Secure Your Business with the Security, Identity and Compliance Products of AWS
At AWS, security, and specifically cloud security, is the highest priority. Today, organizations are exposed to the most hostile information security threats, so the number one priority of AWS is protecting your data. As a customer of AWS, you benefit from a data center and network architecture built to meet the requirements of the most security-sensitive organizations. Moreover, the global infrastructure of AWS is designed and managed according to security best practices and a variety of compliance standards.
AWS offers a number of security services to manage access and keys, encrypt data, send alerts whenever changes are made to your AWS resources, mitigate DDoS attacks and analyze data for irregular activity using machine learning. Additionally, as an AWS customer, you have access to audit-friendly, governance-focused service features that help you meet audit standards and compliance regulations. Following is a list of the security services offered by AWS under the ‘Security, Identity & Compliance’ banner that can help you prevent threats from cyber criminals and ensure security compliance.
Amazon Cloud Directory
A fully managed cloud-based directory, Amazon Cloud Directory allows you to store and organize data hierarchies across multiple dimensions. Since it is a managed service, Amazon Cloud Directory does not require you to install or patch software, manage servers, or scale any infrastructure.
A specialized graph-based directory store, Amazon Cloud Directory provides a building block for applications. A highly scalable and available web-based directory, Cloud Directory is used to organize and manage application resources such as users, groups, locations, devices and policies, and the relationships between them.
Data in Amazon Cloud Directory is secured both in transit and at rest. Moreover, unlike most traditional directory systems, Cloud Directory does not limit you to organizing directory objects in a single fixed hierarchy. As a specialized directory store, Amazon Cloud Directory can be used to:
Build cloud-based applications that offer device registry, group and user management, permissions or policy management, address books, application or product catalogs and customer management
Minimize the complexity of layering applications that sit atop Cloud Directory
Create directory-based applications without worrying about deployment, availability, performance and global scale
Manage schema information over time to ensure future compatibility for users
AWS Identity & Access Management (IAM)
A free service from Amazon, AWS Identity & Access Management (IAM) was launched in 2010, and in 2011 the e-commerce and cloud computing company announced the availability of IAM support for CloudFront.
A web service, IAM enables customers of Amazon Web Services to manage users and user permissions in AWS. A ‘User’ is an identity within your AWS account that has unique security credentials which can be used to access AWS services. With IAM, there is no need to share passwords or access keys, and you can easily enable or disable a user’s access as appropriate. When you’re using AWS, IAM offers you greater control, flexibility and security.
Targeted at organizations having multiple users or systems in the cloud that use AWS products such as the AWS Management Console, Amazon SimpleDB, and Amazon EC2, the IAM service allows you to centrally manage:
Permissions that control which AWS resources users can access
Security credentials such as access keys
Amazon Inspector
In April 2016, Amazon Web Services publicly released Amazon Inspector, a security vulnerability assessment tool. Performing vulnerability scans in the cloud has always been a challenge: keeping up with your continuous deployment workflow becomes difficult when you have to arrange scans with your security team and cloud provider. The good news is that you can solve this security challenge with Amazon Inspector.
To help you find potential security issues, Amazon Inspector allows you to conduct ongoing assessments of your EC2 application environment. In addition to identifying potential security issues, Amazon Inspector examines the behavior of the applications that you run in AWS. Issues that Amazon Inspector can look for include failure to follow best practices, out-of-date software and areas where the operating system should be hardened. With this broad coverage, you get a good view into the security posture of your Amazon EC2 instances.
Amazon Inspector raises a finding as soon as it sees an issue, and each finding comes with a recommended action. These recommendations provide solid guidance on how to manually resolve each issue. Amazon Inspector is not a penetration testing tool; it looks at your AWS instances from within, which is why this AWS service requires you to install an agent on your AWS instances.
Amazon Macie
On August 14, 2017, Amazon Web Services launched a new service: Amazon Macie, a machine learning service that helps organizations protect their sensitive data in the cloud. For now, you can use this AWS service to protect intellectual property and personally identifiable information in the Amazon S3 storage service.
A service that can identify names, addresses, driver’s licenses, social security numbers, credit card numbers and other such information, Macie tracks data in the S3 storage service. In addition to monitoring the aforementioned data, Macie keeps an eye out for irregularities. While it cannot conclude whether a leak is malicious or not, Macie will send out notifications once it identifies that there is a leak. Amazon Macie ensures data security within your AWS environment by allowing you to:
Identify and protect various data types
Receive notifications when data and account credentials go beyond protected zones
Identify changes to policies and access control lists
Verify compliance with automated logs that allow for instant auditing
Detect when large quantities of business-critical documents are shared internally and externally
Observe changes in user behavior and receive actionable alerts
AWS Certificate Manager
In January 2016, AWS released AWS Certificate Manager, a product that allows AWS customers to easily and automatically provision, deploy and renew SSL and TLS certificates on supported AWS resources. But the best thing is that AWS is not charging for these certificates. Yes, they are free!
Now that it’s free to get an SSL/TLS certificate from Amazon, it would be no less than a crime for anyone to run a site without SSL.
AWS CloudHSM
A cloud-based hardware security module (HSM), AWS CloudHSM enables you to easily generate and use your own encryption keys on the AWS cloud. A hardware-based security service, CloudHSM gives customers an extra level of protection for strict contractual, corporate and regulatory compliance requirements by offering them isolated HSM appliances.
AWS CloudHSM provides single-tenant access to each HSM within an Amazon Virtual Private Cloud (VPC). AWS bills an upfront fee for each instance, plus an hourly fee, until the administrator terminates the instance. Following are some of the features of AWS CloudHSM:
NIST FIPS 140-2 compliant devices
Suitable for OFFICIAL and/or SENSITIVE workloads
Tamper-resistant hardware security modules
Connectivity options for N3, PSN, Janet, RLI and regional networks
NCSC Cloud Security Principles aligned, Security Cleared (SC) staff available
Following are some of the benefits of using this AWS service:
Integrated with other AWS services
Improved application performance
Integrated role-based access control across all AWS services
Training and architectural patterns/guidance
Contractual and Regulatory compliance
Secure connectivity in AWS VPC
Comprehensive, cross-service API audit logging and security
AWS Directory Service
An Amazon Web Services tool, AWS Directory Service eliminates the need for a system administrator to build an Active Directory from scratch. AWS Directory Service offers a way for AWS resources to use managed Active Directory in the AWS cloud. With AWS Directory Service, an administrator can minimize the time spent on management tasks.
AWS Directory Service automatically creates and manages the entire directory for customers. As Amazon takes care of all the hard work, there is no physical access to the underlying machine or its operating system; users simply connect to the service endpoint with a client tool. Following are some of the benefits of AWS Directory Service:
Automatic Fault Tolerance
Simple Security Group Configuration
Integration with other AWS Applications
Single sign-on for console users
AWS Key Management Service
A fully managed service, AWS Key Management Service provides you with uniform, centralized control over your encryption keys. Using HSMs, it protects the security of your keys and enables you to easily encrypt data across your AWS infrastructure as well as within your own applications. AWS Key Management Service also lets you audit how the keys used to encrypt your data are being used. Following are the benefits of using this AWS service:
Full control over your encryption keys
Centralized key management
Integration with other AWS services
AWS Organizations
A cloud service, AWS Organizations applies and manages access policies across Amazon Web Services accounts. With AWS Organizations, you can manage AWS accounts from a single root account. When a workload is divided across multiple AWS accounts, AWS Organizations eliminates the need for a developer to write scripts that let individuals or groups communicate across those accounts.
Thanks to AWS Organizations, you no longer need to manage security policies through separate AWS accounts. Before the introduction of this AWS service, if you had multiple AWS accounts, you had to ensure in each of them that users had the right level of access to AWS services. With Organizations, you can attach service control policies (SCPs) to an individual account or an organizational unit (OU), which lets you configure a single policy and have it apply to your entire organization. Following is what this AWS service allows you to do:
Centrally manage policies across multiple AWS accounts
Control Access to AWS services
Automate AWS account creation and management
Consolidate billing across multiple AWS accounts
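The following service control policy is an added example, not from the original article, of the kind of single policy the passage describes: attached to an OU, it denies every account in that OU the ability to tamper with CloudTrail or to act outside a list of approved regions. The statement names and the region list are assumptions chosen for illustration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCloudTrailTampering",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyActionsOutsideApprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "support:*",
        "cloudfront:*",
        "route53:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["us-east-1", "eu-west-1"]
        }
      }
    }
  ]
}
```

SCPs never grant permissions and do not apply to the organization’s management account, so the denials only take effect for member accounts under the OU the policy is attached to. The NotAction list exempts global services that are not tied to a region; extend it if your accounts use other global services.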
AWS Shield
An Amazon Web Services tool, AWS Shield offers protection against Distributed Denial of Service (DDoS) attacks. A commonly used attack type, DDoS continues to rise in frequency. According to a recent survey, an average of over 100,000 DDoS attacks per week was recorded over the last year and a half.
A powerful managed service, AWS Shield protects your sites or web applications from many types and sizes of DDoS attacks. There are two tiers of AWS Shield available to customers: AWS Shield Standard and AWS Shield Advanced.
Available to all AWS customers by default, AWS Shield Standard comes at no extra cost. This tier of AWS Shield protects your web applications from over 90% of common DDoS attacks such as SYN/ACK floods, volumetric attacks and HTTP slow reads. AWS Shield is turned on by default for Amazon Route 53, Amazon CloudFront and Elastic Load Balancing resources. To provide quick detection and protection from most DDoS attacks, AWS Shield Standard uses analysis techniques, traffic signatures and anomaly algorithms to track malicious traffic in real time. With Shield Standard, you get:
On the other hand, AWS Shield Advanced provides a higher level of protection against DDoS attacks, including intelligent DDoS attack detection at the network, transport and application layers. With AWS Shield Advanced, you get:
Advanced Attack Mitigation
Visibility and Attack Notification
AWS Web Application Firewall (WAF)
A security system, AWS WAF controls inbound and outbound traffic for applications and websites hosted on the Amazon Web Services public cloud. This AWS service helps protect your web applications from attacks that could affect application availability, compromise security or consume excessive resources.
By letting developers define custom security rules, AWS WAF allows them to allow, block or monitor web requests. This helps protect applications and sites from common web attacks that could otherwise negatively affect application performance and availability. Following are the benefits of using this AWS service:
Increased protection against Web Attacks
Ease of development and maintenance
Improved web traffic visibility
Cost effective web application protection
Increase web security as you develop your application
There you have it – the security, identity and compliance products of AWS that can help secure your business.