applications and APIs from common web exploits and vulnerabilities. AWS WAF also lets you create security rules that control traffic, i.e. it gives you control over how traffic reaches your application.

d. AWS Route 53

It's a DNS routing service that routes end users to Internet applications by translating names like www.medium.com into the numeric IP addresses, like 192.0.3.0, that computers use to connect to each other. With Route 53, we can easily manage how our users are routed to our applications.

4. Data protection services

The following services come under this category.

a. AWS S3

Simple Storage Service is commonly known as AWS S3. It's an object storage service that allows us to store any kind of data securely. It has built-in versioning and encryption features which we can use to store data securely.

b. AWS Glacier

AWS Glacier is also a storage service, but one designed for data archiving and long-term backup in a secure way. It is designed to deliver almost 100% durability and provides comprehensive security and compliance capabilities that can help meet even the most stringent regulatory requirements.

c. AWS Macie

In an organization, as data volumes grow it becomes difficult to identify and protect sensitive user data. To address this, AWS recommends AWS Macie, a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.

d. AWS KMS

AWS KMS is a Key Management Service that helps create cryptographic keys and control their use across a wide range of AWS services and in our own applications. It uses a two-tiered key hierarchy (envelope encryption) for key management.

e. AWS CloudHSM

It's a cloud-based Hardware Security Module that enables you to easily generate and use your own encryption keys on the AWS Cloud. A hardware security module (HSM) is a hardware appliance that provides secure key storage and cryptographic operations within a tamper-resistant device. HSMs are designed to store cryptographic key material securely and use it without exposing it outside the cryptographic boundary of the appliance.

f. AWS Certificate Manager

With AWS Certificate Manager, we can easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and our internal connected resources.

g. AWS Secrets Manager

In a cloud environment there are many credentials, API keys and other secrets (arbitrary text) used to access AWS, on-premises, or third-party resources, and they need to be stored securely. AWS Secrets Manager does exactly that: it acts as a central repository to store and protect that critical information.

Hopefully this gives a fair idea of the AWS security services we can implement in our AWS cloud environment to enhance its security.

Thank You
