Now, let us look at AWS Security services. These are AWS services that primarily provide ways to secure your resources in AWS. We'll briefly go over these services in this section as all of these services are discussed in detail in the subsequent chapters.
AWS Security services
AWS Identity and Access Management
AWS IAM enables customers to control access securely for their AWS resources and AWS users. In a nutshell, IAM provides authentication and authorization for accessing AWS resources. It supports accessing AWS resources through a web-based management console, CLI, or programmatically through API and SDK. It has basic features for access control such as users, groups, roles, and permissions as well as advanced features such as Identity Federation for integrating with the customer's existing user database, which could be a Microsoft Active Directory or Facebook, or Google. You can define granular permissions for all your resources as well as use temporary security credentials for providing access to external users outside of your AWS account.
AWS Virtual Private Cloud
AWS VPC is an IaaS that allows you to create your own VPN in the cloud. You can provision your resources in this logically isolated network in AWS. This network can be configured to connect to your on-premise data center securely. You can configure firewalls for all your resources in your VPC at instance level and/or subnet level to control traffic passing in and out of your VPC. VPC has a VPC flow log feature that enables you to collect information regarding IP traffic of your VPC.
AWS Key Management System (KMS)
AWS KMS is a service that helps you manage keys used for encryption. There are multiple options for KMS that include bringing your own keys and having them managed by KMS along with those generated by AWS. This is a fully managed service and integrates with other AWS Services such as AWS CloudTrail to log all activities for your KMS services. This service plays an important role in securing the data stored by your applications by encrypting them.
AWS Shield
AWS shield protects your web applications running on AWS from managed Distributed Denial of Service (DDoS) attacks. It is a fully managed service and has two variants, standard and advanced. AWS shield standard is offered to all customers free of charge and provides protection from most common attacks that target your applications or websites on AWS. AWS shield advanced gives you higher levels of protection, integration with other services such as web application firewalls, and access to the AWS DDoS response team.
AWS Web Application Firewall (WAF)
AWS WAF is a configurable firewall for your web applications, allowing you to filter traffic that you want to receive for your web applications. It is a managed service and can be configured either from the management console or through AWS WAF API, so you can have security checkpoints at various levels in your application by multiple actors such as developer, DevOps engineer, security analysts, and so on.
AWS CloudTrail
This is a logging service that logs all API requests in and out of your AWS account. It helps with compliance, auditing, and governance. It delivers a log of API calls to an S3 bucket periodically. This log can be analyzed by using log analysis tools for tracing the history of events. This service plays a very important part in Security Automation and Security Analysis.
AWS CloudWatch
This is a monitoring service that provides metrics, alarms and dashboards for all AWS Services available in your account. It integrates with other AWS services such as AutoScaling, Elastic Load Balancer, AWS SNS, and AWS Lambda for automating response for a metric crossing threshold. It can also collect and monitor logs. AWS CloudWatch can also be used to collect and monitor custom metrics for your AWS resources or applications.
AWS Config
AWS Config is a service that lets you audit and evaluates the configuration of your AWS resources. You can visit the historical configuration of your AWS resources to audit any incident. It helps you with compliance auditing, operational troubleshooting, and so on. You will use this service to make sure your AWS resources stay compliant and configured as per your baseline configuration. This service enables continuous monitoring and continuous assessment of configuration of your AWS resources.
AWS Artifact
This service gives you all compliance related documents at the click of a button. AWS Artificat is a self service, on-demand portal dedicated to compliance and audit related information along with select agreements such as business addendum and non disclosure agreement, and so on.
Penetration testing
AWS allows you to conduct penetration testing for your own EC2 and Relational Database Service (RDS) instances; however, you have to first submit a request to AWS. Once AWS approves this request, you can conduct penetration testing and vulnerability scans for EC2 and RDS instances in your AWS account. We'll take a detailed look at penetration testing in subsequent chapters.