AWS Cloud

I'd like information about Security in the Cloud »

Cloud security at AWS is the highest priority. As an AWS customer, you will benefit from a data center and network architecture built to meet the requirements of the most risk-sensitive organizations.

The AWS cloud provides you with a platform to scale and innovate, while still maintaining a secure environment. You only pay for the services that you use, meaning that you can have the security you need, but without the upfront expenses, and at a lower cost than in an on-premises environment.

My working assumption a year ago was that the cloud wasn’t as secure as a brick data center. Now, I’m convinced it’s more secure and there’s less risk. We definitely get that from AWS.
Adrian Heeson Operations Director
| Service | Product Type | Description |
|---|---|---|
| AWS Artifact | Compliance Reports | The AWS Artifact portal provides on-demand access to AWS' security and compliance documents, also known as audit artifacts. |
| AWS Certificate Manager | SSL/TLS Certificates | AWS Certificate Manager is a service that lets you easily provision, manage, and deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates. |
| AWS CloudHSM | Key Storage & Management | The AWS CloudHSM service helps you meet corporate, contractual and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) appliances within the AWS cloud. |
| Amazon Cognito | User Sign Up & Sign In | Amazon Cognito lets you add user sign-up/sign-in and access control to your web and mobile apps quickly and easily. |
| AWS Directory Service | Directory | AWS Directory Service for Microsoft Active Directory (Enterprise Edition), also known as AWS Microsoft AD, enables your directory-aware workloads and AWS resources to use managed Active Directory in the AWS Cloud. |
| AWS Firewall Manager | WAF Management | AWS Firewall Manager is a security management service that makes it easier to centrally configure and manage AWS WAF rules across your accounts and applications. |
| Amazon GuardDuty | Threat Detection | Amazon GuardDuty is a managed threat detection service that provides you with a more accurate and easy way to continuously monitor and protect your AWS accounts and workloads. |
| AWS Identity and Access Management (IAM) | Access Control | Use AWS Identity and Access Management (IAM) to control users' access to AWS services. Create and manage users and groups, and grant or deny access. |
| Amazon Inspector | Security Assessment | Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. |
| AWS Key Management Service | Key Storage & Management | AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. |
| Amazon Macie | Sensitive Data Classification | Amazon Macie is a machine learning-powered security service to discover, classify, and protect sensitive data. |
| AWS Secrets Manager | Secrets management | AWS Secrets Manager enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. |
| AWS Security Hub | Security console | AWS Security Hub gives you a comprehensive view of your high-priority security alerts and compliance status across AWS accounts. |
| AWS Shield | DDoS Protection | AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards web applications running on AWS. |
| AWS Single Sign-On | Single Sign-On (SSO) | AWS Single Sign-On (SSO) is a cloud SSO service that makes it easy to centrally manage SSO access to multiple AWS accounts and business applications. |
| AWS WAF | Web Application Firewall | AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. |

The AWS Artifact portal provides on-demand access to AWS’ security and compliance documents, also known as audit artifacts. Examples of audit artifacts include Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls.

You can demonstrate the security and compliance of your AWS infrastructure and services by downloading audit artifacts from AWS Artifact, and submitting them to your auditors or regulators.

For more information, visit the AWS Artifact product page »


AWS Certificate Manager is a service that lets you easily provision, manage, and deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services. SSL/TLS certificates are used to secure network communications and establish the identity of websites over the Internet. AWS Certificate Manager removes the time-consuming manual process of purchasing, uploading, and renewing SSL/TLS certificates. With AWS Certificate Manager, you can quickly request a certificate, deploy it on AWS resources such as Elastic Load Balancers or Amazon CloudFront distributions, and let AWS Certificate Manager handle certificate renewals. SSL/TLS certificates provisioned through AWS Certificate Manager are free. You pay only for the AWS resources you create to run your application.

For more information, visit the AWS Certificate Manager product page »


The AWS CloudHSM service helps you meet corporate, contractual and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) appliances within the AWS cloud. With CloudHSM, you control the encryption keys and cryptographic operations performed by the HSM.

For more information, visit the AWS CloudHSM product page »


Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily. Cognito scales to millions of users, and supports sign-in with social identity providers such as Facebook, Google, and Amazon. Users can also sign in with their enterprise identity providers via SAML 2.0.

For more information, visit the Amazon Cognito product page »


AWS Directory Service for Microsoft Active Directory (Enterprise Edition), also known as AWS Microsoft AD, enables your directory-aware workloads and AWS resources to use managed Active Directory in the AWS Cloud. The Microsoft AD service is built on actual Microsoft Active Directory and does not require you to synchronize or replicate data from your existing Active Directory to the cloud. You can use standard Active Directory administration tools and take advantage of built-in Active Directory features such as Group Policy, trusts, and single sign-on. With Microsoft AD, you can easily join Amazon EC2 and Amazon RDS for SQL Server instances to a domain, and use AWS Enterprise IT applications such as Amazon WorkSpaces with Active Directory users and groups.

For more information, visit the AWS Directory Service product page »


AWS Firewall Manager is a security management service that makes it easier to centrally configure and manage AWS WAF rules across your accounts and applications. Using Firewall Manager, you can easily roll out AWS WAF rules for your Application Load Balancers and Amazon CloudFront distributions across accounts in AWS Organizations. As new applications are created, Firewall Manager also makes it easy to bring new applications and resources into compliance with a common set of security rules from day one. Now you have a single service to build firewall rules, create security policies, and enforce them in a consistent, hierarchical manner across your entire Application Load Balancers and Amazon CloudFront infrastructure.

