Security, Identity and Compliance
- AWS Identity & Access Management (IAM) - Manage User Access and Encryption Keys
- Amazon Cloud Directory - Create Flexible Cloud-native Directories
- Amazon Cognito - Identity Management for your Apps
- AWS Single Sign-On - Cloud Single Sign-On (SSO) Service
- Amazon GuardDuty - Managed Threat Detection Service
- Amazon GuardDuty combines ML and integrated threat intelligence from AWS and leading third parties to help protect your AWS accounts, workloads, and data from threats.
- AWS Direct Connect - Dedicated Network Connection to AWS
- Amazon Inspector - Analyze Application Security
- Amazon Macie - Discover, Classify, and Protect Your Data
- Amazon Macie is a data security service that uses machine learning (ML) and pattern matching to discover and help protect your sensitive data.
- What is Amazon Macie? | Amazon Web Services - YouTube
- AWS Certificate Manager - Provision, Manage, and Deploy SSL/TLS Certificates
- AWS CloudHSM - Hardware-based Key Storage for Regulatory Compliance
- AWS Directory Service - Host and Manage Active Directory
- AWS Key Management Service - Managed Creation and Control of Encryption Keys
- AWS Organizations - Policy-based Management for Multiple AWS Accounts
- AWS Shield - DDoS Protection
- AWS Shield is a managed Distributed Denial of Service (DDoS) protection service with two tiers. AWS Shield Standard is automatically enabled for all AWS customers at no additional cost and protects against common network and transport layer DDoS attacks on AWS services such as ELB, CloudFront, and Route 53. AWS Shield Advanced must be explicitly enabled and configured for specific AWS resources; it provides more sophisticated and customized protection against large and complex attacks, includes access to the AWS Shield Response Team for expert guidance, and offers cost protection for excess data transfer charges incurred during a DDoS attack.
- AWS WAF - Filter Malicious Web Traffic
AWS Startup Security Baseline (AWS SSB) - AWS Prescriptive Guidance
Security Groups
- Cluster security group - Designed to allow all traffic between the control plane and the managed node groups to flow freely in both directions
- Node security group - Designed to allow traffic between worker nodes, and to allow the nodes to reach a service such as RDS or Redshift
Cryptography & PKI
AWS Key Management Service (AWS KMS)
AWS Key Management Service (KMS) makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. AWS KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys. AWS KMS is integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.
AWS Shared Responsibility Model
Shared responsibility model - Amazon Web Services: Risk and Compliance
Others
Open-source SAST tools such as Semgrep, Bandit, or KICS can help you find vulnerabilities and compliance issues in your code.
GitHub - ossf/scorecard: OpenSSF Scorecard - Security health metrics for Open Source
Security Checks Simplified: How to Implement Best Practices with Ease - YouTube