The AWS service that is essential to security is AWS Identity and Access Management (IAM), which allows you to securely control access to AWS services and resources for your users. The following services and features support the five areas in security:
Identity and Access Management: IAM enables you to securely control access to AWS services and resources. MFA adds an additional layer of protection on user access. AWS Organizations lets you centrally manage and enforce policies across multiple AWS accounts.
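One concrete check behind the MFA point above, written here as an added example rather than anything from the Well-Architected document: it parses the IAM credential report and lists console users, including the root account, that have no MFA device, and reports whether root still holds access keys. The column names are the real credential report columns; the report content is constructed so the script runs offline, and the boto3 calls that fetch a live report appear only in the docstring.

```python
"""Audit the IAM credential report for console users without MFA.

Added example, not part of the AWS document. In a live account the report is
fetched with boto3 (shown for reference, not executed, so this runs offline):

    iam = boto3.client("iam")
    iam.generate_credential_report()   # poll until State is COMPLETE
    csv_text = iam.get_credential_report()["Content"].decode("utf-8")
"""
import csv
import io

ROOT = "<root_account>"

# Constructed sample report. The column names are the real credential report
# columns; trailing columns (access_key_2_*, cert_*) are omitted for brevity.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2019-01-10T12:00:00+00:00,not_supported,2020-03-01T09:12:44+00:00,not_supported,not_supported,false,true,2019-01-10T12:05:00+00:00
alice,arn:aws:iam::111122223333:user/alice,2019-02-01T08:00:00+00:00,true,2020-03-02T10:00:00+00:00,2020-01-15T08:00:00+00:00,2020-04-14T08:00:00+00:00,true,true,2020-01-15T08:00:00+00:00
bob,arn:aws:iam::111122223333:user/bob,2019-05-20T08:00:00+00:00,true,2020-03-03T11:30:00+00:00,2019-05-20T08:00:00+00:00,N/A,false,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2019-06-01T08:00:00+00:00,false,N/A,N/A,N/A,false,true,2019-06-01T08:00:00+00:00
"""


def parse_report(csv_text):
    """Parse the credential report CSV into one dict per principal."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def console_users_without_mfa(rows):
    """Principals that can sign in to the console but have no MFA device.

    Only principals with a console password are flagged: a programmatic user
    such as deploy-bot has no console login, so MFA does not apply to it (its
    access keys are a separate concern). The root row reports password_enabled
    as 'not_supported' because root always has a password, so root is judged
    on mfa_active alone.
    """
    flagged = []
    for row in rows:
        has_console_password = row["user"] == ROOT or row["password_enabled"] == "true"
        if has_console_password and row["mfa_active"] != "true":
            flagged.append(row["user"])
    return flagged


def root_has_access_keys(rows):
    """True if the root account has any active access key.

    Root keys bypass every IAM policy, so this should be empty in practice.
    """
    for row in rows:
        if row["user"] == ROOT:
            return any(row.get(col) == "true"
                       for col in ("access_key_1_active", "access_key_2_active"))
    return False


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    print("console users without MFA:", console_users_without_mfa(rows))
    print("root access keys active:", root_has_access_keys(rows))
```

Run against the sample it flags root and bob but not deploy-bot, which has keys but no console password. Pair the result with an IAM policy that denies actions unless `aws:MultiFactorAuthPresent` is true so the gap cannot silently reopen.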
Detective Controls: AWS CloudTrail records AWS API calls, and AWS Config provides a detailed inventory of your AWS resources and their configuration. Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious or unauthorized behavior. Amazon CloudWatch is a monitoring service for AWS resources that can trigger CloudWatch Events to automate security responses.
Infrastructure Protection: Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you’ve defined. Amazon CloudFront is a global content delivery network that securely delivers data, videos, applications, and APIs to your viewers and integrates with AWS Shield for DDoS mitigation. AWS WAF is a web application firewall that is deployed on either Amazon CloudFront or an Application Load Balancer to help protect your web applications from common web exploits.
Data Protection: Services such as ELB, Amazon Elastic Block Store (Amazon EBS), Amazon S3, and Amazon Relational Database Service (Amazon RDS) include encryption capabilities to protect your data in transit and at rest. Amazon Macie automatically discovers, classifies, and protects sensitive data, while AWS Key Management Service (AWS KMS) makes it easy for you to create and control the keys used for encryption.
Incident Response: IAM should be used to grant appropriate authorization to incident response teams and response tools. AWS CloudFormation can be used to create a trusted environment or clean room for conducting investigations. Amazon CloudWatch Events allows you to create rules that trigger automated responses, including AWS Lambda functions.
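The detective controls and the automated response above chain together as a CloudWatch Events rule that matches GuardDuty findings and invokes a Lambda function. The following is an added example, not code from the AWS document: a handler that quarantines the EC2 instance named in a high-severity finding by replacing its security groups with an empty quarantine group, so the instance keeps running (memory and disk stay available to investigators) while its network access is cut. The quarantine group id, instance id and the finding event are constructed values, and a FakeEC2 stand-in replaces the boto3 client so the code runs offline; the real client is only created when none is injected.

```python
"""Automated response to a GuardDuty finding delivered by a CloudWatch Events rule.

Added example, not part of the AWS document. The rule's event pattern
(hypothetical configuration, set in the console or CloudFormation) would be:

    {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}
"""
import os

SEVERITY_THRESHOLD = 7.0  # GuardDuty severity bands: Low 1-3.9, Medium 4-6.9, High 7-8.9
QUARANTINE_SG = os.environ.get("QUARANTINE_SG", "sg-0quarantine")  # hypothetical SG with no rules
INSTANCE_ID = "i-0123456789abcdef0"  # constructed

# Constructed CloudWatch Events envelope around a GuardDuty finding; only the
# fields the handler reads are populated.
SAMPLE_FINDING = {
    "version": "0",
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "account": "111122223333",
    "region": "us-east-1",
    "detail": {
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 8,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": INSTANCE_ID},
        },
    },
}


def quarantine_instance(ec2, instance_id, quarantine_sg, finding_type):
    """Replace the instance's security groups with the quarantine group.

    The previous groups are recorded in tags so the investigator can see what
    the instance was exposed to and restore it later.
    """
    desc = ec2.describe_instances(InstanceIds=[instance_id])
    instance = desc["Reservations"][0]["Instances"][0]
    previous = [g["GroupId"] for g in instance["SecurityGroups"]]
    # Groups= replaces the whole list; this is the call that cuts network access.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    ec2.create_tags(
        Resources=[instance_id],
        Tags=[
            {"Key": "Quarantine", "Value": finding_type},
            {"Key": "PreviousSecurityGroups", "Value": ",".join(previous)},
        ],
    )
    return previous


def handler(event, context=None, ec2=None, quarantine_sg=QUARANTINE_SG):
    """Lambda entry point; returns a dict describing the action taken."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return {"action": "ignored", "reason": "not a GuardDuty finding"}
    detail = event["detail"]
    severity = float(detail.get("severity", 0))
    if severity < SEVERITY_THRESHOLD:
        return {"action": "ignored", "reason": "below severity threshold", "severity": severity}
    resource = detail.get("resource", {})
    if resource.get("resourceType") != "Instance":
        return {"action": "ignored", "reason": "finding is not about an EC2 instance"}
    instance_id = resource["instanceDetails"]["instanceId"]
    if ec2 is None:
        # Real deployment: the function's execution role needs ec2:DescribeInstances,
        # ec2:ModifyInstanceAttribute and ec2:CreateTags, nothing broader.
        import boto3
        ec2 = boto3.client("ec2")
    previous = quarantine_instance(ec2, instance_id, quarantine_sg, detail["type"])
    return {"action": "quarantined", "instance_id": instance_id,
            "previous_groups": previous, "finding": detail["type"]}


class FakeEC2:
    """Minimal stand-in for the boto3 EC2 client so the example runs offline."""

    def __init__(self):
        self.groups = {INSTANCE_ID: ["sg-0web", "sg-0ssh"]}  # constructed state
        self.tags = {}

    def describe_instances(self, InstanceIds):
        instances = [{"InstanceId": i, "SecurityGroups": [{"GroupId": g} for g in self.groups[i]]}
                     for i in InstanceIds]
        return {"Reservations": [{"Instances": instances}]}

    def modify_instance_attribute(self, InstanceId, Groups):
        self.groups[InstanceId] = list(Groups)

    def create_tags(self, Resources, Tags):
        for r in Resources:
            self.tags.setdefault(r, {}).update({t["Key"]: t["Value"] for t in Tags})


if __name__ == "__main__":
    ec2 = FakeEC2()
    print(handler(SAMPLE_FINDING, ec2=ec2))
    print(ec2.groups, ec2.tags)
```

Two caveats a responder should keep in mind: `modify_instance_attribute` with `Groups` changes only the primary network interface, so instances with additional ENIs need `modify_network_interface_attribute` per interface; and network isolation does not invalidate credentials the attacker may already have taken from the instance's IAM role, which is a separate revocation step on the role itself.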