Which AWS Service is best for me to secure my production environment?
AWS security services are a comprehensive set of tools that help enterprises track, control, monitor and authorise activity in their cloud environment. They operate under AWS's shared responsibility model, letting users manage their workflows, automate threat detection and remediation, monitor accounts and resources intelligently, reduce infrastructure drain, assess risks and issue certificates. These services work hand in hand with other monitoring, compute and container services such as CloudWatch and Lambda, so they can be used in combination or individually from a single management console, according to the user's preference, schedule and needs and the shape of their production environment.
Here is a detailed view of the AWS Security, Identity and Compliance products, to answer the evolving question: which AWS service is best for securing my production environment?
Identity and Access Management: IAM lets users manage access keys and rotate them periodically. It provides fine-grained access control over instances and buckets: users can specify permissions, define roles and the authority each role carries, set rules, and manage who can launch an instance, who can read it, and so on, all in one place. IAM adds no charge on top of the services already in use.
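To make the "fine-grained" point concrete, here is an added example (not from the page or from AWS) that loads a constructed IAM policy document and flags Allow statements that grant a wildcard action, or a wildcard resource with no Condition scoping it. The bucket name, tag key and Sids are invented for the sample.

```python
import json

# Constructed sample policy (not from the page). The first two statements are
# scoped grants; the third is the kind of wildcard grant the check should flag.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnlyOnOneBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-prod-logs",
                      "arn:aws:s3:::example-prod-logs/*"]},
        {"Sid": "LaunchTaggedInstancesOnly", "Effect": "Allow",
         "Action": "ec2:RunInstances", "Resource": "*",
         "Condition": {"StringEquals": {"aws:RequestTag/Team": "platform"}}},
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_overly_permissive(policy_json):
    """Return the Sids of Allow statements that grant a wildcard action, or a
    wildcard resource with no Condition narrowing the grant."""
    policy = json.loads(policy_json)
    flagged = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wildcard_action = any(a == "*" or a.endswith(":*") for a in actions)
        # Resource "*" is tolerable when a Condition scopes the grant, as with
        # ec2:RunInstances restricted by a request tag in the sample above.
        unscoped_resource = "*" in resources and "Condition" not in stmt
        if wildcard_action or unscoped_resource:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


if __name__ == "__main__":
    print(find_overly_permissive(SAMPLE_POLICY))  # ['TooBroad']
```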
Cognito: Cognito supports creating identities for apps using both public login providers and unauthenticated identities, with profile data transferred seamlessly. It stores any kind of data as key-value pairs, such as app preferences or game stage. User data is securely synced through an API and stored in the AWS cloud. Cognito provides the storage and sync so that AWS does the heavy lifting of the backend, identity, network and storage layers, and users can focus solely on developing their project.
Amazon GuardDuty: Amazon GuardDuty is a cloud-scale threat detection service that continuously monitors and protects AWS accounts and workloads using machine learning. GuardDuty sends detailed, actionable alerts that prioritise threats so they can be remediated faster. It integrates with CloudWatch Events, Lambda and other services from a centralised panel.
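The CloudWatch Events and Lambda integration mentioned above, as an added example that is not part of the original page: a rule pattern that forwards only high-severity GuardDuty findings, and the Lambda handler it would invoke, which buckets the finding by GuardDuty's severity ranges and picks a route. The event is constructed; the field names follow GuardDuty's event shape, the finding id and instance id are placeholders.

```python
# Constructed GuardDuty finding as delivered through CloudWatch Events; the rule
# pattern forwards only findings with numeric severity 7 or above (High).
HIGH_SEVERITY_RULE = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "EXAMPLE-FINDING-ID",            # placeholder, not a real finding
        "severity": 8.0,
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "resource": {"instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}


def severity_label(score):
    """Bucket GuardDuty's numeric severity: Low 1-3.9, Medium 4-6.9, High 7-8.9."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def matches_high_severity_rule(event):
    """Emulate the rule pattern locally so the filter can be unit-tested."""
    return (event.get("source") in HIGH_SEVERITY_RULE["source"]
            and event.get("detail-type") in HIGH_SEVERITY_RULE["detail-type"]
            and event.get("detail", {}).get("severity", 0) >= 7)


def lambda_handler(event, context=None):
    """Turn a finding into a routing record: High pages on-call, Medium opens
    a ticket, Low is only logged. Returned so a caller or test can inspect it."""
    detail = event["detail"]
    label = severity_label(detail["severity"])
    instance = detail.get("resource", {}).get("instanceDetails", {})
    return {
        "finding_id": detail["id"],
        "finding_type": detail["type"],
        "severity": label,
        "instance_id": instance.get("instanceId"),
        "route": {"High": "page", "Medium": "ticket", "Low": "log"}[label],
    }
```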
Inspector: Inspector automates security assessments, driven by a rule set based on a comprehensive list of best practices that exposes the most common vulnerabilities, minute by minute, at every stage of the development and deployment lifecycle. Findings can be delivered to email, ticketing and pager systems.
Macie: Macie is a data-compliance service that automatically detects, identifies and classifies data. It currently supports S3 storage and is backed by machine learning that spots access patterns and user behaviour by analysing CloudTrail event data, alerting on any unusual or irregular activity. Macie's findings are presented in a dashboard and can trigger alerts so that any potential exposure or compromise of data is resolved quickly.
Certificate Manager: AWS Certificate Manager provides a private certificate authority, meaning an enterprise or business can have a set of services accessible only within that enterprise. Users get SSL certificates for free if they register domains through Route 53. Companies can thus run their own private certificate authority, where they create and manage certificates, test their validity, and centrally decide exactly who has access to the services those certificates protect.
CloudHSM: AWS CloudHSM (Hardware Security Module) provides dedicated, validated HSMs for storing keys under the user's exclusive control within their VPC. All communication with a given HSM is protected along the whole channel and encrypted end to end, so it is not visible to anyone outside.
Directory Service: Directory Service lessens the administrative burden by letting computers join domains, identify authenticated users, and connect to on-premises directories, networks, databases and even printers. All connections are secured through VPN. Developers can use directory credentials to access the console and manage EC2 instances and S3 buckets.
AWS WAF: the Web Application Firewall reduces exposure to DDoS attacks, SQL injection, cross-site scripting and other threats. WAF evaluates layer 7 (HTTP) traffic against conditions and rules set up by the user, which determine what the firewall filters and what it lets through. It can be used on any site, inspects HTTPS traffic, and makes migration error-free and secure.
Shield: Shield is specifically designed to combat DDoS attacks and botnet intrusions against EC2, Elastic Load Balancers, CloudFront and other resources. It comes in different tiers and pricing plans, Shield Standard and Shield Advanced, with the latter adding extra protection.
Artifact: Artifact is a console for handling regulations and compliance; it provides downloads of compliance documents and certifications such as PCI reports. It lets users compare their current security posture and its effectiveness against those guidelines.