For more information, visit the AWS Firewall Manager product page »


Amazon GuardDuty is a managed threat detection service that provides you with a more accurate and easy way to continuously monitor and protect your AWS accounts and workloads. With just a few clicks, GuardDuty immediately begins analyzing billions of events from multiple AWS log sources. It uses threat intelligence feeds, such as lists of malicious IPs and domains, and machine learning to detect threats more accurately. For example, GuardDuty can detect compromised EC2 instances serving malware or mining bitcoin. It can detect attackers probing your web servers for known application vulnerabilities, or accessing your AWS resources from unusual locations. It also checks your AWS accounts for signs of compromise, such as unauthorized infrastructure deployments or unusual API calls. When a threat is detected, GuardDuty sends you a detailed security alert so you can take steps to address the threat. With GuardDuty, you get intelligent threat detection and actionable alerts in an easy-to-use, pay-as-you-go cloud security service.

For more information, visit the Amazon GuardDuty product page »


AWS Identity and Access Management (IAM) is an access management service for your AWS cloud resources. AWS IAM enables you to securely control access to AWS services and resources for your users. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.

For more information, visit the AWS IAM product page »


Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity.

To help you get started quickly, Amazon Inspector includes a knowledge base of hundreds of rules mapped to common security best practices and vulnerability definitions. Examples of built-in rules include checking for remote root login being enabled, or vulnerable software versions installed. These rules are regularly updated by AWS security researchers.

For more information, visit the Amazon Inspector product page »


AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data, and uses Hardware Security Modules (HSMs) to protect the security of your keys. AWS Key Management Service is integrated with several other AWS services to help you protect the data you store with these services. AWS Key Management Service is also integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.

For more information, visit the AWS Key Management Service (KMS) product page »


Amazon Macie is a security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS. Amazon Macie recognizes sensitive data such as personally identifiable information (PII) or intellectual property, and provides you with dashboards and alerts that give visibility into how this data is being accessed or moved. The fully managed service continuously monitors data access activity for anomalies, and generates detailed alerts when it detects risk of unauthorized access or inadvertent data leaks. Today, Amazon Macie is available to protect data stored in Amazon S3, with support for additional AWS data stores coming later this year.

For more information, visit the Amazon Macie product page »


AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Users and applications retrieve secrets with a call to Secrets Manager APIs, eliminating the need to hardcode sensitive information in plain text. Secrets Manager offers secret rotation with built-in integration for Amazon RDS for MySQL, PostgreSQL, and Amazon Aurora. Also, the service is extensible to other types of secrets, including API keys and OAuth tokens. In addition, Secrets Manager enables you to control access to secrets using fine-grained permissions and audit secret rotation centrally for resources in the AWS Cloud, third-party services, and on-premises.

For more information, visit the AWS Secrets Manager product page »


AWS Security Hub gives you a comprehensive view of your high-priority security alerts and compliance status across AWS accounts. There is a range of powerful security tools at your disposal, from firewalls and endpoint protection to vulnerability and compliance scanners. But oftentimes this leaves your team switching back and forth between these tools to deal with hundreds, and sometimes thousands, of security alerts every day. With Security Hub, you now have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie, as well as from AWS Partner solutions. Your findings are visually summarized on integrated dashboards with actionable graphs and tables. You can also continuously monitor your environment using automated compliance checks based on the AWS best practices and industry standards your organization follows. Get started with AWS Security Hub with just a few clicks in the Management Console; once enabled, Security Hub will begin aggregating and prioritizing findings.

For more information, visit the AWS Security Hub product page »


AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards web applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. There are two tiers of AWS Shield - Standard and Advanced.

All AWS customers benefit from the automatic protections of AWS Shield Standard, at no additional charge. AWS Shield Standard defends against most common, frequently occurring network and transport layer DDoS attacks that target your web site or applications.

For more information, visit the AWS Shield product page »


AWS Single Sign-On (SSO) is a cloud SSO service that makes it easy to centrally manage SSO access to multiple AWS accounts and business applications. It enables users to sign in to a user portal with their existing corporate credentials and access all of their assigned accounts and applications from one place. With AWS SSO, you can easily manage SSO access and user permissions to all of your accounts in AWS Organizations centrally. Further, by using the AWS SSO application configuration wizard, you can create Security Assertion Markup Language (SAML) 2.0 integrations and extend SSO access to any of your SAML-enabled applications. AWS SSO also includes built-in SAML integrations to many business applications, such as Salesforce, Box, and Office 365. With just a few clicks, you can enable a highly available SSO service without the upfront investment and on-going maintenance costs of operating your own SSO infrastructure.

For more information, visit the AWS Single Sign-On product page »


AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules. You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that are designed for your specific application. New rules can be deployed within minutes, letting you respond quickly to changing traffic patterns. Also, AWS WAF includes a full-featured API that you can use to automate the creation, deployment, and maintenance of web security rules.

For more information, visit the AWS WAF product page »


Organizations of all sizes are moving their workloads to AWS because of its agile, scalable and secure cloud infrastructure. These workloads often have unique security needs and that's what our security partners provide to AWS customers. Security on AWS is a shared responsibility, and one that applies differently for different customers. It requires that partners and AWS work with the customer to achieve desired outcomes.

The following featured security partners can help you deploy built-for-AWS, automated, and scalable security solutions designed to grow as your infrastructure grows. 

View featured APN Partners
