
Security Configurations on AWS

AWS Certificate Manager (ACM)

AWS Certificate Manager (ACM) is a robust service designed to streamline the management, provisioning, import, and deployment of SSL/TLS certificates, both public and private, for use with AWS services and internal resources. Key features include:

  • Efficient Lifecycle Management: ACM eliminates the time-consuming manual processes associated with purchasing, uploading, and renewing SSL/TLS certificates. It centrally manages the entire certificate lifecycle, ensuring seamless operations.

  • Automatic Renewal: ACM automatically renews certificates it issues, reducing the burden of manual renewal tasks and enhancing overall security.

  • Private Certificates: While public certificate usage is free, private certificates incur a monthly fee, providing flexibility based on specific security requirements.

Systems Manager (SSM) Parameter Store

AWS Systems Manager Parameter Store offers a secure and scalable solution for storing secrets, providing version tracking, and offering seamless encryption options with Key Management Service (KMS). Key attributes include:

  • Version Control: Each parameter value edit creates a new version, enabling historical tracking and rollback capabilities.

  • Scalability: Serverless and scalable, Parameter Store integrates with the AWS software development kits (SDKs), and access to parameters is controlled through Identity and Access Management (IAM) policies.

  • Customization Options: Users can assign a Time-To-Live (TTL) to a parameter through parameter policies, which force an update or delete the parameter automatically when it expires.

  • Storage Flexibility: Parameter tiers differ in the number of parameters allowed, the maximum value size, and the features available (such as parameter policies), so users can choose the tier that fits their needs.
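As an added example (not from the original page), the following Terraform configuration stores a SecureString parameter encrypted with a customer managed KMS key and grants one application role read access to only its own parameter path; the parameter name and path and the `db_password` and `app_role_name` variables are assumptions.

```hcl
# Customer managed key so that decrypting parameters can be restricted in IAM.
resource "aws_kms_key" "params" {
  description         = "CMK for SSM Parameter Store SecureStrings"
  enable_key_rotation = true
}

variable "db_password" {
  type      = string
  sensitive = true
}

variable "app_role_name" {
  type = string # assumed: name of the application's existing IAM role
}

# Every change to `value` creates a new parameter version, so history and
# rollback are available without any extra configuration.
resource "aws_ssm_parameter" "db_password" {
  name        = "/app/prod/db/password" # assumed path
  description = "Application database password"
  type        = "SecureString"
  key_id      = aws_kms_key.params.arn
  value       = var.db_password

  lifecycle {
    ignore_changes = [value] # let an out-of-band rotation stand
  }
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Least privilege: read only parameters under /app/prod/ and decrypt only
# with the key that protects them (GetParameter with decryption needs both).
data "aws_iam_policy_document" "read_app_params" {
  statement {
    actions   = ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"]
    resources = ["arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/app/prod/*"]
  }
  statement {
    actions   = ["kms:Decrypt"]
    resources = [aws_kms_key.params.arn]
  }
}

resource "aws_iam_role_policy" "read_app_params" {
  name   = "read-app-params"
  role   = var.app_role_name
  policy = data.aws_iam_policy_document.read_app_params.json
}
```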

AWS Secrets Manager

AWS Secrets Manager is a comprehensive solution for managing, retrieving, and rotating credentials and other secrets throughout their lifecycles. Notable features include:

  • Automated Rotation: Secrets Manager rotates secrets on a schedule, invoking an AWS Lambda function that generates the new value and updates the target.

  • Integration: It seamlessly integrates with Amazon RDS, providing a centralized location for managing various secrets.

  • Multi-Region Support: A secret can be replicated to other regions, with the replicas kept in sync with the primary, which strengthens disaster recovery strategies.

  • Auditability: CloudTrail, CloudWatch, and SNS integration ensure robust auditing capabilities for enhanced security monitoring.
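The rotation and multi-region behaviour described above, as an added Terraform example that is not part of the original page: the secret is replicated to a second region and rotated every 30 days by a Lambda rotation function. The secret name, the replica region, the rotation function ARN (`rotation_lambda_arn`) and the initial password variable are assumptions.

```hcl
variable "rotation_lambda_arn" {
  type = string # assumed: ARN of an existing Secrets Manager rotation function
}

variable "initial_password" {
  type      = string
  sensitive = true
}

resource "aws_secretsmanager_secret" "db" {
  name                    = "prod/app/db" # assumed name
  description             = "RDS credentials for the application database"
  recovery_window_in_days = 30 # soft delete: a wrongly deleted secret can be restored

  # Multi-region: Secrets Manager keeps this replica in sync with the primary.
  replica {
    region = "eu-west-1" # assumed region
  }
}

# Initial value; later versions are written by the rotation function.
resource "aws_secretsmanager_secret_version" "db" {
  secret_id     = aws_secretsmanager_secret.db.id
  secret_string = jsonencode({ username = "app", password = var.initial_password })
}

# Secrets Manager must be allowed to invoke the rotation function.
resource "aws_lambda_permission" "allow_secretsmanager" {
  statement_id  = "AllowSecretsManagerInvoke"
  action        = "lambda:InvokeFunction"
  function_name = var.rotation_lambda_arn
  principal     = "secretsmanager.amazonaws.com"
}

# Rotation schedule: the Lambda function generates and sets the new password.
resource "aws_secretsmanager_secret_rotation" "db" {
  secret_id           = aws_secretsmanager_secret.db.id
  rotation_lambda_arn = var.rotation_lambda_arn

  rotation_rules {
    automatically_after_days = 30
  }

  depends_on = [aws_lambda_permission.allow_secretsmanager]
}
```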

Amazon GuardDuty

Amazon GuardDuty is a threat detection service designed to continuously monitor AWS accounts and workloads for malicious activity, providing detailed security findings for remediation. Key features include:

  • Comprehensive Threat Detection: GuardDuty covers a wide range of threats, including cryptocurrency mining activity, through dedicated finding types.

  • Data Source Scanning: GuardDuty analyzes multiple data sources, such as CloudTrail logs, VPC Flow Logs, and DNS query logs, using machine-learning-based anomaly detection.

  • Granular Control: Users can suspend GuardDuty (analysis stops but existing findings and configuration are kept) or disable it (findings and configuration are deleted).

Amazon Macie

Amazon Macie leverages machine learning and natural language processing to discover, classify, and protect sensitive data stored in Amazon S3. Features include:

  • Data Classification: Macie identifies and classifies sensitive data, such as Personally Identifiable Information (PII), and surfaces the results through dashboards, reports, and alerts.

  • CloudTrail Integration: The ability to analyze CloudTrail logs enhances its capabilities to detect suspicious activity.

AWS WAF

AWS Web Application Firewall (WAF) protects CloudFront distributions, API Gateway, Application Load Balancers (ALB), AppSync, and Cognito User Pools. Key features include:

  • Comprehensive Protection: WAF monitors HTTP/HTTPS requests and offers granular control through Web ACL rules.

  • Rule Variety: Rules can match on source IP (IP sets), request rate (rate-based rules), geographic origin, request headers, string patterns, request length, and the presence of SQL injection or cross-site scripting (XSS) patterns.
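An added Terraform example (not from the original page) of a regional Web ACL combining two of the rule types listed above, a rate-based rule per source IP and a SQL injection match on the request body. The ACL name, the per-IP limit, and attaching the ACL to a load balancer with `aws_wafv2_web_acl_association` (omitted here) are assumptions.

```hcl
resource "aws_wafv2_web_acl" "app" {
  name  = "app-web-acl" # assumed name
  scope = "REGIONAL"    # REGIONAL for ALB, API Gateway, AppSync, Cognito; CLOUDFRONT for CloudFront
  default_action {
    allow {}
  }
  # Rate-based rule: block any source IP exceeding 2000 requests per 5 minutes (assumed limit).
  rule {
    name     = "rate-limit-per-ip"
    priority = 1
    action { block {} }
    statement {
      rate_based_statement {
        limit              = 2000
        aggregate_key_type = "IP"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit-per-ip"
      sampled_requests_enabled   = true
    }
  }
  # SQL injection match: inspect the URL-decoded request body.
  rule {
    name     = "sqli-body"
    priority = 2
    action { block {} }
    statement {
      sqli_match_statement {
        field_to_match { body {} }
        text_transformation {
          priority = 0
          type     = "URL_DECODE"
        }
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "sqli-body"
      sampled_requests_enabled   = true
    }
  }
  # Metrics and sampled requests for the ACL as a whole feed CloudWatch for monitoring.
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "app-web-acl"
    sampled_requests_enabled   = true
  }
}
```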

AWS Shield

AWS Shield is a DDoS protection service safeguarding applications running on AWS. Notable features include:

  • Free Tier: AWS Shield offers a free tier for all AWS customers, providing baseline protection against DDoS attacks.

  • Advanced Protection: Users can opt for AWS Shield Advanced for more sophisticated protection, covering services such as ELB, EC2, CloudFront, Global Accelerator, and Route 53.

AWS Firewall Manager

AWS Firewall Manager is a centralized service for managing firewall-related rules across all accounts within an AWS organization. Key features include:

  • Rule Management: Firewall Manager provides a common set of security rules for WAF, AWS Shield Advanced, Security Groups (SGs), and more.

  • Automated Rule Application: Rules are automatically applied to new resources, ensuring compliance across all accounts within an organization.

AWS Network Firewall

AWS Network Firewall offers comprehensive protection for entire Amazon VPCs, providing layer 3 to layer 7 protection. Key features include:

  • Traffic Filtering: Network Firewall allows for detailed traffic filtering, covering inbound/outbound traffic, internet traffic, VPC-to-VPC traffic, and more.

  • Centralized Management: Firewall rules can be centrally managed through AWS Firewall Manager, supporting thousands of rules for enhanced security.

  • Logging and Reporting: Network Firewall sends logs of rule matches to S3, CloudWatch Logs, or Kinesis Data Firehose for monitoring and analysis.

WAF vs Firewall Manager vs Shield

These services work together for comprehensive protection, with each offering specific advantages:

  • WAF: Ideal for defining Web ACL rules, providing granular protection for resources.

  • Firewall Manager: Centralizes rule management for WAF, AWS Shield Advanced, SGs, and other firewall-related rules, ensuring automated application to new resources.

  • Shield Advanced: Adds advanced features on top of AWS WAF, including dedicated support from the Shield Response Team (SRT) and advanced reporting.

Amazon Inspector

Amazon Inspector provides automated security assessments for Lambda functions, EC2 instances, and container infrastructures. Key features include:

  • Assessment Scope: Inspector assesses EC2 instances and Lambda functions against unintended network accessibility and known vulnerabilities, while also evaluating containers as they are pushed to Amazon Elastic Container Registry (ECR).

  • Continuous Scanning: Continuous scanning surfaces new findings promptly and forwards them to AWS Security Hub and Amazon EventBridge.

  • Risk Scoring: Inspector reports software vulnerabilities and network reachability findings, each with a risk score, so remediation can be prioritized effectively.