AWS Security Services
AWS provides a comprehensive suite of security services covering encryption, identity, threat detection, compliance, and network protection.
In Azure terms: See the comparison column for each service.
Encryption & Key Management
AWS KMS — Key Management Service
KMS is the central encryption key management service.
- Create and manage symmetric, asymmetric, and HMAC keys
- Integrated with 100+ AWS services (S3, EBS, RDS, Lambda, Secrets Manager)
- Automatic key rotation: yearly for AWS managed keys; opt-in for customer managed keys (yearly by default, period configurable)
- Access is decided by the key policy first: an IAM policy alone cannot grant use of a key unless the key policy delegates to IAM (the default "Enable IAM User Permissions" statement does this for the owning account)
- Audit key usage via CloudTrail (every Encrypt, Decrypt, and GenerateDataKey call is logged)
| Key Type | Control | Use Case |
|---|---|---|
| AWS Managed Keys (aws/ebs, aws/rds, ...) | AWS manages rotation and the key policy | Default encryption for EBS, RDS, etc. |
| Customer Managed Keys (formerly "CMK") | You control the key policy, rotation, grants, and deletion | Custom encryption requirements, cross-account access, key-policy scoped access |
| AWS Owned Keys | Not in your account; no visibility and no CloudTrail record of use | Free default encryption in some services (e.g. DynamoDB) |
In Azure terms: KMS ≈ Azure Key Vault (Keys)
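Because the key policy is the primary control on a KMS key, the check a practitioner wants before trusting a key is a quick lint of that policy for wildcard principals and cross-account administrative grants. The following is an added example, not code from the original page; the key policy is a constructed sample and the account IDs are placeholders. A wildcard principal is only flagged when the statement carries no Condition, since `"Principal": {"AWS": "*"}` scoped by `kms:ViaService` or `aws:PrincipalOrgID` is a normal pattern.

```python
"""Lint a KMS key policy for over-broad access (added example, constructed policy)."""

OWN_ACCOUNT = "111122223333"  # assumption: the account that owns the key

# Constructed key policy: the default "root" statement plus two risky statements.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Default statement: delegates access decisions to IAM policies in the owning account.
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {   # Any AWS principal anywhere may decrypt; no Condition narrows it.
            "Sid": "OpenDecrypt",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["kms:Decrypt"],
            "Resource": "*",
        },
        {   # Cross-account principal given administrative rights over the key itself.
            "Sid": "PartnerAdmin",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::999988887777:role/partner"},
            "Action": ["kms:Decrypt", "kms:ScheduleKeyDeletion", "kms:PutKeyPolicy"],
            "Resource": "*",
        },
    ],
}

# Actions that let a principal change or destroy the key, not merely use it.
ADMIN_ACTIONS = {"kms:*", "kms:PutKeyPolicy", "kms:ScheduleKeyDeletion",
                 "kms:DisableKey", "kms:CreateGrant"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten the Principal element to a list of strings ('*' for the wildcard form)."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    out = []
    for value in principal.values():  # keys are AWS, Service, Federated
        out.extend(_as_list(value))
    return out


def _account_of(principal):
    """Account ID from an ARN, or None for service principals and other non-ARN values."""
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 else None


def lint_key_policy(policy, own_account=OWN_ACCOUNT):
    """Return (Sid, reason) tuples for Allow statements that grant too much."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no sid>")
        actions = set(_as_list(stmt.get("Action", [])))
        has_condition = bool(stmt.get("Condition"))
        for principal in _principals(stmt):
            if principal == "*":
                if not has_condition:
                    findings.append((sid, "wildcard principal without Condition"))
                continue
            account = _account_of(principal)
            if account is None or account == own_account:
                continue  # service principal, or a principal in our own account
            if actions & ADMIN_ACTIONS:
                findings.append((sid, f"cross-account {account} granted administrative actions"))
            else:
                findings.append((sid, f"cross-account {account} granted {sorted(actions)}"))
    return findings


if __name__ == "__main__":
    for sid, reason in lint_key_policy(SAMPLE_KEY_POLICY):
        print(f"{sid}: {reason}")
```

Run it against the JSON returned by `aws kms get-key-policy --key-id <id> --policy-name default` to review real keys; cross-account use grants (Decrypt only) are reported separately from administrative grants so a legitimate sharing arrangement is easy to distinguish from a key someone else can delete.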
AWS Secrets Manager
Securely store and automatically rotate secrets (database credentials, API keys, OAuth tokens):
- Native rotation for RDS (MySQL, PostgreSQL, SQL Server, Oracle), Redshift, DocumentDB
- SDK integration: retrieve secrets at runtime, not from env vars or code
- Versioning — access current or previous secret versions
```python
import boto3

client = boto3.client('secretsmanager', region_name='us-east-1')
# Fetch the current version (staging label AWSCURRENT) at runtime. The caller needs
# secretsmanager:GetSecretValue on this secret and kms:Decrypt on the key that protects it.
secret = client.get_secret_value(SecretId='prod/myapp/db-password')
password = secret['SecretString']  # binary secrets come back in 'SecretBinary' instead
```
In Azure terms: Secrets Manager ≈ Azure Key Vault (Secrets)
AWS Systems Manager Parameter Store
Lighter alternative to Secrets Manager for configuration values:
- Store String, StringList, or SecureString (KMS-encrypted) parameters; SecureString protects the value at rest but has no built-in rotation, so credentials that must rotate belong in Secrets Manager
- Standard tier is free; advanced tier supports larger values and policies
- Commonly used for feature flags, environment config, connection strings
Network Security
AWS WAF — Web Application Firewall
Protect web applications from common exploits (OWASP Top 10):
- Integrates with CloudFront, ALB, API Gateway, AppSync
- Create rules to block: SQL injection, XSS, bad bots, specific IPs, geographies
- AWS Managed Rule Groups — pre-built rules from AWS and partners
- Rate-based rules — automatically block IPs exceeding request thresholds
In Azure terms: AWS WAF ≈ Azure WAF (on Application Gateway or Front Door)
AWS Shield
DDoS (Distributed Denial of Service) protection:
| Tier | Cost | Protection |
|---|---|---|
| Shield Standard | Free (automatic) | Layer 3/4 DDoS protection for all AWS customers |
| Shield Advanced | $3,000/month (1-year commitment) plus data transfer fees | Enhanced Layer 3/4 and Layer 7 detection, 24/7 Shield Response Team (SRT, formerly DRT), DDoS cost protection |
In Azure terms: Shield ≈ Azure DDoS Protection (infrastructure-level protection = free; Network Protection and IP Protection = paid)
Threat Detection & Monitoring
Amazon GuardDuty
Intelligent threat detection using ML and threat intelligence:
- Analyzes CloudTrail management events, CloudTrail S3 data events, VPC Flow Logs, and Route 53 DNS query logs (read directly by GuardDuty; you do not have to enable these logs yourself), plus optional protection plans for EKS audit logs, runtime monitoring, malware scanning, RDS login activity, and Lambda network activity
- Detects: cryptocurrency mining, credential compromise, unusual API calls, port scanning
- Findings delivered as JSON events to Security Hub or EventBridge → Lambda → SNS
In Azure terms: GuardDuty ≈ Microsoft Defender for Cloud (threat detection tier)
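The EventBridge → Lambda → SNS path above is where triage logic lives: the rule pattern filters on severity, and the Lambda decides what pages a human. The following is an added example, not code from the original page. The event is a constructed, abbreviated GuardDuty finding in its EventBridge envelope; the `PAGE_TYPES` list and the `SNS_TOPIC_ARN` environment variable are assumptions to tune for your own environment.

```python
"""Triage GuardDuty findings delivered through EventBridge (added example, constructed event)."""
import os

# EventBridge rule pattern matching only High/Critical findings (severity >= 7).
# Low/Medium findings can be routed to a ticket queue by a second rule.
HIGH_SEVERITY_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

# Finding-type substrings that page regardless of severity (assumption: tune per org).
PAGE_TYPES = ("Exfiltration", "CredentialAccess", "Backdoor", "CryptoCurrency")

# Constructed, abbreviated GuardDuty finding as delivered by EventBridge.
SAMPLE_EVENT = {
    "version": "0",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {
        "schemaVersion": "2.0",
        "accountId": "123456789012",
        "region": "us-east-1",
        "id": "aa1b2c3d4e5f60718293a4b5c6d7e8f9",
        "type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
        "severity": 8,
        "resource": {
            "resourceType": "AccessKey",
            "accessKeyDetails": {"userName": "i-0abcd1234ef567890", "userType": "AssumedRole"},
        },
        "service": {"count": 3, "eventFirstSeen": "2024-05-01T10:00:00Z",
                    "eventLastSeen": "2024-05-01T10:20:00Z"},
        "title": "Credentials for an EC2 instance role were used from an external IP address.",
    },
}


def severity_label(score):
    """GuardDuty bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0."""
    if score >= 9:
        return "CRITICAL"
    if score >= 7:
        return "HIGH"
    if score >= 4:
        return "MEDIUM"
    return "LOW"


def triage(event):
    """Reduce a finding to the fields an on-call engineer needs, plus a page/no-page decision."""
    finding = event["detail"]
    label = severity_label(finding["severity"])
    ftype = finding["type"]
    resource = finding.get("resource", {})
    rtype = resource.get("resourceType")
    if rtype == "AccessKey":
        resource_id = resource.get("accessKeyDetails", {}).get("userName")
    elif rtype == "Instance":
        resource_id = resource.get("instanceDetails", {}).get("instanceId")
    else:
        resource_id = rtype
    return {
        "finding_id": finding["id"],
        "account": finding["accountId"],
        "region": finding["region"],
        "severity": label,
        "type": ftype,
        "category": ftype.split(":")[0],  # threat purpose, e.g. UnauthorizedAccess
        "resource": f"{rtype}/{resource_id}",
        # GuardDuty re-emits recurring findings with an incremented count rather than a new ID.
        "recurring": finding.get("service", {}).get("count", 1) > 1,
        "page": label in ("HIGH", "CRITICAL") or any(t in ftype for t in PAGE_TYPES),
    }


def format_message(summary):
    return (f"[{summary['severity']}] {summary['type']} in {summary['account']}/{summary['region']}\n"
            f"resource: {summary['resource']}  recurring: {summary['recurring']}\n"
            f"finding: {summary['finding_id']}")


def lambda_handler(event, context):
    """Lambda target of the EventBridge rule; publishes pageable findings to SNS_TOPIC_ARN (assumed env var)."""
    summary = triage(event)
    if summary["page"]:
        import boto3  # imported here so triage() stays testable offline
        boto3.client("sns").publish(
            TopicArn=os.environ["SNS_TOPIC_ARN"],
            Subject=f"GuardDuty {summary['severity']}: {summary['category']}"[:100],  # SNS subject limit
            Message=format_message(summary),
        )
    return summary
```

Keying the page decision on the finding type as well as the severity matters because GuardDuty scores some credential-theft findings as Medium; the resource field is shaped by `resourceType`, so handle each type you care about explicitly rather than assuming one layout.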
AWS Security Hub
Central security posture management dashboard:
- Aggregates findings from GuardDuty, Inspector, Macie, IAM Access Analyzer, and third-party tools in a common format (ASFF)
- Automated compliance checks against CIS AWS Foundations Benchmark, PCI DSS, NIST SP 800-53, and the AWS Foundational Security Best Practices standard
- Integrates with SIEM tools (Splunk, Datadog, etc.) via EventBridge
In Azure terms: Security Hub ≈ Microsoft Defender for Cloud (posture management)
Amazon Inspector
Automated vulnerability scanning for EC2, Lambda, and container images (ECR):
- Continuously scans for OS package CVEs and application dependency vulnerabilities
- Produces risk scores and prioritized findings (reachability and exploitability adjust the score)
- EC2 scanning uses the SSM Agent already present on most AMIs, with agentless scanning of EBS snapshots as an alternative; Lambda and ECR scanning need nothing installed
In Azure terms: Inspector ≈ Microsoft Defender for Servers / Containers
Amazon Macie
Uses ML to automatically discover and protect sensitive data in S3:
- Detects PII (names, emails, credit card numbers, SSNs) and credentials (private keys, access keys)
- Classifies sensitive data across the buckets you select in a classification job, or continuously by sampling with automated sensitive data discovery
- Generates findings for compliance (GDPR, HIPAA, CCPA)
In Azure terms: Macie ≈ Microsoft Purview (Data Classification)
Compliance & Governance
AWS Config
Tracks and records resource configuration changes over time:
- “What did this S3 bucket’s policy look like 30 days ago?”
- Evaluate resources against compliance rules (Config Rules)
- Managed rules: ensure EBS is encrypted, S3 is not public, MFA on root, etc.
In Azure terms: Config ≈ Azure Policy + Azure Resource Graph
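When a managed rule does not cover what you need, a custom Config rule is a Lambda that receives the changed configuration item and reports COMPLIANT or NON_COMPLIANT back with `PutEvaluations`. The following is an added example, not code from the original page: it enforces that every S3 bucket has all four Public Access Block settings enabled. The Lambda event is a constructed configuration-change notification; the layout of `supplementaryConfiguration.PublicAccessBlockConfiguration` is assumed from the `AWS::S3::Bucket` configuration item, and oversized notifications (which require fetching the item with `GetResourceConfigHistory`) are deliberately not handled.

```python
"""Custom AWS Config rule: S3 buckets must block all public access (added example, constructed event)."""
import json

REQUIRED = ("blockPublicAcls", "ignorePublicAcls", "blockPublicPolicy", "restrictPublicBuckets")

# Constructed Lambda event. Config passes invokingEvent as a JSON *string*, not a dict.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::S3::Bucket",
            "resourceId": "my-app-uploads",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-05-01T10:00:00.000Z",
            "supplementaryConfiguration": {
                "PublicAccessBlockConfiguration": {  # assumed key layout, see lead-in
                    "blockPublicAcls": True,
                    "ignorePublicAcls": True,
                    "blockPublicPolicy": False,
                    "restrictPublicBuckets": False,
                }
            },
        },
    }),
    "ruleParameters": "{}",
    "resultToken": "constructed-token",
}


def evaluate(item):
    """Return (ComplianceType, Annotation) for one configuration item."""
    if item.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE", "rule applies to S3 buckets only"
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "bucket deleted"
    pab = item.get("supplementaryConfiguration", {}).get("PublicAccessBlockConfiguration") or {}
    missing = [key for key in REQUIRED if not pab.get(key)]  # absent block counts as all missing
    if missing:
        return "NON_COMPLIANT", "Public Access Block not fully enabled: " + ", ".join(missing)
    return "COMPLIANT", "all four Public Access Block settings enabled"


def build_evaluation(event):
    """Turn the Lambda event into the Evaluation structure PutEvaluations expects."""
    invoking = json.loads(event["invokingEvent"])
    if invoking["messageType"] != "ConfigurationItemChangeNotification":
        raise ValueError(f"unsupported messageType {invoking['messageType']}")
    item = invoking["configurationItem"]
    compliance, note = evaluate(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    evaluation = build_evaluation(event)
    import boto3  # imported here so build_evaluation() stays testable offline
    boto3.client("config").put_evaluations(Evaluations=[evaluation],
                                           ResultToken=event["resultToken"])
    return evaluation
```

Return NOT_APPLICABLE for deleted resources and for resource types the rule does not target; otherwise the evaluation is recorded against a resource that no longer exists or the rule's compliance view fills with noise. The Lambda's execution role needs `config:PutEvaluations`, and the rule itself must grant Config permission to invoke the function.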
AWS CloudTrail
Records every API call made in your AWS account:
- Who made the call (IAM identity, session, access key), when, from which IP and user agent, and whether it succeeded
- Delivered to S3 as gzipped JSON (enable log file validation so tampering is detectable), optionally streamed to CloudWatch Logs; the last 90 days of management events are visible in Event history even without a trail
- Essential for security investigations, audits, and compliance
In Azure terms: CloudTrail ≈ Azure Activity Log + Microsoft Entra Audit Logs
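What "essential for security investigations" looks like in practice is a handful of detections run over the records. The following is an added example, not code from the original page. The records are a constructed, abbreviated CloudTrail log in the same `{"Records": [...]}` layout as the gzipped files CloudTrail writes to S3; the access-denied threshold and the list of trail-tampering API names are assumptions to tune for your account.

```python
"""A few CloudTrail detections over sample records (added example, constructed log)."""
from collections import Counter

ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice", "userName": "alice"}
BOB = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob", "userName": "bob"}
ROOT = {"type": "Root", "arn": "arn:aws:iam::123456789012:root",
        "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}


def _rec(event_id, source, name, identity, **extra):
    """Build one abbreviated CloudTrail record (constructed sample data)."""
    base = {"eventVersion": "1.08", "eventID": event_id, "eventTime": "2024-05-01T09:00:00Z",
            "eventSource": source, "eventName": name, "awsRegion": "us-east-1",
            "sourceIPAddress": "203.0.113.5", "userIdentity": identity}
    base.update(extra)
    return base


RECORDS = {"Records": [
    _rec("1", "signin.amazonaws.com", "ConsoleLogin", ALICE,
         responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "No"}),
    _rec("2", "ec2.amazonaws.com", "DescribeInstances", ROOT),
    _rec("3", "cloudtrail.amazonaws.com", "StopLogging", ALICE, requestParameters={"name": "org-trail"}),
    _rec("4", "iam.amazonaws.com", "CreateAccessKey", ALICE, requestParameters={"userName": "bob"}),
    _rec("5", "s3.amazonaws.com", "ListBuckets", BOB, errorCode="AccessDenied"),
    _rec("6", "iam.amazonaws.com", "ListUsers", BOB, errorCode="AccessDenied"),
    _rec("7", "secretsmanager.amazonaws.com", "ListSecrets", BOB, errorCode="AccessDenied"),
    _rec("8", "s3.amazonaws.com", "ListBuckets", ALICE),  # benign, should not alert
]}

TRAIL_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
DENIED_CODES = {"AccessDenied", "AccessDeniedException", "Client.UnauthorizedOperation"}
DENIED_THRESHOLD = 3  # assumption: denied calls per principal before alerting


def principal(record):
    identity = record.get("userIdentity", {})
    return identity.get("arn") or identity.get("principalId", "unknown")


def _alert(rule, record, **extra):
    alert = {"rule": rule, "eventID": record["eventID"], "principal": principal(record),
             "eventName": record["eventName"], "sourceIPAddress": record.get("sourceIPAddress")}
    alert.update(extra)
    return alert


def detect(log):
    """Run all detections over a CloudTrail log file and return the alerts."""
    alerts = []
    denied = Counter()  # stateful rule: denied calls per principal
    for r in log["Records"]:
        identity = r.get("userIdentity", {})
        # Successful console login without MFA.
        if (r["eventName"] == "ConsoleLogin"
                and r.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and r.get("additionalEventData", {}).get("MFAUsed") == "No"):
            alerts.append(_alert("console_login_without_mfa", r))
        # Any root usage is worth a look; record whether the session was MFA-authenticated.
        if identity.get("type") == "Root":
            mfa = identity.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated")
            alerts.append(_alert("root_activity", r, mfa_authenticated=mfa))
        # Attempts to blind the audit log.
        if r["eventSource"] == "cloudtrail.amazonaws.com" and r["eventName"] in TRAIL_TAMPER:
            alerts.append(_alert("trail_tampering", r, trail=(r.get("requestParameters") or {}).get("name")))
        # Access key minted for a different user than the caller (persistence / privilege grab).
        if r["eventName"] == "CreateAccessKey":
            target = (r.get("requestParameters") or {}).get("userName")
            if target and target != identity.get("userName"):
                alerts.append(_alert("access_key_for_other_user", r, target_user=target))
        # Burst of denied calls from one principal: enumeration with stolen or over-scoped creds.
        if r.get("errorCode") in DENIED_CODES:
            denied[principal(r)] += 1
            if denied[principal(r)] == DENIED_THRESHOLD:
                alerts.append(_alert("access_denied_burst", r, count=DENIED_THRESHOLD))
    return alerts


if __name__ == "__main__":
    for a in detect(RECORDS):
        print(f"{a['rule']:28} event={a['eventID']} {a['principal']}")
```

The `errorCode` check is the one people forget: denied calls still land in CloudTrail, and a run of them from a single principal is often the first visible sign of a compromised key being walked through the account. For real files, `gzip.open` each object from the trail bucket, `json.load` it, and pass the result to `detect`.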
Security Best Practices Summary
| Area | Best Practice |
|---|---|
| Identity | Use IAM roles and short-lived credentials (not long-term access keys); enable MFA on root and all human users; keep the root user for break-glass use only |
| Secrets | Store in Secrets Manager, never in code or env vars |
| Network | Private subnets for databases, Security Groups with least-privilege rules |
| Encryption | Enable at-rest encryption on all EBS, S3, RDS, DynamoDB; use customer managed keys where you need key-policy control or cross-account access |
| Monitoring | Enable GuardDuty and Security Hub in every region, and CloudTrail as a multi-region (or organization) trail with log file validation |
| Patching | Use Inspector for vuln scanning, SSM Patch Manager for OS patches |
| Compliance | Use AWS Config rules to enforce standards continuously |