Security

Key Management Service (KMS)

  • AWS managed key: free (alias aws/service-name)

  • Customer managed key: $1/month

  • A key policy can be defined to control who can access the key

  • A key can be created as a multi-region key. Replicas are created in the other regions and share the same key ID and key material, so content encrypted in one region can be decrypted in another. Each replica is managed independently.

SSM Parameter Store

  • Storage for configuration values

  • Optional encryption using KMS

  • Advanced parameters can be assigned a TTL to force an update or deletion of sensitive data

  • Version tracking of configuration values
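The key policy mentioned under KMS, combined with the KMS encryption used by SSM Parameter Store, is shown here as an added example (not from the original notes). Account ID 111122223333, the role names KmsKeyAdmin and AppConfigReader, and the region us-east-1 are placeholders: the administrator role gets only management actions on the key, and the application role may decrypt only when the call arrives through SSM Parameter Store in that region.

```json
{
  "Version": "2012-10-17",
  "Id": "example-cmk-policy",
  "Statement": [
    {
      "Sid": "KeyAdministratorsManageButDoNotUseTheKey",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/KmsKeyAdmin" },
      "Action": [
        "kms:Describe*",
        "kms:Get*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Enable*",
        "kms:Disable*",
        "kms:Revoke*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AppMayDecryptOnlyThroughParameterStore",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/AppConfigReader" },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "kms:ViaService": "ssm.us-east-1.amazonaws.com" }
      }
    }
  ]
}
```

Because this policy deliberately omits the default statement that grants the account root principal kms:*, IAM policies alone cannot grant access to the key, so keep the administrator role from being deleted or the key becomes unmanageable.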

Secrets Manager

  • For storing secrets

  • Forces rotation of secrets every X days, with automatic generation of the new value

  • Encrypted using KMS

  • Mostly meant for RDS integration

  • Secrets can be replicated across regions

Certificate Manager

  • Deploys TLS certificates to provide HTTPS

  • Automatic certificate renewal

  • Supports public and private certificates; public certificates are free of charge

  • Certificates generated outside of ACM can be imported

  • ACM sends a daily expiration event starting 45 days prior to expiration

Web Application Firewall (WAF)

  • Layer 7 firewall, mostly deployed on Application Load Balancer, CloudFront, API Gateway, ...

  • Web Access Control List (Web ACL) rules can be defined to restrict by IP address, HTTP header, or rate limit

  • Firewall Manager can be used to manage the rules across the accounts of an organization

AWS Shield

  • Protects against DDoS attacks

GuardDuty

  • Uses machine learning algorithms to discover threats

  • The data analyzed includes CloudTrail event logs, DNS logs, ...

Inspector

  • Evaluates the security of EC2 instances, container images and Lambda functions

Macie

  • Uses algorithms to identify sensitive data
