Introduction

Security, identity, and compliance in the cloud are pivotal components in achieving and maintaining the integrity and safety of your data and services. This is especially relevant as more businesses migrate to cloud providers such as Amazon Web Services (AWS).

Cloud security refers to the measures and practices used to protect digital assets from threats. This encompasses both the physical security of data centers and the cybersecurity measures that guard against online threats. AWS prioritizes security through encrypted data storage, network security, and continuous monitoring for potential threats.

Identity services help you securely manage identities, resources, and permissions at scale. AWS provides identity services designed for workforce and customer-facing applications, and for managing access to your workloads and applications.

Compliance in the cloud refers to adhering to laws and regulations governing data protection and privacy. AWS Compliance Programs provide information about the certifications, regulations, and frameworks that AWS aligns with. AWS Compliance explains the robust controls in place at AWS to maintain security and data protection in the AWS Cloud.

This guide helps you select the AWS security, identity, and compliance services and tools that are the best fit for your needs and your organization.

Understand

Security and compliance are shared responsibilities

Before choosing your AWS security, identity, and compliance services, it’s important to understand that security and compliance are shared responsibilities between you and AWS.

The nature of this shared responsibility helps relieve your operational burden, and it provides you with flexibility and control over your deployment. This differentiation of responsibility is commonly referred to as security “of” the cloud versus security “in” the cloud.

  • AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.

  • Your responsibility is determined by the AWS Cloud services you select, which in turn determines how much configuration work you need to do as part of your security responsibilities. For example, a service such as Amazon Elastic Compute Cloud (Amazon EC2) is categorized as Infrastructure as a Service (IaaS), so you must perform all of the necessary security configuration and management tasks. If you deploy an Amazon EC2 instance, you are responsible for managing the guest operating system (including updates and security patches), any application software or utilities you install on the instance, and the configuration of the AWS-provided firewall (called a security group) on each instance. For abstracted services, such as Amazon Simple Storage Service (Amazon S3) and Amazon DynamoDB, AWS operates the infrastructure layer, the operating system, and the platform, and you access the service endpoints to store and retrieve data. You are responsible for managing your data (including encryption options), classifying your assets, and using IAM tools to apply the appropriate permissions.

    Carefully consider the services that you choose, as your responsibilities vary depending on:

    • The services used
    • The integration of those services into your existing environment
    • Applicable laws and regulations
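
Because security group configuration sits on your side of the shared responsibility line, an audit of ingress rules is a check worth automating. The following is an added example, not AWS's own code: it walks the IpPermissions structure that `aws ec2 describe-security-groups` returns and flags any rule that opens a port outside an allowlist to 0.0.0.0/0 or ::/0. The two sample groups (sg-web, sg-db) and the allowlist of ports 80 and 443 are constructed for the example.

```python
"""Audit EC2 security group ingress rules for ports reachable from anywhere.

Added example, not AWS's own code. It works on the IpPermissions structure
returned by `aws ec2 describe-security-groups`; the two sample groups below
(sg-web, sg-db) and the public-port allowlist are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

# Ports that may be exposed to the internet on a public-facing group
# (assumption for this example; tune it per workload).
ALLOWED_PUBLIC_PORTS = {80, 443}


@dataclass(frozen=True)
class Finding:
    group_id: str
    protocol: str
    port_range: str
    source: str


def _is_world_cidr(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0, i.e. any prefix of length zero."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _exposed_ports(perm: dict) -> Optional[Set[int]]:
    """Ports an ingress permission opens; None means every port."""
    if perm.get("IpProtocol") == "-1":            # "All traffic" rule
        return None
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None or lo == -1:      # e.g. ICMP "all types"
        return None
    return set(range(lo, hi + 1))


def audit_security_group(group: dict) -> List[Finding]:
    """One Finding per ingress rule that exposes a non-allowlisted port to
    the whole internet over IPv4 or IPv6."""
    findings = []
    for perm in group.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        world = [s for s in sources if _is_world_cidr(s)]
        if not world:
            continue                                # only trusted ranges
        ports = _exposed_ports(perm)
        if ports is not None and ports <= ALLOWED_PUBLIC_PORTS:
            continue                                # e.g. 443 on a web tier
        rng = "all" if ports is None else f"{min(ports)}-{max(ports)}"
        for src in world:
            findings.append(Finding(group["GroupId"], perm.get("IpProtocol", "-1"), rng, src))
    return findings


def audit_all(groups: List[dict]) -> List[Finding]:
    return [f for g in groups for f in audit_security_group(g)]


# Constructed sample input in the shape of describe-security-groups output.
SAMPLE_GROUPS = [
    {   # web tier: 443 to the world, SSH only from a corporate range -> clean
        "GroupId": "sg-web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        ],
    },
    {   # database tier: SSH open to the world plus an "all traffic" rule -> two findings
        "GroupId": "sg-db",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]

if __name__ == "__main__":
    for f in audit_all(SAMPLE_GROUPS):
        print(f"{f.group_id}: {f.protocol} {f.port_range} open to {f.source}")
```

Note the two cases the check has to get right: a rule with IpProtocol "-1" carries no FromPort/ToPort at all and means every port, and an IPv6 rule (Ipv6Ranges) is just as exposed as an IPv4 one, so both lists are inspected.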

With an understanding of this model, you can next understand the range of options available to you, and how the applicable AWS services fit together.

AWS offers 30+ tools and services for security, identity, and compliance

AWS offers more than 30 tools and services across five domains to help you achieve and maintain robust security, identity management, and compliance in the cloud. Those domains are:

  • Identity and access management: At the heart of AWS security is the principle of least privilege, so that individuals and services have only the access they need. You can use AWS IAM Identity Center to manage access to your accounts and permissions within those accounts, including for identities from external identity providers. With AWS Organizations, you can set up policy-based management for multiple accounts within your organization.

  • Detection and response: AWS provides tools to help you streamline security operations across your AWS environment. For example, Amazon GuardDuty offers intelligent threat detection, while Amazon Detective helps you investigate security findings by correlating log data. AWS Security Hub supports multiple security standards and provides an overview of security alerts and compliance status across AWS accounts. AWS CloudTrail records user activity and application programming interface (API) usage, which is crucial for understanding and responding to incidents.

  • Network and application protection: AWS offers several services to protect your networks and applications. Amazon Virtual Private Cloud (Amazon VPC) lets you launch AWS resources in a virtual network over which you control the network environment. AWS Shield provides protection against Distributed Denial of Service (DDoS) attacks, and AWS WAF helps protect web applications from common web exploits.

  • Data protection: Data protection is vital in the cloud, and AWS provides services that help you protect your data, accounts, and workloads. AWS Key Management Service (AWS KMS) and AWS CloudHSM let you create and control the cryptographic keys you use to protect your data.

  • Compliance: AWS supports a range of compliance certifications and controls, helping customers meet their regulatory requirements. For example, AWS Artifact provides on-demand access to compliance reports, and AWS Config continuously records resource configurations and evaluates them against rules, which supports your auditing and governance needs.

In summary, the AWS services across these five domains can help you form a multi-layered approach to keeping your data and environments safe. You can use these services to help you fortify your cloud infrastructure against evolving threats—while helping you adhere to stringent regulatory standards.
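
As an added illustration of least privilege in the identity and access management domain (example code, not AWS's or IAM's own implementation), the following Python models the core of IAM policy evaluation: an explicit Deny always wins, an Allow is required, and without one the result is an implicit deny. It evaluates a constructed policy that lets a role read only Secrets Manager secrets tagged with its own team (attribute-based access control using the aws:PrincipalTag and aws:ResourceTag condition keys) and denies everything when MFA was not used. The account ID, secret ARN, tag names and the handful of condition operators supported are assumptions for the example; real IAM supports many more operators and context keys.

```python
"""Minimal model of IAM policy evaluation, to show least privilege in practice.

Added example: this is not AWS code and not IAM's real implementation. It
models only what the example needs: explicit Deny beats Allow, an Allow is
required or the result is an implicit deny, Action/Resource match with `*`
wildcards, and Condition supports StringEquals, StringLike, Bool and their
...IfExists forms, with ${key} policy variables. The policy, ARN, account ID
and tags below are constructed for the example.
"""
from fnmatch import fnmatchcase
from typing import Dict, List, Optional


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _substitute(value: str, ctx: Dict[str, str]) -> str:
    """Expand ${key} policy variables such as ${aws:PrincipalTag/team}."""
    for key, val in ctx.items():
        value = value.replace("${" + key + "}", val)
    return value


def _condition_holds(cond: dict, ctx: Dict[str, str]) -> bool:
    for operator, pairs in cond.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        for key, expected in pairs.items():
            wanted = [_substitute(str(e), ctx) for e in _as_list(expected)]
            if key not in ctx:
                if if_exists:
                    continue        # ...IfExists: a missing key satisfies the test
                return False        # plain operator: a missing key fails it
            actual = ctx[key]
            if base == "StringEquals":
                ok = actual in wanted
            elif base == "StringLike":
                ok = any(fnmatchcase(actual, w) for w in wanted)
            elif base == "Bool":
                ok = actual.lower() in [w.lower() for w in wanted]
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True


def _matches(stmt: dict, action: str, resource: str, ctx: Dict[str, str]) -> bool:
    # Action names are case-insensitive; resource ARNs are matched as given.
    if not any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt.get("Action", []))):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))):
        return False
    return _condition_holds(stmt.get("Condition", {}), ctx)


def evaluate(policies: List[dict], action: str, resource: str, ctx: Dict[str, str]) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if _matches(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return "Deny"       # an explicit deny always wins
                decision = "Allow"
    return decision


def request_context(principal_tags: dict, resource_tags: dict,
                    mfa_present: Optional[bool] = None) -> Dict[str, str]:
    """Condition keys for one request. aws:MultiFactorAuthPresent is absent
    (not 'false') for requests signed with long-term access keys."""
    ctx = {f"aws:PrincipalTag/{k}": v for k, v in principal_tags.items()}
    ctx.update({f"aws:ResourceTag/{k}": v for k, v in resource_tags.items()})
    if mfa_present is not None:
        ctx["aws:MultiFactorAuthPresent"] = "true" if mfa_present else "false"
    return ctx


# Constructed policy: a role may read only secrets tagged with its own team,
# and nothing at all when MFA was not used (fake account ID 111122223333).
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:payments/db-abc123"
ABAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOwnTeamSecrets", "Effect": "Allow",
         "Action": "secretsmanager:GetSecretValue",
         "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:*",
         "Condition": {"StringEquals": {"aws:ResourceTag/team": "${aws:PrincipalTag/team}"}}},
        {"Sid": "DenyWithoutMFA", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

if __name__ == "__main__":
    for tags, mfa in [({"team": "payments"}, True), ({"team": "hr"}, True),
                      ({"team": "payments"}, False), ({"team": "payments"}, None)]:
        ctx = request_context({"team": "payments"}, tags, mfa)
        print(f"resource team={tags['team']!r} mfa={mfa}: "
              f"{evaluate([ABAC_POLICY], 'secretsmanager:GetSecretValue', SECRET_ARN, ctx)}")
```

The deny statement uses BoolIfExists rather than Bool on purpose: aws:MultiFactorAuthPresent is not present at all in requests signed with long-term access keys, so a plain Bool test would not match them and the deny would silently not apply to exactly the credentials it most needs to cover. The fourth run above (mfa=None) shows that case being denied.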

To learn more about AWS security, including security documentation for our services, see AWS Security Documentation.

Consider

Choosing the right security, identity, and compliance services on AWS depends on your specific requirements and use cases. Here are some criteria to consider when making your decision.

  • Conduct a comprehensive assessment of your organization's specific vulnerabilities and threats. This involves identifying the types of data you handle, such as personal customer information, financial records, or proprietary business data. Understand the potential risks associated with each.

    Assess your application and infrastructure architecture. Determine whether your applications are public-facing and what kind of web traffic they handle. This influences the need for services like AWS WAF to protect against web exploits. For internal applications, consider the importance of internal threat detection and continuous monitoring with Amazon GuardDuty, which can identify unusual access patterns or unauthorized deployments.

    Finally, consider the sophistication of your existing security posture and the expertise of your security team. If your team has limited resources, opting for services that offer more automation and integration can provide effective security enhancements without overwhelming your team. Example services include AWS Shield for DDoS protection and AWS Security Hub for centralized security monitoring.

  • Compliance is about protecting your customer data and maintaining trust. Identify the relevant laws and standards for your industry or geographic region, such as General Data Protection Regulation (GDPR), the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA), or Payment Card Industry Data Security Standard (PCI DSS).

    AWS offers services such as AWS Config and AWS Artifact to help manage compliance with various standards. AWS Config allows you to assess, audit, and evaluate the configurations of your AWS resources, making it easier to ensure compliance with internal policies and regulatory requirements. AWS Artifact provides on-demand access to AWS compliance documentation, aiding in audits and compliance reporting.

    Choosing services that align with specific compliance needs can help your organization meet legal requirements and build a secure and trustworthy environment for your data. Explore AWS Compliance Programs to learn more.

  • When considering the cost and budget implications of AWS security services, start with a clear understanding of the pricing model for each service you are considering. AWS usually charges based on usage, such as the number of API calls, the volume of data processed, or the amount of data stored. For example, Amazon GuardDuty charges based on the volume of log data and events it analyzes for threat detection, while AWS WAF is billed by the number of web ACLs and rules deployed and the number of web requests inspected.

    Estimate your expected usage to forecast costs accurately. Consider both current needs and potential growth or spikes in demand. Scalability is a key feature of AWS services but can also lead to increased costs if not managed carefully. Use the AWS Pricing Calculator to model different scenarios and assess their financial impact.

    Evaluate the total cost of ownership (TCO), which includes both direct costs and indirect costs such as the time and resources needed for management and maintenance. Opting for managed services can reduce operational overhead but might come at a higher price point.

    Lastly, prioritize your security investments based on risk assessment. Not all security services will be equally critical to your infrastructure, so focus your budget on the areas that will have the most significant impact on reducing risk and ensuring compliance. Balancing cost-effectiveness with the level of security needed is key to a successful AWS security strategy.

  • Evaluate how you will manage and authenticate user identities, assign roles, and enforce access controls across your AWS environment. Adopt the principle of least privilege—ensuring that users have only the access necessary to perform their roles.

    Think about your organization’s structure and how access needs might vary by team, project, or location. IAM helps you create granular policies that reflect these needs. Also, consider the integration of multi-factor authentication (MFA) to add an extra layer of security for accessing sensitive resources.

    Another aspect is the management of credentials and access keys. Consider using IAM Identity Center for centralizing access management across multiple AWS accounts and business applications, enhancing both security and user convenience.

    Lastly, evaluate how these identity and access management services integrate with your existing directory services. If you have an existing identity provider, you can federate it with IAM using SAML 2.0 or OpenID Connect (OIDC), or connect it to IAM Identity Center over SAML 2.0. IAM Identity Center also supports System for Cross-domain Identity Management (SCIM) provisioning to keep users and groups synchronized from your identity provider. This gives users a seamless and secure experience when accessing AWS resources.

  • In the context of AWS security-related services, scalability and flexibility are critical considerations to ensure that security measures grow seamlessly with your infrastructure and adapt to evolving threats. 

    AWS security services, such as Amazon GuardDuty for threat detection and AWS WAF for protecting web applications, are designed to automatically scale with your application's traffic and usage patterns. This ensures that as your business scales up, your security measures do too, without requiring manual adjustments or causing bottlenecks.

    Flexibility is equally important, as it allows security controls to be customized to match specific business requirements and threat landscapes. For instance, many security, identity, and compliance services integrate with AWS Organizations, so a delegated administrator account can manage those services across all accounts in the organization. This gives individual application teams the flexibility and visibility to manage security needs that are specific to their workload, while also giving centralized security teams governance and visibility.

    Considering scalability and flexibility helps you ensure that your security posture is robust, responsive, and capable of supporting dynamic business environments.

  • Ensure that new security measures enhance, rather than disrupt, your current operations. Effective integration facilitates streamlined workflows, allowing security data and alerts from AWS services to be aggregated and analyzed alongside existing security information and event management (SIEM) systems. 

    Aim to improve your overall security posture by allowing for a unified view of security threats and vulnerabilities across both AWS and on-premises environments.

    For instance, integrating AWS CloudTrail with existing log management solutions allows for comprehensive monitoring of user activities and API usage across your AWS infrastructure and existing applications. Integration optimizes resource utilization and ensures that security policies are applied consistently across environments. This helps reduce the risk of gaps in security coverage. Ultimately, well-integrated security solutions support more efficient and effective security operations. This is critical for maintaining the integrity and resilience of business operations in the cloud.
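
To make the CloudTrail integration above concrete, here is an added example (not AWS's code, and not how GuardDuty is implemented) that runs a few detection rules over a batch of CloudTrail records: root credential use, a successful console login without MFA, changes to trail logging, and creation of long-term access keys. The six records are constructed for the example with a fake account ID; in practice they would be read from the gzipped JSON files CloudTrail delivers to S3 or from a CloudWatch Logs subscription, and the findings forwarded to your SIEM.

```python
"""Run a few detections over a batch of CloudTrail records.

Added example, not AWS's own code and not how GuardDuty is implemented; the
rules are simple illustrations of the kind of logic applied to CloudTrail.
The records below are constructed for the example (fake account
111122223333); real input is the gzipped JSON CloudTrail delivers to S3
(a top-level "Records" list) or a CloudWatch Logs subscription.
"""
import json
from typing import Callable, Dict, List, Optional

Rule = Callable[[dict], Optional[str]]


def root_credential_use(ev: dict) -> Optional[str]:
    """Any activity by the root user; root should only be used for break-glass."""
    if (ev.get("userIdentity") or {}).get("type") == "Root":
        return "root account credentials used"
    return None


def console_login_without_mfa(ev: dict) -> Optional[str]:
    """A successful console login that did not present an MFA token."""
    if ev.get("eventName") != "ConsoleLogin":
        return None
    if (ev.get("responseElements") or {}).get("ConsoleLogin") != "Success":
        return None                       # failed logins are handled by another rule
    if (ev.get("additionalEventData") or {}).get("MFAUsed") == "No":
        return "console login succeeded without MFA"
    return None


def trail_logging_tampered(ev: dict) -> Optional[str]:
    """Calls that stop, delete or reconfigure a trail (classic anti-forensics)."""
    if ev.get("eventSource") == "cloudtrail.amazonaws.com" and \
       ev.get("eventName") in {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}:
        return f"CloudTrail configuration changed: {ev['eventName']}"
    return None


def long_term_key_created(ev: dict) -> Optional[str]:
    """New long-term access key; these bypass MFA and session limits."""
    if ev.get("eventSource") == "iam.amazonaws.com" and ev.get("eventName") == "CreateAccessKey":
        # requestParameters can be JSON null, hence the "or {}"
        target = (ev.get("requestParameters") or {}).get("userName", "<the caller>")
        return f"access key created for IAM user {target}"
    return None


RULES: List[Rule] = [root_credential_use, console_login_without_mfa,
                     trail_logging_tampered, long_term_key_created]


def principal(ev: dict) -> str:
    ui = ev.get("userIdentity") or {}
    return ui.get("arn") or ui.get("userName") or ui.get("type", "unknown")


def detect(records: List[dict]) -> List[Dict[str, Optional[str]]]:
    """Apply every rule to every record; one finding per (record, rule) hit."""
    findings = []
    for ev in records:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                findings.append({"eventID": ev.get("eventID"), "rule": rule.__name__,
                                 "principal": principal(ev),
                                 "sourceIPAddress": ev.get("sourceIPAddress"), "detail": detail})
    return findings


def load_records(raw: str) -> List[dict]:
    return json.loads(raw)["Records"]


# Constructed sample batch in the CloudTrail log-file shape.
SAMPLE_CLOUDTRAIL = """{"Records": [
 {"eventID": "e1", "eventTime": "2024-05-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice", "userName": "alice"},
  "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
 {"eventID": "e2", "eventTime": "2024-05-01T08:01:00Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice", "userName": "alice"},
  "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "No"}},
 {"eventID": "e3", "eventTime": "2024-05-01T09:10:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.9",
  "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
 {"eventID": "e4", "eventTime": "2024-05-01T09:12:00Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StopLogging", "sourceIPAddress": "203.0.113.9",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Admin/session"},
  "requestParameters": {"name": "org-trail"}},
 {"eventID": "e5", "eventTime": "2024-05-01T09:15:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.9",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob", "userName": "bob"},
  "requestParameters": {"userName": "svc-deploy"}},
 {"eventID": "e6", "eventTime": "2024-05-01T09:20:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "GetObject", "sourceIPAddress": "10.0.1.5",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/AppRole/i-0abc"}}
]}"""

if __name__ == "__main__":
    for f in detect(load_records(SAMPLE_CLOUDTRAIL)):
        print(f"{f['eventID']} {f['rule']}: {f['principal']} from {f['sourceIPAddress']} - {f['detail']}")
```

Two details matter when you write rules like these against real CloudTrail data: requestParameters, responseElements and additionalEventData can be JSON null rather than absent, so guard every nested lookup, and a ConsoleLogin record with MFAUsed "No" is only interesting when ConsoleLogin is "Success" (failed logins are a brute-force signal and deserve a separate, threshold-based rule).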

Choose

Now that you know the criteria for evaluating your security options, you're ready to choose which AWS security services might be a good fit for your organizational requirements.

The following table highlights which services are optimized for which circumstances. Use the table to help determine the service that is the best fit for your organization and use case.

Service category | What is it optimized for? | Security, identity, and compliance services

Identity and access management

    Grant appropriate individuals the right level of access to systems, applications, and data. Optimized to help you securely manage and govern access for your customers, workforce, and workloads.

    • IAM: Helps you centrally manage permissions that control which AWS resources users can access.
    • AWS IAM Identity Center: Create or connect users and centrally manage access across AWS accounts and applications.
    • Amazon Cognito: Provides an identity tool for web and mobile apps to authenticate and authorize users from the built-in user directory, from your enterprise directory, and from consumer identity providers.
    • AWS RAM: Helps you securely share your resources across AWS accounts, within your organization, and with IAM roles and users.

Detection and response

    Continuously identify and prioritize security risks, while integrating security best practices early. Optimized to help you detect and respond to security risks, so you can protect your workloads at scale.

    • AWS Config: Get a detailed view of the configuration of AWS resources in your AWS account.
    • AWS Security Hub: Provides a comprehensive view of your security state in AWS.
    • Amazon GuardDuty: Analyzes CloudTrail management events, CloudTrail S3 data events, VPC flow logs, and DNS logs to detect threats.
    • Amazon Inspector: Scans your AWS workloads for software vulnerabilities and unintended network exposure.
    • Amazon Security Lake: Automatically centralizes security data from AWS environments, SaaS providers, on-premises environments, cloud sources, and third-party sources into a data lake.
    • Amazon Detective: Helps you analyze, investigate, and quickly identify the root cause of security findings or suspicious activities.

Network and application protection

    Protect your internet-facing resources centrally against common DDoS and application attacks. Optimized to help you enforce fine-grained security policies at every network control point.

    • AWS Firewall Manager: Simplifies the administration and maintenance of protections across multiple accounts and resources.
    • AWS Network Firewall: Provides a stateful, managed network firewall and intrusion detection and prevention service for your VPC.
    • AWS Shield: Provides protection against DDoS attacks for AWS resources at the network, transport, and application layers.
    • AWS WAF: Provides a web application firewall that lets you monitor the HTTP(S) requests that are forwarded to your protected web application resources.

Data protection

    Automate and simplify data protection and security tasks, ranging from key management and sensitive data discovery to credential management. Optimized to help you achieve and maintain the confidentiality, integrity, and availability of sensitive data stored and processed within AWS environments.

    • Amazon Macie: Discovers sensitive data by using machine learning and pattern matching, and enables automated protection against associated risks.
    • AWS KMS: Creates and controls the cryptographic keys that you use to protect your data.
    • AWS CloudHSM: Provides highly available, cloud-based hardware security modules (HSMs).
    • AWS Certificate Manager: Handles the complexity of creating, storing, and renewing public and private SSL/TLS X.509 certificates and keys.
    • AWS Private CA: Helps you create private certificate authority hierarchies, including root and subordinate certificate authorities (CAs).
    • AWS Secrets Manager: Manage, retrieve, and rotate database credentials, application credentials, OAuth tokens, API keys, and other secrets.

Compliance

    Automate your compliance and auditing processes. Optimized to help you meet regulatory requirements, industry standards, and internal security policies when using AWS.

    • AWS Artifact: Provides on-demand downloads of AWS security and compliance documents.
    • AWS Audit Manager: Helps you continuously audit your AWS usage to simplify how you assess risk and compliance.

Use

You should now have a clear understanding of what each AWS security service (and the supporting AWS tools and services) does, and which might be right for you.

To explore how to use each of the available AWS security services, the following sections provide links to in-depth documentation, hands-on tutorials, and resources to get you started.

Here are some useful identity and access management resources, organized by service, to help you get started.

  • AWS Identity and Access Management (IAM)

    Getting started with IAM

    Create IAM roles, users, and policies using the AWS Management Console.

    Use the tutorial »

    Delegate access across AWS accounts using roles

    Use a role to delegate access to resources in different AWS accounts.

    Use the tutorial »

    Create a customer managed policy

    Use the AWS Management Console to create a customer managed policy and then attach that policy to an IAM user in your AWS account.

    Use the tutorial »

    Use attribute-based access control

    Create and test a policy that allows IAM roles with principal tags to access resources with matching tags.

    Use the tutorial »

    Security best practices in IAM

    Help secure your AWS resources by using IAM best practices.

    Explore the guide »

  • AWS IAM Identity Center

    Enabling AWS IAM Identity Center

    Enable IAM Identity Center and begin using it with AWS Organizations.

    Explore the guide »

    Configure user access with the default IAM Identity Center directory

    Use the default directory as your identity source and set up and test user access.

    Use the tutorial »

    Using Active Directory as an identity source

    Complete the basic setup for using Active Directory as an IAM Identity Center identity source.

    Use the tutorial »

    Configure SAML and SCIM with Okta and IAM Identity Center

    Set up a SAML connection with Okta and IAM Identity Center.

    Use the tutorial »

  • Amazon Cognito

    Getting started with Amazon Cognito

    Learn about the most common Amazon Cognito tasks.

    Explore the guide »

    Tutorial: Creating a user pool

    Create a user pool, which allows your users to sign in to your web or mobile app.

    Use the tutorial »

    Tutorial: Creating an identity pool

    Create an identity pool, which allows your users to obtain temporary AWS credentials to access AWS services.

    Use the tutorial »

    Amazon Cognito workshop

    Practice using Amazon Cognito to build an authentication solution for a hypothetical pet store.

    Use the tutorial »

  • AWS Resource Access Manager (AWS RAM)

    Getting started with AWS Resource Access Manager

    Learn about AWS RAM terms and concepts.

    Explore the guide »

    Working with shared AWS resources

    Share AWS resources that you own and access AWS resources that are shared with you.

    Explore the guide »

    Managing permissions in AWS RAM

    Learn about AWS managed permissions and customer managed permissions.

    Explore the guide »

    Configure fine-grained access to your resources shared using AWS RAM

    Use customer managed permissions to tailor your resource access and achieve the best practice of least privilege. 

    Read the blog »

The following section offers links to detailed resources covering AWS detection and response services.

  • AWS Config

    Getting started with AWS Config

    Follow this guide to get started with AWS Config.

    Explore the guide »

    Risk and Compliance workshop

    Learn how to automate controls using AWS Config and AWS Managed Config Rules.

    Start the workshop »

    AWS Config Rule Development Kit library: Build and operate rules at scale

    Learn how to use the Rule Development Kit (RDK) to build a custom AWS Config rule and deploy it with the RDKLib.

    Read the blog »

  • AWS Security Hub

    Getting started with AWS Security Hub 

    Get a comprehensive view of your security state in AWS and get help assessing your AWS environment in alignment with security industry standards and best practices.

    Explore the guide »

    Enabling AWS Security Hub

    Enable AWS Security Hub with AWS Organizations or in a standalone account.

    Explore the guide »

    Cross-Region aggregation

    Aggregate AWS Security Hub findings from multiple AWS Regions to a single aggregation Region.

    Explore the guide »

    AWS Security Hub workshop

    Learn how to use AWS Security Hub to manage and improve the security posture of your AWS environments.

    Use the workshop »

    Three recurring Security Hub usage patterns and how to deploy them

    Learn about the three most common Security Hub usage patterns to improve your strategy for identifying and managing findings.

    Read the blog »

  • Amazon GuardDuty

    Getting started with Amazon GuardDuty

    Enable Amazon GuardDuty, generate sample findings, and set up alerts.

    Use the tutorial »

    EKS protection in Amazon GuardDuty

    Use Amazon GuardDuty to monitor your Amazon Elastic Kubernetes Service (Amazon EKS) audit logs.

    Explore the guide »

    Lambda protection in Amazon GuardDuty

    Identify potential security threats when an AWS Lambda function is invoked.

    Explore the guide »

    GuardDuty Amazon RDS protection

    Use Amazon GuardDuty to analyze and profile Amazon Relational Database Service (Amazon RDS) login activity for potential access threats to your Amazon Aurora databases.

    Explore the guide »

    Amazon S3 protection in Amazon GuardDuty

    Use GuardDuty to monitor CloudTrail data events to identify potential security risks within your S3 buckets.

    Explore the guide »

    Threat detection and response with Amazon GuardDuty and Amazon Detective

    Learn the basics of Amazon GuardDuty and Amazon Detective.

    Use the workshop »

  • Amazon Inspector

    Getting started with Amazon Inspector

    Activate Amazon Inspector scans and review the resulting findings in the console.

    Use the tutorial »

    Vulnerability management with Amazon Inspector

    Use Amazon Inspector to scan Amazon EC2 instances and container images that reside in Amazon Elastic Container Registry (Amazon ECR) for software vulnerabilities.

    Use the workshop »

    How to scan EC2 AMIs using Amazon Inspector

    Build a solution using multiple AWS services to scan your AMIs for known vulnerabilities.

    Read the blog »

  • Amazon Security Lake

    Getting started with Amazon Security Lake

    Enable and start using Amazon Security Lake.

    Explore the guide »

    Managing multiple accounts with AWS Organizations

    Collect security logs and events from multiple AWS accounts.

    Explore the guide »

    Ingest, transform, and deliver events published by Amazon Security Lake to Amazon OpenSearch Service

    Ingest, transform, and deliver Amazon Security Lake data to Amazon OpenSearch Service for use by your SecOps teams.

    Read the blog »

    How to visualize Amazon Security Lake findings with Amazon QuickSight

    Query and visualize data from Amazon Security Lake using Amazon Athena and Amazon QuickSight.

    Read the blog »

  • Amazon Detective

    Amazon Detective terms and concepts

    Learn the key terms and concepts that are important for understanding Amazon Detective and how it works.

    Explore the guide »

    Setting up Amazon Detective

    Enable Amazon Detective from the Amazon Detective console, Amazon Detective API, or AWS CLI.

    Explore the guide »

    Threat detection and response with Amazon GuardDuty and Amazon Detective

    Learn the basics of Amazon GuardDuty and Amazon Detective.

    Use the workshop »

The following section offers links to detailed resources covering AWS network and application protection.

  • AWS Firewall Manager

    Getting started with AWS Firewall Manager policies

    Use AWS Firewall Manager to enable different types of security policies.

    Explore the guide »

    How to continuously audit and limit security groups with AWS Firewall Manager

    Use AWS Firewall Manager to limit security groups, ensuring that only required ports are open.

    Explore the guide »

    Use AWS Firewall Manager to deploy protection at scale in AWS Organizations

    Deploy and manage security policies across your AWS Organizations.

    Explore the guide »

  • AWS Network Firewall

    Getting started with AWS Network Firewall

    Use AWS Network Firewall to configure and implement a firewall for a VPC with a basic internet gateway architecture.

    Explore the guide »

    AWS Network Firewall Workshop

    Deploy an AWS Network Firewall using infrastructure as code.

    Use the workshop »

    Hands-on walkthrough of the AWS Network Firewall flexible rules engine – Part 1

    Deploy a demo AWS Network Firewall within your AWS account to interact with its rules engine.

    Read the blog »

    Hands-on walkthrough of the AWS Network Firewall flexible rules engine – Part 2

    Create a firewall policy with a strict rule order and set one or more default actions.

    Read the blog »

    Deployment models for AWS Network Firewall

    Learn deployment models for common use cases where you can add AWS Network Firewall to the traffic path.

    Read the blog »

    Deployment models for AWS Network Firewall with VPC routing enhancements

    Use enhanced VPC routing primitives to insert AWS Network Firewall between workloads in different subnets of the same VPC.

    Read the blog »

  • AWS Shield

    How AWS Shield works

    Learn how AWS Shield Standard and AWS Shield Advanced provide protections against DDoS attacks for AWS resources at the network and transport layers (layer 3 and 4) and the application layer (layer 7).

    Explore the guide »

    Getting started with AWS Shield Advanced

    Get started with AWS Shield Advanced by using the Shield Advanced console.

    Explore the guide »

    AWS Shield Advanced workshop

    Protect internet-exposed resources against DDoS attacks, monitor attacks against your infrastructure, and notify the appropriate teams.

    Use the workshop »

  • AWS WAF

    Getting started with AWS WAF

    Set up AWS WAF, create a web ACL, and protect Amazon CloudFront by adding rules and rule groups to filter web requests.

    Use the tutorial »

    AWS WAF workshop

    Use AWS WAF to protect your web application against a series of hypothetical challenges.

    Use the workshop »

    Analyzing AWS WAF Logs in Amazon CloudWatch Logs

    Natively set up AWS WAF logging to Amazon CloudWatch Logs, then visualize and analyze the data in the logs.

    Read the blog »

    Visualize AWS WAF logs with an Amazon CloudWatch dashboard

    Use Amazon CloudWatch to monitor and analyze AWS WAF activity using CloudWatch metrics, Contributor Insights, and Logs Insights.

    Read the blog »

The following section offers links to detailed resources covering AWS data protection.

  • Amazon Macie

    Getting started with Amazon Macie

    Enable Macie for your AWS account and learn how to assess your Amazon Simple Storage Service (Amazon S3) security posture and configure key Macie settings for discovering and reporting sensitive data in your S3 buckets.

    Explore the guide »

    Monitoring data security and privacy with Amazon Macie

    Use Amazon Macie to monitor Amazon S3 data security and assess your S3 security posture.

    Explore the guide »

    Analyzing Amazon Macie findings

    Review, analyze, and manage Amazon Macie findings.

    Explore the guide »

    How to use Amazon Macie to preview sensitive data in S3 buckets

    Use Amazon Macie to retrieve examples of sensitive data found in your S3 buckets and control access to this capability.

    Read the blog »

    Discovering sensitive data with Amazon Macie

    Automate discovery, logging, and reporting of sensitive data in your Amazon S3 data estate.

    Explore the guide »

  • AWS KMS

    Getting started with AWS KMS

    Manage symmetric encryption KMS keys, from creation to deletion.

    Explore the guide »

    Special-purpose keys

    Learn about the different types of keys that AWS KMS supports in addition to symmetric encryption KMS keys.

    Explore the guide »

    AWS KMS

    Scale your encryption at rest capabilities with AWS KMS

    Learn about the encryption at rest options available within AWS.

    Use the workshop »

  • AWS CloudHSM

    AWS CloudHSM

    Getting started with AWS CloudHSM

    Create, initialize, and activate an AWS CloudHSM cluster.

    Explore the guide »

    AWS CloudHSM

    Managing AWS CloudHSM clusters

    Connect to your AWS CloudHSM cluster and perform the administrative tasks involved in managing it.

    Explore the guide »

    AWS CloudHSM

    Managing HSM users and keys in AWS CloudHSM

    Create users and keys on the HSMs in your cluster.

    Explore the guide »

    AWS CloudHSM

    Automate the deployment of an NGINX web service using Amazon ECS with TLS offload in CloudHSM

    Use AWS CloudHSM to store your private keys for your websites hosted in the cloud.

    Read the blog »

  • AWS Certificate Manager

    AWS Certificate Manager

    Getting started with AWS Certificate Manager

    Learn how to use this service to handle the complexity of creating, storing, and renewing public and private SSL/TLS X.509 certificates and keys that protect your AWS websites and applications.

    Explore the guide »

    AWS Certificate Manager

    Request a public certificate

    Use the AWS Certificate Manager (ACM) console or AWS CLI to request a public ACM certificate.

    Explore the guide »

    AWS Certificate Manager

    Best practices for AWS Certificate Manager

    Learn best practices based on real-world experience from current ACM customers.

    Explore the guide »

  • AWS Private CA

    AWS Private CA

    Getting started with AWS Private CA

    Learn how this service can be used to enable creation of private certificate authority (CA) hierarchies, including root and subordinate CAs, without the investment and maintenance costs of operating an on-premises CA.

    Explore the guide »

    AWS Private CA

    Planning your AWS Private CA deployment

    Prepare AWS Private CA for use before you create a private certificate authority.

    Explore the guide »

    AWS Private CA

    AWS Private CA administration

    Create an entirely AWS-hosted hierarchy of root and subordinate certificate authorities for internal use by your organization.

    Explore the guide »

    AWS Private CA

    AWS Private CA workshop

    Develop hands-on experience with various use cases of private certificate authorities.

    Use the workshop »

    AWS Private CA

    How to simplify certificate provisioning in Active Directory with AWS Private CA

    Use AWS Private CA to more easily provision certificates for users and machines within your Microsoft Active Directory environment.

    Read the blog »

    AWS Private CA

    How to enforce DNS name constraints in AWS Private CA

    Apply DNS name constraints to a subordinate CA by using the AWS Private CA service.

    Read the blog »
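A DNS name constraint is an X.509 NameConstraints extension (OID 2.5.29.30) on the subordinate CA certificate; relying parties reject any leaf whose dNSName SAN falls outside the permitted subtrees or inside an excluded one. The following is an added example, not code from the linked post or from AWS, that builds that extension as DER with only the standard library, base64-encodes it in the shape I understand the AWS Private CA IssueCertificate API expects for a custom extension (`ObjectIdentifier`, `Value`, `Critical` under `ApiPassthrough.Extensions.CustomExtensions`; check the current API reference before relying on those field names), and checks candidate names against the same constraints using the RFC 5280 dNSName matching rule, so you can sanity-check a constraint set before issuing the CA certificate. The helper names and the sample domains are mine.

```python
"""Build an X.509 NameConstraints extension (DER, then base64) for a subordinate CA
issued by AWS Private CA, and check DNS names against the same constraints.
Added example; standard library only."""
import base64

NAME_CONSTRAINTS_OID = "2.5.29.30"


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag, content):
    return bytes([tag]) + _der_length(len(content)) + content


def _general_subtree_dns(name):
    # GeneralSubtree ::= SEQUENCE { base GeneralName, minimum [0] DEFAULT 0, maximum [1] OPTIONAL }
    # dNSName is GeneralName choice [2] IMPLICIT IA5String, so its tag is 0x82.
    # DER omits the DEFAULT minimum and we never set maximum.
    return _der_tlv(0x30, _der_tlv(0x82, name.encode("ascii")))


def encode_name_constraints(permitted, excluded):
    """NameConstraints ::= SEQUENCE {
         permittedSubtrees [0] IMPLICIT SEQUENCE OF GeneralSubtree OPTIONAL,
         excludedSubtrees  [1] IMPLICIT SEQUENCE OF GeneralSubtree OPTIONAL }"""
    if not permitted and not excluded:
        raise ValueError("name constraints need at least one subtree")
    body = b""
    if permitted:
        body += _der_tlv(0xA0, b"".join(_general_subtree_dns(n) for n in permitted))
    if excluded:
        body += _der_tlv(0xA1, b"".join(_general_subtree_dns(n) for n in excluded))
    return _der_tlv(0x30, body)


def private_ca_custom_extension(permitted, excluded):
    """One CustomExtensions entry for ApiPassthrough.Extensions in IssueCertificate.
    Field names are my reading of the AWS Private CA API, not taken from this page.
    Critical is True so a validator that does not understand the extension rejects the chain."""
    der = encode_name_constraints(permitted, excluded)
    return {"ObjectIdentifier": NAME_CONSTRAINTS_OID,
            "Value": base64.b64encode(der).decode("ascii"),
            "Critical": True}


def _dns_matches(name, constraint):
    """RFC 5280 dNSName matching: a constraint 'example.com' matches example.com and
    every subdomain. A leading-dot constraint '.example.com' (accepted by several
    implementations) matches subdomains only."""
    name, constraint = name.lower().rstrip("."), constraint.lower().rstrip(".")
    if constraint.startswith("."):
        return name.endswith(constraint) and len(name) > len(constraint)
    return name == constraint or name.endswith("." + constraint)


def dns_name_allowed(name, permitted, excluded):
    """Path-validation rule: an excluded match always rejects; if any permitted
    dNSName subtrees exist the name must match at least one of them."""
    if any(_dns_matches(name, c) for c in excluded):
        return False
    if permitted and not any(_dns_matches(name, c) for c in permitted):
        return False
    return True


if __name__ == "__main__":
    permitted, excluded = ["example.com"], ["legacy.example.com"]
    print(private_ca_custom_extension(permitted, excluded))
    for candidate in ["api.example.com", "db.legacy.example.com", "example.com.evil.net"]:
        print(candidate, "->", dns_name_allowed(candidate, permitted, excluded))
```

Pass the returned dictionary in the `CustomExtensions` list when you issue the subordinate CA certificate from its CSR; afterwards, run `openssl x509 -text` on the issued certificate and confirm the `X509v3 Name Constraints` block lists exactly the subtrees you encoded and is marked critical. Note that the local check covers plain dNSName SANs only; wildcard names and the other GeneralName types (IP, email, directory name) need their own matching rules.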

  • AWS Secrets Manager

    AWS Secrets Manager

    Getting started with AWS Secrets Manager

    Learn how this service helps you manage, retrieve, and rotate database credentials, application credentials, OAuth tokens, API keys, and other secrets throughout their lifecycles.

    Explore the guide »

    AWS Secrets Manager

    AWS Secrets Manager concepts

    Learn the core Secrets Manager concepts: secrets and their versions, the staging labels (such as AWSCURRENT and AWSPREVIOUS) that track versions during rotation, and how rotation works.

    Explore the guide »

    AWS Secrets Manager

    Using AWS Secrets Manager secrets with Kubernetes

    Expose secrets from Secrets Manager as files mounted in Amazon EKS pods using the AWS Secrets and Configuration Provider (ASCP).

    Explore the guide »

The following section offers links to detailed resources covering compliance.

  • AWS Artifact

    AWS Artifact

    Getting started with AWS Artifact

    Download security and compliance reports, manage legal agreements, and manage notifications.

    Explore the guide »

    AWS Artifact

    Managing agreements in AWS Artifact

    Use the AWS Management Console to review, accept, and manage agreements for your account or organization.

    Explore the guide »

    AWS Artifact

    Prepare for an Audit in AWS Part 1 – AWS Audit Manager, AWS Config, and AWS Artifact

    Use AWS services to help you automate the collection of evidence used in audits.

    Read the blog »

  • AWS Audit Manager

    AWS Audit Manager

    Enabling AWS Audit Manager

    Enable Audit Manager using the AWS Management Console, the Audit Manager API, or the AWS CLI.

    Explore the guide »

    AWS Audit Manager

    Tutorial for Audit Owners: Creating an assessment

    Create an assessment using the AWS Audit Manager Sample Framework.

    Explore the guide »

    AWS Audit Manager

    Tutorial for Delegates: Reviewing a control set

    Review a control set that was shared with you by an audit owner in AWS Audit Manager.

    Explore the guide »

Explore

Architecture Diagrams

Explore reference architecture diagrams to help you use AWS security, identity, and compliance services.

Explore architecture diagrams »


Whitepapers

Explore whitepapers to help you get started, learn best practices, and understand your security, identity, and compliance options on AWS.

Explore whitepapers »


AWS Solutions

Explore vetted solutions and architectural guidance for common AWS security, identity, and compliance use cases.

Explore solutions »
