This is a comprehensive list of AWS’s primary security controls and services, categorized by their function within the cloud provider's architecture. AWS adheres to the "Shared Responsibility Model," where AWS protects the infrastructure "of" the cloud, and these controls are the tools customers use to secure their assets "in" the cloud.
These controls manage identities, define permissions, and ensure the right resources are accessed by the right people or machines.
AWS Identity and Access Management (IAM): The foundational control for managing authentication (who can sign in) and authorization (what permissions they have). It supports:
Users, Groups, and Roles: Assigning identities to humans or machines.
Policies: JSON documents defining granular permissions.
Permission Boundaries: Setting the maximum permissions an IAM entity can have.
AWS IAM Identity Center (successor to AWS SSO): Centralizes the management of SSO access to multiple AWS accounts and business applications. It can connect to external identity providers (like Active Directory or Okta).
AWS Organizations: Allows you to centrally manage and govern your environment as you scale. The key security control here is Service Control Policies (SCPs), which can restrict the maximum available permissions at the account level, overriding even IAM admin permissions.
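The layering described above (identity policies, a permission boundary, and SCPs) is easiest to understand by watching the three layers interact. The following is an added example, not code from the original page or from AWS: a simplified evaluator that applies the documented precedence (explicit deny wins, an SCP or boundary that does not grant an action blocks it even for an administrator, and no matching statement means implicit deny). The policy documents, bucket name and the evaluator itself are constructed for illustration; resource policies, session policies and Condition blocks are deliberately omitted.

```python
"""Simplified model of IAM request evaluation for a single account: identity
policies, an optional permission boundary and Organizations SCPs. Educational
example only; it omits resource policies, session policies, Condition blocks
and NotAction/NotResource, which the real evaluator also handles."""
import fnmatch


def _as_list(value):
    # Policy elements may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def evaluate_policy(policy, action, resource):
    """Return "Deny", "Allow" or None (no matching statement) for one policy document."""
    decision = None
    for stmt in _as_list(policy.get("Statement", [])):
        # Actions are matched case-insensitively, resources case-sensitively; both allow "*" and "?".
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", "*"))
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"  # an explicit deny in any statement ends the evaluation
        decision = "Allow"
    return decision


def is_allowed(action, resource, identity_policies, boundary=None, scps=()):
    """A request succeeds only when every layer that applies grants it and none denies it."""
    # 1. SCPs: each SCP in the account's inheritance path must allow the action.
    #    The identity's own permissions are irrelevant if an SCP does not grant it.
    for scp in scps:
        if evaluate_policy(scp, action, resource) != "Allow":
            return False
    # 2. Permission boundary: caps what the identity policies can grant.
    if boundary is not None and evaluate_policy(boundary, action, resource) != "Allow":
        return False
    # 3. Identity policies: at least one Allow and no Deny; otherwise implicit deny.
    decisions = [evaluate_policy(p, action, resource) for p in identity_policies]
    if "Deny" in decisions:
        return False
    return "Allow" in decisions


# Constructed sample documents (hypothetical, not from any real account).
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Permission boundary: whatever the identity policies say, only s3:Get* on one bucket is possible.
S3_READ_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:Get*", "Resource": "arn:aws:s3:::example-bucket/*"}]}

# SCP: everything is allowed except disabling or deleting CloudTrail trails.
PROTECT_TRAILS_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"], "Resource": "*"}]}

OBJECT = "arn:aws:s3:::example-bucket/report.csv"


def demo():
    """Return the decisions for a few representative requests."""
    return {
        "admin reads object": is_allowed("s3:GetObject", OBJECT, [ADMIN_POLICY]),
        "admin writes object, boundary applied": is_allowed(
            "s3:PutObject", OBJECT, [ADMIN_POLICY], boundary=S3_READ_BOUNDARY),
        "admin reads object, boundary applied": is_allowed(
            "s3:GetObject", OBJECT, [ADMIN_POLICY], boundary=S3_READ_BOUNDARY),
        "admin stops trail, SCP applied": is_allowed(
            "cloudtrail:StopLogging", "*", [ADMIN_POLICY], scps=[PROTECT_TRAILS_SCP]),
        "admin lists instances, SCP applied": is_allowed(
            "ec2:DescribeInstances", "*", [ADMIN_POLICY], scps=[PROTECT_TRAILS_SCP]),
        "no policy at all": is_allowed("ec2:DescribeInstances", "*", []),
    }


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{request}: {'ALLOW' if allowed else 'DENY'}")
```

The "admin stops trail" case is the point of SCPs: the identity carries `"Action": "*"`, yet the request is denied because the SCP never grants it. The boundary case shows the same intersection logic one level down, scoped to a single IAM entity rather than a whole account.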
Multi-Factor Authentication (MFA): AWS supports and strongly recommends MFA for both the root user and IAM users, adding an essential second factor to password-based sign-in.
Amazon Cognito: Provides identity management for customer-facing web and mobile applications (sign-up, sign-in, and access control).
These controls protect the network perimeter, isolate workloads, and control traffic flow.
Amazon Virtual Private Cloud (VPC): The fundamental network isolation control, allowing you to launch AWS resources into a virtual network you define.
Security Groups: Act as a built-in stateful firewall for EC2 instances and other resources, controlling inbound and outbound traffic at the instance level.
Network Access Control Lists (NACLs): A built-in stateless firewall for controlling traffic at the subnet level (acting as a secondary defense layer to Security Groups).
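The stateful/stateless distinction between Security Groups and NACLs has a practical consequence that is easy to miss: a NACL needs an explicit outbound rule for the client's ephemeral port range or the reply half of every connection is dropped, and NACL rules are evaluated in number order so a deny placed after a broad allow never fires. The following is an added example, not code from the original page or from AWS: a small model of both evaluators run over one constructed HTTPS connection. The packet addresses, rule sets and class names are invented for illustration.

```python
"""Model of how a security group (stateful, allow-only) and a network ACL
(stateless, numbered rules, first match wins) treat one HTTPS connection.
Educational example reflecting the documented behaviour; not AWS code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str = "tcp"


@dataclass(frozen=True)
class SgRule:
    """Security group rules can only allow traffic; there is no deny rule."""
    direction: str   # "inbound" or "outbound"
    cidr: str        # peer address range
    port_from: int   # matched against the packet's destination port
    port_to: int
    protocol: str = "tcp"


@dataclass(frozen=True)
class NaclRule:
    number: int      # evaluated in ascending order; the first match decides
    direction: str
    cidr: str
    port_from: int
    port_to: int
    action: str      # "allow" or "deny"
    protocol: str = "tcp"


def _matches(rule, pkt, direction):
    if rule.direction != direction or rule.protocol != pkt.protocol:
        return False
    # Inbound rules look at the packet's source, outbound rules at its destination.
    peer = pkt.src_ip if direction == "inbound" else pkt.dst_ip
    if ip_address(peer) not in ip_network(rule.cidr):
        return False
    return rule.port_from <= pkt.dst_port <= rule.port_to


class SecurityGroup:
    def __init__(self, rules):
        self.rules = list(rules)

    def allows(self, pkt, direction):
        return any(_matches(r, pkt, direction) for r in self.rules)  # no match: drop

    def allows_connection(self, request, response):
        # Stateful: once the inbound request is permitted, its tracked response
        # is permitted automatically, whatever the outbound rules say.
        return self.allows(request, "inbound")


class NetworkAcl:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def allows(self, pkt, direction):
        for rule in self.rules:
            if _matches(rule, pkt, direction):
                return rule.action == "allow"
        return False  # the implicit final "*" rule denies everything unmatched

    def allows_connection(self, request, response):
        # Stateless: request and response are evaluated independently.
        return self.allows(request, "inbound") and self.allows(response, "outbound")


# Constructed traffic: an internet client (TEST-NET-3 address) opening HTTPS to a web instance.
REQUEST = Packet(src_ip="203.0.113.10", dst_ip="10.0.1.25", src_port=51234, dst_port=443)
RESPONSE = Packet(src_ip="10.0.1.25", dst_ip="203.0.113.10", src_port=443, dst_port=51234)

WEB_SG = SecurityGroup([SgRule("inbound", "0.0.0.0/0", 443, 443)])

# Only the inbound half is allowed: the reply to the client's ephemeral port is dropped.
NACL_NO_EPHEMERAL = NetworkAcl([NaclRule(100, "inbound", "0.0.0.0/0", 443, 443, "allow")])

# Corrected: an outbound rule for the ephemeral range lets the reply leave the subnet.
NACL_FIXED = NetworkAcl([
    NaclRule(100, "inbound", "0.0.0.0/0", 443, 443, "allow"),
    NaclRule(100, "outbound", "0.0.0.0/0", 1024, 65535, "allow"),
])

# Ordering pitfall: the deny for 203.0.113.0/24 is numbered after the broad allow and never fires.
NACL_SHADOWED_DENY = NetworkAcl([
    NaclRule(100, "inbound", "0.0.0.0/0", 443, 443, "allow"),
    NaclRule(200, "inbound", "203.0.113.0/24", 0, 65535, "deny"),
    NaclRule(100, "outbound", "0.0.0.0/0", 1024, 65535, "allow"),
])

# The same deny numbered below the allow takes effect.
NACL_EFFECTIVE_DENY = NetworkAcl([
    NaclRule(50, "inbound", "203.0.113.0/24", 0, 65535, "deny"),
    NaclRule(100, "inbound", "0.0.0.0/0", 443, 443, "allow"),
    NaclRule(100, "outbound", "0.0.0.0/0", 1024, 65535, "allow"),
])
```

Inbound and outbound NACL rules live in separate tables, which is why both directions can reuse rule number 100. The shadowed-deny case is the one to check when a NACL "does not seem to block" an address: the fix is to renumber the deny below the allow, as in `NACL_EFFECTIVE_DENY`.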
AWS WAF (Web Application Firewall): Protects web applications and APIs from common web exploits (e.g., SQL injection, XSS) and malicious bots.
AWS Shield: A managed Distributed Denial of Service (DDoS) protection service.
Shield Standard: Provides automatic protection against common infrastructure attacks (Layers 3 and 4) at no extra cost.
Shield Advanced: Offers higher-level protection, attack mitigation expertise, and cost protection against DDoS-related scaling charges.
AWS Network Firewall: A managed, stateful network firewall and intrusion detection and prevention service (IPS/IDS) for the VPC.
AWS PrivateLink: Provides secure, private connectivity between VPCs, AWS services, and on-premises networks without exposing traffic to the public internet.
These controls focus on data security at rest (storage), in transit (network), and in use.
Encryption and Key Management
AWS Key Management Service (KMS): A managed service that makes it easy to create and control the cryptographic keys used to encrypt data across hundreds of AWS services and within your applications.
AWS CloudHSM: Provides dedicated hardware security modules (HSMs) within the AWS cloud for customers who require the highest level of regulatory compliance for key storage and cryptographic operations.
AWS Certificate Manager (ACM): Provisions, manages, and deploys public and private SSL/TLS certificates for use with AWS services (like Elastic Load Balancing and CloudFront).
Data Governance and Discovery
Amazon Macie: Uses machine learning and pattern matching to automatically discover, classify, and protect sensitive data (like PII or financial data) stored in Amazon S3.
S3 Block Public Access: A centralized bucket-level or account-level control that prevents accidental public exposure of S3 objects, regardless of ACL or policy settings.
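The phrase "regardless of ACL or policy settings" is worth making concrete, because Block Public Access is really four settings, two of which act when a public grant is written and two of which neutralise grants that already exist. The following is an added example, not code from the original page or from AWS: a model of those four settings against a bucket ACL and a bucket policy, including the account-level setting that cannot be undone per bucket. Bucket names, grants and settings are constructed; treating a policy as "public" only when it has no Condition block is a deliberate simplification of the real service's rules.

```python
"""Model of S3 Block Public Access: how its four settings interact with a
bucket ACL and a bucket policy, and why it wins over both. Educational example
built from the documented behaviour of the four settings; not AWS code.
Simplification: a policy counts as public when it allows object reads to
Principal "*" with no Condition; the real service evaluates conditions too."""
from dataclasses import dataclass, field

FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


class AccessDenied(Exception):
    pass


@dataclass
class Bucket:
    name: str
    acl_grants: list = field(default_factory=list)           # [{"grantee": "AllUsers", "permission": "READ"}]
    policy: dict = field(default_factory=dict)
    public_access_block: dict = field(default_factory=dict)  # bucket-level settings


def effective_block(account_settings, bucket):
    # Account-level and bucket-level settings combine with OR: a flag enabled at
    # either level is enforced, so an account-wide block cannot be relaxed per bucket.
    return {f: bool(account_settings.get(f)) or bool(bucket.public_access_block.get(f)) for f in FLAGS}


def acl_is_public(grants):
    return any(g.get("grantee") in ("AllUsers", "AuthenticatedUsers")
               and g.get("permission") in ("READ", "FULL_CONTROL") for g in grants)


def policy_is_public(policy):
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if (stmt.get("Effect") == "Allow" and anyone and not stmt.get("Condition")
                and any(a in ("s3:GetObject", "s3:Get*", "s3:*", "*") for a in actions)):
            return True
    return False


def put_bucket_acl(bucket, grants, account_settings):
    """Write-time control: BlockPublicAcls rejects a request that would set a public ACL."""
    if effective_block(account_settings, bucket)["BlockPublicAcls"] and acl_is_public(grants):
        raise AccessDenied(f"{bucket.name}: public ACL rejected by BlockPublicAcls")
    bucket.acl_grants = grants


def put_bucket_policy(bucket, policy, account_settings):
    """Write-time control: BlockPublicPolicy rejects a policy that would grant public access."""
    if effective_block(account_settings, bucket)["BlockPublicPolicy"] and policy_is_public(policy):
        raise AccessDenied(f"{bucket.name}: public policy rejected by BlockPublicPolicy")
    bucket.policy = policy


def anonymous_can_read(bucket, account_settings):
    """Read-time control: IgnorePublicAcls and RestrictPublicBuckets neutralise
    public grants that already exist, e.g. on a bucket made public years ago."""
    block = effective_block(account_settings, bucket)
    via_acl = acl_is_public(bucket.acl_grants) and not block["IgnorePublicAcls"]
    via_policy = policy_is_public(bucket.policy) and not block["RestrictPublicBuckets"]
    return via_acl or via_policy


# Constructed sample data (hypothetical bucket names and account settings).
ACCOUNT_OPEN = {}
ACCOUNT_BLOCKED = {f: True for f in FLAGS}
PUBLIC_READ_ACL = [{"grantee": "AllUsers", "permission": "READ"}]
PUBLIC_READ_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::legacy-assets/*"}]}


def legacy_bucket():
    # A bucket that was made public before Block Public Access was turned on.
    return Bucket("legacy-assets", acl_grants=list(PUBLIC_READ_ACL), policy=dict(PUBLIC_READ_POLICY))


def new_public_policy_blocked(account_settings):
    """True if attaching a public policy to a fresh bucket is refused under these settings."""
    try:
        put_bucket_policy(Bucket("new-data"), PUBLIC_READ_POLICY, account_settings)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    print("legacy bucket readable, account open:   ", anonymous_can_read(legacy_bucket(), ACCOUNT_OPEN))
    print("legacy bucket readable, account blocked:", anonymous_can_read(legacy_bucket(), ACCOUNT_BLOCKED))
    print("new public policy refused when blocked: ", new_public_policy_blocked(ACCOUNT_BLOCKED))
```

The legacy-bucket case is the reason the account-level setting matters: turning on all four flags at the account level makes an old public ACL and an old public policy ineffective immediately, without editing either, and a bucket owner cannot opt out by clearing the bucket-level flags.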
These controls are designed to protect the underlying compute, storage, and database infrastructure from attacks and misconfigurations.
Amazon GuardDuty: A managed threat detection service that continuously monitors for malicious activity and unauthorized behavior within your AWS accounts, workloads (EC2, EKS), and data stored in S3. It uses machine learning and anomaly detection.
Amazon Inspector: An automated vulnerability management service that continually scans Amazon EC2 instances, container images, and Lambda functions for software vulnerabilities and unintended network exposure.
AWS Systems Manager Patch Manager: Automates the process of patching managed nodes with both security-related and other types of updates.
AWS Artifact: A central resource for on-demand access to AWS’s security and compliance reports (e.g., SOC, ISO, PCI) and select online agreements.
These controls are specifically tailored for serverless functions, code pipelines, and runtime environments.
AWS Lambda Security: Security is built into the Lambda execution environment (strong isolation). Access is controlled via IAM execution roles.
AWS Signer: A code-signing service that helps ensure the trust and integrity of code by allowing you to digitally sign code artifacts (like Lambda functions or IoT firmware).
Amazon CodeGuru Security: A static application security testing (SAST) tool that uses machine learning to identify security vulnerabilities (like hardcoded credentials or resource leaks) in application code.
These controls provide visibility, maintain a record of activity, and ensure resources adhere to security policies.
AWS CloudTrail: The key auditing control. It records API calls made within an AWS account, providing a history of who did what, when, and from where.
AWS Config: A service that enables you to assess, audit, and evaluate the configurations of your AWS resources. You can use AWS Config Rules to automatically check if resource configurations comply with security best practices.
AWS Security Hub: A security center that provides a comprehensive view of your security state across AWS accounts. It aggregates security alerts (findings) from other AWS services (like GuardDuty, Inspector) and checks your environment against security standards (like CIS Benchmarks).
AWS Audit Manager: Helps you continuously audit your AWS usage to simplify how you manage risk and compliance with regulations and industry standards.
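CloudTrail is described above as the record of "who did what, when, and from where"; the value of that record comes from the detection logic run over it. The following is an added example, not code from the original page or from AWS: a few detection rules applied to a constructed CloudTrail log file, flagging root usage, console sign-in without MFA, changes to the trail itself, and attachment of the AdministratorAccess managed policy. The record field names are standard CloudTrail fields; the events, the account ID (AWS's documentation example 111122223333), the principal names and the IP addresses are all invented.

```python
"""Detection logic run over a constructed CloudTrail log file. The fields used
(eventName, eventSource, userIdentity, sourceIPAddress, additionalEventData.MFAUsed,
responseElements.ConsoleLogin, requestParameters.policyArn) are standard CloudTrail
fields; the records, account ID and IP addresses are made up for this example."""
import json

# Constructed sample events, in the JSON layout CloudTrail writes to S3.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T08:02:11Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-01T08:05:40Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/deploy-bot"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-05-01T08:06:02Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/deploy-bot"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"userName": "temp-user", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-05-01T09:15:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/alice"},
     "sourceIPAddress": "192.0.2.44"},
    {"eventTime": "2024-05-01T09:20:31Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "192.0.2.44",
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
]})

# API calls that reduce or disable audit coverage.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
POLICY_ATTACH = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"}


def _finding(rule, rec):
    return {"rule": rule, "time": rec.get("eventTime"), "event": rec.get("eventName"),
            "actor": rec.get("userIdentity", {}).get("arn", "unknown"),
            "source_ip": rec.get("sourceIPAddress")}


def detect(records):
    """Apply each rule to each record; one record can raise more than one finding."""
    findings = []
    for rec in records:
        name, source = rec.get("eventName"), rec.get("eventSource")
        identity = rec.get("userIdentity", {})
        # Root should not be used day to day; any root activity is worth reviewing.
        if identity.get("type") == "Root":
            findings.append(_finding("ROOT_ACTIVITY", rec))
        # Successful console sign-in with no MFA, for root or IAM users.
        if (name == "ConsoleLogin"
                and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and rec.get("additionalEventData", {}).get("MFAUsed") == "No"):
            findings.append(_finding("CONSOLE_LOGIN_WITHOUT_MFA", rec))
        # Changes to the trail itself remove audit coverage and warrant an alert.
        if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            findings.append(_finding("TRAIL_TAMPERING", rec))
        # Attachment of the AWS-managed AdministratorAccess policy to any principal.
        policy_arn = rec.get("requestParameters", {}).get("policyArn", "")
        if name in POLICY_ATTACH and policy_arn.endswith(":policy/AdministratorAccess"):
            findings.append(_finding("ADMIN_POLICY_ATTACHED", rec))
    return findings


def run(trail_json=SAMPLE_TRAIL):
    """Parse a CloudTrail log file (the {"Records": [...]} layout) and return its findings."""
    return detect(json.loads(trail_json)["Records"])


if __name__ == "__main__":
    for f in run():
        print(f"{f['time']} {f['rule']:<26} {f['event']:<18} {f['actor']} from {f['source_ip']}")
```

In practice these rules would run in whatever consumes the trail (an EventBridge rule, a SIEM, or a Lambda fed from the trail's S3 bucket), and the trail-tampering rule is the one to pair with an SCP denying those same API calls, so that the attempt is both blocked and recorded.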