Cloud-based WAFs thus retain all the advantages of WAFs and additionally share threat-detection information among all tenants of the service, which improves results and speeds up detection. The whole community learns from an attack on any website that shares a single cloud-based WAF service.
AWS Security
Security Group
All inbound traffic is blocked by default.
All outbound traffic is allowed by default.
You can have multiple security groups attached to an EC2 instance.
If you allow inbound traffic in, the corresponding return traffic is automatically allowed back out again.
You cannot block specific IP addresses using security groups; instead you need to use a network access control list (NACL).
You can only specify allow rules, not deny rules.
A security group is applied at the instance level, but a NACL is applied to subnets.
NACL
Your VPC automatically comes with a default NACL, which by default allows all inbound and outbound traffic.
NACLs operate at the subnet level.
Each subnet in your VPC must be associated with a NACL; if you do not associate one explicitly, the subnet is associated with the default NACL.
You can associate a NACL with multiple subnets; however, a subnet can be associated with only one NACL at a time.
A NACL contains a numbered list of rules that is evaluated in order.
A NACL has separate inbound and outbound rules, and each rule either allows or denies traffic (based on IP address).
NACLs are stateless.
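As an added example (not part of the original notes, and not AWS code), a small Python model of the evaluation rules above: security groups are allow-only and stateful, while a NACL is a numbered list with allow and deny rules, evaluated lowest number first, that must also permit the return traffic explicitly. The addresses, ports and rule numbers are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class NaclRule:
    number: int     # evaluated in ascending order; first match wins
    action: str     # "allow" or "deny" (NACLs support both)
    cidr: str
    from_port: int
    to_port: int

def nacl_evaluate(rules, addr, port):
    """Stateless NACL check: the lowest-numbered matching rule decides;
    the implicit final '*' rule denies anything unmatched.
    (Protocol matching is omitted to keep the model short.)"""
    for r in sorted(rules, key=lambda r: r.number):
        if ip_address(addr) in ip_network(r.cidr) and r.from_port <= port <= r.to_port:
            return r.action == "allow"
    return False

def sg_evaluate(allow_rules, addr, port):
    """Security groups are allow-only: any matching rule allows,
    otherwise traffic is implicitly denied. There is no deny rule."""
    return any(ip_address(addr) in ip_network(cidr) and lo <= port <= hi
               for cidr, lo, hi in allow_rules)

# Constructed sample rule sets for a public web subnet (documentation
# address ranges, not real hosts). Rule 90 denies one abusive source
# before rule 100 allows the world on 443; because NACLs are stateless,
# a separate outbound rule must cover the ephemeral-port return traffic
# that a stateful security group allows automatically.
NACL_INBOUND = [
    NaclRule(100, "allow", "0.0.0.0/0", 443, 443),
    NaclRule(90, "deny", "203.0.113.7/32", 0, 65535),
]
NACL_OUTBOUND = [NaclRule(100, "allow", "0.0.0.0/0", 1024, 65535)]
SG_INGRESS = [("0.0.0.0/0", 443, 443)]

def inbound_request_allowed(addr):
    """A client connecting to 443 must pass the subnet NACL first,
    then the instance security group."""
    return nacl_evaluate(NACL_INBOUND, addr, 443) and sg_evaluate(SG_INGRESS, addr, 443)

def response_allowed(addr, client_port):
    """Return traffic: the security group allows it statefully, so only
    the NACL outbound rules can block the reply."""
    return nacl_evaluate(NACL_OUTBOUND, addr, client_port)
```

Note that a deny rule numbered higher than a matching allow rule never fires, which is the ordering mistake the numbered list makes easy to make.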
Identity & access management
Identity management for your apps: Amazon Cognito
Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps
quickly and easily. Amazon Cognito scales to millions of users and supports sign-in with social identity
providers.
AWS Resource Access Manager (RAM) is a service that enables you to easily and securely share AWS
resources with any AWS account or within your AWS Organization. You can share AWS Transit Gateways,
Subnets, AWS License Manager configurations.
AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT
resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys,
and other secrets throughout their lifecycle. Users and applications retrieve secrets with a call to Secrets
Manager APIs, eliminating the need to hardcode sensitive information in plain text.
AWS Single Sign-On (SSO) makes it easy to centrally manage access to multiple AWS accounts and
business applications and provide users with single sign-on access to all their assigned accounts and
applications from one place.
Detective controls
Unified security and compliance center: AWS Security Hub
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards
applications running on AWS. AWS Shield provides always-on detection and automatic inline
mitigations that minimize application downtime and latency, so there is no need to engage AWS
Support to benefit from DDoS protection.
AWS WAF is a web application firewall that helps protect your web applications or APIs against
common web exploits that may affect availability, compromise security, or consume excessive
resources. AWS WAF gives you control over how traffic reaches your applications by enabling you
to create security rules that block common attack patterns, such as SQL injection or cross-site
scripting, and rules that filter out specific traffic patterns you define.
AWS Firewall Manager is a security management service which allows you to centrally configure
and manage firewall rules across your accounts and applications in AWS Organizations. As new
applications are created, Firewall Manager makes it easy to bring new applications and resources
into compliance by enforcing a common set of security rules. Now you have a single service to
build firewall rules, create security policies, and enforce them in a consistent, hierarchical manner
across your entire infrastructure.
Data Protection
Key storage management: AWS Key Management Service (KMS)
AWS Key Management Service (KMS) makes it easy for you to create and manage cryptographic
keys and control their use across a wide range of AWS services and in your applications. AWS KMS is a
secure and resilient service that uses hardware security modules that have been validated under FIPS
140-2, or are in the process of being validated, to protect your keys.
AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate
and use your own encryption keys on the AWS Cloud. With CloudHSM, you can manage your own
encryption keys using FIPS 140-2 Level 3 validated HSMs. CloudHSM offers you the flexibility to
integrate with your applications using industry-standard APIs, such as PKCS#11, Java Cryptography
Extensions (JCE), and Microsoft CryptoNG (CNG) libraries.
AWS Certificate Manager is a service that lets you easily provision, manage, and deploy public and
private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services
and your internal connected resources. SSL/TLS certificates are used to secure network
communications and establish the identity of websites over the Internet as well as resources on private
networks. AWS Certificate Manager removes the time-consuming manual process of purchasing,
uploading, and renewing SSL/TLS certificates.
Compliance
AWS Artifact is your go-to, central resource for compliance-related information that matters
to you. It provides on-demand access to AWS’ security and compliance reports and select
online agreements. Reports available in AWS Artifact include our Service Organization Control
(SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies
across geographies and compliance verticals that validate the implementation and operating
effectiveness of AWS security controls. Agreements available in AWS Artifact include the
Business Associate Addendum (BAA) and the Nondisclosure Agreement (NDA).
Benefits of AWS Cloud Security
Built with the highest standard for privacy and data security